nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
26.75k stars 4k forks

User already exists API social_login #24003

Closed krakazyabra closed 3 years ago

krakazyabra commented 3 years ago

### Steps to reproduce

  1. Create a user in Keycloak (or another similar provider)
  2. Assign him a role which allows him to use Nextcloud
  3. Using the API, create the user in Nextcloud:

    POST /ocs/v1.php/cloud/users HTTP/1.1
    Authorization: Basic ***HIDDEN***
    User-Agent: MSIE
    Host: ***NEXTCLOUD HOST***
    Accept: */*
    OCS-APIRequest: true
    Content-Length: 82
    Content-Type: application/x-www-form-urlencoded

    Array ( [password] => PASSWORD [userid] => USER ID )


### Expected behaviour

    <?xml version="1.0"?>
    <ocs>
    <meta>
    <status>ok</status>
    <statuscode>100</statuscode>
    <message>OK</message>
    <totalitems></totalitems>
    <itemsperpage></itemsperpage>
    </meta>
    <data/>
    </ocs>

### Actual behaviour

    <?xml version="1.0"?>
    <ocs>
    <meta>
    <status>failure</status>
    <statuscode>102</statuscode>
    <message>User already exists</message>
    <totalitems></totalitems>
    <itemsperpage></itemsperpage>
    </meta>
    <data/>
    </ocs>

### Server configuration

**Operating system:**
Debian 10 Buster

**Web server:**
nginx/1.19.1

**Database:**
Percona xtradb-cluster 5.7.19

**PHP version:**
PHP 7.3.20

**Nextcloud version:** (see Nextcloud admin page)
19.0.1-fpm

**Updated from an older Nextcloud/ownCloud or fresh install:**
Rolling updates from 16 

**Where did you install Nextcloud from:**
 Docker image

**Signing status:**
<details>
<summary>Signing status</summary>

No messages

</details>

**List of activated apps:**
<details>
<summary>App list</summary>

Enabled:

</details>

**Nextcloud configuration:**
<details>
<summary>Config report</summary>

```json
{
  "system": {
    "theme": "mytheme",
    "blacklisted_files": [],
    "mail_smtpmode": "sendmail",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": 25,
    "mail_smtptimeout": 10,
    "mail_smtpsecure": "",
    "mail_smtpauth": false,
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "logfile": "\/dev\/stdout",
    "enable_previews": true,
    "preview_max_filesize_image": 4096,
    "preview_max_y": 4096,
    "preview_max_x": 4096,
    "enabledPreviewProviders": [
      "OC\\Preview\\PNG",
      "OC\\Preview\\JPEG",
      "OC\\Preview\\GIF",
      "OC\\Preview\\HEIC",
      "OC\\Preview\\BMP",
      "OC\\Preview\\XBitmap",
      "OC\\Preview\\MP3",
      "OC\\Preview\\TXT",
      "OC\\Preview\\MarkDown",
      "OC\\Preview\\Illustrator",
      "OC\\Preview\\Photoshop"
    ],
    "logtimezone": "Europe\/Prague",
    "social_login_auto_redirect": true,
    "updatechecker": false,
    "has_internet_connection": true,
    "objectstore_multibucket": {
      "class": "\\OC\\Files\\ObjectStore\\S3",
      "arguments": {
        "num_buckets": 15000,
        "bucket": "nextcloud-",
        "autocreate": true,
        "key": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "use_ssl": true,
        "hostname": "***REMOVED SENSITIVE VALUE***",
        "port": 443,
        "use_path_style": true
      }
    },
    "onlyoffice": {
      "jwt_header": "Authorization",
      "verify_peer_off": true
    },
    "loglevel": 3,
    "trusted_domains": [
      "nc.domain.org",
      "localhost",
      "10.*.*.*",
      "onlyoffice.domain.org",
      "nc-api.domain.org",
      "*cluster.local"
    ],
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "filelocking.enabled": false,
    "redis": {
      "host": "***REMOVED SENSITIVE VALUE***",
      "port": "6379",
      "timeout": 0
    },
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "19.0.1.1",
    "overwrite.cli.url": "https:\/\/nc.domain.com",
    "overwriteprotocol": "https",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "updater.release.channel": "stable",
    "maintenance": false
  }
}
```

</details>

**Are you using external storage, if yes which one:** Minio S3 as default backend

**Are you using encryption:** No

**Are you using an external user-backend, if yes which one:** Keycloak and the Social login app in NC

### Logs

**Nextcloud log (data/nextcloud.log):**

Nothing criminal for this operation

For me it is similar to https://github.com/nextcloud/server/issues/14796, but I'm using SSO instead of LDAP. For automated user creation I'm using this command:

```sh
curl -X POST https://admin:<VERYSTRONGPASSWORD>@nc-api.domain.org/ocs/v1.php/cloud/users -H "OCS-APIRequest: true" -d userid="USER ID" -d password="USER PASSWORD"
```

kesselb commented 3 years ago

Why do you think that's an issue for nextcloud/server? I guess if social_login (the user backend) says the user exists, there is not much we can do.

krakazyabra commented 3 years ago

Hi @kesselb. It is Nextcloud that is reporting this, because I'm calling /ocs/v1.php/cloud/users, and this endpoint reports that the user exists. Social login doesn't create users (it can, but this function is disabled). Because this is disabled by me, I have to create a user manually before the user can log in; for that I'm using the Nextcloud API and executing:

```sh
curl -X POST https://admin:<VERYSTRONGPASSWORD>@nc-api.domain.org/ocs/v1.php/cloud/users -H "OCS-APIRequest: true" -d userid="USER ID" -d password="USER PASSWORD"
```

Maybe I was not clear, let me explain it again:

  1. The user is created in the user backend (Keycloak in my case). In this backend there is a role which allows the user to use Nextcloud. At this step I collect the ID and password from the user; I will use them later in the API request to Nextcloud.
  2. On the Nextcloud side there is the Social_login application, which is configured to trust my backend and allows accepted users to log in. As I wrote, automatic user creation is disabled; I have reasons for that.
  3. I need to create a user in Nextcloud which corresponds to the backend user. For this I call Nextcloud's backend and provide the ID and password for the user (which I collected previously), set up a group for him and set a quota for the group.
  4. At step 3 (`curl -X POST https://admin:<VERYSTRONGPASSWORD>@nc-api.domain.org/ocs/v1.php/cloud/users -H "OCS-APIRequest: true" -d userid="USER ID" -d password="USER PASSWORD"`) I receive the error:

    <?xml version="1.0"?>
    <ocs>
    <meta>
    <status>failure</status>
    <statuscode>102</statuscode>
    <message>User already exists</message>
    <totalitems></totalitems>
    <itemsperpage></itemsperpage>
    </meta>
    <data/>
    </ocs>

@zorn-v am I right, that in this process social login does not take part?

zorn-v commented 3 years ago

am I right, that in this process social login does not take part?

Yes, it uses the default "user backend" and does not provide its own.

kesselb commented 3 years ago

cc @rullzer @ChristophWurst

krakazyabra commented 3 years ago

@kesselb @rullzer @ChristophWurst Is there any progress with it?

ChristophWurst commented 3 years ago

nope

zorn-v commented 3 years ago

More context: AFAIR this problem is "floating", it may occur and it may not. I think the problem may be in some "cloud config" (like k8s) with several distributed servers/containers.

krakazyabra commented 3 years ago

Yesterday I got an idea: we're running Nextcloud in 3 replicas with a shared config and a common DB, and there is a service in front of them which points to a random replica of Nextcloud. Can it be the cause of such a message?

zorn-v commented 3 years ago

Hmm, with that message, was the user actually created? If yes, of course it can. Two requests to different servers from the "proxy", return the first received response and gotcha.
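Tying together the API call from the opening post and zorn-v's question above (was the user actually created?), here is an added example that is not code from the issue or from the Nextcloud project: a small provisioning client that treats statuscode 102 as success only after a follow-up GET confirms the user now exists, which is what you want when a load balancer may deliver one POST to more than one replica. It assumes the hostname nc-api.example.org, a hypothetical `FakeCluster` transport standing in for the three replicas, and statuscode 998 for a missing user; 100 and 102 are the codes shown in the issue. It also keeps the admin credential in a header rather than in the URL, because the `https://admin:PASSWORD@host` form used in the thread leaks the password into shell history, `ps` output and any access log that records request URLs.

```python
"""Idempotent provisioning against the Nextcloud OCS user API.

Added example, not code from the issue or from Nextcloud. The HTTP transport is
injectable so this runs offline against the constructed FakeCluster below; real
use passes urllib_transport. Hostnames and the 998 "not found" code are
assumptions; 100 (OK) and 102 (User already exists) come from the issue itself.
"""
import base64
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from collections import namedtuple

OCS_OK = 100           # <statuscode> on success
OCS_USER_EXISTS = 102  # <statuscode> for "User already exists"

OcsMeta = namedtuple("OcsMeta", "status statuscode message")

def parse_ocs(body: bytes) -> OcsMeta:
    """Pull <ocs><meta> out of an OCS v1 XML response."""
    meta = ET.fromstring(body).find("meta")
    if meta is None:
        raise ValueError("not an OCS response: no <meta> element")
    return OcsMeta((meta.findtext("status") or "").strip(),
                   int(meta.findtext("statuscode") or 0),
                   (meta.findtext("message") or "").strip())

def urllib_transport(method, url, headers, body):
    """transport(method, url, headers, body) -> (http_status, raw_body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # OCS failures may be 4xx; body is still XML
        return e.code, e.read()

class OcsUserApi:
    def __init__(self, base_url, admin_user, admin_pass, transport=urllib_transport):
        self.base, self.transport = base_url.rstrip("/"), transport
        token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
        # Credential in a header, not in the URL: the https://admin:PASS@host form
        # leaks the password to shell history, `ps` and any log that records URLs.
        self.headers = {"Authorization": f"Basic {token}", "OCS-APIRequest": "true"}

    def _call(self, method, path, form=None) -> OcsMeta:
        headers, body = dict(self.headers), None
        if form is not None:
            body = urllib.parse.urlencode(form).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        return parse_ocs(self.transport(method, self.base + path, headers, body)[1])

    def user_exists(self, userid: str) -> bool:
        # Only statuscode 100 counts as "exists"; any other code is treated as absent.
        quoted = urllib.parse.quote(userid, safe="")
        return self._call("GET", "/ocs/v1.php/cloud/users/" + quoted).statuscode == OCS_OK

    def ensure_user(self, userid: str, password: str) -> str:
        """Return 'created' or 'already-present'; raise on other OCS failures.
        A 102 after our own POST is accepted only if a GET confirms the user now
        exists: a pre-existing user, or a proxy that delivered the POST to two
        replicas and handed back the losing replica's 102."""
        if self.user_exists(userid):
            return "already-present"
        meta = self._call("POST", "/ocs/v1.php/cloud/users",
                          {"userid": userid, "password": password})
        if meta.statuscode == OCS_OK:
            return "created"
        if meta.statuscode == OCS_USER_EXISTS and self.user_exists(userid):
            return "already-present"
        raise RuntimeError(f"OCS {meta.statuscode}: {meta.message}")

def ocs_xml(status, code, message) -> bytes:
    """Constructed OCS v1 response in the shape the issue shows."""
    return (f'<?xml version="1.0"?><ocs><meta><status>{status}</status>'
            f'<statuscode>{code}</statuscode><message>{message}</message>'
            '<totalitems></totalitems><itemsperpage></itemsperpage></meta><data/></ocs>').encode()

class FakeCluster:
    """Constructed stand-in for replicas behind a load balancer; duplicate=True
    delivers every POST twice and returns the second replica's answer."""
    def __init__(self, users=(), duplicate=False):
        self.users, self.duplicate = set(users), duplicate

    def __call__(self, method, url, headers, body):
        assert headers.get("OCS-APIRequest") == "true"  # OCS endpoints require it
        path = urllib.parse.urlsplit(url).path
        if method == "GET" and path.startswith("/ocs/v1.php/cloud/users/"):
            uid = urllib.parse.unquote(path.rsplit("/", 1)[1])
            return (200, ocs_xml("ok", 100, "OK")) if uid in self.users \
                else (404, ocs_xml("failure", 998, "Not found"))
        if method == "POST" and path == "/ocs/v1.php/cloud/users":
            uid = urllib.parse.parse_qs(body.decode())["userid"][0]
            for _ in range(2 if self.duplicate else 1):
                answer = ((200, ocs_xml("failure", 102, "User already exists"))
                          if uid in self.users else (200, ocs_xml("ok", 100, "OK")))
                self.users.add(uid)
            return answer
        return 404, ocs_xml("failure", 998, "Not found")

def demo():
    """Healthy cluster creates alice; the duplicating cluster answers 102 for bob
    even though bob was created, and ensure_user still reports success."""
    healthy = OcsUserApi("https://nc-api.example.org", "admin", "s3cret", FakeCluster())
    flaky_cluster = FakeCluster(duplicate=True)
    flaky = OcsUserApi("https://nc-api.example.org", "admin", "s3cret", flaky_cluster)
    return (healthy.ensure_user("alice", "pw1"), flaky.ensure_user("bob", "pw2"),
            "bob" in flaky_cluster.users)  # ('created', 'already-present', True)
```

For the reporter's debugging plan of pointing API requests at a single dedicated replica, `base_url` is simply that replica's URL; the verification GET still makes the script safe to re-run, because a user that is already present never turns into an error, while a 102 that no GET can confirm is raised as a real failure instead of being silently swallowed.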

ChristophWurst commented 3 years ago

we're running nextcloud in 3 replicas with shared config and common DB, there is service in front of them, which is pointing to random replica of nextcloud. Can it be the cause of such message?

do you also share the session data?

krakazyabra commented 3 years ago

do you also share the session data?

Should I do it manually? I thought that kind of data should be in Redis.

ChristophWurst commented 3 years ago

Nah, Redis is perfectly fine. You just shouldn't use local files on each of the nodes :)

krakazyabra commented 3 years ago

local files on each of the nodes

No, there is an NFS filesystem (read-write-many) with Nextcloud, which is mounted at /var/www/nextcloud in each replica :)

krakazyabra commented 3 years ago

Today I created a dedicated replica of the same Nextcloud (same NFS, DB, Redis, config) and use a separate URL to access exactly this replica. I will try to point API requests to this single replica. If the error goes away, then the problem is in the multiple replicas.

krakazyabra commented 3 years ago

After 5 months I started to get this error again.
A month ago I upgraded Nextcloud to 19.0.10. I have no idea why it appeared again, and no idea how to debug it.

szaimen commented 3 years ago

Is this issue still valid in NC 21.0.3? If not, please close this issue. Thanks! :)

krakazyabra commented 3 years ago

I don't know about the 21st version, I'm using the 19th, and will use it until end-of-life. So please try to find a solution for the 19th version.

ChristophWurst commented 3 years ago

Well https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule

krakazyabra commented 3 years ago

That was unexpected xD. I'll upgrade to the 20th and update the current issue, or will close it.

ghost commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.