nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

OAuth broken with 23.0.0 (since 22.0.0) #28261

Closed sephentos closed 2 years ago

sephentos commented 3 years ago

The way an OAuth login works doesn't seem to work anymore. So far I have always used an OAuth sign-in in RocketChat (configuration and more see below). That doesn't seem to work anymore. The only thing Nextcloud outputs as a log is a "Login failed: ". But I don't know where there would be more logs (if Nextcloud creates more logs at all). If there are more logs, please let me know where I can find them and I will be happy to provide them as soon as possible, but my search did not turn up more useful information.

Steps to reproduce

  1. Login on RocketChat with OAuth
  2. Give access to RocketChat OAuth Client within the Nextcloud Authorization Flow
  3. After a successful Nextcloud Authorization Flow the OAuth Client receives this: Exception while invoking method login Error: Failed to complete OAuth handshake with nextcloud at https://XXXXXXXX/index.php/apps/oauth2/api/v1/token. failed [401] {"message":""} - while Nextcloud only logs this: Login failed: '<OAuth Client ID)' (Remote IP: 'XXX')

Server configuration

Operating system: Debian 10

Web server: Latest NGINX

Database: MySQL 10.3.29

PHP version: 7.4.21

Nextcloud version: 22.0.0.11

Where did you install Nextcloud from: Website

Signing status:

Signing status

```
No errors have been found.
```

List of activated apps:

App list

```
Enabled:
 - accessibility: 1.7.0
 - activity: 2.15.0
 - admin_audit: 1.11.0
 - apporder: 0.13.0
 - bruteforcesettings: 2.2.0
 - circles: 22.0.0
 - cloud_federation_api: 1.4.0
 - comments: 1.11.0
 - contacts: 4.0.1
 - contactsinteraction: 1.2.0
 - dashboard: 7.1.0
 - dav: 1.18.0
 - external: 3.9.0
 - extract: 1.3.2
 - federatedfilesharing: 1.11.0
 - files: 1.16.0
 - files_accesscontrol: 1.12.0
 - files_pdfviewer: 2.3.0
 - files_rightclick: 1.1.0
 - files_sharing: 1.13.2
 - files_trashbin: 1.11.0
 - files_versions: 1.14.0
 - files_videoplayer: 1.11.0
 - firstrunwizard: 2.11.0
 - groupfolders: 10.0.0-beta1
 - impersonate: 1.9.0
 - integration_gitlab: 1.0.1
 - logreader: 2.7.0
 - lookup_server_connector: 1.9.0
 - mail: 1.10.2
 - nextcloud_announcements: 1.11.0
 - notes: 4.1.0
 - notifications: 2.10.1
 - oauth2: 1.9.0
 - password_policy: 1.12.0
 - passwords: 2021.7.23
 - photos: 1.4.0
 - privacy: 1.6.0
 - provisioning_api: 1.11.0
 - quota_warning: 1.11.0
 - recommendations: 1.1.0
 - serverinfo: 1.12.0
 - settings: 1.3.0
 - sharebymail: 1.11.0
 - spreed: 12.0.1
 - survey_client: 1.10.0
 - systemtags: 1.11.0
 - text: 3.3.0
 - theming: 1.12.0
 - twofactor_backupcodes: 1.10.1
 - updatenotification: 1.11.0
 - user_status: 1.1.1
 - viewer: 1.6.0
 - weather_status: 1.1.0
 - workflowengine: 2.3.0
Disabled:
 - afterlogic
 - deck
 - encryption
 - federation
 - files_external
 - files_texteditor
 - hsts
 - metadata
 - polls
 - social
 - support
 - user_ldap
```

Nextcloud configuration:

Config report

```
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "default_language": "de_DE",
        "activity_expire_days": 1,
        "force_language": "de_DE",
        "default_locale": "de_DE",
        "default_phone_region": "DE",
        "trusted_domains": [
            "localhost",
            ""
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "22.0.0.11",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_sendmailmode": "smtp",
        "mail_smtpauth": 1,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "maintenance": false,
        "loglevel": 2,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "theme": "",
        "updater.release.channel": "stable"
    }
}
```

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Latest Firefox, latest Chrome

Operating system:

Win10

Log from OAuth Client (RocketChat):

I20210730-15:34:19.956(0) Exception while invoking method login Error: Failed to complete OAuth handshake with nextcloud at https://XXXXXXXX/index.php/apps/oauth2/api/v1/token. failed [401] {"message":""} 

nextcloud.log

{"reqId":"xxxx","level":2,"time":"2021-07-30T15:34:19+00:00","remoteAddr":"xxxxx","user":"--","app":"core","method":"POST","url":"/index.php/apps/oauth2/api/v1/token","message":"Login failed: '<OAuth Client ID>' (Remote IP: 'XXX')","userAgent":"Meteor/METEOR@2.1.1","version":"22.0.0.11"}


Again: please let me know where I can find more logs and I will be happy to provide them as soon as possible, but my search did not turn up more useful information from Nextcloud. I wish to see more information about what exactly has gone wrong. It seems to be an issue since Nextcloud 22, because before it had worked.

Edit: It's been almost 3 months now, I can confirm that with 22.2.0 OAuth is still not working.

szaimen commented 3 years ago

Hi there, did you make sure that you've correctly configured nginx? https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html?highlight=nginx

sephentos commented 3 years ago

> Hi there, did you make sure that you've correctly configured nginx? https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html?highlight=nginx

Hi @szaimen , yes, Nginx is configured well. Using the same vhost (also please notice that with Nextcloud 21 everything worked well).

It would be great if Nextcloud could log more than just that, so debugging could be easier...

https://user-images.githubusercontent.com/35430448/127677194-abc2bec1-5409-4c4a-a629-735a2e6056ae.png

Update: Also does not work in 22.1.0. It definitely went broken with Nextcloud 22.

stonerl commented 3 years ago

I have the same problem with Nextcloud and Moodle. I upgraded to version 22.1.0 using the Docker images and get the following error message in Moodle when I try to authenticate.

Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 401

The log-output from Nextcloud:

```
[core] Warning: Login failed: 'j7nWFkFbkrcYGYfUGIJSJCPfner94pnhnhFF2NqZakg45tPGI31qchrDe0EcxRNM' (Remote IP: '172.18.0.1')

POST /index.php/apps/oauth2/api/v1/token

from 172.18.0.1 at 2021-08-16T11:26:47+00:00
```

TobjasR commented 3 years ago

I've got the same issue with NC22 upgrade - and reported as #28554 (closed now)

stonerl commented 3 years ago

An additional note. This bug also prevents the desktop client from sharing with other users:

TobjasR commented 3 years ago

On NC 21 it's working fine.

sephentos commented 3 years ago

Issue still existing with the recent update to 22.1.1.

TobjasR commented 2 years ago

Issue still existing with the recent update to 22.2.0

Invalid response received from OAuth Provider. Contact your administrator for more details.

Response :
{"message":""}

firlevapz commented 2 years ago

I have the same OAuth2 problem with nextcloud + rocketchat. Strange that not more people are affected by this bug...

I've tried to use the files from /core/templates/loginflow from version 21 as a workaround but it didn't help. Did anyone else find a workaround yet? Or any ideas which files have changed to cause this problem?

btittelbach commented 2 years ago

I have the same issue with rocketchat + nextcloud 22.2.0. I tried regenerating the oauth tokens in the hope this was a stored-data-interpretation issue introduced by an upgrade. Unfortunately: nope. Did not help.

sephentos commented 2 years ago

> I have the same issue with rocketchat + nextcloud 22.2.0. I tried regenerating the oauth tokens in the hope this was a stored-data-interpretation issue introduced by an upgrade. Unfortunately: nope. Did not help.

Yeah, I've tried the same as well. Even with a completely new instance of RocketChat. It's just broken since 22.0.0.

Seems that the issue only exists with nextcloud + rocketchat. It's been broken for months now.

Weird way of a partnership between rocketchat and nextcloud imho...

btittelbach commented 2 years ago

I can also confirm, it's not related to Nextcloud Bruteforce Detection.

Reminder: Nextcloud does/would log any oauth login attempt, successful or not, as a failed login, causing the bruteforce detection to eventually block the rocket.chat IP.

However, I tried it with trusted_proxies set. Checked that table oc_bruteforce_attempts was empty and also used occ security:bruteforce:reset on any set ips.
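The side effect described in this comment (token-endpoint requests being logged as failed logins and feeding brute-force detection) is something an admin can check for in `nextcloud.log` before resetting blocked IPs. The following is an added example, not code from the thread or from Nextcloud: it parses JSON log lines in the format quoted earlier in this issue and separates "Login failed" entries raised on a POST to `/index.php/apps/oauth2/api/v1/token` from genuine user-login failures. The sample lines, IPs and client id are constructed.

```python
import json
import re
from collections import Counter

# Constructed sample lines in the nextcloud.log JSON format quoted in this thread
# (reqId, remoteAddr and the client id are made-up values).
SAMPLE_LOG = """
{"reqId":"r1","level":2,"time":"2021-07-30T15:34:19+00:00","remoteAddr":"10.0.0.5","user":"--","app":"core","method":"POST","url":"/index.php/apps/oauth2/api/v1/token","message":"Login failed: 'abc123clientid' (Remote IP: '10.0.0.5')","userAgent":"Meteor/METEOR@2.1.1","version":"22.0.0.11"}
{"reqId":"r2","level":2,"time":"2021-07-30T15:35:02+00:00","remoteAddr":"203.0.113.9","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Login failed: 'alice' (Remote IP: '203.0.113.9')","userAgent":"Mozilla/5.0","version":"22.0.0.11"}
{"reqId":"r3","level":1,"time":"2021-07-30T15:36:00+00:00","remoteAddr":"10.0.0.5","user":"bob","app":"files","method":"GET","url":"/index.php/apps/files/","message":"","userAgent":"Mozilla/5.0","version":"22.0.0.11"}
not json at all
"""

TOKEN_ENDPOINT = "/index.php/apps/oauth2/api/v1/token"
LOGIN_FAILED_RE = re.compile(
    r"^Login failed: '(?P<name>[^']*)' \(Remote IP: '(?P<ip>[^']*)'\)$"
)


def parse_entries(text):
    """Yield one dict per well-formed JSON line, skipping blank or damaged lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def classify(entry):
    """Label a 'Login failed' entry by the code path that produced it.

    Returns 'oauth_client_auth' for a failure raised while a POST to the OAuth2
    token endpoint was being handled (the symptom in this thread), 'user_login'
    for any other failed login, and None for entries that are not login failures.
    """
    m = LOGIN_FAILED_RE.match(entry.get("message", ""))
    if m is None:
        return None
    if entry.get("method") == "POST" and entry.get("url") == TOKEN_ENDPOINT:
        return "oauth_client_auth"
    return "user_login"


def triage(text):
    """Count failures per class and collect the IPs and client ids behind the
    token-endpoint failures, so they can be matched against the registered
    OAuth clients and the brute-force table instead of being treated as attacks."""
    counts = Counter()
    ips, client_ids = set(), set()
    for entry in parse_entries(text):
        kind = classify(entry)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "oauth_client_auth":
            ips.add(entry.get("remoteAddr", ""))
            client_ids.add(LOGIN_FAILED_RE.match(entry["message"]).group("name"))
    return {
        "counts": dict(counts),
        "oauth_client_ips": sorted(ips),
        "oauth_client_ids": sorted(client_ids),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The IPs in `oauth_client_ips` are the ones an admin would expect to find in the brute-force attempts table after this regression; the `user_login` count is the figure that still deserves attention as possible credential guessing.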

TobjasR commented 2 years ago

> Seems that the issue only exists with nextcloud + rocketchat. It's been broken for months now.

Actually the problem exists also with this wordpress plugin

stonerl commented 2 years ago

> Seems that the issue only exists with nextcloud + rocketchat. It's been broken for months now.

> Actually the problem exists also with this wordpress plugin

Moodle is also broken.

TobjasR commented 2 years ago

I'm wondering if any Nextcloud staff does actually care about this bug?

charlax commented 2 years ago

I have the same issue with a plain NC installation. It looks like NextCloud is trying to authenticate the OAuth2 client as a user instead of as an app, even though the endpoint is marked as public.

It's quite easy to reproduce with this Python script:

```python
#!/usr/bin/env python3
import sys
import logging

import requests
from authlib.integrations.requests_client import OAuth2Session
from http.client import HTTPConnection
from authlib.oauth2.rfc6749.parameters import (
    parse_authorization_code_response,
)

# Add debug logging so the full HTTP exchange (including the Authorization
# header sent to the token endpoint) is printed to stdout.

log = logging.getLogger("authlib")
log.addHandler(logging.StreamHandler(sys.stdout))
log.setLevel(logging.DEBUG)
HTTPConnection.debuglevel = 1

logging.basicConfig()
logging.getLogger().setLevel(logging.DEBUG)
requests_log = logging.getLogger("requests.packages.urllib3")
requests_log.setLevel(logging.DEBUG)
requests_log.propagate = True

def main() -> int:
    client_id = "REDACTED"
    client_secret = "REDACTED"

    # Step 1: build the authorization URL and open it in a browser manually.
    client = OAuth2Session(client_id, client_secret)
    authorization_endpoint = "http://127.0.0.1:8080/index.php/apps/oauth2/authorize"
    uri, state = client.create_authorization_url(authorization_endpoint)

    print(uri)

    # Step 2: paste the redirect URL back in and extract the authorization code,
    # checking that the state parameter matches.
    authorization_response = input("redirection url: ").strip()
    parsed = parse_authorization_code_response(authorization_response, state=state)
    print(parsed)

    code = parsed["code"]

    # Step 3: exchange the code at the token endpoint. The credentials in the URL
    # userinfo are sent by requests as an HTTP Basic Authorization header, which is
    # the client authentication method that 22.x rejects with a 401.
    token_endpoint = f"http://{client_id}:{client_secret}@127.0.0.1:8080/index.php/apps/oauth2/api/v1/token"
    res = requests.post(
        token_endpoint, data={"grant_type": "authorization_code", "code": code}
    )
    print(res.text)
    res.raise_for_status()

    return 0

if __name__ == "__main__":
    sys.exit(main())
```

This script works with 21.0 and fails with the latest version 22.x.

cjhille commented 2 years ago

Oh crap, just ran into this after the upgrade from 21 to 22. Unfortunately I'm unable to go back to 21 (backup was already deleted because everything seemed fine). Now our users are unable to log in to rocketchat, since all user auth is done by NC. Does anybody know if there is a temporary way to circumvent this without disabling oauth and forcing everyone to set a new rocketchat password?

sephentos commented 2 years ago

> Oh crap, just ran into this after the upgrade from 21 to 22. Unfortunately I'm unable to go back to 21 (backup was already deleted because everything seemed fine). Now our users are unable to log in to rocketchat, since all user auth is done by NC. Does anybody know if there is a temporary way to circumvent this without disabling oauth and forcing everyone to set a new rocketchat password?

I feel you. OAuth has been broken in Nextcloud for 3 months and we are all still waiting; we don't even know whether any of the devs are paying attention to this issue (but when I see the 1.4k open issues here... well...).

If anyone does: yes, OAuth is still broken, even with 22.2.0.

pabsta1 commented 2 years ago

I face a similar problem with NC and Moodle (same error message as @stonerl, but different from OP). I have reproduced the bug on a fresh moodle install and a fresh install of NC 22.X, but the bug disappears on a fresh moodle install with NC 21.04. The same oauth problem occurs when NC 22 attempts to authenticate users for Drupal 8. However, the authentication process does not fail with HedgeDoc.

My original report can be found on the NC community page.

TobjasR commented 2 years ago

> I feel you. OAuth has been broken in Nextcloud for 3 months and we are all still waiting; we don't even know whether any of the devs are paying attention to this issue (but when I see the 1.4k open issues here... well...).

With that many open issues like these, the devs should immediately stop working on new major releases and focus on those issues instead. Who cares about some fancy new features in NC23, 24, ... as long as NC19 through 24 are/will be full of bugs and failures?

FrankyB commented 2 years ago

I am sorry to chime in, but I have searched my fingers sore. I am using nextcloud's oauth with a Java OAuth library (from my pom.xml: 8.29</nimbus-oauth.version>); I also tried the newest one with the same result: I am unable to log in, and the message in nextcloud.log is just "Login failed: ". The funny thing is that I use nextcloud's gitlab integration and gitlab to authenticate users via nextcloud, and this is working fine with 22.2.0.2.

EdGeraghty commented 2 years ago

After having been bitten by this in a recent Nextcloud upgrade, I managed to track it down!

This was introduced by the commit https://github.com/nextcloud/server/commit/521bb30541277f6f5e6d939bf75328a9ce8322a9

I will ask for a code review, but for now commenting out that line should make everything all work again.

nickvergessen commented 2 years ago

Thanks @charlax for the script.

As a first attempt it works when sending client id and secret as body instead of basic auth:

```python
    token_endpoint = f"http://{client_id}:{client_secret}@127.0.0.1:8080/index.php/apps/oauth2/api/v1/token"
    res = requests.post(
        token_endpoint, data={"grant_type": "authorization_code", "code": code, "client_id": client_id, "client_secret": client_secret}
    )
```

But of course this is not enough. We will prepare a patch to wrap the login code to not try a user login when trying to get an oauth token. Stay tuned
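To make the two observations in this thread concrete (charlax: the Basic credentials of the OAuth client are run through the user-login path; nickvergessen: sending `client_id`/`client_secret` in the body works around it, and the real fix is to keep the token route away from user login), here is an added, self-contained model of a token endpoint. It is not Nextcloud's code and does not mirror its classes or tables: `OAUTH_CLIENTS`, `USERS`, `bruteforce_attempts` and every function below are hypothetical stand-ins. It implements both client authentication methods of RFC 6749 section 2.3.1 and shows the broken routing beside the fixed one.

```python
import base64
import hmac
import json
from urllib.parse import quote, unquote

# Constructed registry of OAuth2 clients and local users; hypothetical stand-ins
# for the server's own storage, not Nextcloud's tables.
OAUTH_CLIENTS = {"client-abc": "secret-xyz"}
USERS = {"alice": "correct horse battery staple"}
# Records (ip, action) for every failed credential check; stands in for the
# brute-force attempt table discussed in this thread.
bruteforce_attempts = []


def basic_header(client_id, client_secret):
    """Client side of RFC 6749 section 2.3.1: form-URL-encode both values, join with
    ':' and base64 the result. Putting user:pass into the token URL, as the
    reproduction script above does, produces the same header."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def parse_basic_auth(headers):
    """Server side: return (id, secret) from a Basic header, or None when it is
    absent or malformed. Values are URL-decoded again, mirroring basic_header()."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    ident, sep, secret = raw.partition(":")
    if not sep:
        return None
    return unquote(ident), unquote(secret)


def authenticate_client(headers, form):
    """Resolve the OAuth client from the Basic header, or from client_id/client_secret
    body parameters when no header is present, and verify the secret in constant time."""
    creds = parse_basic_auth(headers)
    if creds is None and "client_id" in form:
        creds = (form["client_id"], form.get("client_secret", ""))
    if creds is None:
        return None
    client_id, secret = creds
    expected = OAUTH_CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id


def user_login(headers, ip):
    """Generic user-login path: any Basic credentials are taken as user:password."""
    creds = parse_basic_auth(headers)
    if creds is not None:
        expected = USERS.get(creds[0])
        if expected is not None and hmac.compare_digest(expected.encode(), creds[1].encode()):
            return creds[0]
    bruteforce_attempts.append((ip, "login"))
    return None


def issue_token(headers, form, ip):
    """Token endpoint proper: validate the grant, authenticate the client, mint a token."""
    if form.get("grant_type") != "authorization_code" or "code" not in form:
        return 400, {"error": "invalid_request"}
    client = authenticate_client(headers, form)
    if client is None:
        bruteforce_attempts.append((ip, "oauth_token"))
        return 401, {"error": "invalid_client"}
    return 200, {"access_token": f"token-for-{client}", "token_type": "Bearer"}


def token_request_broken(headers, form, ip):
    """Regression modelled here: a request carrying Basic credentials is run through
    the user-login path first. The client id is not a user, so that login fails, a
    brute-force attempt is recorded and the caller gets 401 with an empty message."""
    if parse_basic_auth(headers) is not None and user_login(headers, ip) is None:
        return 401, {"message": ""}
    return issue_token(headers, form, ip)


def token_request_fixed(headers, form, ip):
    """Fix modelled here: the token route never consults the user-login path."""
    return issue_token(headers, form, ip)


if __name__ == "__main__":
    form = {"grant_type": "authorization_code", "code": "code-from-authorize-step"}
    hdr = basic_header("client-abc", "secret-xyz")
    print("broken, header:", json.dumps(token_request_broken(hdr, form, "10.0.0.5")))
    print("broken, body:  ", json.dumps(token_request_broken({}, dict(form, client_id="client-abc", client_secret="secret-xyz"), "10.0.0.5")))
    print("fixed, header: ", json.dumps(token_request_fixed(hdr, form, "10.0.0.5")))
```

Two design points worth keeping when writing or reviewing a token endpoint: the client-authentication failure answers with `invalid_client` rather than an empty message, so the integrating application can tell a credential problem from a grant problem, and failed client authentication is throttled under its own action name rather than being counted as a user login, so brute-force protection still applies without blocking every application server that presents a correct secret.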

nickvergessen commented 2 years ago

Patch available at https://github.com/nextcloud/server/pull/29320

sephentos commented 2 years ago

Unfortunately the problem still exists for me with v22.2.1.

Problem unchanged as already described at the end of July. @nickvergessen

Does it work for you? @FrankyB @TobjasR @pabsta1 @cjhille @charlax


Maybe there is someone here who uses Rocket Chat <=> NextCloud OAuth. @firlevapz

Double checked, and this commit is present on the server:

https://github.com/nextcloud/server/commit/03936d776272e5bd270fb185ad7bcb438cc635d7

firlevapz commented 2 years ago

Yes, I'm using nextcloud + rocketchat. The nextcloud OAuth part is fixed, but since rocketchat 4.1.0 the OAuth integration is broken on their side, see: https://github.com/RocketChat/Rocket.Chat/issues/23613 :cry:

sephentos commented 2 years ago

> Yes, I'm using nextcloud + rocketchat. The nextcloud OAuth part is fixed, but since rocketchat 4.1.0 the OAuth integration is broken on their side, see: RocketChat/Rocket.Chat#23613 😢

I don't want to sound disrespectful, but I don't think so. Because, as you can see in my screenshot, Nextcloud shows the same error as it did a few months ago - namely that Nextcloud's login fails.

And the quoted issue RocketChat/Rocket.Chat#23613 shows another error "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method" while I get no additional error message..

Also, another OAuth Service works for me in my RocketChat server...

EdGeraghty commented 2 years ago

I've just successfully SSO logged in (and then SSO auth'd to delete the same session) to my org's Element-Web using Nextcloud's OIDC.

This sounds like a RocketChat client regression.

stonerl commented 2 years ago

v22.2.2 contains a fix

firlevapz commented 2 years ago

> I don't want to sound disrespectful, but I don't think so. Because, as you can see in my screenshot, Nextcloud shows the same error as it did a few months ago - namely that Nextcloud's login fails.

You're right, the error is different now. I just wanted to mention it, because again the most recent versions are not compatible anymore between these systems. But it's a completely different issue...

Just upgraded to v22.2.2 dockerized deployment and OAuth2 (with patched Rocketchat) works for me!

pabsta1 commented 2 years ago

The fix works for me. Thanks! :)

sephentos commented 2 years ago

Looks like they released v22.2.3 (I didn't know that nextcloud has an auto-update feature, because my nextcloud already shows 22.2.3, but whatever)

Now I've found this in the rocketchat while nextcloud does not show any logs anymore:

{"level":50,"time":"2021-11-17T03:17:59.246Z","pid":8,"hostname":"7af58635f8c5","name":"System","msg":"Exception while invoking method login 'Failed to complete OAuth handshake with nextcloud at /index.php/apps/oauth2/api/v1/token. url must be absolute and start with http:// or https://'"} 

(Of course the given nextcloud URL is valid)

Well, the search goes on - now on the rocketchat issues at github.

Edit: Continuing here: https://github.com/RocketChat/Rocket.Chat/issues/23654

sephentos commented 2 years ago

Another update - and it is still not working (23.0.0).

nickvergessen commented 2 years ago

As per above, this is not a Nextcloud problem anymore. The OAuth server and client parts work well since 22.2.1.

firlevapz commented 2 years ago

Hi @sephentos, it works for me again since nextcloud v22.2.2; I also think it's rocketchat related.

For me it helped that I removed the existing, previously configured OAuth2 connection and added a new Custom OAuth2 with the following settings:


FrankyB commented 2 years ago

For me it does also work again. The User Info that comes back as a json had some added/changed fields, but after tweaking my code I am able to log in and verify again. Thank you!