nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Using calendar with SAML authentication does not work as expected (re-opened) #36794

Open kmille opened 1 year ago

kmille commented 1 year ago

Bug description

This is a reopen of #20646. Quote:

> We are using Keycloak as authentication backend. Authentication works in the browser if people are using /login. If Android/Thunderbird wants to subscribe to a calendar, it gets a 401. If we reset the "local nextcloud" password with occ user:resetpassword, the Cal/CardDAV login works. Username can be found with occ user:list | grep. Why does Card/CalDAV authentication not work with third party authentication?

I used this for testing. Also interesting: the 401 takes ~30 seconds (it's always the same). So it seems like there is a timeout involved.

Installed version: 25.0.1.1

What user-backends are you using?

List of activated Apps

Enabled:
  - activity: 2.17.0
  - calendar: 4.2.2
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.0.2
  - contactsinteraction: 1.6.0
  - dav: 1.24.0
  - deck: 1.8.3
  - external: 5.0.0
  - federatedfilesharing: 1.15.0
  - files: 1.20.1
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - group_everyone: 0.1.11
  - lookup_server_connector: 1.13.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - onlyoffice: 7.6.8
  - provisioning_api: 1.15.0
  - related_resources: 1.0.3
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sociallogin: 5.2.0
  - text: 3.6.0
  - theming: 2.0.1
  - theming_customcss: 1.12.0
  - twofactor_backupcodes: 1.14.0
  - viewer: 1.9.0
  - workflowengine: 2.7.0
Disabled:
  - admin_audit
  - bruteforcesettings
  - dashboard: 7.5.0
  - encryption
  - federation: 1.15.0
  - files_external
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - groupfolders: 13.1.0
  - logreader: 2.10.0
  - nextcloud_announcements: 1.14.0
  - password_policy: 1.15.0
  - photos: 2.0.0
  - privacy: 1.9.0
  - recommendations: 1.4.0
  - richdocumentscode: 22.5.802
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - suspicious_login
  - systemtags: 1.15.0
  - timemanager: 0.3.4
  - timetracker: 0.0.77
  - twofactor_totp
  - updatenotification: 1.15.0
  - user_ldap
  - user_status: 1.5.0
  - weather_status: 1.5.0
kmille commented 1 year ago

Some debugging (log level: 0, checked nextcloud.log). If I run this:

```json
{
  "reqId": "powbOMCGLYVUH4H7tjqT",
  "level": 0,
  "time": "2023-02-21T12:44:38+00:00",
  "remoteAddr": "172.26.0.1",
  "user": "--",
  "app": "webdav",
  "method": "PROPFIND",
  "url": "/remote.php/dav/calendars/Keycloak-45e6a9a5-03f6-4a53-a60b-60c5f8cbd7a5/personal/",
  "message": "No public access to this resource., No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect",
  "userAgent": "python-requests/2.28.1",
  "version": "25.0.1.1",
  "exception": {
    "Exception": "Sabre\\DAV\\Exception\\NotAuthenticated",
    "Message": "No public access to this resource., No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect",
    "Code": 0,
    "Trace": [
      { "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php", "line": 89, "function": "beforeMethod", "class": "Sabre\\DAV\\Auth\\Plugin", "type": "->", "args": [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 456, "function": "emit", "class": "Sabre\\DAV\\Server", "type": "->", "args": [ "beforeMethod:PROPFIND", [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 253, "function": "invokeMethod", "class": "Sabre\\DAV\\Server", "type": "->", "args": [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 321, "function": "start", "class": "Sabre\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/apps/dav/lib/Server.php", "line": 360, "function": "exec", "class": "Sabre\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/apps/dav/appinfo/v2/remote.php", "line": 35, "function": "exec", "class": "OCA\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/remote.php", "line": 171, "args": [ "/var/www/html/apps/dav/appinfo/v2/remote.php" ], "function": "require_once" }
    ],
    "File": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php",
    "Line": 152,
    "message": "No public access to this resource., No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect",
    "exception": {},
    "CustomMessage": "No public access to this resource., No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect"
  }
}
```

If I replace Basic with Bearer:

```json
{
  "reqId": "077Y2HVX4fONoKzK4xAd",
  "level": 0,
  "time": "2023-02-21T12:52:38+00:00",
  "remoteAddr": "172.26.0.1",
  "user": "--",
  "app": "webdav",
  "method": "PROPFIND",
  "url": "/remote.php/dav/calendars/Keycloak-45e6a9a5-03f6-4a53-a60b-60c5f8cbd7a5/personal/",
  "message": "No public access to this resource., Bearer token was incorrect, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured",
  "userAgent": "python-requests/2.28.1",
  "version": "25.0.1.1",
  "exception": {
    "Exception": "Sabre\\DAV\\Exception\\NotAuthenticated",
    "Message": "No public access to this resource., Bearer token was incorrect, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured",
    "Code": 0,
    "Trace": [
      { "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php", "line": 89, "function": "beforeMethod", "class": "Sabre\\DAV\\Auth\\Plugin", "type": "->", "args": [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 456, "function": "emit", "class": "Sabre\\DAV\\Server", "type": "->", "args": [ "beforeMethod:PROPFIND", [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 253, "function": "invokeMethod", "class": "Sabre\\DAV\\Server", "type": "->", "args": [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 321, "function": "start", "class": "Sabre\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/apps/dav/lib/Server.php", "line": 360, "function": "exec", "class": "Sabre\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/apps/dav/appinfo/v2/remote.php", "line": 35, "function": "exec", "class": "OCA\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/remote.php", "line": 171, "args": [ "/var/www/html/apps/dav/appinfo/v2/remote.php" ], "function": "require_once" }
    ],
    "File": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php",
    "Line": 152,
    "message": "No public access to this resource., Bearer token was incorrect, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured",
    "exception": {},
    "CustomMessage": "No public access to this resource., Bearer token was incorrect, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured"
  }
}
```

As we are using the social plugin, maybe @zorn-v can help a bit.

joshtrichards commented 1 year ago

Hi @kmille - Thanks for your report. I assume the same thing happens if you do any sort of WebDAV-based access, not just Cal/CardDAV, correct? E.g. to get the properties of files in the folder /testing123:

```bash
curl -X PROPFIND -H "Depth: 1" -u USERNAME:PASSWORD https://example.com/nextcloud/remote.php/dav/files/USERNAME/testing123/
```

kmille commented 11 months ago

This is what I get:

```
(venv) kmille@linbox: bash test-caldav-sso.sh
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotFound</s:exception>
  <s:message>File with name //testing123 could not be located</s:message>
</d:error>

(venv) kmille@linbox: bash test-caldav-sso.sh
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>No public access to this resource., No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect</s:message>
</d:error>
```

It works if you use the NC password (occ user:resetpassword); with the SSO password, login fails.
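Added example (not Nextcloud's or kmille's code) for triaging the two kinds of evidence in this thread: the nextcloud.log entries quoted earlier and the `<d:error>` bodies a DAV client receives. Sabre's auth plugin joins one reason per configured backend into a single message, so matching the known fragments tells you whether Basic credentials were actually presented and rejected (the SSO-password case above) or simply never sent. The sample log lines are constructed and the calendar URL uses a placeholder UID.

```python
import json
import xml.etree.ElementTree as ET

# Reason fragments that Sabre's auth plugin joins into one message: each
# configured auth backend (Basic, Bearer) reports why it did not authenticate.
REASONS = {
    "basic_rejected": "Username or password was incorrect",
    "basic_missing": "No 'Authorization: Basic' header found",
    "bearer_rejected": "Bearer token was incorrect",
    "bearer_missing": "No 'Authorization: Bearer' header found",
}
NOT_AUTH = "Sabre\\DAV\\Exception\\NotAuthenticated"
NS = {"d": "DAV:", "s": "http://sabredav.org/ns"}

def reasons_in(message):
    """Tags for every known backend reason contained in a Sabre auth message."""
    return {tag for tag, frag in REASONS.items() if frag in message}

def classify_log_line(line):
    """(url, userAgent, tags) for a NotAuthenticated nextcloud.log entry, else None."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None  # nextcloud.log can contain non-JSON lines; skip them
    if (entry.get("exception") or {}).get("Exception") != NOT_AUTH:
        return None
    return entry.get("url"), entry.get("userAgent"), reasons_in(entry.get("message", ""))

def classify_dav_error(xml_body):
    """(exception class, tags) from the <d:error> body a DAV client receives."""
    root = ET.fromstring(xml_body)
    exc = root.findtext("s:exception", default="", namespaces=NS)
    return exc, reasons_in(root.findtext("s:message", default="", namespaces=NS))

def _sample(message):
    """Constructed nextcloud.log line shaped like the entries quoted in this issue."""
    return json.dumps({"app": "webdav", "method": "PROPFIND", "message": message,
                       "url": "/remote.php/dav/calendars/EXAMPLE-UID/personal/",
                       "userAgent": "python-requests/2.28.1",
                       "exception": {"Exception": NOT_AUTH}})

SAMPLE_LOG = [  # constructed: a Basic attempt, a Bearer attempt, then an unrelated line
    _sample("No public access to this resource., No 'Authorization: Bearer' header found."
            " Either the client didn't send one, or the server is mis-configured,"
            " Username or password was incorrect"),
    _sample("No public access to this resource., Bearer token was incorrect, No"
            " 'Authorization: Basic' header found. Either the client didn't send one,"
            " or the server is misconfigured"),
    '{"app": "core", "message": "not a DAV auth failure", "exception": null}',
]
```

Feed real nextcloud.log lines to `classify_log_line` and count the tags per URL and user agent: a stream of `basic_rejected` hits from calendar clients for SSO users is the signature this issue describes, distinct from clients that never sent credentials at all.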