nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
27.4k stars, 4.07k forks

[Bug]: SAML (Keycloak) authentication not working w/ CalDAV / WebDAV #36794

Open kmille opened 1 year ago

kmille commented 1 year ago

Bug description

This is a reopen of #20646. Quote:

> We are using Keycloak as authentication backend. Authentication works in the browser if people are using /login. If Android/Thunderbird wants to subscribe to a calendar, it gets a 401. If we reset the "local nextcloud" password with occ user:resetpassword, the Cal/CardDAV login works. Username can be found with occ user:list | grep. Why does Card/CalDAV authentication not work with third-party authentication?

I used this for testing. Also interesting: the 401 takes ~30 seconds (it's always the same). So it seems like there is a timeout involved.

Installed version: 25.0.1.1

What user-backends are you using?

List of activated Apps

Enabled:
  - activity: 2.17.0
  - calendar: 4.2.2
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.0.2
  - contactsinteraction: 1.6.0
  - dav: 1.24.0
  - deck: 1.8.3
  - external: 5.0.0
  - federatedfilesharing: 1.15.0
  - files: 1.20.1
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - group_everyone: 0.1.11
  - lookup_server_connector: 1.13.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - onlyoffice: 7.6.8
  - provisioning_api: 1.15.0
  - related_resources: 1.0.3
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sociallogin: 5.2.0
  - text: 3.6.0
  - theming: 2.0.1
  - theming_customcss: 1.12.0
  - twofactor_backupcodes: 1.14.0
  - viewer: 1.9.0
  - workflowengine: 2.7.0
Disabled:
  - admin_audit
  - bruteforcesettings
  - dashboard: 7.5.0
  - encryption
  - federation: 1.15.0
  - files_external
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - groupfolders: 13.1.0
  - logreader: 2.10.0
  - nextcloud_announcements: 1.14.0
  - password_policy: 1.15.0
  - photos: 2.0.0
  - privacy: 1.9.0
  - recommendations: 1.4.0
  - richdocumentscode: 22.5.802
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - suspicious_login
  - systemtags: 1.15.0
  - timemanager: 0.3.4
  - timetracker: 0.0.77
  - twofactor_totp
  - updatenotification: 1.15.0
  - user_ldap
  - user_status: 1.5.0
  - weather_status: 1.5.0
kmille commented 1 year ago

Some debugging (log level: 0, checked nextcloud.log). If I run this:

```json
{
  "reqId": "powbOMCGLYVUH4H7tjqT",
  "level": 0,
  "time": "2023-02-21T12:44:38+00:00",
  "remoteAddr": "172.26.0.1",
  "user": "--",
  "app": "webdav",
  "method": "PROPFIND",
  "url": "/remote.php/dav/calendars/Keycloak-45e6a9a5-03f6-4a53-a60b-60c5f8cbd7a5/personal/",
  "message": "No public access to this resource., No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect",
  "userAgent": "python-requests/2.28.1",
  "version": "25.0.1.1",
  "exception": {
    "Exception": "Sabre\\DAV\\Exception\\NotAuthenticated",
    "Message": "No public access to this resource., No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect",
    "Code": 0,
    "Trace": [
      { "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php", "line": 89, "function": "beforeMethod", "class": "Sabre\\DAV\\Auth\\Plugin", "type": "->", "args": [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 456, "function": "emit", "class": "Sabre\\DAV\\Server", "type": "->", "args": [ "beforeMethod:PROPFIND", [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 253, "function": "invokeMethod", "class": "Sabre\\DAV\\Server", "type": "->", "args": [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 321, "function": "start", "class": "Sabre\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/apps/dav/lib/Server.php", "line": 360, "function": "exec", "class": "Sabre\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/apps/dav/appinfo/v2/remote.php", "line": 35, "function": "exec", "class": "OCA\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/remote.php", "line": 171, "args": [ "/var/www/html/apps/dav/appinfo/v2/remote.php" ], "function": "require_once" }
    ],
    "File": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php",
    "Line": 152,
    "message": "No public access to this resource., No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect",
    "exception": {},
    "CustomMessage": "No public access to this resource., No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect"
  }
}
```

If I replace Basic with Bearer:

```json
{
  "reqId": "077Y2HVX4fONoKzK4xAd",
  "level": 0,
  "time": "2023-02-21T12:52:38+00:00",
  "remoteAddr": "172.26.0.1",
  "user": "--",
  "app": "webdav",
  "method": "PROPFIND",
  "url": "/remote.php/dav/calendars/Keycloak-45e6a9a5-03f6-4a53-a60b-60c5f8cbd7a5/personal/",
  "message": "No public access to this resource., Bearer token was incorrect, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured",
  "userAgent": "python-requests/2.28.1",
  "version": "25.0.1.1",
  "exception": {
    "Exception": "Sabre\\DAV\\Exception\\NotAuthenticated",
    "Message": "No public access to this resource., Bearer token was incorrect, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured",
    "Code": 0,
    "Trace": [
      { "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php", "line": 89, "function": "beforeMethod", "class": "Sabre\\DAV\\Auth\\Plugin", "type": "->", "args": [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 456, "function": "emit", "class": "Sabre\\DAV\\Server", "type": "->", "args": [ "beforeMethod:PROPFIND", [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 253, "function": "invokeMethod", "class": "Sabre\\DAV\\Server", "type": "->", "args": [ { "__class__": "Sabre\\HTTP\\Request" }, { "__class__": "Sabre\\HTTP\\Response" } ] },
      { "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php", "line": 321, "function": "start", "class": "Sabre\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/apps/dav/lib/Server.php", "line": 360, "function": "exec", "class": "Sabre\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/apps/dav/appinfo/v2/remote.php", "line": 35, "function": "exec", "class": "OCA\\DAV\\Server", "type": "->", "args": [] },
      { "file": "/var/www/html/remote.php", "line": 171, "args": [ "/var/www/html/apps/dav/appinfo/v2/remote.php" ], "function": "require_once" }
    ],
    "File": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php",
    "Line": 152,
    "message": "No public access to this resource., Bearer token was incorrect, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured",
    "exception": {},
    "CustomMessage": "No public access to this resource., Bearer token was incorrect, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured"
  }
}
```

As we are using the social plugin, maybe @zorn-v can help a bit.

joshtrichards commented 1 year ago

Hi @kmille - Thanks for your report. I assume the same thing happens if you do any sort of WebDAV-based access, not just Cal/CardDAV, correct? E.g. to get the properties of files in the folder /testing123:

```
curl -X PROPFIND -H "Depth: 1" -u USERNAME:PASSWORD https://example.com/nextcloud/remote.php/dav/files/USERNAME/testing123/
```

kmille commented 1 year ago

This is what I get:

```
(venv) kmille@linbox: bash test-caldav-sso.sh
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotFound</s:exception>
  <s:message>File with name //testing123 could not be located</s:message>
</d:error>

(venv) kmille@linbox: bash test-caldav-sso.sh
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>No public access to this resource., No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect</s:message>
</d:error>
```

It works if you use the NC password (occ user:resetpassword); with the SSO password, login fails.
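
To make the comparison in the two replies above repeatable (kmille's test-caldav-sso.sh is not shown in the thread), here is an added probe script; it is not part of the issue or of Nextcloud. It sends the PROPFIND joshtrichards suggested with HTTP Basic credentials, times the round trip (the report mentions a ~30 second delay before the 401), and parses Sabre's d:error body to tell a credential rejection (NotAuthenticated whose message contains "Username or password was incorrect", meaning a Basic backend did check the password and refused it) from a plain NotFound, which means the credentials were accepted and only the path was wrong. The DAV URL, username and NC_PASSWORD environment variable are placeholders the caller supplies; the reason strings it looks for are the ones in the log lines and error bodies above, and the sample bodies in the comments are constructed from them. One caveat on the workaround in the thread: occ user:resetpassword gives the account a local password that Nextcloud checks on its own, so a DAV client using it sidesteps whatever Keycloak enforces for that account (MFA, lockout, revocation). An app password created under the user's Security settings is per client and revocable and is the usual alternative for DAV clients; whether it works with the sociallogin backend in this setup is not established in the thread.

```python
"""Probe a Nextcloud DAV endpoint with HTTP Basic credentials and classify
the answer. Added example for this issue; not code from the issue or from
Nextcloud. The URL, user and password are placeholders supplied by the caller."""
import base64
import os
import sys
import time
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

DAV_NS = "DAV:"
SABRE_NS = "http://sabredav.org/ns"

# Minimal PROPFIND body; with "Depth: 1" the server lists the collection's children.
PROPFIND_BODY = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<d:propfind xmlns:d="DAV:"><d:prop><d:displayname/><d:resourcetype/>'
    b"</d:prop></d:propfind>"
)

# Per-backend failure reasons as they appear in the thread's log lines.
# Sabre's Auth plugin asks every configured backend and joins their reasons.
KNOWN_REASONS = {
    "no_public_access": "No public access to this resource.",
    "no_bearer_header": "No 'Authorization: Bearer' header found",
    "bearer_rejected": "Bearer token was incorrect",
    "no_basic_header": "No 'Authorization: Basic' header found",
    "basic_rejected": "Username or password was incorrect",
}


def classify_dav_response(status, body):
    """Turn (HTTP status, response body) into a verdict dict.

    verdict: "ok" for 207 Multi-Status; "auth_failed" for a Sabre d:error
    carrying NotAuthenticated; "not_found" for NotFound, which implies the
    credentials were accepted because the auth plugin runs in beforeMethod,
    before the path is resolved (as in the NC-password run above); else "other".
    """
    out = {"status": status, "exception": None, "message": None, "verdict": "other"}
    if status == 207:
        out["verdict"] = "ok"
        return out
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return out  # not a Sabre error document (proxy page, HTML, ...)
    if root.tag != "{%s}error" % DAV_NS:
        return out
    out["exception"] = root.findtext("{%s}exception" % SABRE_NS)
    out["message"] = root.findtext("{%s}message" % SABRE_NS)
    exc = out["exception"] or ""
    if exc.endswith("NotAuthenticated"):
        out["verdict"] = "auth_failed"
    elif exc.endswith("NotFound"):
        out["verdict"] = "not_found"
    return out


def auth_reasons(message):
    """Return the sorted keys of KNOWN_REASONS present in a Sabre auth message.

    "basic_rejected" is the one that matters for this issue: a Basic backend saw
    the credentials and refused them, as opposed to no Basic header at all."""
    return sorted(k for k, needle in KNOWN_REASONS.items() if needle in message)


def basic_auth_header(username, password):
    """RFC 7617 Basic credentials, UTF-8 encoded."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def probe(url, username, password, timeout=60.0):
    """Send PROPFIND with Basic credentials; return the verdict plus elapsed seconds."""
    req = urllib.request.Request(url, data=PROPFIND_BODY, method="PROPFIND")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Depth", "1")
    req.add_header("Content-Type", "application/xml; charset=utf-8")
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 401/404 arrive here with a body
        status, body = err.code, err.read()
    result = classify_dav_response(status, body)
    result["elapsed_s"] = round(time.monotonic() - start, 2)
    result["reasons"] = auth_reasons(result["message"] or "")
    return result


if __name__ == "__main__":
    # Usage (placeholders): NC_PASSWORD=... python probe_dav.py <dav-url> <username>
    if len(sys.argv) != 3:
        sys.exit("usage: NC_PASSWORD=... probe_dav.py <dav-url> <username>")
    print(probe(sys.argv[1], sys.argv[2], os.environ.get("NC_PASSWORD", "")))
```

Run it once with the IdP password and once with the local or app password against the same URL; a verdict of "auth_failed" with "basic_rejected" in the reasons, versus "not_found" or "ok", reproduces the difference kmille shows above, and elapsed_s makes the delay measurable rather than anecdotal.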

Codekloeppler commented 1 month ago

Hi,

The same behavior happens for authentication with OpenID Connect on an Authentik server. I'm using the "OpenID Connect user backend" (version 6.0.1) Nextcloud app.

Is there any fix to be expected?
Do you need additional info?

I'm quite happy to help on this if I can.