nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: "CORS requires basic auth" error when authenticating with OIDC token #44365

Open akhil1508 opened 4 months ago

akhil1508 commented 4 months ago


### Bug description

### Steps to reproduce

  1. Install https://github.com/pulsejet/nextcloud-oidc-login/ on your nextcloud server
  2. Configure the app with your OIDC provider
  3. Apply the following patch using `patch -u custom_apps/oidc_login/lib/AppInfo/Application.php -i oidc_api.patch`

    
    --- Application.php 2024-03-20 23:26:05.315639574 +0530
    +++ Application-new.php 2024-03-20 23:27:12.099748051 +0530
    @@ -20,6 +20,7 @@
    use OCP\IURLGenerator;
    use OCP\IUserSession;
    use OCP\Util;
    +use OCA\OIDCLogin\WebDAV\BearerAuthBackend;
    
    class Application extends App implements IBootstrap
    {
    @@ -68,6 +69,15 @@
    
         /** @var IRequest */
         $request = $container->get(IRequest::class);
    +        $bearerAuthBackend = $container->query(BearerAuthBackend::class);
    +
    +        // If it is an OCS request, try to authenticate with bearer token
    +        if ($request->getHeader('OCS-APIREQUEST') === 'true' &&
    +            $request->getHeader('OIDC-LOGIN-WITH-TOKEN') === 'true' &&
    +            str_starts_with($request->getHeader('Authorization'), 'Bearer ')) {
    +            $this->loginWithBearerToken($request, $bearerAuthBackend);
    +        }
    +
    
         // Check if automatic redirection is enabled
         $useLoginRedirect = $this->config->getSystemValue('oidc_login_auto_redirect', false);
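Review bot: `$bearerAuthBackend = $container->query(BearerAuthBackend::class);` uses the older `query()` accessor on the line directly after `$request = $container->get(IRequest::class);`; use `$container->get(BearerAuthBackend::class)` so both lookups go through the same API. On the same hunk, the gate `str_starts_with($request->getHeader('Authorization'), 'Bearer ')` is case-sensitive, so a client that sends the scheme as `bearer ` falls through with no authentication attempt and no log line explaining why; comparing the scheme case-insensitively (or logging the fallthrough) would make that failure mode visible when debugging exactly the kind of 401 this issue describes.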
    @@ -157,4 +167,12 @@
             }
         }
     }
    +    private function loginWithBearerToken(IRequest $request, BearerAuthBackend $bearerAuthBackend) {
    +        $authHeader = $request->getHeader('Authorization');
    +       $bearerToken = substr($authHeader, 7);
    +        if (empty($bearerToken)) {
    +            return;
    +        }
    +       $bearerAuthBackend->validateBearerToken($bearerToken);
    +    }
    }
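Review bot: the result of `$bearerAuthBackend->validateBearerToken($bearerToken);` is discarded, so if that method signals a rejected token through its return value rather than by throwing, the request simply continues without a session and nothing distinguishes "token rejected" from "token never checked"; check the result (or catch the exception and log it) so the outcome shows up in the Nextcloud log. Two smaller points: `$bearerToken = substr($authHeader, 7);` and the `validateBearerToken` line are indented one space less than their neighbours, and the new method has no return type or docblock (`: void` plus a one-line note naming the two request headers it depends on would match the surrounding code). The context lines also show the method inserted after a `}` at column 0 (the line before `+    private function`), which reads as the class-closing brace; if the indentation was not altered when pasting, the method lands outside the class, so confirm the placement.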

  4. Get an access token from OIDC provider
  5. Perform an API call to `/index.php/apps/notes/api/v0.2/notes` with Bearer authentication set using the above access token and header `OIDC-LOGIN-WITH-TOKEN` set to `true`
  7. Notice the "CORS requires basic auth" message

### Expected behavior

- Notes API should return results correctly

### Installation method

Community Docker image

### Nextcloud Server version

26

### Operating system

Debian/Ubuntu

### PHP engine version

PHP 8.1

### Web server

Nginx

### Database engine version

MariaDB

### Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

### Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

### What user-backends are you using?

- [ ] Default user-backend _(database)_
- [X] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other

### Configuration report

_No response_

### List of activated Apps

_No response_

### Nextcloud Signing status

_No response_

### Nextcloud Logs

_No response_

### Additional info

_No response_
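
A minimal client for step 5 of the reproduction, added here as an example; it is not code from the reporter, from nextcloud/server or from the oidc_login app. It sends the request exactly as the steps describe (Bearer token plus `OIDC-LOGIN-WITH-TOKEN: true`) and also sets `OCS-APIREQUEST: true`, which the patch checks for but step 5 does not list. The server it talks to is a constructed stub that only mimics the observed outcome (a 401 with the "CORS requires basic auth" message) and records the headers it received, so the script can be run offline to confirm what the client actually sent; the access token is a constructed placeholder, and `reproduce`, `classify` and the stub are assumptions of this example, not part of the app.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

NOTES_PATH = "/index.php/apps/notes/api/v0.2/notes"
CORS_BASIC_AUTH_MSG = "CORS requires basic auth"  # error text quoted in the report


def build_notes_request(base_url: str, access_token: str) -> Request:
    """Step 5 of the reproduction: Bearer auth plus the opt-in headers the patch checks."""
    return Request(base_url.rstrip("/") + NOTES_PATH, headers={
        "Authorization": "Bearer " + access_token,
        "OCS-APIREQUEST": "true",          # checked by the patch, not listed in step 5
        "OIDC-LOGIN-WITH-TOKEN": "true",
        "Accept": "application/json",
    })


def call_notes_api(base_url: str, access_token: str):
    """Return (status, parsed JSON body or raw text); never raises on 4xx/5xx."""
    try:
        with urlopen(build_notes_request(base_url, access_token), timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8") or "null")
    except HTTPError as err:
        raw = err.read().decode("utf-8", "replace")
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, raw


def classify(status: int, body) -> str:
    """Map a response to the outcome seen in the report or to the expected one."""
    message = body.get("message", "") if isinstance(body, dict) else str(body)
    if status == 401 and CORS_BASIC_AUTH_MSG in message:
        return "rejected_by_cors_middleware"
    if status == 200 and isinstance(body, list):
        return "notes_returned"
    return "other:%d" % status


# --- constructed stub: mimics only the observed 401 and records what it received ---
RECEIVED = []  # one dict of lower-cased header names per request the stub saw


class _StubHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        RECEIVED.append({k.lower(): v for k, v in self.headers.items()})
        payload = json.dumps({"message": CORS_BASIC_AUTH_MSG}).encode("utf-8")
        self.send_response(401)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the stub quiet
        pass


def start_stub():
    """Start the stub on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def reproduce(access_token: str = "constructed-token"):
    """Run the step-5 call against the stub; returns (outcome, headers the server saw)."""
    server, base_url = start_stub()
    try:
        status, body = call_notes_api(base_url, access_token)
        return classify(status, body), RECEIVED[-1]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    outcome, seen = reproduce()
    print(outcome)
    print({k: seen.get(k) for k in ("authorization", "ocs-apirequest", "oidc-login-with-token")})
```

To use it against a real instance, call `call_notes_api("https://cloud.example.test", token)` with a token from the OIDC provider instead of `reproduce()`; `classify` then tells apart the middleware rejection from a successful notes list without the client having to raise on the 401.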
akhil1508 commented 3 months ago

Is it okay to get a CSRF token using the /csrftoken route and then re-use the session associated with it along with Bearer token authentication? My use case is accessing the notes API route from a mobile client using Bearer token authentication with SSO.

There is a `@NoCSRFRequired` annotation for these routes though.

akhil1508 commented 3 months ago