[Bug]: Creating App Password not possible when using SAML Auth

MasterPuffin commented 5 months ago

⚠️ This issue respects the following points: ⚠️

[X] This is a bug, not a question or a configuration/webserver/proxy issue.
[X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
[X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
[X] I agree to follow Nextcloud's Code of Conduct.

Bug description

When SAML is configured to be the only possible option for login, it is not possible to create an app password. When trying to crate an app password the server responds with a 503, however no error is displayed in the webinterface. The log states Call to undefined method OCA\User_SAML\UserBackend::checkPassword()

Steps to reproduce

Click on create app password

Expected behavior

An app password is created or at least an error is shown

Installation method

Community Web installer on a VPS or web space

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

[ ] Default user-backend (database)
[ ] LDAP/ Active Directory
[X] SSO - SAML
[ ] Other

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

Error
Call to undefined method OCA\User_SAML\UserBackend::checkPassword()
/var/www/hostname/lib/private/User/Session.php
line 627
OC\User\Manager->checkPasswordNoLogging(
  "*** sensitive parameters replaced ***"
)
/var/www/hostname/lib/private/User/Session.php
line 356
OC\User\Session->loginWithPassword(
  "*** sensitive parameters replaced ***"
)
/var/www/hostname/lib/private/User/Session.php
line 453
OC\User\Session->login(
  "*** sensitive parameters replaced ***"
)
/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php
line 113
OC\User\Session->logClientIn(
  "*** sensitive parameters replaced ***"
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php
line 103
OCA\DAV\Connector\Sabre\Auth->validateUserPass(
  "*** sensitive parameters replaced ***"
)
/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php
line 231
Sabre\DAV\Auth\Backend\AbstractBasic->check(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php
line 138
OCA\DAV\Connector\Sabre\Auth->auth(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php
line 179
OCA\DAV\Connector\Sabre\Auth->check(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php
line 135
Sabre\DAV\Auth\Plugin->check(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/3rdparty/sabre/event/lib/WildcardEmitterTrait.php
line 89
Sabre\DAV\Auth\Plugin->beforeMethod(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php
line 456
Sabre\DAV\Server->emit(
  "beforeMethod:OPTIONS",
  [
    [
      "Sabre\\HTTP\\Request"
    ],
    [
      "Sabre\\HTTP\\Response"
    ]
  ]
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php
line 253
Sabre\DAV\Server->invokeMethod(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php
line 321
Sabre\DAV\Server->start()
/var/www/hostname/apps/dav/lib/Server.php
line 370
Sabre\DAV\Server->exec()
/var/www/hostname/apps/dav/appinfo/v2/remote.php
line 35
OCA\DAV\Server->exec()
/var/www/hostname/remote.php
line 172
undefinedundefinedrequire_once(
  "/var/www/hostname/apps/dav/appinfo/v2/remote.php"
)
Raw log entry
{
  "reqId": "aG2wEPA7jJK5VHAkwgqn",
  "level": 3,
  "time": "2024-04-14T19:52:25+00:00",
  "remoteAddr": "IP",
  "user": "--",
  "app": "webdav",
  "method": "OPTIONS",
  "url": "/remote.php/dav/files/Username",
  "message": "Call to undefined method OCA\\User_SAML\\UserBackend::checkPassword()",
  "userAgent": "gvfs/1.52.2",
  "version": "28.0.2.5",
  "exception": {
    "Exception": "Error",
    "Message": "Call to undefined method OCA\\User_SAML\\UserBackend::checkPassword()",
    "Code": 0,
    "Trace": [
      {
        "file": "/var/www/hostname/lib/private/User/Session.php",
        "line": 627,
        "function": "checkPasswordNoLogging",
        "class": "OC\\User\\Manager",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/hostname/lib/private/User/Session.php",
        "line": 356,
        "function": "loginWithPassword",
        "class": "OC\\User\\Session",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/hostname/lib/private/User/Session.php",
        "line": 453,
        "function": "login",
        "class": "OC\\User\\Session",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php",
        "line": 113,
        "function": "logClientIn",
        "class": "OC\\User\\Session",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php",
        "line": 103,
        "function": "validateUserPass",
        "class": "OCA\\DAV\\Connector\\Sabre\\Auth",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php",
        "line": 231,
        "function": "check",
        "class": "Sabre\\DAV\\Auth\\Backend\\AbstractBasic",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php",
        "line": 138,
        "function": "auth",
        "class": "OCA\\DAV\\Connector\\Sabre\\Auth",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php",
        "line": 179,
        "function": "check",
        "class": "OCA\\DAV\\Connector\\Sabre\\Auth",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php",
        "line": 135,
        "function": "check",
        "class": "Sabre\\DAV\\Auth\\Plugin",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
        "line": 89,
        "function": "beforeMethod",
        "class": "Sabre\\DAV\\Auth\\Plugin",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 456,
        "function": "emit",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          "beforeMethod:OPTIONS",
          [
            [
              "Sabre\\HTTP\\Request"
            ],
            [
              "Sabre\\HTTP\\Response"
            ]
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 253,
        "function": "invokeMethod",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 321,
        "function": "start",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/hostname/apps/dav/lib/Server.php",
        "line": 370,
        "function": "exec",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/hostname/apps/dav/appinfo/v2/remote.php",
        "line": 35,
        "function": "exec",
        "class": "OCA\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/hostname/remote.php",
        "line": 172,
        "args": [
          "/var/www/hostname/apps/dav/appinfo/v2/remote.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/var/www/hostname/lib/private/User/Manager.php",
    "Line": 265,
    "message": "Call to undefined method OCA\\User_SAML\\UserBackend::checkPassword()",
    "exception": [],
    "CustomMessage": "Call to undefined method OCA\\User_SAML\\UserBackend::checkPassword()"
  },
  "id": "661c33fc04507"
}

Additional info

No response

solracsf commented 5 months ago

Possible duplicate of https://github.com/nextcloud/user_saml/issues/826

adsche commented 3 months ago

Possible duplicate of nextcloud/user_saml#826

I don't think it is. Our user_saml has the fixed version of lib/UserBackend.php but we still cannot create app passwords. There are no error messages for the user nor in the Nextcloud or php_fpm logs. Devtools shows a 503 response to the POST request to /settings/personal/authtokens (request only containing the "name" for the new app, JSON encoded).

Naia-love commented 3 months ago

I can confirm adsche comment No log in nextcloud.log the button just dosent do anything, and in webbrowser's console it just show a 503 for a POST request to https://diopbox.fr/settings/personal/authtokens

It appear that loggin off and back in fix it, I suppose its linked to this patch? https://github.com/nextcloud/server/pull/7487/files which appear to set a timer for it (30m, i can try to wait rn and see)

edit: dosent happen anymore, I'll try to find an actual way to replicate it

adsche commented 2 months ago

Wow! Indeed, it works right after login for a while (more than 30 min) but stops working at some point.

aurelilia commented 2 months ago

I can confirm that this bug, including the timed behavior and no errors, also happens with OIDC login.

adsche commented 2 months ago

I upgraded to 29.0.3 because I almost expected #43942 (#45705) to fix this issue as it seems related. Unfortunately it doesn't seem to have fixed it. App password creation was again possible for only a short time after SSO login.

Naia-love commented 2 months ago

can confirm upgraded to 29.0.3 and it still have the same problem

j007bond007 commented 1 month ago

Confirmed... only recent login allows it to work - affects installing Apps as well

battosai30 commented 1 week ago

I confirm. Account deconnection/Reconnection solves the issue

nextcloud / server