nextcloud / user_oidc

OIDC connect user backend for Nextcloud
GNU Affero General Public License v3.0

"csrf check failed" after Nextcloud session ends #743

Open isdnfan opened 9 months ago

isdnfan commented 9 months ago

Problem

I successfully integrated Nextcloud with Zitadel IdP using user_oidc but I hit an issue with allow_multiple_user_backends=0 config.

Setup

The idea was to reduce the Nextcloud session lifetime so the NC session ends quickly and the user must re-login via the IdP, ensuring the user session is still valid in the IdP. To achieve this I configured the following settings in NC:

| setting | value |
|---|---|
| auto_logout | false |
| session_keepalive | true |
| session_lifetime | 120 |
| session_relaxed_expiry | false |
| remember_login_cookie_lifetime | 0 |

With `allow_multiple_user_backends=1` the settings work fine and the user returns to the login screen, where hitting the "login with IdP" button allows starting another session.

The problem starts when I forced IdP login with `allow_multiple_user_backends=0` using `occ config:app:set --value=0 user_oidc allow_multiple_user_backends`. This worked as expected, immediately redirecting an unauthorized user to the IdP and allowing access upon successful authorization. But after the Nextcloud session ends, the user is unable to return to Nextcloud. The browser keeps bouncing between Nextcloud and the IdP with requests keeping the `requesttoken` constant, and at some point hits 412 "CSRF check failed".

How to reproduce

Logs

I'm adding an anonymized HAR file from the browser dev tools showing the issue. In this log, https://dev-nc.mydomain.tld is my Nextcloud and https://sso.mydomain.tld is the IdP. In my case I'm using Zitadel, but the same issue happens with authentik and Keycloak as well.

dev-nc.mydomain.tld_Archive [23-12-28 20-22-20].har.zip

Nextcloud config report:

## Server configuration detail

**Operating system:** Linux 6.1.0-16-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.67-1 (2023-12-12) x86_64

**Webserver:** Apache/2.4.57 (Debian) (apache2handler)

**Database:** mysql 10.5.23

**PHP version:** 8.2.13

Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, session, PDO, pdo_sqlite, standard, posix, random, Reflection, Phar, SimpleXML, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, apcu, bcmath, exif, gd, gmp, imagick, intl, ldap, memcached, pcntl, pdo_mysql, pdo_pgsql, redis, sodium, sysvsem, zip, Zend OPcache

**Nextcloud version:** 28.0.1 - 28.0.1.1

**Updated from an older Nextcloud/ownCloud or fresh install:** 

**Where did you install Nextcloud from:** unknown

<details><summary>Signing status</summary>

[]
</details>

<details><summary>List of activated apps</summary>

Enabled:

</details>

<details><summary>Configuration (config/config.php)</summary>

```
{ "htaccess.RewriteBase": "\/", "memcache.local": "\OC\Memcache\APCu", "apps_paths": [ { "path": "\/var\/www\/html\/apps", "url": "\/apps", "writable": false }, { "path": "\/var\/www\/html\/custom_apps", "url": "\/custom_apps", "writable": true } ], "overwritehost": "dev-nc.mydomain.tld", "overwriteprotocol": "https", "passwordsalt": "REMOVED SENSITIVE VALUE", "secret": "REMOVED SENSITIVE VALUE", "trusteddomains": [ "localhost" ], "datadirectory": "REMOVED SENSITIVE VALUE", "dbtype": "mysql", "version": "28.0.1.1", "dbname": "REMOVED SENSITIVE VALUE", "dbhost": "REMOVED SENSITIVE VALUE", "dbport": "", "dbtableprefix": "oc", "mysql.utf8mb4": true, "dbuser": "REMOVED SENSITIVE VALUE", "dbpassword": "REMOVED SENSITIVE VALUE", "installed": true, "instanceid": "REMOVED SENSITIVE VALUE", "loglevel": "1", "maintenance": false, "memcache.distributed": "\OC\Memcache\Redis", "memcache.locking": "\OC\Memcache\Redis", "redis": { "host": "REMOVED SENSITIVE VALUE", "password": "REMOVED SENSITIVE VALUE", "port": 6379 }, "default_phone_region": "CH", "mail_from_address": "REMOVED SENSITIVE VALUE", "mail_smtpmode": "smtp", "mail_sendmailmode": "smtp", "mail_domain": "REMOVED SENSITIVE VALUE", "mail_smtpsecure": "ssl", "mail_smtpauthtype": "LOGIN", "mail_smtpauth": 1, "mail_smtphost": "REMOVED SENSITIVE VALUE", "mail_smtpport": "465", "mail_smtpname": "REMOVED SENSITIVE VALUE", "mail_smtppassword": "REMOVED SENSITIVE VALUE", "allow_local_remote_servers": true, "trashbin_retention_obligation": "15, 180", "app_install_overwrite": [ "suspicious_login" ], "serverinfo": { "token": "lmFaJ6JXR5e8wxCuyfSn" }, "trusted_proxies": "REMOVED SENSITIVE VALUE", "remember_login_cookie_lifetime": 0, "session_keepalive": "true", "session_lifetime": "120", "auto_logout": "false", "overwrite.cli.url": "https:\/\/dev-nc.mydomain.tld", "theme": "", "session_relaxed_expiry": "false", "updater.release.channel": "stable", "enabledPreviewProviders": [ "OC\Preview\MP3", "OC\Preview\TXT", "OC\Preview\MarkDown", "OC\Preview\OpenDocument", "OC\Preview\Krita", "OC\Preview\Imaginary" ], "preview_imaginary_url": "http:\/\/dev-nextcloud-imaginary:9000", "preview_concurrency_all": "12", "preview_concurrency_new": "8", "log_rotate_size": 1048576 }
```

</details>

**Cron Configuration:** Array
(
    [backgroundjobs_mode] => cron
    [lastcron] => 1703793901
)

**External storages:** yes

<details><summary>External storage configuration</summary>

No mounts configured

</details>

**Encryption:** no

**User-backends:** 
 * OCA\UserOIDC\User\Backend
 * OCA\UserOIDC\User\Backend
 * OC\User\Database

**Talk configuration:** 

STUN servers
 * no custom server configured

TURN servers
 * turn:nc.mydomain.tld:3478 - udp,tcp

Signaling servers (mode: default):
 * SIP dialin is disabled
 * SIP dialout is disabled
 * no custom server configured

Recording servers:
 * Recording is enabled
 * Recording consent is set to "default"
 * no recording server configured

**Browser:** Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0

isdnfan commented 9 months ago

Found this issue, which looks similar but uses SAML: https://github.com/nextcloud/server/issues/40626

julien-nc commented 8 months ago

@isdnfan Thanks for the bug report. #761 is an attempt to fix this. Could you check it?

isdnfan commented 8 months ago

Hi @julien-nc, thank you for your attention. I tested the version you provided and there is an improvement: there is no more logout/login loop. The new version works and the user logs in successfully, but once the auto-logout happens user_oidc disappears somehow: the clean original NC login UI appears and user_oidc doesn't start working (even when I restart the docker container) until I restore the original Application.php version. Once it works I can apply the patch again and it works once.

I don't see anything useful in nextcloud.log

```
dev-nextcloud-app  | 192.168.11.203 - - [16/Jan/2024:21:08:51 +0000] "POST /apps/text/session/135693/sync HTTP/1.1" 200 1226 "https://dev-nc.mydomain.tld/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
dev-nextcloud-app  | ::1 - - [16/Jan/2024:21:08:52 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.57 (Debian) PHP/8.2.14 (internal dummy connection)"
dev-nextcloud-app  | ::1 - - [16/Jan/2024:21:08:53 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.57 (Debian) PHP/8.2.14 (internal dummy connection)"
dev-nextcloud-app  | 192.168.11.203 - - [16/Jan/2024:21:08:53 +0000] "GET /logout?requesttoken=xX6vrvXaeZSijqwWJd%2FQpwVqtwId8ZI2yonPqsGENU4%3D%3ApAuayJKZF9uT%2Bu9REu%2BxyEE7hTZ4tdFHmN%2Bby7TCV3k%3D HTTP/1.1" 303 1758 "https://dev-nc.mydomain.tld/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
dev-nextcloud-app  | 192.168.11.203 - - [16/Jan/2024:21:08:53 +0000] "GET /login?clear=1 HTTP/1.1" 200 10375 "https://dev-nc.mydomain.tld/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
```

and nothing in the container logs. But the app seems to work somehow in the backend: if I have a valid OIDC session, I can access my Nextcloud directly. Likely the fix broke the login redirection logic.
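As an added example (not code from the user_oidc project or from anyone in this thread), the loop described in the original report can be spotted in Apache access logs of the format quoted above: repeated `GET /logout` hits from one client carrying the same `requesttoken`, ending in a 412. The log lines, IP addresses and tokens below are constructed; the container-name prefix is stripped before parsing.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format, as in the container logs above).
# Client 192.0.2.10 loops on one requesttoken until a 412; 192.0.2.11 logs out once.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jan/2024:21:08:53 +0000] "GET /logout?requesttoken=AAAA%3ABBBB HTTP/1.1" 303 1758 "https://dev-nc.example/apps/files/" "UA"
192.0.2.10 - - [16/Jan/2024:21:08:53 +0000] "GET /login?clear=1 HTTP/1.1" 302 0 "-" "UA"
192.0.2.10 - - [16/Jan/2024:21:08:54 +0000] "GET /logout?requesttoken=AAAA%3ABBBB HTTP/1.1" 303 1758 "-" "UA"
::1 - - [16/Jan/2024:21:08:54 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache (internal dummy connection)"
192.0.2.10 - - [16/Jan/2024:21:08:54 +0000] "GET /logout?requesttoken=AAAA%3ABBBB HTTP/1.1" 303 1758 "-" "UA"
192.0.2.10 - - [16/Jan/2024:21:08:55 +0000] "GET /logout?requesttoken=AAAA%3ABBBB HTTP/1.1" 412 1200 "-" "UA"
192.0.2.11 - - [16/Jan/2024:21:10:00 +0000] "GET /logout?requesttoken=CCCC%3ADDDD HTTP/1.1" 303 1758 "-" "UA"
"""

# client, two ident/user fields, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return client IP, request path, status and requesttoken (or None)."""
    line = line.split(" | ", 1)[-1]  # drop a docker-compose "service | " prefix
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    token = parse_qs(parts.query).get("requesttoken", [None])[0]
    return {"ip": m.group("ip"), "path": parts.path,
            "status": int(m.group("status")), "token": token}


def find_logout_loops(log_text, min_repeats=3):
    """Group /logout hits per (client, requesttoken) and report groups that
    repeat the same token at least min_repeats times or hit a 412."""
    hits = Counter()
    csrf_failed = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/logout" or rec["token"] is None:
            continue
        key = (rec["ip"], rec["token"])
        hits[key] += 1
        if rec["status"] == 412:
            csrf_failed.add(key)
    return {k: {"hits": n, "csrf_failed": k in csrf_failed}
            for k, n in hits.items() if n >= min_repeats or k in csrf_failed}


if __name__ == "__main__":
    for (ip, token), info in find_logout_loops(SAMPLE_LOG).items():
        print(f"{ip} requesttoken={token} hits={info['hits']} csrf_failed={info['csrf_failed']}")
```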

julien-nc commented 7 months ago

@isdnfan We think we figured out the source of the issue (or one of the sources). This is explained in https://github.com/nextcloud/server/pull/43701 . Would you be ready to try it out on your instance? I can provide the new compiled scripts for your Nextcloud version. Are you still using Nextcloud 28.0.1 or did you upgrade to 28.0.2?

isdnfan commented 7 months ago

Hi @julien-nc, thank you. I would definitely test it on my instance. I'm running 28.0.2 now.

julien-nc commented 7 months ago

So you can replace nextcloud/dist/core-main.js and nextcloud/dist/core-main.js.map with these ones (I renamed them to .txt so GH accepts them). Keep the original files in case you want to revert.

core-main.js.map.txt core-main.js.txt

I'm not entirely sure this will fix the issue for you since you have auto_logout disabled but the symptoms on your side are very close to what the fix is addressing (being redirected multiple times to the logout page with the same requesttoken GET param).

isdnfan commented 7 months ago

I replaced both files in my instance and the first look is really good!!

many thanks for your hard work!


I see /logout... followed by /login?clear=1, then redirect to the IdP, successful auth and further redirect to /login?authRequestID=.. and finally the browser hits my main page /apps/files/

I only tested a few scenarios (letting the browser time out in the Files, Activities and Calendar apps); all worked and resulted in a clean login into the system. The only cosmetic problem: the session doesn't return to the same app but returns to a "fresh login state".

I can live with this limitation, but it would definitely be great if the client returned to the previous state.

julien-nc commented 7 months ago

That's great news, thanks for the feedback! The fix has been merged in NC server and backported to stable28, stable27 and stable26. It will be included in the next minor releases soon (all scheduled for Feb 29th).

The problem you mention is tough to solve: once the logout page is reached, we lose the information about which page you were browsing before being logged out.

Let's keep this issue open until someone confirms this is solved by the next minor release.

phoenixtechnam commented 2 days ago

Good day, I have the same issue. Using auto_logout=true and user_oidc plugin.

Even when logging in as the native admin (non-OIDC), when the forced logout kicks in I get "CSRF check failed" and the user is not logged out.

I noticed that auto-logout seems to work without error when the browser tab is active/visible. But when the browser tab is inactive, auto-logout results in "CSRF check failed".

Manual logout works without issues.

Tested on NC 29 and 30.