search

nextcloud / user_oidc

OIDC connect user backend for Nextcloud
GNU Affero General Public License v3.0
82 stars 33 forks source link

Displayname not updated anymore #839

Open quenenni opened 5 months ago

quenenni commented 5 months ago

Hello,

Since I upgraded the user_oidc app from v1.3.2 to v5.0.2, the displayname is not updated anymore in Nextcloud profil if it is modified in our Ldap. The modification of the mail address or adding/removing a group in the LDAP are still working fine.

Our Nextcloud is still in v25.0.6 (we are planning to update it, but first we updated the applications and this problems needs to be resolved before going on)

In the nextcloud log, I can see it has the correct new display name:

{"reqId":"1Hm7AArzOPJtAhg78FDx","level":0,"time":"April 17, 2024 18:12:34","remoteAddr":"1.2.3.4","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?state=XXXXX&session_state=YYYYYY&code=ZZZZZZ","message":"Parsed the JWT payload: {\"at_hash\":\"CYT3eT7iWHG79mu0hvVYF5cYsDfxQOjUa4X5UeReV4w\",\"name\":\"<CORRECT NEW DISPLAYNAME>\",\"nonce\":\"EKWKQCZAR9C5GPX6TNY9O7NP00RO4Z1V\",\"adminN\":0,\"acr\":\"loa-2\",\"sub\":\"<MY ID>\",\"exp\":1713371794,\"adminN_bool\":true,\"aud\":[\"rp-nextcloud\"],\"azp\":\"rp-nextcloud\",\"email\":\"aa@bb.coop\",\"iss\":\"https:\\/\\/auth.mydomain.coop\",\"nextCloudQuota\":\"10737418240\",\"iat\":1713370354,\"auth_time\":1713370349,\"groupsNc\":[\"groupTest2\",\"groupTest\",\"admin\"]}","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","version":"25.0.6.1","data":{"app":"user_oidc"}}

{"reqId":"1Hm7AArzOPJtAhg78FDx","level":0,"time":"April 17, 2024 18:12:34","remoteAddr":"1.2.3.4","user":"<MY ID>","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?state=XXXX&session_state=YYYYY&code=ZZZZZ","message":"$user->canChangeAvatar() is true","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","version":"25.0.6.1","data":{"app":"user_oidc"}}

{"reqId":"1Hm7AArzOPJtAhg78FDx","level":0,"time":"April 17, 2024 18:12:34","remoteAddr":"1.2.3.4","user":"<MY ID>","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?state=XXXXX&session_state=YYYYY&code=ZZZZZ","message":"Redirecting user","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","version":"25.0.6.1","data":{"app":"user_oidc"}}

The ,\"name\":\"<CORRECT NEW DISPLAYNAME>\" shows the right new value and name is the correct mapped attribute name.

I checked in the DB and I found the old display name in 3 tables:

I modified manually the value in the tables oc_user and oc_user_oidc without any change in the cloud interface. I modified the value in oc_accounts and it changed in the cloud interface.

But any of these values are updated when I modified a display name in the Ldap and logout / login in the cloud.

The user_oidc config in the Db :

user_oidc | allow_multiple_user_backends    | 0
| user_oidc | enabled                         | yes
| user_oidc | installed_version               | 5.0.2
| user_oidc | provider-3-bearerProvisioning   | 1
| user_oidc | provider-3-checkBearer          | 1
| user_oidc | provider-3-extraClaims          | n_nc 
| user_oidc | provider-3-groupProvisioning    | 1 
| user_oidc | provider-3-jwksCache            | {"keys":[{"e":"AQAB","kid":"UqD2O/EF7ZFhT4FcbLIJ8Q","kty":"RSA","use":"sig","n":"<long key>"}]} |
| user_oidc | provider-3-jwksCacheTimestamp   | 1713368828
| user_oidc | provider-3-mappingAddress       | 
| user_oidc | provider-3-mappingAvatar        | 
| user_oidc | provider-3-mappingBiography     | 
| user_oidc | provider-3-mappingCountry       | 
| user_oidc | provider-3-mappingDisplayName   | name
| user_oidc | provider-3-mappingEmail         | email
| user_oidc | provider-3-mappingFediverse     | 
| user_oidc | provider-3-mappingGender        | 
| user_oidc | provider-3-mappingGroups        | groupsNc 
| user_oidc | provider-3-mappingHeadline      | 
| user_oidc | provider-3-mappingLocality      |  
| user_oidc | provider-3-mappingOrganisation  |   
| user_oidc | provider-3-mappingPhonenumber   |  
| user_oidc | provider-3-mappingPostalcode    |   
| user_oidc | provider-3-mappingQuota         | nextCloudQuota 
| user_oidc | provider-3-mappingRegion        | 
| user_oidc | provider-3-mappingRole          | 
| user_oidc | provider-3-mappingStreetaddress |
| user_oidc | provider-3-mappingTwitter       |
| user_oidc | provider-3-mappingUid           | sub 
| user_oidc | provider-3-mappingWebsite       |
| user_oidc | provider-3-providerBasedId      | 0
| user_oidc | provider-3-sendIdTokenHint      | 1
| user_oidc | provider-3-uniqueUid            | 0 
| user_oidc | types                           | authentication

And I added today these 2 settings in nextcloud config.php file, but I don't think they are needed. And nothing changed.

  'user_oidc' => [
    'auto_provision' => true,
    'userinfo_bearer_validation' => true,
  ]

Any idea where that could come from?

Thank you

quenenni commented 4 months ago

Bumpy bump.

Can someone point me to the right file/function where the test between the current name and the one received in the token are analyzed?

yeoldegrove commented 3 months ago

I have a similar issue but I am using keycloak directly (without LDAP behind it). In the log "reqId": ... also shows me the updated displayname, but it never gets changed (even after logging off/on).

Another thing that I noticed is when I use the OCS API to query the changed user, the following is displayed:

{
  "ocs": {
    "meta": {
      "status": "ok",
      "statuscode": 100,
      "message": "OK",
      "totalitems": "",
      "itemsperpage": ""
  },
  "data": {
    "enabled": true,
    "storageLocation": "/var/www/html/data/07c95427-25d2-41f5-951b-f327809836b4",
    "id": "07c95427-25d2-41f5-951b-f327809836b4",
    ...
    "backend": "user_oidc",
    "displayname": "New Name",
    "display-name": "New Name",
    ...
    "backendCapabilities": {
      "setDisplayName": false,
      "setPassword": false
    }
  }
}

Noticed the part about backendCapabilities->setDisplayName->false.

Yet another thing I noticed is that the code to change the displayname is indeed triggered:

{"reqId":"xxx","level":0,"time":"2024-07-01T21:37:07+00:00","remoteAddr":"xx.xx.xx.xx","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?state=xxx&session_state=xxx&iss=https%3A%2F%2Fauth.xxx.com%2Fauth%2Frealms%2Fmyrealm&code=xxx","message":"Displayname mapping event dispatched","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0","version":"28.0.6.1","data":{"app":"user_oidc"}}

https://github.com/nextcloud/user_oidc/blob/1603f66a4057963485b9a6021a63156c2b85493b/lib/Service/ProvisioningService.php#L156