TL;DR: when the provider was configured with unique-uid=1 (default) an ID would be created that is not equal to the ID in Nextcloud's backend and derived from the sub claim.
This would later lead to code not finding the user in the user_oidc backend, i.e. to check whether password authentication is possible.
Steps
Configure and provision
Configure OIDC in the instance config for hard provisioning
Configure the OIDC provider with --unique-uid explicitly or implicitly true (1)
Provision the user in the Nextcloud backend with the ID from the sub claim
Provision the user in the user_oidc backend with the ID from the sub claim
Note: user_oidc will add an entry to its user table with a different ID.
Details: how the user was provisioned in Nextcloud
id="<ID as returned by the OIDC provider in the 'sub' claim>"
# other variables omitted
curl \
-d "userid=${id}" \
-d "password=" \
-d "email=${email}" \
-d "displayName=${display_name}" \
-d "groups[]=${group}" \
-H "OCS-APIRequest: true" \
"http://${AUTH}@localhost:8080/ocs/v1.php/cloud/users"
Details: how user_oidc was configured and provisioned
Note: the provider was not configured with --unique-uid=0.
The user was provisioned with:
provider="<provider ID as returned by occ user_oidc:provider>"
id="<ID from the OIDC provider>"
# other variables omitted
curl \
-D - \
-X POST \
-d "providerId=${provider}" \
-d "userId=${id}" \
-d "email=${email}" \
-d "displayName=${display_name}" \
"http://${AUTH}@localhost:8080/index.php/apps/user_oidc/user"
Why was the user provisioned in Nextcloud's and user_oidc's backend?
The call /apps/user_oidc/user (ApiController->createUser()) will fail at getUserFolder(), which tries to get a user folder from the Nextcloud backend.
Thus, the assumption was that a user has to be provisioned in the Nextcloud backend too.
Login via OIDC
Log user in via the OIDC provider
In the browser console test run or evaluate window.backendAllowsPasswordConfirmation
Observation: the value is true
Wait a couple of hours
Go to settings and try to create an app token
Expected: the token gets created and is displayed
Actual: a password confirmation dialog is displayed (see below)
How this leads to a problem
Later, when the user had logged in, the user manager will query the all known backends (including Nextcloud's user database).
Earlier in the request the user would be looked up by the OIDC provider's ID (see type of the user mapper $this and the value of $uid):
Later - different from what's shown below - code would use the default Nextcloud backend ($backend) and fail the instanceof IPasswordConfirmationBackend test:
This is how it would turn out if the provider was configured with uniqueUid=0, see how $backend is correct now:
Expectation
the documentation on hard provisioning should be extended to explain how to provision users in the Nextcloud backend correctly
granted the updated documentation does not explain why this would be a user/admin/developer error: possible bug fix of the user_oidc provisioning code depending on a user to be added in the Nextcloud backend
granted the updated documentation does not explain why this would be a user/admin/developer error: user_oidc should not add users with a different ID than was specified through the API (since, as explained above, this may lead to subsequent errors)
The code path during user provisioning should either not exist or there should be documentation how to provision users in Nextcloud correctly when using uniqueUid=1.
TL;DR: when the provider was configured with
unique-uid=1(default) an ID would be created that is not equal to the ID in Nextcloud's backend and derived from thesubclaim.This would later lead to code not finding the user in the user_oidc backend, i.e. to check whether password authentication is possible.
Steps
Configure and provision
--unique-uidexplicitly or implicitly true (1)subclaimsubclaim Note: user_oidc will add an entry to its user table with a different ID.Details: how the user was provisioned in Nextcloud
Details: how user_oidc was configured and provisioned
The addon is configured with:
The provider was configured as:
Note: the provider was not configured with
--unique-uid=0.The user was provisioned with:
Why was the user provisioned in Nextcloud's and user_oidc's backend?
The call
/apps/user_oidc/user(ApiController->createUser()) will fail atgetUserFolder(), which tries to get a user folder from the Nextcloud backend.Thus, the assumption was that a user has to be provisioned in the Nextcloud backend too.
Login via OIDC
window.backendAllowsPasswordConfirmationHow this leads to a problem
Later, when the user had logged in, the user manager will query the all known backends (including Nextcloud's user database).
However, it would not be able to find the user in the user_oidc table, because it was generated with a unique ID.
Since the user was not found in the user_oidc backend, Nextcloud will default to its own backend.
Later code will use the "wrong" backend and may mistakenly determine the user could authenticate themself.
Example
JsConfigHelper.Debugging session
Earlier in the request the user would be looked up by the OIDC provider's ID (see type of the user mapper
$thisand the value of$uid):Later - different from what's shown below - code would use the default Nextcloud backend (
$backend) and fail theinstanceof IPasswordConfirmationBackendtest:This is how it would turn out if the provider was configured with
uniqueUid=0, see how$backendis correct now:Expectation
The code path during user provisioning should either not exist or there should be documentation how to provision users in Nextcloud correctly when using
uniqueUid=1.