nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0
96 stars 76 forks source link

Bad gateway on logout #814

Open DesertCookie opened 9 months ago

DesertCookie commented 9 months ago

Expected behaviour

Following this guide and some experimentation, I expected logging out to work with one of these options as URL Location of IdP where the SP will send the SLO Request:

  1. https://auth.myurl.com/if/session-end/nextcloud/
  2. https://auth.myurl.com/application/saml/nextcloud/slo/binding/post/
  3. https://auth.myurl.com/application/saml/nextcloud/slo/binding/redirect/

Actual behaviour

I encountered a Bad gateway error that I cannot track down. With (1) the error appears with this URL in the browser: https://cloud.myurl.com/apps/user_saml/saml/sls?requesttoken=xxxxxxxxxxxxxxxxxxxxxxxxxx. However, pasting (1) into the address bar correctly logs me out and returns me to the corresponding Authentik screen. (2) and (3) always end with a Bad Request: The SAML request payload is missing. from Authentik.
Furthermore, the Nextcloud web log shows OC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist within about two minutes of my logout attempts (don't know if it's lag or an unrelated error).

PS: The logout itself seems to take place with (1), despite the bad gateway error. When heading back to cloud.myurl.com it briefly shows Authentik's Redirecting to Nextcloud... which it does not show when a Nextcloud session is still active (as happens with (2) and (3)).
Reloading the bad request page simply logs me back into Nextcloud via Authentik's redirect page.

Configuration

Operating system: unRAID 6.12.6 (Docker) Nextcloud: Nextcloud AIO 7.12.1 (Nextcloud 27.1.7 RC1) Browser: Firefox 122.0.1 Operating system: Windows 11 IdP: Authentik Reverse Proxy: Nginx Proxy Manager

Proxy Configuration

Trembler34 commented 4 months ago

Expected behaviour

Following this guide and some experimentation, I expected logging out to work with one of these options as URL Location of IdP where the SP will send the SLO Request:

  1. https://auth.myurl.com/if/session-end/nextcloud/
  2. https://auth.myurl.com/application/saml/nextcloud/slo/binding/post/
  3. https://auth.myurl.com/application/saml/nextcloud/slo/binding/redirect/

Actual behaviour

I encountered a Bad gateway error that I cannot track down. With (1) the error appears with this URL in the browser: https://cloud.myurl.com/apps/user_saml/saml/sls?requesttoken=xxxxxxxxxxxxxxxxxxxxxxxxxx. However, pasting (1) into the address bar correctly logs me out and returns me to the corresponding Authentik screen. (2) and (3) always end with a Bad Request: The SAML request payload is missing. from Authentik. Furthermore, the Nextcloud web log shows OC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist within about two minutes of my logout attempts (don't know if it's lag or an unrelated error).

PS: The logout itself seems to take place with (1), despite the bad gateway error. When heading back to cloud.myurl.com it briefly shows Authentik's Redirecting to Nextcloud... which it does not show when a Nextcloud session is still active (as happens with (2) and (3)). Reloading the bad request page simply logs me back into Nextcloud via Authentik's redirect page.

Configuration

Operating system: unRAID 6.12.6 (Docker) Nextcloud: Nextcloud AIO 7.12.1 (Nextcloud 27.1.7 RC1) Browser: Firefox 122.0.1 Operating system: Windows 11 IdP: Authentik Reverse Proxy: Nginx Proxy Manager

Proxy Configuration

  • Nginx Proxy Manager is first in line. Enabled: Websockets Support, Force SSL, HTTP/2 Support, HSTS Enabled, HSTS Subdomains. It redirects to my.servers.ipv4.address:11000.
  • Nextcloud AIO's default Apache server is second in line. It does not output any logs in the seconds of the bad gateway error.
  • No other of my services that go through Nginx Proxy Manager and use Authentik's SLO URLs (WordPress, Jellyfin, Audiobookshelf) have this issue.

Did you ever get this figured out? This is happening to me now. I notice it only happens if i dont have the option selected in SAML to allow multiple backend logins, like LDAP users.. If i keep that unchecked i get the gateway error on logout. If i have it selected and logout i get taken back to the proper authentik page with options.