nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

403 Forbidden on Android using Nextcloud App #892

Open MasterPuffin opened 1 month ago

MasterPuffin commented 1 month ago

Steps to reproduce

  1. On Android login using the Nextcloud App

Expected behaviour

The Apache server that hosts the IDP should redirect to my login form

Actual behaviour

Apache throws a 403 error. However, this only occurs when logging in with the Android app. Using the mobile browser or the desktop app, all works fine. Apache logs the following error:

[rewrite:error] [pid 1168:tid 1168] [client XXX:33946] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

This seems to be related to https://stackoverflow.com/questions/78729429/403-forbidden-when-url-contains-get-with-encoded-question-mark-unsafeallow3f

Server configuration

Web server: Apache 2.4.62 with Nginx Proxy

MasterPuffin commented 1 month ago

Update: Changing

RewriteRule ^(.*)$ index.php?/$1 [QSA]

to

RewriteRule ^(.*)$ index.php?/$1 [QSA,UnsafeAllow3F]

fixes the issue.
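Before adding UnsafeAllow3F (which restores the pre-2.4.60 substitution behaviour for that rule), an admin usually wants to know how often the AH10508 refusal fires and from which clients, and which requests trigger it. This is an added example, not code from the issue or from the user_saml project; the log lines are constructed in the format shown above, and the IPs are documentation addresses.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed sample error_log lines (not real traffic); line 2 is unrelated noise.
SAMPLE_ERROR_LOG = """\
[Tue Oct 01 10:00:00.123456 2024] [rewrite:error] [pid 1168:tid 1168] [client 203.0.113.10:33946] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
[Tue Oct 01 10:00:01.000000 2024] [core:notice] [pid 1168:tid 1168] AH00094: Command line: '/usr/sbin/apache2'
[Tue Oct 01 10:00:02.000000 2024] [rewrite:error] [pid 1168:tid 1170] [client 203.0.113.10:33950] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
[Tue Oct 01 10:00:03.000000 2024] [rewrite:error] [pid 1168:tid 1171] [client 198.51.100.7:40000] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
"""

# Module/level, client and AHnnnnn code of an Apache error_log line.
ERROR_LINE = re.compile(
    r"\[(?P<module>[a-z_]+):(?P<level>[a-z]+)\]"
    r".*?\[client (?P<client>[^\]]+)\] "
    r"(?P<code>AH\d{5}): (?P<message>.*)$"
)

# Code mod_rewrite (2.4.60 and later) logs when it refuses a substitution that
# would contain a '?' taken from the captured, already-decoded request path.
UNSAFE_3F_CODE = "AH10508"

def parse_error_line(line: str) -> Optional[dict]:
    """Fields of an error_log line that carries a client and an AH code, else None."""
    m = ERROR_LINE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Apache appends the source port as "host:port"; keep only the host part.
    fields["client_ip"] = fields["client"].rsplit(":", 1)[0]
    return fields

def unsafe_rewrite_hits(lines: Iterable[str]) -> Counter:
    """Count AH10508 refusals per client IP, to size the impact of the rule change."""
    hits: Counter = Counter()
    for line in lines:
        fields = parse_error_line(line)
        if fields and fields["code"] == UNSAFE_3F_CODE:
            hits[fields["client_ip"]] += 1
    return hits

def has_encoded_question_mark(request_uri: str) -> bool:
    """True when the path part (before any real '?') carries a percent-encoded '?'.

    mod_rewrite matches the decoded path, so %3F there becomes a literal '?' inside
    $1 and ends up in 'index.php?/$1', which is what the AH10508 check rejects."""
    path = request_uri.split("?", 1)[0]
    return "%3f" in path.lower()

if __name__ == "__main__":
    for ip, n in unsafe_rewrite_hits(SAMPLE_ERROR_LOG.splitlines()).most_common():
        print(f"{ip}: {n} refused rewrite(s)")
```

Run has_encoded_question_mark over the request paths in the access log for the same time window to find the URLs (here, those the Android app sends) that actually carry the encoded question mark.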

blizzz commented 1 month ago

@tobiasKaminsky Is the app doing something to redirect URLs that the browser engine normally would not?

tobiasKaminsky commented 3 weeks ago

Which URLs do you mean?

blizzz commented 3 weeks ago

I think in this case a redirect toward the IdP. But not entirely sure now seeing the server config at https://github.com/nextcloud/user_saml/issues/892#issuecomment-2388003880. It could be a redirect to index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl= also … but I am also doubting my earlier question now.

tobiasKaminsky commented 3 weeks ago

With login flow v1 we simply follow what the server gives us. With v2, everything is done in the browser, so any redirect is not controlled by our app.