nextcloud/user_oidc

Login from apps fails with unique IDs disabled

daniel-lerch opened this issue · 0 comments

Steps to reproduce

  1. Set up Keycloak with a custom user storage plugin
  2. Set up a new Nextcloud instance and install user_oidc
  3. Create a confidential client for Nextcloud in Keycloak
  4. Configure Keycloak as OIDC provider in Nextcloud
  5. Disable the Use unique user id option
  6. Try to sign in to the Nextcloud app on Android, iOS or Windows

Expected behavior

After granting permission to the app, the web view should close and the Nextcloud app should be authenticated.

Actual behavior

After granting permission to the app, an error 401 Unauthorized appears and authentication fails. The server log shows an error Impossible to decode OIDC token:Wrong number of segments from user_oidc and a warning Login failed: 'f' (Remote IP: '***.***.***.***') from core.

Additional context

I suspect that Nextcloud has problems with user IDs that contain a colon (:). For custom user storage providers, Keycloak generates IDs in the format f:<provider uuid>:<original user id>, e.g., f:d859e431-a45f-4474-8877-fbdfadc31d15:531. If I enable the option Use unique user id, which does not include colons (:) in the final user ID, user_oidc works perfectly.

System information

Nextcloud Hub 6 (27.1.2) from docker.io/library/nextcloud:27-apache
user_oidc v1.3.3 from official Apps
Keycloak 22.0.3
User Storage Provider: canchanchara/keycloak-churchtools-storage-provider 0.0.5-alpha
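An added Python example, not from the issue or from user_oidc, illustrating the suspected mechanism: assuming the 'f' in the Login failed: 'f' log line is the app's HTTP Basic credential split at the first colon, no server-side parse can recover a user id of the form f:<uuid>:<id> (RFC 7617 forbids ':' in a user-id for exactly this reason), so a colon-free id is the only safe choice. The Keycloak id, the app password and the colon-free mapping below are constructed or hypothetical, not user_oidc's own algorithm.

```python
import base64
import hashlib
from typing import Tuple

# Constructed sample values (not from the issue): a Keycloak federated-storage
# user id in the f:<provider uuid>:<original user id> shape, plus an app password.
FEDERATED_UID = "f:d859e431-a45f-4474-8877-fbdfadc31d15:531"
APP_PASSWORD = "example-app-password"


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends (RFC 7617 user-pass form)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_auth(header: str) -> Tuple[str, str]:
    """Server-side parse: decode and split at the FIRST colon, as RFC 7617 requires.

    This is the only parse the receiving side can do, because it has no way to
    know how many colons belong to the user-id and how many to the password.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token).decode().partition(":")
    if not sep:
        raise ValueError("malformed credential: no ':' separator")
    return user, password


def is_basic_auth_safe(user_id: str) -> bool:
    """Check to run before assigning an IdP-provided id as the login name:
    RFC 7617 forbids ':' in user-id, so such ids cannot round-trip through Basic auth."""
    return ":" not in user_id


def colon_free_user_id(user_id: str) -> str:
    """Hypothetical deterministic mapping to a colon-free id (illustrative only,
    not the 'Use unique user id' algorithm of user_oidc)."""
    return hashlib.sha256(user_id.encode()).hexdigest()[:32]


if __name__ == "__main__":
    user, _ = parse_basic_auth(basic_auth_header(FEDERATED_UID, APP_PASSWORD))
    print(user)  # 'f', the same truncated login name the issue's log line shows
```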