Login from apps fails with unique IDs disabled
daniel-lerch opened this issue · 0 comments
Steps to reproduce
- Set up Keycloak with a custom user storage plugin
- Set up a new Nextcloud instance and install user_oidc
- Create a confidential client for Nextcloud in Keycloak
- Configure Keycloak as OIDC provider in Nextcloud
- Disable the Use unique user id option
- Try to sign in with the Nextcloud app on Android, iOS or Windows
Expected behavior
After granting permission to the app, the web view should close and the Nextcloud app should be authenticated.
Actual behavior
After granting permission to the app, an error 401 Unauthorized appears and authentication fails. The server log shows an error Impossible to decode OIDC token:Wrong number of segments from user_oidc and a warning Login failed: 'f' (Remote IP: '***.***.***.***') from core.
Additional context
I suspect that Nextcloud has problems with user IDs that contain a colon (:). For custom user storage providers, Keycloak generates IDs in the format f:<provider uuid>:<original user id>, e.g., f:d859e431-a45f-4474-8877-fbdfadc31d15:531. If I enable the option Use unique user id, which does not include colons (:) in the final user ID, user_oidc works perfectly.
System information
Nextcloud Hub 6 (27.1.2) from docker.io/library/nextcloud:27-apache
user_oidc v1.3.3 from official Apps
Keycloak 22.0.3
User Storage Provider: canchanchara/keycloak-churchtools-storage-provider 0.0.5-alpha