pulsejet/nextcloud-oidc-login

WebDAV authentication not working with Nextcloud 27

Opened this issue · 11 comments

klasyc commented

Hello,

I am trying to configure Nextcloud 27 to authenticate against Keycloak 23 for development purposes. I run both applications inside docker containers, the Nextcloud is a clean nextcloud:latest docker image with nextcloud-oidc-login app installed. Web authentication works as expected, but I am not able to get the WebDAV authentication working.

I enabled the WebDAV authentication in the config.php:

'oidc_login_webdav_enabled' => true,
'oidc_login_password_authentication' => true,

And now I am trying to use the basic WebDAV authentication via curl:

curl --request OPTIONS -v --user "vojtech:vojtech" http://localhost:9001/remote.php/dav/files/vojtech

I am getting error 401 for my Keycloak user, but the request succeeds for the admin user, which has a native Nextcloud account.

To investigate further, I checked if the BasicAuthBackend::handle() method correctly registers the OIDC backend, but I found out that the initial event check fails because the event is of class OCP\SabrePluginEvent and not the \OCA\DAV\Events\SabrePluginAuthInitEvent in my case. Therefore, the OIDC backend is not registered at all and authentication, of course, fails.

Then I tried to comment out the type check, but I finished with the following exception:

OCA\OIDCLogin\Provider\OpenIDConnectClient::getTokenProfile(): Return value must be of type array, stdClass returned.

I checked the JWT passed to the getTokenProfile() method, and it is valid according to jwt.io. Since the exception is thrown by the decodeJWT() method which comes from the 3rd party library, it seems like some kind of interface incompatibility...

Could you help me to troubleshoot the WebDAV authentication?

Can you try removing the return type of getTokenProfile? You may need to restart the php server after this to clear the opcache.

klasyc commented

I had to remove:

  • Type check at lib/WebDAV/BasicAuthBackend.php line 75 (already mentioned above).
  • Return type at lib/Provider/OpenIDConnectClient.php::getTokenProfile().
  • Type of the first parameter of the lib/Service/LoginService.php::login() function.
  • Type of the first parameter of the lib/Service/LoginService.php::flatten() function.

Then the basic authentication for WebDAV started to work.

After removing the same type check at lib/WebDAV/BearerAuthBackend.php line 76 also the Bearer authentication started to work.

Thanks for helping debug this. Can you revert your changes (just uninstall / re-install the app maybe) and test this patch?
ac62355

klasyc commented

Hi, I re-created the docker container and applied your patch. Basic authorization works fine, but bearer token does not work - I always get error 401.

Does removing the type check in bearerauthbackend fix this? Maybe the event is something else...

klasyc commented

No, it does not help. Perhaps there is some issue in the token validation...

That's .. weird. That commit changed nothing related to tokens

klasyc commented

After the next round of testing, I finally got it working. Your patch was OK, but my access token was not. The iss and aud fields had wrong values because of bad Keycloak configuration. Unfortunately, the server did not give me helpful error messages, which made me think the plugin is broken... Could you turn your commit into a new release?
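The root cause in the comment above was a token whose iss and aud claims did not match what the relying party expected, and the server answered with a bare 401 rather than saying which claim was wrong. The following is an added example, not code from this issue or from the nextcloud-oidc-login app: a small standard-library-only JWT check that reports the specific reason a token is rejected (malformed, unexpected alg, bad signature, issuer mismatch, audience mismatch, expired). The HS256 shared secret, the issuer URL and the audience name are constructed for the demo; a real OIDC deployment verifies RS256 signatures against the provider's published keys instead.

```python
"""Added example (not part of the issue thread or the app's code): a JWT
validator that explains *why* a token fails, the diagnostic the reporter was
missing when Keycloak issued tokens with wrong iss/aud values.
HS256 with a shared secret is assumed only to keep the demo self-contained."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # Restore the padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Build a signed HS256 JWT (constructed test data for the demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check_token(token: str, secret: bytes, expected_iss: str,
                expected_aud: str, now: float = None) -> tuple:
    """Return (accepted, reason). Every rejection names the failing check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token: expected three dot-separated segments"
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: never trust the token's own alg beyond the one we expect.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}"

    # Signature first, so claim errors are only reported for authentic tokens.
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "signature verification failed"

    claims = json.loads(_b64url_decode(payload_b64))

    # iss must match the provider's issuer URL exactly (scheme, host, realm path).
    if claims.get("iss") != expected_iss:
        return False, (f"issuer mismatch: token iss={claims.get('iss')!r}, "
                       f"expected {expected_iss!r}")

    # aud may be a string or a list; the relying party must appear in it.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        return False, f"audience mismatch: token aud={aud!r}, expected {expected_aud!r}"

    if "exp" in claims and claims["exp"] <= now:
        return False, "token expired"

    return True, "ok"


if __name__ == "__main__":
    # Constructed values for the demo run.
    secret = b"constructed-demo-secret"
    iss = "https://keycloak.example/realms/demo"
    tok = make_token({"iss": "http://localhost:8080/realms/demo",
                      "aud": "nextcloud", "sub": "vojtech"}, secret)
    print(check_token(tok, secret, iss, "nextcloud"))
```

The reason string is what a server log line for a 401 should carry; the HTTP response itself can stay terse. Checking the signature before the claims keeps the log from leaking claim-level detail about tokens that were never valid in the first place.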

+1, do you think this fix will be turned into a release soon?
Got the same problem with WebDAV login since Nextcloud 27 upgrade

3.0.2 is up

I have just made a test with 3.0.2 sitting on Nextcloud 28.0.4 and Authentik 2024.2.3 along with app password - tested with Joplin. I can confirm it works, although the app password for now is limited in duration to 30 minutes until the next release of Authentik 2024.4