
[Bug]: Creating App Password not possible when using SAML Auth

Open MasterPuffin opened this issue 1 year ago • 7 comments

⚠️ This issue respects the following points: ⚠️

Bug description

When SAML is configured to be the only possible option for login, it is not possible to create an app password. When trying to create an app password, the server responds with a 503; however, no error is displayed in the web interface. The log states: Call to undefined method OCA\User_SAML\UserBackend::checkPassword()

Steps to reproduce

  1. Click on create app password

Expected behavior

An app password is created or at least an error is shown

Installation method

Community Web installer on a VPS or web space

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • [ ] Default user-backend (database)
  • [ ] LDAP/ Active Directory
  • [X] SSO - SAML
  • [ ] Other

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

Error
Call to undefined method OCA\User_SAML\UserBackend::checkPassword()
/var/www/hostname/lib/private/User/Session.php
line 627
OC\User\Manager->checkPasswordNoLogging(
  "*** sensitive parameters replaced ***"
)
/var/www/hostname/lib/private/User/Session.php
line 356
OC\User\Session->loginWithPassword(
  "*** sensitive parameters replaced ***"
)
/var/www/hostname/lib/private/User/Session.php
line 453
OC\User\Session->login(
  "*** sensitive parameters replaced ***"
)
/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php
line 113
OC\User\Session->logClientIn(
  "*** sensitive parameters replaced ***"
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php
line 103
OCA\DAV\Connector\Sabre\Auth->validateUserPass(
  "*** sensitive parameters replaced ***"
)
/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php
line 231
Sabre\DAV\Auth\Backend\AbstractBasic->check(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php
line 138
OCA\DAV\Connector\Sabre\Auth->auth(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php
line 179
OCA\DAV\Connector\Sabre\Auth->check(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php
line 135
Sabre\DAV\Auth\Plugin->check(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/3rdparty/sabre/event/lib/WildcardEmitterTrait.php
line 89
Sabre\DAV\Auth\Plugin->beforeMethod(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php
line 456
Sabre\DAV\Server->emit(
  "beforeMethod:OPTIONS",
  [
    [
      "Sabre\\HTTP\\Request"
    ],
    [
      "Sabre\\HTTP\\Response"
    ]
  ]
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php
line 253
Sabre\DAV\Server->invokeMethod(
  [
    "Sabre\\HTTP\\Request"
  ],
  [
    "Sabre\\HTTP\\Response"
  ]
)
/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php
line 321
Sabre\DAV\Server->start()
/var/www/hostname/apps/dav/lib/Server.php
line 370
Sabre\DAV\Server->exec()
/var/www/hostname/apps/dav/appinfo/v2/remote.php
line 35
OCA\DAV\Server->exec()
/var/www/hostname/remote.php
line 172
require_once(
  "/var/www/hostname/apps/dav/appinfo/v2/remote.php"
)
Raw log entry
{
  "reqId": "aG2wEPA7jJK5VHAkwgqn",
  "level": 3,
  "time": "2024-04-14T19:52:25+00:00",
  "remoteAddr": "IP",
  "user": "--",
  "app": "webdav",
  "method": "OPTIONS",
  "url": "/remote.php/dav/files/Username",
  "message": "Call to undefined method OCA\\User_SAML\\UserBackend::checkPassword()",
  "userAgent": "gvfs/1.52.2",
  "version": "28.0.2.5",
  "exception": {
    "Exception": "Error",
    "Message": "Call to undefined method OCA\\User_SAML\\UserBackend::checkPassword()",
    "Code": 0,
    "Trace": [
      {
        "file": "/var/www/hostname/lib/private/User/Session.php",
        "line": 627,
        "function": "checkPasswordNoLogging",
        "class": "OC\\User\\Manager",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/hostname/lib/private/User/Session.php",
        "line": 356,
        "function": "loginWithPassword",
        "class": "OC\\User\\Session",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/hostname/lib/private/User/Session.php",
        "line": 453,
        "function": "login",
        "class": "OC\\User\\Session",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php",
        "line": 113,
        "function": "logClientIn",
        "class": "OC\\User\\Session",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php",
        "line": 103,
        "function": "validateUserPass",
        "class": "OCA\\DAV\\Connector\\Sabre\\Auth",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php",
        "line": 231,
        "function": "check",
        "class": "Sabre\\DAV\\Auth\\Backend\\AbstractBasic",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/apps/dav/lib/Connector/Sabre/Auth.php",
        "line": 138,
        "function": "auth",
        "class": "OCA\\DAV\\Connector\\Sabre\\Auth",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php",
        "line": 179,
        "function": "check",
        "class": "OCA\\DAV\\Connector\\Sabre\\Auth",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php",
        "line": 135,
        "function": "check",
        "class": "Sabre\\DAV\\Auth\\Plugin",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
        "line": 89,
        "function": "beforeMethod",
        "class": "Sabre\\DAV\\Auth\\Plugin",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 456,
        "function": "emit",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          "beforeMethod:OPTIONS",
          [
            [
              "Sabre\\HTTP\\Request"
            ],
            [
              "Sabre\\HTTP\\Response"
            ]
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 253,
        "function": "invokeMethod",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": [
          [
            "Sabre\\HTTP\\Request"
          ],
          [
            "Sabre\\HTTP\\Response"
          ]
        ]
      },
      {
        "file": "/var/www/hostname/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 321,
        "function": "start",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/hostname/apps/dav/lib/Server.php",
        "line": 370,
        "function": "exec",
        "class": "Sabre\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/hostname/apps/dav/appinfo/v2/remote.php",
        "line": 35,
        "function": "exec",
        "class": "OCA\\DAV\\Server",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/hostname/remote.php",
        "line": 172,
        "args": [
          "/var/www/hostname/apps/dav/appinfo/v2/remote.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/var/www/hostname/lib/private/User/Manager.php",
    "Line": 265,
    "message": "Call to undefined method OCA\\User_SAML\\UserBackend::checkPassword()",
    "exception": [],
    "CustomMessage": "Call to undefined method OCA\\User_SAML\\UserBackend::checkPassword()"
  },
  "id": "661c33fc04507"
}

Additional info

No response

MasterPuffin avatar Apr 14 '24 19:04 MasterPuffin
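
A log triage sketch for the entry above, added here as an example and not part of the original issue or of Nextcloud's code: it scans nextcloud.log-style JSON lines for the undefined checkPassword() error and reports which request and code path attempted the password login. The sample lines are constructed (only the first mirrors the reported entry, with the trace shortened), and the helper names are hypothetical.

```python
import json
import re
from collections import Counter

PATTERN = re.compile(r"Call to undefined method (\S+)::checkPassword\(\)")

def frame(cls, fn):
    return {"class": cls, "function": fn, "type": "->"}

# Trace shortened from the raw entry above (innermost frame first).
TRACE = [
    frame(r"OC\User\Manager", "checkPasswordNoLogging"),
    frame(r"OC\User\Session", "loginWithPassword"),
    frame(r"OC\User\Session", "logClientIn"),
    frame(r"OCA\DAV\Connector\Sabre\Auth", "validateUserPass"),
    frame(r"Sabre\DAV\Server", "exec"),
]
MSG = r"Call to undefined method OCA\User_SAML\UserBackend::checkPassword()"

def entry(app, method, agent, exception=None, message="ok"):
    return json.dumps({"app": app, "method": method, "userAgent": agent,
                       "message": message, "exception": exception})

# Constructed sample log: only the first line mirrors the report; the rest are invented.
SAMPLE_LOG = "\n".join([
    entry("webdav", "OPTIONS", "gvfs/1.52.2", {"Message": MSG, "Trace": TRACE}, MSG),
    entry("webdav", "PROPFIND", "example-sync/1.0", {"Message": MSG, "Trace": TRACE}, MSG),
    entry("settings", "POST", "Mozilla/5.0"),
    '{"app": "webdav", "truncated',
])

def summarize(log_text):
    """Count checkPassword() errors per (backend, app, method, client, caller)."""
    hits = Counter()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        exc = rec.get("exception") or {}
        found = PATTERN.search(exc.get("Message", ""))
        if not found:
            continue
        # First frame outside OC\User\* is the code path that attempted a password login.
        caller = next((f"{f['class']}::{f['function']}" for f in exc.get("Trace", [])
                       if f.get("class") and not f["class"].startswith("OC\\User\\")), "unknown")
        hits[(found.group(1), rec.get("app"), rec.get("method"),
              rec.get("userAgent"), caller)] += 1
    return hits

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

Grouping by caller and client separates errors raised by WebDAV basic-auth clients from anything logged for the settings page request.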

Possible duplicate of https://github.com/nextcloud/user_saml/issues/826

solracsf avatar Apr 15 '24 06:04 solracsf

Possible duplicate of nextcloud/user_saml#826

I don't think it is. Our user_saml has the fixed version of lib/UserBackend.php but we still cannot create app passwords. There are no error messages for the user nor in the Nextcloud or php_fpm logs. Devtools shows a 503 response to the POST request to /settings/personal/authtokens (request only containing the "name" for the new app, JSON encoded).

adsche avatar Jun 04 '24 11:06 adsche

I can confirm adsche's comment. No log in nextcloud.log, the button just doesn't do anything, and in the web browser's console it just shows a 503 for a POST request to https://diopbox.fr/settings/personal/authtokens

It appears that logging off and back in fixes it. I suppose it's linked to this patch? https://github.com/nextcloud/server/pull/7487/files which appears to set a timer for it (30m, I can try to wait rn and see)

edit: doesn't happen anymore, I'll try to find an actual way to replicate it

Naia-love avatar Jun 14 '24 14:06 Naia-love

Wow! Indeed, it works right after login for a while (more than 30 min) but stops working at some point.

adsche avatar Jun 22 '24 19:06 adsche

I can confirm that this bug, including the timed behavior and no errors, also happens with OIDC login.

aurelilia avatar Jun 27 '24 19:06 aurelilia

I upgraded to 29.0.3 because I almost expected #43942 (#45705) to fix this issue as it seems related. Unfortunately it doesn't seem to have fixed it. App password creation was again possible for only a short time after SSO login.

adsche avatar Jun 28 '24 06:06 adsche

Can confirm: upgraded to 29.0.3 and it still has the same problem

Naia-love avatar Jun 28 '24 08:06 Naia-love

Confirmed... only recent login allows it to work - affects installing Apps as well

j007bond007 avatar Jul 19 '24 13:07 j007bond007

I confirm. Account disconnection/reconnection solves the issue

battosai30 avatar Aug 30 '24 11:08 battosai30

Using [Nextcloud Hub 8] (29.0.8) and OIDC: Logout and Re-Login is needed to manipulate App Passwords.

meyca avatar Nov 23 '24 15:11 meyca

Same here, logout and re-login is needed for it to work.

wintix avatar Dec 09 '24 11:12 wintix

Since the last comment is 3 months old, I'm just here to say that it's still happening with version 30.0.6

EnercoopJNE avatar Mar 07 '25 13:03 EnercoopJNE

Just started experiencing this behaviour on the last upgrade to Nextcloud 30.0.8

gonzalo avatar Mar 24 '25 11:03 gonzalo

@szaimen - as you added the "28 feedback" tag and there wasn't any response/acknowledgement from the team since then, I'd just like to point out that this is still valid in 29 and 30 ...

adsche avatar Mar 24 '25 11:03 adsche