Getting 502 sometimes on login and always on logout
After changing the IdP domain I am getting a 502 after the redirection from Authentik with the link https://domain.tld/apps/user_oidc/sls?requesttoken=rjOEcLJdZwWVZWO36qJmrJn/xxxxxxxqt4avU%3D:y3LRQuocSGT3TlLbptgjxdvItdy0xxxBJLI%3D
but only sometimes on login, and I seem to be logged in anyway, because when I visit NC with the base URL after that I am logged in.
But logging out always produces the 502 as well.
The logs only show this
Error | user_oidc | Impossible to decode OIDC token: Error: kid must be provided in JWT header.
and
OC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist
I am running NC with Authentik on another install and it is working flawlessly there. Any hints on getting it debugged further? The console logs of Authentik and NC don't show anything interesting regarding this issue.
I have a similar issue: NC + Authentik. It worked once, but then just stopped. Login is not possible. Every time Authentik redirects to NC I get an internal error:
Type: Exception
Code: 0
Message: Error: kid must be provided in JWT header.
File: /var/www/html/custom_apps/user_oidc/lib/Service/DiscoveryService.php
Line: 154
A workaround which worked for me was unchecking "send ID token hint on logout": no more browser error, for whatever reason. On another install it works flawlessly with the box checked.
I already unchecked that option. Toggling has no effect either.
I am getting the same issue, and it is consistent. I am unable to log in. Any other workaround?
This issue is a bit difficult to reproduce for me as it requires a setup with Authentik.
You could try to edit line 155 of apps/user_oidc/lib/Service/DiscoveryService.php from
throw new \Exception('Error: kid must be provided in JWT header.');
to
$this->logger->warning('kid is not provided in JWT header');
return $jwks;
To give a bit more context: the Firebase/JWT library used by user_oidc was complaining (crashing :grin:) when decoding a JWT token because it didn't know the encryption algorithm of the JWK (encryption key provided by the discovery endpoint).
Information contained in the JWT token:
- kid: id of the JWK to use to decode
- alg: algorithm used to encrypt the token
So the fix we implemented was to set the missing JWK alg to the value used in the JWT token. The library was then happy and could decode the token. Problem is in your case: the token does not provide a kid so we can't know which key should be used to decode it so we can't try to fix this key.
I guess this logic is a bit broken since the kid is not needed in the token if the JWKs are not broken. Let's find out if it works when the kid is not mandatory anymore (the change I suggested).
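To make the key-selection logic described above concrete, here is an added illustration in Python. It is not user_oidc's own code (that is PHP) and does not use the Firebase/JWT library; it only shows the header/JWKS reconciliation step that the thread is about: look the key up by the token's kid, copy a missing alg from the token header into the JWK, and fail with the messages seen in this thread when the JWKS has no "keys" member or is empty. Two things go beyond what the thread states and are my own choices: a token without a kid is accepted only when the JWK Set holds exactly one key, and a token whose alg is "none" or contradicts the key's declared alg is rejected, so the token can never talk the verifier into a weaker algorithm. The sample JWKS and tokens are constructed for the example, and the tokens carry an empty signature segment because signature verification is out of scope here.

```python
import base64
import json
from typing import Any


class DiscoveryError(Exception):
    """Raised when the token header and the JWK Set cannot be reconciled."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_header(token: str) -> dict[str, Any]:
    """Return the (unverified) JOSE header of a compact-serialised JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise DiscoveryError("not a compact JWS (expected 3 dot-separated parts)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise DiscoveryError(f"cannot decode JWT header: {exc}") from exc
    if not isinstance(header, dict):
        raise DiscoveryError("JWT header is not a JSON object")
    return header


def select_jwk(token: str, jwks: Any) -> dict[str, Any]:
    """Pick the JWK that should verify `token` and fill in a missing `alg`.

    - the JWKS document must carry a "keys" list, otherwise fail loudly
      (this is the '"keys" member must exist' situation from the thread);
    - choose the key by the token's kid; without a kid, fall back to the
      only key when the set holds exactly one (my choice, not the thread's);
    - if the chosen key has no alg, copy it from the token header (the
      user_oidc fix described above), but never let the token override an
      alg the key already declares and never accept alg "none".
    """
    header = jwt_header(token)
    if not isinstance(jwks, dict) or not isinstance(jwks.get("keys"), list):
        raise DiscoveryError('"keys" member must exist in the JWK Set')
    keys = jwks["keys"]
    if not keys:
        raise DiscoveryError("JWK Set is empty: the IdP publishes no signing key")

    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise DiscoveryError("JWT header alg is missing or 'none'")

    kid = header.get("kid")
    if kid is None:
        if len(keys) != 1:
            raise DiscoveryError("kid must be provided in JWT header when the JWK Set has several keys")
        key = keys[0]
    else:
        matches = [k for k in keys if isinstance(k, dict) and k.get("kid") == kid]
        if not matches:
            raise DiscoveryError(f"no JWK with kid {kid!r} in the JWK Set")
        key = matches[0]

    key = dict(key)  # work on a copy; do not mutate the cached discovery document
    if "alg" not in key:
        key["alg"] = alg
    elif key["alg"] != alg:
        raise DiscoveryError(f"token alg {alg!r} does not match key alg {key['alg']!r}")
    return key


def make_unsigned_token(header: dict[str, Any], payload: dict[str, Any]) -> str:
    """Build a compact JWT with an empty signature segment (test input only)."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",
    ])


# Constructed sample data, not captured from Authentik or Nextcloud.
# The key carries a kid but, like the JWKS discussed above, no alg.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "authentik-1", "use": "sig", "n": "AQAB", "e": "AQAB"}]}


def demo() -> dict[str, str]:
    """Run the situations from the thread and report the outcome per case."""
    ok = make_unsigned_token({"alg": "RS256", "kid": "authentik-1", "typ": "JWT"}, {"sub": "alice"})
    no_kid = make_unsigned_token({"alg": "RS256", "typ": "JWT"}, {"sub": "alice"})
    alg_none = make_unsigned_token({"alg": "none", "kid": "authentik-1"}, {"sub": "alice"})
    cases = [
        ("kid_and_missing_alg", ok, SAMPLE_JWKS),
        ("no_kid_single_key", no_kid, SAMPLE_JWKS),
        ("no_keys_member", ok, {"error": "no signing key configured"}),
        ("empty_keys", ok, {"keys": []}),
        ("alg_none", alg_none, SAMPLE_JWKS),
    ]
    results: dict[str, str] = {}
    for name, token, jwks in cases:
        try:
            key = select_jwk(token, jwks)
            results[name] = f"ok: kid={key.get('kid')} alg={key['alg']}"
        except DiscoveryError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "no_keys_member" and "empty_keys" cases are the shape of discovery document you get when the IdP is not configured with a signing key at all; failing on them with a clear message is more useful than the null-foreach crash further down the code path.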
@julien-nc
I have the same problem and changed DiscoveryService.php as you suggested. Now I get this error instead:
UnexpectedValueException "keys" member must exist in the JWK Set
I have the same errors as you, even the same errors when changing the DiscoveryService.php code.
I went further and added
$this->logger->warning(implode(",", $jwk));
and got this error
foreach() argument must be of type array|object, null given at /var/www/html/custom_apps/user_oidc/lib/Service/DiscoveryService.php#160
That made me realize that Authentik wasn't sending a JWT, so I looked into that, and the solution for me was that I hadn't selected a "Signing Key" in the provider settings. I selected "authentik Self-signed Certificate"; it still didn't work, so I removed the application and provider and recreated them, making sure to choose a signing key, and it worked.
Looking back at the guide I was following, I missed the step to select a signing key :sob: https://docs.goauthentik.io/integrations/services/nextcloud
Hopefully that fixes yours too