user_oidc

Group character limit

Open dan1el127 opened this issue 1 year ago • 1 comments

Steps to reproduce

  1. I am using Authentik as my OIDC provider, following this guide to use a property mapping to add groups. I added a user to some extra groups and came across errors; after looking into it, it seems I found a limit on the characters for groups. Below are the group strings I have been testing. If you add a single extra character to any of the groups below, you get an "Access forbidden Failed to contact the OIDC provider token endpoint" error when authenticating; removing that extra character, the issue doesn't appear.
[
    "GsfJGATsssXasssZsOAsMXLaRseqasdKZ",
    "TszfSLEsbRWfsssasVbssPLaGsssERj",
    "pseSGYQsasXssssMsLBsRZMfwqEsadarsY",
    "GsdSGPPsKQjKsssesAhsnXlakiqbenuDssfaeAK",
    "WsCSGVPsAXjIsssfsFZsPVLCYsaekjebywkqlqas",
    "pszSGPPsasKksssTsAhsiNtdAsaassqLueyqbwj",
    "WsaSPPPssZTAsssEsRGsdYGsWsoqwddaeE",
    "psaSQPPsGPqWsssZsDvsaEjuebqjdAssyaqjsjs"
]

Expected behaviour

To successfully authenticate when using OIDC

Actual behaviour

Adding the extra character to any of the above group strings causes this error: [image]

Server configuration

Web server: Nginx

Database: PostgreSQL

PHP version: 8.3.13

Nextcloud version: Nextcloud Hub 9 (30.0.1)

List of activated apps
  • activity: 3.0.0
  • app_api: 4.0.0
  • bruteforcesettings: 3.0.0
  • cloud_federation_api: 1.13.0
  • comments: 1.20.1
  • dav: 1.31.1
  • federatedfilesharing: 1.20.0
  • files: 2.2.0
  • files_downloadlimit: 3.0.0
  • files_external: 1.22.0
  • files_pdfviewer: 3.0.0
  • files_reminders: 1.3.0
  • files_sharing: 1.22.0
  • files_trashbin: 1.20.1
  • files_versions: 1.23.0
  • firstrunwizard: 3.0.0
  • logreader: 3.0.0
  • lookup_server_connector: 1.18.0
  • nextcloud_announcements: 2.0.0
  • notifications: 3.0.0
  • oauth2: 1.18.1
  • password_policy: 2.0.0
  • photos: 3.0.2
  • privacy: 2.0.0
  • provisioning_api: 1.20.0
  • recommendations: 3.0.0
  • related_resources: 1.5.0
  • serverinfo: 2.0.0
  • settings: 1.13.0
  • systemtags: 1.20.0
  • text: 4.1.0
  • theming: 2.5.0
  • twofactor_backupcodes: 1.19.0
  • updatenotification: 1.20.0
  • user_oidc: 6.1.2
  • viewer: 3.0.0
  • webhook_listeners: 1.1.0-dev
  • workflowengine: 2.12.0
Nextcloud configuration
{
    "system": {
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.domain.com"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "30.0.1.2",
        "overwrite.cli.url": "http:\/\/nextcloud.domain.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "allow_local_remote_servers": true,
        "filelocking.enabled": true,
        "upgrade.disable-web": true,
        "filesystem_check_changes": true,
        "defaultapp": "",
        "loglevel": 2,
        "maintenance": false,
        "maintenance_window_start": 23,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "dbindex": 0,
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 1.5
        },
        "default_phone_region": "AU",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": true,
                "verify_peer": false,
                "verify_peer_name": false
            }
        }
    }
}

Browser

Browser name: tried on Firefox, Safari, Chrome

Browser version: varies

Operating system: Mac

Browser log
Nothing useful in the browser logs.

dan1el127, Nov 06 '24 00:11

If you set the NC loglevel to 0 (in config.php) and reproduce the issue, you will get log lines (in data/nextcloud.log) that contain "Failed to contact the OIDC provider token endpoint" and more details about what happened.

Looking at the implementation, it is most likely an Authentik failure on the token_endpoint request.

julien-nc, Feb 11 '25 10:02
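As a worked illustration of the debugging step suggested in the comment above, the following is an added example (not part of this issue thread or of the user_oidc project): it reads a Nextcloud JSON-lines log, keeps only the entries whose message or nested exception mentions the token endpoint failure, and then pulls out every other entry that shares the failing request's reqId, which is where the loglevel-0 detail ends up. The field names (reqId, level, time, app, message, exception) follow Nextcloud's JSON log format; the sample log lines, their messages and the exception text are constructed for this example and are not real user_oidc output.

```python
"""Filter a Nextcloud JSON-lines log (data/nextcloud.log) for OIDC
token-endpoint failures and correlate them with the rest of the request.

Added example, not code from the user_oidc project. The SAMPLE_LOG
content below is constructed; only the field layout mirrors Nextcloud's
JSON log format.
"""
import json
from typing import Iterable

# Message text named in the thread (also shown to the user in the browser).
NEEDLE = "Failed to contact the OIDC provider token endpoint"

# Nextcloud numeric log levels; config.php "loglevel" uses the same scale.
LEVELS = {0: "DEBUG", 1: "INFO", 2: "WARN", 3: "ERROR", 4: "FATAL"}

# Constructed sample log: two entries from one failing request, one
# unrelated entry, and one malformed line that the parser must skip.
SAMPLE_LOG = """
{"reqId":"req-constructed-1","level":0,"time":"2024-11-06T00:11:00+00:00","remoteAddr":"203.0.113.10","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code","message":"constructed debug entry before the token request","userAgent":"Mozilla/5.0","version":"30.0.1.2"}
{"reqId":"req-constructed-1","level":3,"time":"2024-11-06T00:11:01+00:00","remoteAddr":"203.0.113.10","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code","message":"Failed to contact the OIDC provider token endpoint","userAgent":"Mozilla/5.0","version":"30.0.1.2","exception":{"Exception":"RuntimeException","Message":"constructed: token endpoint answered with HTTP 500","Code":500}}
{"reqId":"req-constructed-2","level":2,"time":"2024-11-06T00:12:00+00:00","remoteAddr":"203.0.113.10","user":"alice","app":"core","method":"GET","url":"/index.php/apps/files/","message":"constructed unrelated warning","userAgent":"Mozilla/5.0","version":"30.0.1.2"}
this line is not JSON and must be skipped, not crash the scan
"""


def parse_log_lines(lines: Iterable[str]) -> list[dict]:
    """Parse one JSON object per line; blank or malformed lines are skipped."""
    entries = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(json.loads(raw))
        except json.JSONDecodeError:
            # A truncated or rotated line should not abort the whole scan.
            continue
    return entries


def token_endpoint_failures(entries: list[dict]) -> list[dict]:
    """Return a compact summary of every entry mentioning NEEDLE."""
    hits = []
    for e in entries:
        message = e.get("message", "")
        exc = e.get("exception") if isinstance(e.get("exception"), dict) else {}
        exc_message = exc.get("Message", "")
        if NEEDLE not in message and NEEDLE not in exc_message:
            continue
        hits.append({
            "time": e.get("time"),
            "level": LEVELS.get(e.get("level"), str(e.get("level"))),
            "app": e.get("app"),
            "reqId": e.get("reqId"),
            "message": message,
            "exception": exc.get("Exception"),
            "exception_message": exc_message,
        })
    return hits


def related_entries(entries: list[dict], req_id: str) -> list[dict]:
    """All entries sharing a reqId, oldest first: the debug trail of one request."""
    same = [e for e in entries if e.get("reqId") == req_id]
    return sorted(same, key=lambda e: e.get("time", ""))


if __name__ == "__main__":
    entries = parse_log_lines(SAMPLE_LOG.splitlines())
    for hit in token_endpoint_failures(entries):
        print(f"{hit['time']} {hit['level']} {hit['app']} reqId={hit['reqId']}")
        print(f"  {hit['message']}")
        if hit["exception"]:
            print(f"  {hit['exception']}: {hit['exception_message']}")
        print("  same request:")
        for e in related_entries(entries, hit["reqId"]):
            print(f"    {e.get('time')} [{LEVELS.get(e.get('level'))}] {e.get('message')}")
```

Run it against a real log with `parse_log_lines(open("data/nextcloud.log"))`; the reqId correlation is the useful part, because at loglevel 0 the entry that carries the provider's actual response sits next to the error under the same request id rather than in the error entry itself.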