Desktop Client - Reauthentication after reboot/restart
Hi,
we are using user_saml and it works very well, thank you for the great work!
I have a question regarding the need for reauthentication on the desktop client. We examined that users have to reauthenticate after reboot/restart of the client. I dug in the code and found "something" in /appinfo/app.php which seems to force the reauthentication. And now I'm wondering if it would be possible to disable this reauthentication as long as the session is still valid?
Thanks a lot
> I dug in the code and found "something" in /appinfo/app.php which seems to force the reauthentication.
What have you found and how should it be changed? Maybe code would help to discuss this.
cc @schiessle
I found especially the following comment/code block beginning in line 87 at /appinfo/app.php
    // However, it is an opt-in setting to use SAML for the desktop clients. For better
    // UX (users don't have to reauthenticate) we default to disallow the access via
    // SAML at the moment.
    $useSamlForDesktopClients = $config->getAppValue('user_saml', 'general-use_saml_auth_for_desktop', '0');
    if($useSamlForDesktopClients === '1') {
        $currentUrl = substr(explode('?',$request->getRequestUri(), 2)[0], strlen(\OC::$WEBROOT));
        if(substr($currentUrl, 0, 12) === '/remote.php/' || substr($currentUrl, 0, 5) === '/ocs/') {
            if(!$userSession->isLoggedIn() && $request->isUserAgent([\OC\AppFramework\Http\Request::USER_AGENT_OWNCLOUD_DESKTOP])) {
                $redirectSituation = true;
            }
        }
    }
I thought (because of the comment and the USER_AGENT_OWNCLOUD_DESKTOP reference, or perhaps "hoped" is the better term ;) that this handles the redirection instead of resuming the session if the desktop client gets restarted. So I changed $redirectSituation = true; to $redirectSituation = false;, restarted my signed-in oc client and learned that this is obviously not the case: the oc client requested reauthentication (because of the nc client OS X thing I can't test the nc client).
So we tried to light things up a little bit and tried other clients, with the finding that the nc Android app supports SAML AND survives even an app kill/restart. That gave us the information that it's possible, but we are still not sure if this is a client thing or a user_saml (or even nc server) thing.
Would be great if someone can shed some light on this, as it would be an enhancement for all people using SAML (or maybe even other SSO solutions). Or perhaps someone has an idea where to look further?
thanks a lot nico
This issue is still present, and is kinda a big problem. App passwords don't seem to work, and direct login is broken, it just goes back to the "Choose log in" screen.
I've also noticed that the Android client, which was using an app password, was logged out after starting it up today. Considering that isn't meant to be tied to SAML...
I'm having trouble with this, it's kinda important for the desktop and the android client to remain signed on so they can sync in the background.
This looks more like an issue with the app passwords getting invalid. See https://github.com/nextcloud/server/issues/2581 for the background. We are working on it already and sorry for the mess.
@MorrisJobke I don't think that the server is causing this issue. I have the same situation, but when I use the ownCloud desktop client, then it works perfectly fine - it is not asking for the password again. Only the Nextcloud desktop client does.
@MorrisJobke We can't use app passwords at all for the desktop client. If we could, I feel it'd solve this problem as we could use that.
I use an app password for my Android client, that can use app passwords, and it doesn't log out on me.
In the upcoming desktop clients app passwords are used automatically after using the new login flow.
@rullzer @juliushaertl know more about this.
Hopefully it won't take long to come out, it's an annoying issue not being able to use the desktop app.
I'm having this same issue. I'm using Nextcloud 14 (migrated from ownCloud), LDAP and SSO/SAML (OneLogin). The Windows client (v2.3.3) authenticates well with SAML, but wants to reauthenticate every time the client is restarted. This is a big annoyance for my users. The same problem repeats with the ownCloud client. Is there any news on this issue?
I also tested the beta client (v 2.5.0) but it does not work with SAML (it gets stuck on the redirecting screen after SAML authentication).
> I also tested the beta client (v 2.5.0) but it does not work with SAML (it gets stuck on the redirecting screen after SAML authentication).
cc @rullzer @camilasan
> I also tested the beta client (v 2.5.0) but it does not work with SAML (it gets stuck on the redirecting screen after SAML authentication).
Same issue here, 2.5.0 daily builds also failing on the redirect page after IdP authentication.
Do any of you have test credentials for me?
When I try it with my SAML setup it works.
@rullzer I'd be willing to give you test credentials for my server to fix this. PM me for details. I am getting the same problem. Specs:
Running Keycloak, v4.5.0.Final
Running Nextcloud, v14.0.3
Running Nextcloud Desktop for Linux, Version 2.5.0 (build 20181112)
I tried the ownCloud Desktop Client, and it gets beyond the redirect problem. Their version is Version 2.5.1 (build 10450)
@davidgut1982 please send them to roeland @ nextcloud.com
I just faced both problems – forced reauthentication with both ownCloud and Nextcloud client and stuck on redirect with Nextcloud client (@Just-Insane). What solved this was simply unticking "Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)" in the options for this plugin. The desktop clients were still authenticating via our Keycloak instance after that.
I’ll have to check it out, thanks for the tip.
I'm having issues with this as well. My desktop client app keeps logging out and I have to log in.
Server: Ubuntu Server 16.0.4 LTS
NC Version: 15.0.7
Desktop: Windows 10
NC Client: 2.5.2

I am having the same problem with NC version 16.0.0 and NC version 2.5.2 on Windows 10.
Using both LDAP and SSO. There is 2FA enabled for LDAP so NC must use app token.
Has there been any progress on this, please?
> I am having the same problem with NC version 16.0.0 and NC version 2.5.2 on Windows 10.
> Using both LDAP and SSO. There is 2FA enabled for LDAP so NC must use app token.
> Has there been any progress on this, please?
I have the exact same issues with the exact same setup (except Nextcloud 16.0.1). A fix for this issue is needed urgently. Thanks!
Installing libgnome-keyring solved it for me.
libgnome-keyring was the solution for me as well. Fedora 30.
I didn't have this issue before but suddenly it started happening a week ago. I get a window prompting for credentials every time I reboot my laptop. Installing libgnome-keyring-dev fixed it for me on Ubuntu 19.04. @dgoodwin @aymanbagabas thanks for the tip
There is no libgnome-keyring on Xubuntu 19.10, any ideas how to solve it over there? The client keeps setting up app passwords (can see them in Nextcloud), but does not reuse them after reboot.
There might be a libgnome-keyring0 (Debian Stretch here). Installing this fixed the problem for me.