Bad gateway on logout
Expected behaviour
Following this guide and some experimentation, I expected logging out to work with one of these options as URL Location of IdP where the SP will send the SLO Request:
1. https://auth.myurl.com/if/session-end/nextcloud/
2. https://auth.myurl.com/application/saml/nextcloud/slo/binding/post/
3. https://auth.myurl.com/application/saml/nextcloud/slo/binding/redirect/
Actual behaviour
I encountered a Bad gateway error that I cannot track down. With (1) the error appears with this URL in the browser: https://cloud.myurl.com/apps/user_saml/saml/sls?requesttoken=xxxxxxxxxxxxxxxxxxxxxxxxxx. However, pasting (1) into the address bar correctly logs me out and returns me to the corresponding Authentik screen. (2) and (3) always end with a Bad Request: The SAML request payload is missing. from Authentik.
Furthermore, the Nextcloud web log shows OC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist within about two minutes of my logout attempts (don't know if it's lag or an unrelated error).
PS: The logout itself seems to take place with (1), despite the bad gateway error. When heading back to cloud.myurl.com it briefly shows Authentik's Redirecting to Nextcloud... which it does not show when a Nextcloud session is still active (as happens with (2) and (3)).
Reloading the bad request page simply logs me back into Nextcloud via Authentik's redirect page.
Configuration
Operating system: unRAID 6.12.6 (Docker)
Nextcloud: Nextcloud AIO 7.12.1 (Nextcloud 27.1.7 RC1)
Browser: Firefox 122.0.1
Operating system: Windows 11
IdP: Authentik
Reverse Proxy: Nginx Proxy Manager
Proxy Configuration
- Nginx Proxy Manager is first in line. Enabled: Websockets Support, Force SSL, HTTP/2 Support, HSTS Enabled, HSTS Subdomains. It redirects to my.servers.ipv4.address:11000.
- Nextcloud AIO's default Apache server is second in line. It does not output any logs in the seconds of the bad gateway error.
- No other of my services that go through Nginx Proxy Manager and use Authentik's SLO URLs (WordPress, Jellyfin, Audiobookshelf) have this issue.
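The SAML HTTP-Redirect binding carries the message in a `SAMLRequest` (or `SAMLResponse`) query parameter that is raw-DEFLATE compressed and then base64 encoded. As an added example (not part of the original post, and not Nextcloud or Authentik code), this Python helper takes a URL copied from the browser's network tab and reports whether that parameter is present and what it decodes to; the sample LogoutRequest, its ID, timestamp, NameID and issuer are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 64 * 1024  # cap on inflated size; guards against decompression bombs


def deflate_b64(xml: str) -> str:
    """Encode XML as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inspect_slo_url(url: str) -> dict:
    """Report whether a captured SLO URL carries a SAML message, and decode it."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    info = {"endpoint": parts.path, "param": None, "message": None,
            "issuer": None, "destination": None}
    for name in ("SAMLRequest", "SAMLResponse"):
        if name not in query:
            continue
        raw = base64.b64decode(query[name][0], validate=True)
        inflater = zlib.decompressobj(-15)
        xml = inflater.decompress(raw, MAX_XML)
        if inflater.unconsumed_tail:
            raise ValueError("inflated message exceeds size cap")
        if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
            raise ValueError("DTD in SAML message; refusing to parse")
        root = ET.fromstring(xml)
        issuer = root.find("saml:Issuer", NS)
        info.update(param=name, message=root.tag.split("}")[-1],
                    issuer=None if issuer is None else issuer.text,
                    destination=root.get("Destination"))
    return info

# Constructed sample data: hostnames follow the placeholders used in the post.
SLO = "https://auth.myurl.com/application/saml/nextcloud/slo/binding/redirect/"
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    f'Version="2.0" IssueInstant="2024-02-10T12:00:00Z" Destination="{SLO}">'
    '<saml:Issuer>https://cloud.myurl.com/apps/user_saml/saml/metadata</saml:Issuer>'
    '<saml:NameID>constructed-user</saml:NameID></samlp:LogoutRequest>')
WITH_PAYLOAD = SLO + "?" + urlencode({"SAMLRequest": deflate_b64(SAMPLE_XML)})
```

`inspect_slo_url(SLO)` returns `param: None`, while `inspect_slo_url(WITH_PAYLOAD)` returns the message type, issuer and destination, which can be compared against the SP and IdP settings.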
Did you ever get this figured out? This is happening to me now. I notice it only happens if I don't have the option selected in SAML to allow multiple backend logins, like LDAP users. If I keep that unchecked I get the gateway error on logout. If I have it selected and log out I get taken back to the proper Authentik page with options.
I am having the same problem; I have tried multiple endpoints for user logout without success.
Cannot replicate @Trembler34's "functioning" state with the allow multiple backend logins, it just doesn't work for me.
In the Nextcloud logs I can see:
InvalidTokenException Token does not exist: token does not exist
Renewing session token failed: Token does not exist: token does not exist
{"file":"/var/www/html/index.php","line":24,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/Authentication/Token/PublicKeyTokenProvider.php","Line":165,"Previous":{"Exception":"OCP\\AppFramework\\Db\\DoesNotExistException","Message":"token does not exist","Code":0,"Trace":[{"file":"/var/www/html/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":157,"function":"getToken","class":"OC\\Authentication\\Token\\PublicKeyTokenMapper","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":232,"function":"getToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/public/AppFramework/Db/TTransactional.php","line":45,"function":"OC\\Authentication\\Token\\{closure}","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":231,"function":"atomic","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":[{"__class__":"Closure"},{"__class__":"OC\\DB\\ConnectionAdapter"}]},{"file":"/var/www/html/lib/private/Authentication/Token/Manager.php","line":155,"function":"renewSessionToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***","1326e2f7a9fb48862893c3b490fe23ce"]},{"file":"/var/www/html/lib/private/User/Session.php","line":884,"function":"renewSessionToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***","1326e2f7a9fb48862893c3b490fe23ce"]},{"file":"/var/www/html/lib/base.php","line":1107,"function":"loginWithCookie","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/base.php","line":1014,"function":"handleLogin","class":"OC","type":"::","args":[{"__class__":"OC\\AppFramework\\Http\\Request"}]},{"file":"/var/www/html/index.php","line":24,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/Authentication/Token/PublicKeyTokenMapper.php","Line":81},"message":"Renewing session token failed: Token does not exist: token does not exist","user":"myuser","exception":{},"CustomMessage":"Renewing session token failed: Token does not exist: token does not exist"}}
Configuration
Operating system: k8s
Nextcloud: Nextcloud Hub 10 (31.0.2)
Browser: Firefox 137.0.2
Operating system: Windows 11
IdP: Authentik
Reverse Proxy: nginx ingress -> nginx reverse proxy
As this seems to be a setup issue I would like to ask you to raise your question in the forums: https://help.nextcloud.com
If you wish support with setup issues from Nextcloud GmbH we offer this as part of the Nextcloud subscription. Learn more about this at https://nextcloud.com/enterprise/