Admin actions require password
Hi
I'm using this plugin to log in and that works fine. However, when doing some admin actions, such as updating plugins, I'm prompted for the Nextcloud password. Since I had a local user with password before activating this plugin, I'm still able to enter that, but that is not how it should work. Is there a way to handle this?
Hello. I cannot reproduce this bug. Do you still encounter this issue?
Hi, I stopped using this plugin, so I'm not able to test. Maybe some of the others who have marked a thumbs up on this can test it?
I can reproduce this issue:
- Log in via OIDC with a user that is within the admin group, defined in `"oidc_login_attributes": { "is_admin": "your_admin_group" },`
- This user therefore has admin rights. But if this user makes some admin-related changes, after some time they get asked by Nextcloud to enter their password. But the password defined at your OIDC provider will not work, of course:
What are the workarounds?
- Just log out and log in again. This resets this timer and you can make administrative changes for some time.
- Add a new security key (Personal settings --> Security) if you have installed Two-Factor WebAuthn Plugin. This also seems to reset this timer.
One possible solution could be to perform security authentication with some 2FA methods in such situations...
I'm also observing this behavior. It happens when doing certain "sensitive" actions after being logged in for a while, as a re-authentication. I noticed this not only when changing admin settings, but also e.g. when creating a new app password.
As a workaround I've simply set myself a known password, so I have something to enter there, but I don't think this is optimal.