
Error with AssertionConsumerServiceURL using Auth0

Open kewinbrand opened this issue 6 years ago • 3 comments

Hi, I'm trying to set up Nextcloud using Auth0 as Identity Provider.

The plugin correctly redirects me to the external login page, but then a generic error from Auth0 is displayed. In the Auth0 logs it says:

"error": {
      "message": "The SAML Request AssertionConsumerServiceURL is invalid: 'http://my-nextcloud-domain/apps/user_saml/saml/acs'",
      "oauthError": "invalid_request",
      "type": "request-error"
    }

I inspected the redirects the browser does when logging in, and indeed the SAMLRequest that Nextcloud passes has the assertion consumer service URL without https. Whole SAMLRequest:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_edc7929f6bf546831d8b2bce06b64bc9a3ccec0d"
    Version="2.0"

    IssueInstant="2019-07-11T15:23:32Z"
    Destination="-omitted-"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://my-nextcloud-domain/apps/user_saml/saml/acs">
    <saml:Issuer>http://my-nextcloud-domain/apps/user_saml/saml/metadata</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        AllowCreate="true" />

</samlp:AuthnRequest>

My suspicion is that, as Nextcloud is behind a reverse proxy (nginx), it does not use https although it is.

Can you shed some light? Btw I followed this guide: https://medium.com/@mathiasconradt/nextcloud-single-sign-on-with-auth0-a546cdf1fccf

kewinbrand · Jul 11 '19 17:07

I'm having the same issue, and it appears that we're not alone. https://github.com/nextcloud/user_saml/issues/227

This was working for me with NC 14, but our upgrade to 16 has broken it.

xtrasimplicity · Jul 17 '19 02:07

After a little digging, I can confirm that the URLs are built using OC's URLGenerator, which respects the HTTP_X_FORWARDED_PROTO header and the overwriteprotocol configuration option, as per: https://github.com/nextcloud/server/blob/23245904d386144090b313568b09385a88291e73/lib/private/AppFramework/Http/Request.php#L688

TL;DR: You can resolve this by making sure that the proxy server sets the HTTP_X_FORWARDED_PROTO header to https, or by setting overwriteprotocol to https in /var/www/html/config/config.php, like so:

<?php
$CONFIG = array (
 ....
  "overwriteprotocol" => "https",
);

Source: https://docs.nextcloud.com/server/10/admin_manual/configuration_server/reverse_proxy_configuration.html#multiple-domains-reverse-ssl-proxy

xtrasimplicity · Jul 17 '19 03:07
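A small Python model of the scheme-selection precedence xtrasimplicity describes (overwriteprotocol first, then X-Forwarded-Proto, then the local TLS flag) and of the ACS URL that results. This is an added illustration, not code from Nextcloud or from this thread. It assumes, in line with the trusted_proxies option in Nextcloud's reverse-proxy documentation, that a forwarded header is only honoured when the request really came from a listed proxy; otherwise any client could choose the scheme of the ACS URL just by sending the header. Hostnames, addresses and function names are made up for the example.

```python
"""
Added example: simplified model of how a reverse-proxied app picks the
scheme for its SAML AssertionConsumerServiceURL. Not Nextcloud's code.

Precedence modelled here:
  1. overwriteprotocol from config.php wins if set;
  2. otherwise X-Forwarded-Proto, but only from a proxy in trusted_proxies
     (assumption; never trust forwarded headers from arbitrary clients);
  3. otherwise the TLS flag of the local socket (the HTTPS server variable);
  4. otherwise http.
"""
from ipaddress import ip_address, ip_network

ACS_PATH = "/apps/user_saml/saml/acs"


def from_trusted_proxy(remote_addr: str, trusted_proxies: list) -> bool:
    """True if the TCP peer is one of the configured proxies (IP or CIDR)."""
    addr = ip_address(remote_addr)
    return any(addr in ip_network(entry, strict=False) for entry in trusted_proxies)


def server_protocol(server: dict, config: dict) -> str:
    """Return 'http' or 'https' for the request described by `server`."""
    forced = config.get("overwriteprotocol", "")
    if forced:
        return forced
    xfp = server.get("HTTP_X_FORWARDED_PROTO")
    if xfp and from_trusted_proxy(server["REMOTE_ADDR"], config.get("trusted_proxies", [])):
        # Chained proxies may append values; the leftmost is the client-facing one.
        proto = xfp.split(",")[0].strip().lower()
        # Only a literal "https" upgrades the scheme; anything else stays http.
        return "https" if proto == "https" else "http"
    if server.get("HTTPS", "").lower() not in ("", "off"):
        return "https"
    return "http"


def acs_url(server: dict, config: dict) -> str:
    """Build the ACS URL the way a URL generator would, from scheme + host + path."""
    host = config.get("overwritehost") or server["HTTP_HOST"]
    return f"{server_protocol(server, config)}://{host}{ACS_PATH}"


# Constructed request environments, as PHP would see them behind nginx.
# A proxy that terminates TLS would set: proxy_set_header X-Forwarded-Proto $scheme;
PROXIED = {"REMOTE_ADDR": "10.0.0.2", "HTTP_HOST": "my-nextcloud-domain",
           "HTTP_X_FORWARDED_PROTO": "https"}
# Same header, but sent directly by an arbitrary client, not by our proxy.
UNTRUSTED = {"REMOTE_ADDR": "203.0.113.9", "HTTP_HOST": "my-nextcloud-domain",
             "HTTP_X_FORWARDED_PROTO": "https"}
# Proxy that forwards plain HTTP and sets no header at all (the thread's situation).
PLAIN = {"REMOTE_ADDR": "10.0.0.2", "HTTP_HOST": "my-nextcloud-domain"}

if __name__ == "__main__":
    trusted = {"trusted_proxies": ["10.0.0.0/8"]}
    print("no header, no overwrite :", acs_url(PLAIN, {}))
    print("header, proxy trusted   :", acs_url(PROXIED, trusted))
    print("header, proxy untrusted :", acs_url(PROXIED, {}))
    print("header spoofed by client:", acs_url(UNTRUSTED, trusted))
    print("overwriteprotocol=https :", acs_url(PLAIN, {"overwriteprotocol": "https"}))
```

The third and fourth cases are the ones to keep in mind when applying the TL;DR above: adding the header on nginx is only half of it if the app also requires the proxy's address to be listed, and a forwarded-scheme header that is honoured from any source lets a client dictate the ACS URL and Issuer that end up in the AuthnRequest.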

Had the same issue. In my case the problem was an incorrect "Allowed Callback URLs" setting. I used the same guide, and it says to set "https://<NEXTCLOUD_HOSTNAME>/index.php/apps/user_saml/saml/acs". Try setting it to "https://<NEXTCLOUD_HOSTNAME>/apps/user_saml/saml/acs".

danysvirsky · Jul 17 '19 21:07