[Bug]: Can not confirm my password for administrative actions when logged in via LDAP / SAML
⚠️ This issue respects the following points: ⚠️
- [X] This is a bug, not a question or a configuration/webserver/proxy issue.
- [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [X] I agree to follow Nextcloud's Code of Conduct.
Bug description
Nextcloud 28.0.2
We primarily use SAML via Active Directory for authentication. If I am logged in for a longer period of time I have to confirm my password for certain tasks such as disabling users, installing apps, etc.
When I now enter my SAML password I receive a 403 Forbidden in the console, and the confirmation prompt displays "wrong password".
Steps to reproduce
- Login via SAML
- Wait some time to be asked for your password again
- Enter the password and be denied
Expected behavior
Password is checked against SAML and I can continue without having to log out and log in again
Installation method
None
Nextcloud Server version
28.0.2
Operating system
Ubuntu
PHP engine version
8.1.21
Web server
Apache2
Database engine version
Mysql
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
- [x] Default user-backend (database)
- [x] LDAP/ Active Directory
- [x] SSO - SAML
- [ ] Other
Configuration report
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"nextcloud.***REMOVED SENSITIVE VALUE***.com"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "28.0.2.5",
"overwrite.cli.url": "http:\/\/172.22.1.77\/nextcloud",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_sendmailmode": "smtp",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"trashbin_retention_obligation": "1, 3",
"maintenance": false,
"theme": "",
"loglevel": 2,
"defaultapp": "files",
"default_phone_region": "AT",
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"skeletondirectory": "",
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"twofactor_enforced": "true",
"twofactor_enforced_groups": [
"guest_app"
],
"twofactor_enforced_excluded_groups": [],
"app_install_overwrite": [
"cfg_share_links",
"files_downloadlimit"
]
}
}
List of activated Apps
Enabled:
- activity: 2.20.0
- admin_audit: 1.18.0
- bruteforcesettings: 2.8.0
- cfg_share_links: 4.2.0
- cloud_federation_api: 1.11.0
- dav: 1.29.1
- federatedfilesharing: 1.18.0
- files: 2.0.0
- files_accesscontrol: 1.18.0
- files_downloadlimit: 1.1.0
- files_external: 1.20.0
- files_pdfviewer: 2.9.0
- files_reminders: 1.1.0
- files_sharing: 1.20.0
- files_trashbin: 1.18.0
- files_versions: 1.21.0
- group_default_quota: 0.1.8
- groupfolders: 16.0.3
- guests: 3.0.1
- logreader: 2.13.0
- lookup_server_connector: 1.16.0
- notifications: 2.16.0
- oauth2: 1.16.3
- password_policy: 1.18.0
- provisioning_api: 1.18.0
- serverinfo: 1.18.0
- settings: 1.10.1
- theming: 2.3.0
- twofactor_admin: 4.4.0
- twofactor_backupcodes: 1.17.0
- twofactor_totp: 10.0.0-beta.2
- user_ldap: 1.19.0
- user_saml: 6.1.1
- viewer: 2.2.0
- workflowengine: 2.10.0
Disabled:
- circles: 28.0.0-dev (installed 27.0.1)
- comments: 1.18.0 (installed 1.17.0)
- contactsinteraction: 1.9.0 (installed 1.8.0)
- dashboard: 7.8.0 (installed 7.0.0)
- encryption: 2.16.0
- federation: 1.18.0 (installed 1.17.0)
- firstrunwizard: 2.17.0 (installed 2.16.0)
- nextcloud_announcements: 1.17.0 (installed 1.16.0)
- photos: 2.4.0 (installed 2.3.0)
- privacy: 1.12.0 (installed 1.11.0)
- recommendations: 2.0.0 (installed 1.6.0)
- related_resources: 1.3.0 (installed 1.1.0-alpha1)
- sharebymail: 1.18.0 (installed 1.17.0)
- support: 1.11.0 (installed 1.10.0)
- survey_client: 1.16.0 (installed 1.15.0)
- suspicious_login: 6.0.0
- systemtags: 1.18.0 (installed 1.17.0)
- text: 3.9.1 (installed 3.9.1)
- updatenotification: 1.18.0 (installed 1.17.0)
- user_status: 1.8.1 (installed 1.0.1)
- weather_status: 1.8.0 (installed 1.0.0)
Nextcloud Signing status
too long, will upload paste if necessary
Nextcloud Logs
{"reqId":"tNWjYe683QXSWajw1iy6","level":2,"time":"2024-02-16T10:50:02+00:00","remoteAddr":"**removed**","user":"adminsega","app":"core","method":"POST","url":"/index.php/login/confirm","message":"Login failed: 'adminsega' (Remote IP: '**removed**')","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36","version":"28.0.2.5","data":{"app":"core"},"id":"65cf3ddfb2338"}
Additional info
No response
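The log entry quoted above shows what makes this failure mode awkward to triage: a failed password confirmation on `/index.php/login/confirm` is recorded as a plain "Login failed" line, indistinguishable at first glance from a credential-stuffing attempt against the login form, and (assuming the confirm endpoint is brute-force protected the same way the login form is) an admin who keeps retrying the prompt can end up throttled. The following script, added here as an example and not part of Nextcloud or this report, reads `nextcloud.log` lines (one JSON object per line), separates "Login failed" events on the confirmation endpoint from those on the real login form, and flags confirm failures for accounts that are known to come from an SSO backend. The sample log is constructed from the line in the report (remote IP left redacted as in the report) plus invented entries; the SSO user list is an assumption the caller supplies.

```python
"""Triage Nextcloud 'Login failed' entries by endpoint (added example)."""
import json
import re
from collections import Counter

CONFIRM_URL = "/index.php/login/confirm"   # password-confirmation prompt
LOGIN_URL = "/index.php/login"             # real login form
LOGIN_FAILED_RE = re.compile(r"^Login failed: '([^']*)'")

# Constructed sample log: line 1 is the entry from the report above, the rest
# are invented to show a login-form failure and an unrelated entry.
SAMPLE_LOG = """
{"reqId":"tNWjYe683QXSWajw1iy6","level":2,"time":"2024-02-16T10:50:02+00:00","remoteAddr":"**removed**","user":"adminsega","app":"core","method":"POST","url":"/index.php/login/confirm","message":"Login failed: 'adminsega' (Remote IP: '**removed**')","version":"28.0.2.5"}
{"reqId":"a1","level":2,"time":"2024-02-16T10:50:40+00:00","remoteAddr":"**removed**","user":"adminsega","app":"core","method":"POST","url":"/index.php/login/confirm","message":"Login failed: 'adminsega' (Remote IP: '**removed**')","version":"28.0.2.5"}
{"reqId":"a2","level":2,"time":"2024-02-16T11:02:13+00:00","remoteAddr":"203.0.113.9","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Login failed: 'bob' (Remote IP: '203.0.113.9')","version":"28.0.2.5"}
{"reqId":"a3","level":1,"time":"2024-02-16T11:02:14+00:00","remoteAddr":"203.0.113.9","user":"--","app":"files","method":"GET","url":"/index.php/apps/files","message":"noise","version":"28.0.2.5"}
"""


def parse_entries(lines):
    """Yield parsed JSON log entries, skipping blank or non-JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def failed_login_user(entry):
    """Return the account named in a 'Login failed' message, else None.

    On /login/confirm the request already has a session, so the 'user' field
    is populated; on the login form it is '--'. The message names the account
    in both cases, so it is the reliable source.
    """
    m = LOGIN_FAILED_RE.match(entry.get("message", ""))
    return m.group(1) if m else None


def triage(lines, sso_users):
    """Count failed logins per user and endpoint; flag SSO accounts failing
    only at the confirmation prompt, which is the symptom in this report."""
    confirm = Counter()
    login = Counter()
    for entry in parse_entries(lines):
        user = failed_login_user(entry)
        if user is None or entry.get("method") != "POST":
            continue
        url = entry.get("url", "")
        if url == CONFIRM_URL:
            confirm[user] += 1
        elif url == LOGIN_URL:
            login[user] += 1
    sso_hits = sorted(u for u in confirm if u in sso_users)
    return {
        "confirm_failures": dict(confirm),
        "login_failures": dict(login),
        "sso_confirm_failures": sso_hits,
    }


if __name__ == "__main__":
    # 'adminsega' as an SSO-backed account is an assumption for the demo.
    print(json.dumps(triage(SAMPLE_LOG.splitlines(), {"adminsega"}), indent=2))
```

Run it against the real log with `triage(open("nextcloud.log"), sso_users)`, where `sso_users` is built from your SAML or OIDC backend's user list; accounts appearing under `sso_confirm_failures` but not under `login_failures` are locked out by the confirmation prompt rather than under attack, and should not be treated as brute-force alerts.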
This does affect all supported versions, not only 28 (same issue occurs on v26).
Is there no way to disable this check in the meantime? I couldn't find anything...
@blizzz should we move this to SAML repo or this belongs to server?
Does the same problem occur with social login? I think this is a nextcloud issue.
There is an issue on user_saml open: https://github.com/nextcloud/user_saml/issues/309
The solution might involve changes on the server, but as the domain of the issue is the SAML backend, let's keep it there and close here.
I am not sure I agree with this decision... yes, there may be a ticket in the according SSO plugin repo (in my case actually https://github.com/pulsejet/nextcloud-oidc-login/issues/54) – but those plugins seemingly cannot "fix" this, because it is a problem/missing feature with the server. There should at least be an option for the admin to turn this off as a workaround.
It is, by the way, hard to reproduce. I gave somebody admin rights but they couldn't do anything due to this until I set a password for them. For me, however, there wasn't a single verification form, even though I was also coming from SSO.
I was expecting an issue with oidc, but never seen one. But have a server only fix candidate. OK, reopening here, and closing there.
Confirmed, using OIDC. Nextcloud asks for a password on app update, for example. As a workaround I have to log out and log in again to do admin tasks.