[Bug]: App Password Username too long with OAuth Logins
⚠️ This issue respects the following points: ⚠️
- [X] This is a bug, not a question or a configuration/webserver/proxy issue.
- [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [X] I agree to follow Nextcloud's Code of Conduct.
Bug description
I have users log in with OAuth, which maps the username to the OAuth UUID. This makes usernames 64 characters long. However, some apps like Mac Calendar (CalDAV) cannot redirect to the OAuth login. An app password was created to log in; however, the CalDAV app does not allow a 64-char username. Would it be possible to make the app password username customizable, or to default to a shorter (i.e. 20 char) username?
Steps to reproduce
- Create user with 64 character username
- Create App password
- Try using the app password & username in 3rd-party software.
Expected behavior
Log in with app password
Installation method
Community Docker image
Nextcloud Server version
28
Operating system
RHEL/CentOS
PHP engine version
PHP 8.3
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- [ ] Default user-backend (database)
- [ ] LDAP/ Active Directory
- [X] SSO - SAML
- [ ] Other
Configuration report
{
"system": {
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"filelocking.enabled": "true",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"enabledPreviewProviders": [
"OC\\Preview\\Imaginary"
],
"preview_imaginary_url": "nextcloud_imaginary:9000",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"***REMOVED SENSITIVE VALUE***"
],
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "28.0.1.1",
"overwrite.protocol": "https",
"overwritehost": "***REMOVED SENSITIVE VALUE***",
"overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"mail_smtpmode": "smtp",
"mail_smtpsecure": "ssl",
"mail_sendmailmode": "smtp",
"mail_smtpauthtype": "LOGIN",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "465",
"mail_smtpauth": 1,
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"default_phone_region": "US",
"maintenance": false,
"updater.release.channel": "stable",
"theme": "",
"loglevel": 2,
"allow_local_remote_servers": true,
"upgrade.disable-web": true
}
}
List of activated Apps
Enabled:
- calendar: 4.6.2
- cloud_federation_api: 1.11.0
- contactsinteraction: 1.9.0
- dav: 1.29.1
- federatedfilesharing: 1.18.0
- files: 2.0.0
- files_external: 1.20.0
- files_pdfviewer: 2.9.0
- files_reminders: 1.1.0
- files_sharing: 1.20.0
- logreader: 2.13.0
- lookup_server_connector: 1.16.0
- notifications: 2.16.0
- oauth2: 1.16.3
- provisioning_api: 1.18.0
- serverinfo: 1.18.0
- settings: 1.10.1
- sharebymail: 1.18.0
- snappymail: 2.32.0
- spreed: 18.0.1
- text: 3.9.1
- theming: 2.3.0
- twofactor_backupcodes: 1.17.0
- twofactor_totp: 10.0.0-beta.2
- user_oidc: 1.3.5
- viewer: 2.2.0
- workflowengine: 2.10.0
Disabled:
- activity: 2.20.0 (installed 2.17.0)
- admin_audit: 1.18.0
- bruteforcesettings: 2.8.0
- circles: 28.0.0-dev (installed 25.0.0)
- comments: 1.18.0 (installed 1.15.0)
- contacts: 5.5.1 (installed 5.5.1)
- dashboard: 7.8.0 (installed 7.5.0)
- encryption: 2.16.0
- federation: 1.18.0 (installed 1.15.0)
- files_rightclick: 1.6.0 (installed 1.4.0)
- files_trashbin: 1.18.0 (installed 1.15.0)
- files_versions: 1.21.0 (installed 1.18.0)
- firstrunwizard: 2.17.0 (installed 2.14.0)
- nextcloud_announcements: 1.17.0 (installed 1.14.0)
- password_policy: 1.18.0 (installed 1.15.0)
- photos: 2.4.0 (installed 2.0.1)
- privacy: 1.12.0 (installed 1.9.0)
- recommendations: 2.0.0 (installed 1.4.0)
- related_resources: 1.3.0 (installed 1.0.4)
- support: 1.11.0 (installed 1.8.0)
- survey_client: 1.16.0 (installed 1.13.0)
- suspicious_login: 6.0.0
- systemtags: 1.18.0 (installed 1.15.0)
- updatenotification: 1.18.0 (installed 1.17.0)
- user_ldap: 1.19.0
- user_status: 1.8.1 (installed 1.5.0)
- weather_status: 1.8.0 (installed 1.5.0)
Nextcloud Signing status
No errors have been found.
Nextcloud Logs
No response
Additional info
No response
Hi. Are you sure this is related to user_oidc?
So your problem is that the CalDAV client app you are using does not allow long user IDs, right? There is not much we can do on the Nextcloud side for that. 64 chars is the max size of a Nextcloud user ID. The "login name" of an app password can't be customized. It must be the user ID. You could file a feature request with the Nextcloud server to be able to customize the "login name" of app passwords (first check if this has already been requested).
If you are using user_oidc to let the users connect to Nextcloud, you are in control of which OIDC attribute is mapped as the user ID. On the user_oidc side, you can map another attribute for the user ID. On the OIDC provider side (the identity provider), you can make sure this attribute exists for all users. But then you can't migrate the existing users (before this change) to the new ones. The first new attempt to log in to Nextcloud as one of those users will create a new user with the new user ID. The old corresponding user won't be accessible anymore.