user_saml
After updating htaccess, SSO stops working
Steps to reproduce
- Install and configure NC with user_saml and SSO (I'm using krb5)
- Change RewriteBase to / (to remove index.php from the URLs)
- Run occ maintenance:update:htaccess
Expected behaviour
Login should continue to work as before
Actual behaviour
Error message saying that account is not provisioned
Server configuration detail
Operating system: Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64
Webserver: Apache/2.4.38 (Debian) (apache2handler)
Database: mysql 10.4.12
PHP version: 7.3.16
Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, PDO, bz2, posix, Reflection, session, SimpleXML, pdo_sqlite, standard, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, apcu, Phar, exif, gd, gmp, imagick, imap, intl, ldap, memcached, pcntl, pdo_mysql, pdo_pgsql, redis, smbclient, sodium, zip, libsmbclient, Zend OPcache
Nextcloud version: 18.0.3 - 18.0.3.0
Updated from an older Nextcloud/ownCloud or fresh install:
Where did you install Nextcloud from: unknown
Signing status
Array ( )
List of activated apps
Enabled:
- accessibility: 1.4.0
- activity: 2.11.0
- admin_audit: 1.8.0
- apporder: 0.9.0
- bookmarks: 2.3.4
- bruteforcesettings: 1.5.0
- calendar: 2.0.2
- cloud_federation_api: 1.1.0
- comments: 1.8.0
- contacts: 3.2.0
- dav: 1.14.0
- federatedfilesharing: 1.8.0
- federation: 1.8.0
- files: 1.13.1
- files_external: 1.9.0
- files_pdfviewer: 1.7.0
- files_rightclick: 0.15.2
- files_sharing: 1.10.1
- files_trashbin: 1.8.0
- files_versions: 1.11.0
- files_videoplayer: 1.7.0
- firstrunwizard: 2.7.0
- issuetemplate: 0.6.0
- logreader: 2.3.0
- lookup_server_connector: 1.6.0
- maps: 0.1.6
- news: 14.1.3
- nextcloud_announcements: 1.7.0
- notes: 3.2.0
- notifications: 2.6.0
- oauth2: 1.6.0
- occweb: 0.0.7
- password_policy: 1.8.0
- passwords: 2020.3.1
- phonetrack: 0.6.2
- photos: 1.0.0
- privacy: 1.2.0
- provisioning_api: 1.8.0
- qownnotesapi: 20.1.0
- ransomware_protection: 1.6.1
- recommendations: 0.6.0
- richdocuments: 3.5.2
- serverinfo: 1.8.0
- settings: 1.0.0
- sharebymail: 1.8.0
- spreed: 8.0.5
- support: 1.1.0
- survey_client: 1.6.0
- systemtags: 1.8.0
- tasks: 0.12.1
- text: 2.0.0
- theming: 1.9.0
- twofactor_admin: 2.0.0
- twofactor_backupcodes: 1.7.0
- twofactor_totp: 4.1.3
- twofactor_u2f: 5.1.0
- updatenotification: 1.8.0
- user_ldap: 1.8.0
- user_saml: 3.0.1
- viewer: 1.2.0
- workflowengine: 2.0.0
Disabled:
- encryption
- ocdownloader
- ojsxc
Configuration (config/config.php)
{
"htaccess.RewriteBase": "\/",
"instanceid": "***REMOVED SENSITIVE VALUE***",
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"cloud.r3pek.org",
"app",
"nextcloud_app"
],
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"overwrite.cli.url": "https:\/\/cloud.r3pek.org",
"dbtype": "mysql",
"version": "18.0.3.0",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"maintenance": false,
"ldapIgnoreNamingRules": false,
"ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
"logtimezone": "Europe\/Lisbon",
"mail_smtpmode": "smtp",
"mail_smtpauthtype": "LOGIN",
"mail_smtpsecure": "tls",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpauth": 1,
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "587",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"theme": "",
"loglevel": 2,
"app_install_overwrite": [
"occweb"
]
}
Are you using external storage, if yes which one: local/smb/sftp/...
Are you using encryption:
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
LDAP configuration (delete this par if not used)
Client configuration
Browser: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Operating system:
Logs
Web server error log
[Mon Mar 30 23:19:57.864833 2020] [authz_core:debug] [pid 183] mod_authz_core.c(820): [client 10.0.0.18:39006] AH01626: authorization result of Require valid-user : granted,
[Mon Mar 30 23:19:57.864878 2020] [authz_core:debug] [pid 183] mod_authz_core.c(820): [client 10.0.0.18:39006] AH01626: authorization result of <RequireAny>: granted,
[Mon Mar 30 23:19:57.856599 2020] [authz_core:debug] [pid 183] mod_authz_core.c(820): [client 10.0.0.18:39006] AH01626: authorization result of Require valid-user : denied (no authenticated user yet),
[Mon Mar 30 23:19:57.856653 2020] [authz_core:debug] [pid 183] mod_authz_core.c(820): [client 10.0.0.18:39006] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet),
[Mon Mar 30 23:19:57.856673 2020] [auth_gssapi:debug] [pid 183] mod_auth_gssapi.c(895): [client 10.0.0.18:39006] URI: /apps/user_saml/saml/login, no main, no prev
Nextcloud log
{"reqId":"BKLpYGOrxA3DXbXsRrPN","level":2,"time":"2020-03-31T00:21:08+01:00","remoteAddr":"10.255.0.2","user":"--","app":"user_saml","method":"GET","url":"/apps/user_saml/saml/login?originalUrl=&requesttoken=E4Z5FY2KSAdXHbHuRQhC2fmokybMHt676DR2tacl0gs%3D:db4wceHQfWxjefrXdEAQl53xpUGgKZuQnnUf8OBugV0%3D&idp=1","message":"Error while trying to login using sso environment variable: IDP parameter for the UID (REMOTE_USER) not found. Possible parameters are: [\"REDIRECT_GSS_NAME\",\"REDIRECT_GSS_SESSION_EXPIRATION\",\"REDIRECT_HTTP_AUTHORIZATION\",\"REDIRECT_PATH_INFO\",\"REDIRECT_htaccessWorking\",\"REDIRECT_front_controller_active\",\"REDIRECT_STATUS\",\"HTTP_AUTHORIZATION\",\"PATH_INFO\",\"htaccessWorking\",\"front_controller_active\",\"HTTP_HOST\",\"HTTP_USER_AGENT\",\"HTTP_ACCEPT\",\"HTTP_COOKIE\",\"HTTP_X_FORWARDED_FOR\",\"HTTP_X_FORWARDED_HOST\",\"HTTP_X_FORWARDED_PORT\",\"HTTP_X_FORWARDED_PROTO\",\"HTTP_X_FORWARDED_SERVER\",\"HTTP_X_REAL_IP\",\"HTTP_ACCEPT_ENCODING\",\"PATH\",\"SERVER_SIGNATURE\",\"SERVER_SOFTWARE\",\"SERVER_NAME\",\"SERVER_ADDR\",\"SERVER_PORT\",\"REMOTE_ADDR\",\"DOCUMENT_ROOT\",\"REQUEST_SCHEME\",\"CONTEXT_PREFIX\",\"CONTEXT_DOCUMENT_ROOT\",\"SERVER_ADMIN\",\"SCRIPT_FILENAME\",\"REMOTE_PORT\",\"REDIRECT_REMOTE_USER\",\"REDIRECT_URL\",\"REDIRECT_QUERY_STRING\",\"GATEWAY_INTERFACE\",\"SERVER_PROTOCOL\",\"REQUEST_METHOD\",\"QUERY_STRING\",\"REQUEST_URI\",\"SCRIPT_NAME\",\"PHP_SELF\",\"REQUEST_TIME_FLOAT\",\"REQUEST_TIME\",\"argv\",\"argc\"]","userAgent":"curl/7.66.0","version":"18.0.3.0","id":"5e827ee4a0673"}
Browser log
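The Nextcloud log line above lists REDIRECT_REMOTE_USER and REDIRECT_GSS_NAME among the available parameters but no plain REMOTE_USER, while the Apache debug lines show mod_auth_gssapi authenticating the original URI /apps/user_saml/saml/login. Apache prefixes environment variables with REDIRECT_ when a request goes through an internal redirect, which is what the front-controller RewriteRule in .htaccess does once htaccess.RewriteBase is set, so the variable the auth module set is reaching PHP under a different name than the one user_saml is configured to read. The helper below is an added example, not code from the user_saml app or from this issue: it parses a log line of this shape and reports whether the configured attribute is present, present only under the REDIRECT_ prefix, or absent. The embedded log line is an abridged copy of the one in this report.

```python
import json
import re
from typing import Optional

# Abridged copy of the Nextcloud log line posted in this issue. The
# "Possible parameters" list is what user_saml saw in $_SERVER and is the
# only part of the line this helper reads.
SAMPLE_LOG_LINE = json.dumps({
    "reqId": "BKLpYGOrxA3DXbXsRrPN",
    "level": 2,
    "app": "user_saml",
    "url": "/apps/user_saml/saml/login?idp=1",
    "message": (
        "Error while trying to login using sso environment variable: "
        "IDP parameter for the UID (REMOTE_USER) not found. "
        "Possible parameters are: "
        + json.dumps([
            "REDIRECT_GSS_NAME", "REDIRECT_GSS_SESSION_EXPIRATION",
            "REDIRECT_HTTP_AUTHORIZATION", "REDIRECT_PATH_INFO",
            "REDIRECT_front_controller_active", "REDIRECT_STATUS",
            "HTTP_AUTHORIZATION", "PATH_INFO", "front_controller_active",
            "HTTP_HOST", "REMOTE_ADDR", "REDIRECT_REMOTE_USER",
            "REDIRECT_URL", "REDIRECT_QUERY_STRING", "REQUEST_URI",
            "SCRIPT_NAME",
        ])
    ),
})

_MSG_RE = re.compile(
    r"IDP parameter for the UID \((?P<wanted>\w+)\) not found\. "
    r"Possible parameters are: (?P<present>\[.*\])"
)


def parse_sso_error(line: str) -> Optional[tuple[str, list[str]]]:
    """Return (configured attribute, list of $_SERVER keys) from a user_saml
    'sso environment variable' error line, or None if the line is not one."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if entry.get("app") != "user_saml":
        return None
    m = _MSG_RE.search(entry.get("message", ""))
    if not m:
        return None
    return m.group("wanted"), json.loads(m.group("present"))


def diagnose(wanted: str, present: list[str]) -> dict:
    """Explain why the configured attribute was not found.

    Apache renames environment variables that were set before an internal
    redirect (for example by the front-controller RewriteRule that maps
    /apps/... onto index.php when htaccess.RewriteBase is set) by prefixing
    them with REDIRECT_, and adds REDIRECT_STATUS / REDIRECT_URL for the
    redirected request. If the wanted name only shows up with that prefix,
    the auth module ran on the original URL but the variable was renamed
    before PHP saw it.
    """
    keys = set(present)
    redirected = f"REDIRECT_{wanted}"
    return {
        "wanted": wanted,
        "found": wanted in keys,
        "redirected_as": redirected if redirected in keys else None,
        "internal_redirect": bool({"REDIRECT_STATUS", "REDIRECT_URL"} & keys),
        # Auth-module variables that only survived under the prefix. GSS_NAME
        # and GSS_SESSION_EXPIRATION are what mod_auth_gssapi exports.
        "auth_vars_behind_redirect": sorted(
            k for k in keys
            if k.startswith("REDIRECT_")
            and (k.endswith("REMOTE_USER") or "GSS_" in k)
        ),
    }


if __name__ == "__main__":
    parsed = parse_sso_error(SAMPLE_LOG_LINE)
    if parsed:
        print(diagnose(*parsed))
```

The environment-variable login mode trusts whatever the web server hands over, so the auth block has to cover the URL form actually being requested; in this report the auth_gssapi debug line confirms it does, which leaves the rename across the internal redirect as the thing to verify (for example by dumping $_SERVER from a PHP script placed behind the same <Location> block, before and after setting RewriteBase).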
Does your Nextcloud overview show "All checks passed"? Did you try the configs below? overwritehost, overwriteprotocol
https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters
Does your Nextcloud overview show "All checks passed"?
Yes, everything is green.
Did you try the configs below? overwritehost, overwriteprotocol
https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters
Just did. Didn't help.
Also reported here a while ago...
Same problem here with Nextcloud 20.0.3.
I use SSO with Kerberos, OpenLDAP and Apache mod_auth_kerb (same problem with mod_auth_gssapi).
In the Nextcloud SSO & SAML configuration I have set REMOTE_USER.
In my nextcloud.conf I have
<Location "/index.php/apps/user_saml/saml/login">
AuthType Kerberos
AuthName "SSO Login (Kerberos) "
KrbMethodNegotiate on
KrbMethodK5Passwd on
Krb5Keytab /etc/apache2/http.keytab
KrbLocalUserMapping on
KrbSaveCredentials on
Require valid-user
SSLRequireSSL
</Location>
When I set
'htaccess.RewriteBase' => '/'
in /var/www/nextcloud/config/config.php, login is only possible with
<Location "/">
...
But this is not what I want.
Is there any solution for this issue?
I'm getting the same error, but definitely do not have htaccess.RewriteBase set up. In fact this issue finally prompted me to set that up, and when I did, the error I was getting from Nextcloud (successful login to Keycloak but NC throwing the not-provisioned error) turned into an error from Keycloak saying "invalid request".
It seems like this issue is unresolved, but might actually be more than one issue causing this error.
So my root issue was different (I had to have Keycloak pass the LDAP UUID instead of usernames to convince Nextcloud to map to old users), but with that cleared up I was able to work around the RewriteBase issue by updating all the SAML-related URL endpoints to remove index.php/ as well.
In other words it can be made to work; it just needs the IdP side, the NC side, and the web host in the middle to all agree on the URL schema at the same time. Any change to one will break the others until they match, so you can't migrate piecemeal.
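An added example, not from the issue or from the user_saml project, of the agreement check the previous comment describes. It reads SP metadata in the shape Nextcloud publishes at /apps/user_saml/saml/metadata, compares the entityID, AssertionConsumerService and SingleLogoutService locations with what the IdP was configured with, and flags any side whose URLs are in a different form (with or without index.php/) from what the web host currently serves. The metadata document, the hostname cloud.example.org and the IdP values are constructed for the example. Exact string agreement is the right check: an IdP that validates the AssertionConsumerServiceURL of the AuthnRequest against its client configuration rejects a request whose form differs, and the SP validates the Destination of the response against the ACS URL it computes for itself, so a one-sided change fails in one direction or the other.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata in the shape Nextcloud serves at
# /apps/user_saml/saml/metadata. Hostname and URLs are made up; they still
# carry index.php/ because this copy was exported before RewriteBase was set.
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://cloud.example.org/index.php/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://cloud.example.org/index.php/apps/user_saml/saml/sls"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cloud.example.org/index.php/apps/user_saml/saml/acs"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed IdP-side client configuration, already moved to the clean URL
# form; the SP metadata above was not, so the two disagree.
IDP_CONFIG = {
    "entity_id": "https://cloud.example.org/apps/user_saml/saml/metadata",
    "acs": "https://cloud.example.org/apps/user_saml/saml/acs",
    "sls": "https://cloud.example.org/apps/user_saml/saml/sls",
}


def sp_endpoints(metadata_xml: str) -> dict:
    """Pull the entityID, ACS and SLS locations out of SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(f".//{{{MD_NS}}}AssertionConsumerService")
    sls = root.find(f".//{{{MD_NS}}}SingleLogoutService")
    return {
        "entity_id": root.get("entityID"),
        "acs": acs.get("Location") if acs is not None else None,
        "sls": sls.get("Location") if sls is not None else None,
    }


def url_form(url: str) -> str:
    """'index.php' when the path names the front controller explicitly,
    otherwise 'clean' (the form Nextcloud generates once RewriteBase is set)."""
    path = urlsplit(url).path
    if path == "/index.php" or path.startswith("/index.php/"):
        return "index.php"
    return "clean"


def check_agreement(sp: dict, idp: dict, host_form: str) -> list[str]:
    """Return every way the SP, the IdP and the web host disagree.

    host_form is the URL form the web server is serving for Nextcloud right
    now: 'clean' when htaccess.RewriteBase is configured, 'index.php'
    otherwise. An empty list means all three sides match.
    """
    problems = []
    for name in ("entity_id", "acs", "sls"):
        s, i = sp.get(name), idp.get(name)
        if s is None or i is None:
            side = "SP" if s is None else "IdP"
            problems.append(f"{name}: missing on the {side} side")
            continue
        if s != i:
            problems.append(f"{name}: SP metadata has {s} but the IdP has {i}")
        for side, url in (("SP", s), ("IdP", i)):
            if url_form(url) != host_form:
                problems.append(
                    f"{name}: {side} URL is in {url_form(url)} form, "
                    f"but the web host serves {host_form} URLs"
                )
    return problems


if __name__ == "__main__":
    for problem in check_agreement(sp_endpoints(SP_METADATA), IDP_CONFIG, "clean"):
        print(problem)
```

Run it against the metadata Nextcloud actually serves and the IdP's client settings before and after flipping RewriteBase; the list is empty only when all three sides have been moved together, which is the piecemeal-migration failure the comment describes.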