Logging in via KeyCloak works only on second attempt if user groups have changed.
Having followed the instructions in README.md, and verified that the KeyCloak-generated access token includes a properly populated ownCloudGroups attribute, here is the sequence of events:
- User ownCloudGroups attribute is modified on the KeyCloak backend.
- User submits KeyCloak login form.
- NextCloud page opens and displays: "Error: Token is invalid."
- User presses browser Back button (to KeyCloak).
- KeyCloak displays: "You are already logged in" alongside a "Go back to application" button. User clicks on this button.
- NextCloud opens with the user logged in and the user groups properly synced.
- Subsequent login attempts are successful (unless the ownCloudGroups attribute is modified again).
Thoughts?
Can you trace where the error is coming from? Can't repro, but I suspect this isn't related to this plugin.
@pulsejet I suspect so myself. Nonetheless I'd be grateful for guidance on how to trace. The NextCloud logs aren't particularly informative. Maybe inject some PHP var_dump — but where?
UPDATE:
Unfortunately I don't have sufficient privileges to Xdebug this remotely. So rigorous tracing is not an option.
However I've been able to narrow down a little: the problem is triggered at the userinfo stage of the authentication process when the ownCloudGroups claim is included. There is no issue with ownCloudQuota.
The ownCloudGroups claim is added to the userinfo token only. (The id and access tokens are irrelevant to this; adding the claim to them is inconsequential.)
I am using space-delimited strings as ownCloudGroups field values.
Any ideas would be very much appreciated.
UPDATE 3:
I might have traced the issue: the NextCloud Notifications app throws an exception whenever the OIDC plugin updates group membership.
Disabling the built-in Notifications app is the only solution I've found so far.
Maybe the issue is with the order of the user logging in and the groups changing? Strictly speaking, this is a bug somewhere upstream, though.
@pulsejet very likely upstream; to be honest I'm content with the current state of affairs. Feel free to investigate further or close if/as appropriate.
Let's keep it open, I want to investigate this when time permits.
Hi, I get the same error on a test setup with Keycloak user management and furthermore, when I add a brand new user to Keycloak, I have to reload the login page up to three times in order to get in. I hope that the following log may help! OTOH this might be a network bridge issue since I run this on podman on my laptop.
Error index Exception: 2023-10-23T15:12:44+00:00 OCA\Circles\Tools\Model\Request::setHost(): Argument #1 ($host) must be of type string, null given, called in /var/www/html/apps/circles/lib/Tools/Model/Request.php on line 296 in file '/var/www/html/apps/circles/lib/Tools/Model/Request.php' line 206 at lib/private/AppFramework/Http/Dispatcher.php
line 1690. .../App.php line 183 OC\AppFramework\Http\Dispatcher->dispatch( ["OCA\\OIDCLogin\\C ... "], ... c" ) 1. .../Router.php line 315 OC\AppFramework\App::main( "OCA\\OIDCLogin\\Controller\\Logi ... r", ... c", ["OC\\AppFramework\\DependencyInjection\\D ... "], ["oidc_login. ... "] ) 2. .../base.php line 1068 OC\Route\Router->match( "\/apps\/oidc_log ... c" ) 3. index.php line 36 OC::handleRequest( ) Caused by TypeError: OCA\Circles\Tools\Model\Request::setHost(): Argument #1 ($host) must be of type string, null given, called in /var/www/html/apps/circles/lib/Tools/Model/Request.php on line 296 at apps/circles/lib/Tools/Model/Request.php line 206 0. .../Request.php line 296 OCA\Circles\Tools\Model\Request->setHost( ... ll ) 1. .../ConfigService.php line 737 OCA\Circles\Tools\Model\Request->basedOnUrl( "http:\/apps\/circles\/async\/979d39f2 ... /" ) 2. .../FederatedEventService.php line 434 OCA\Circles\Service\ConfigService->configureLoopbackRequest( ... "], ... t", ... "] ) 3. .../FederatedEventService.php line 188 OCA\Circles\Service\FederatedEventService->initBroadcast( ["OCA\ ... "] ) 4. .../SyncService.php line 454 OCA\Circles\Service\FederatedEventService->newEvent( ["OCA\\Circ ... "] ) 5. .../GroupMemberAdded.php line 71 OCA\Circles\Service\SyncService->groupMemberAdded( ... a", ... u" ) 6. .../ServiceEventListener.php line 86 OCA\Circles\Listeners\GroupMemberAdded->handle( ["OC ... "] ) 7. .../EventDispatcher.php line 251 OC\EventDispatcher\ServiceEventListener->__invoke( [ ... "], ... t", ["Symfony\\Componen ... "] ) 8. .../EventDispatcher.php line 73 Symfony\Component\EventDispatcher\EventDispatcher->callListeners( ... ]], ... t", ... "] ) 9. .../EventDispatcher.php line 94 Symfony\Component\EventDispatcher\EventDispatcher->dispatch( ... "], ... t" ) 10. .../EventDispatcher.php line 106 OC\EventDispatcher\EventDispatcher->dispatch( "OCP ... t", ["OCP\ ... "] ) 11. .../Server.php line 530 OC\EventDispatcher\EventDispatcher->dispatchTyped( [ ... 
"] ) 12. <<closure>> OC\Server->OC\{closure}( "*** sensitive parameters re ... *" ) 13. .../EmitterTrait.php line 105 call_user_func_array( ["C ... "], ["*** sensitive parameters replaced ***","*** sensitive parameters replac ... "] ) 14. .../PublicEmitter.php line 40 OC\Hooks\BasicEmitter->emit( ... p", ... r", ["*** sensitive parameters replaced ***","*** sensitive parameters ... "] ) 15. .../Group.php line 202 OC\Hooks\PublicEmitter->emit( ... p", ... r", ["*** sensitive parameters replaced ***","*** sensitive parameter ... "] ) 16. .../LoginService.php line 527 OC\Group\Group->addUser( "*** sensitive parameters re ... *" ) 17. .../LoginService.php line 170 OCA\OIDCLogin\Service\LoginService->updateUserGroups( ... *" ) 18. .../LoginController.php line 147 OCA\OIDCLogin\Service\LoginService->login( "*** sensi ... *" ) 19. .../LoginController.php line 123 OCA\OIDCLogin\Controller\LoginController->login( "*** ... *" ) 20. .../LoginController.php line 102 OCA\OIDCLogin\Controller\LoginController->authSuccess( ... *" ) 21. .../Dispatcher.php line 230 OCA\OIDCLogin\Controller\LoginController->oidc( ) 22. .../Dispatcher.php line 137 OC\AppFramework\Http\Dispatcher->executeController( ["OCA\\OI ... "], ... c" ) 23. .../App.php line 183 OC\AppFramework\Http\Dispatcher->dispatch( ["OCA\\OIDCLogin\\ ... "], ... c" ) 24. .../Router.php line 315 OC\AppFramework\App::main( "OCA\\OIDCLogin\\Controller\\Log ... r", ... c", ["OC\\AppFramework\\DependencyInjection\\ ... "], ["oidc_login ... "] ) 25. .../base.php line 1068 OC\Route\Router->match( "\/apps\/oidc_lo ... c" ) 26. index.php line 36 OC::handleRequest( )
Update: as indicated by the error message, it is the Circles app that conflicts with group management through Keycloak. I had to disable it.
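The trace above shows the failure class rather than a plugin bug: the loopback URL Circles built ("http:/apps/circles/async/...", quoted in frame 1 of the inner trace) carries no host, so the host extracted from it is null and the strict-typed setHost(string) rejects it. The following PHP is an added diagnostic written for this thread, not code from Circles or oidc_login; the LoopbackRequest class, hostFromUrl() helper, the async id and the working URL are constructed stand-ins, and the config keys named in the message are the usual Nextcloud base-URL settings, offered as a place to look, not as the confirmed cause.

```php
<?php
declare(strict_types=1);

// Added diagnostic, not Circles or oidc_login code. It reproduces the
// failure class visible in the log above: a loopback URL without a host,
// a null host from parse_url(), and a strict-typed setter that refuses it.

// Minimal stand-in for OCA\Circles\Tools\Model\Request::setHost()
// (assumption: only the non-nullable string parameter matters here).
final class LoopbackRequest {
    private string $host = '';
    public function setHost(string $host): void { $this->host = $host; }
    public function host(): string { return $this->host; }
}

// Guard a caller could put in front of the setter: null when the URL has
// no usable host instead of letting the TypeError abort the login request.
function hostFromUrl(string $url): ?string {
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && $host !== '' ? $host : null;
}

// Unescaped form of the URL quoted in the trace; the async id is a placeholder.
$brokenUrl  = 'http:/apps/circles/async/ASYNC-ID-PLACEHOLDER/';
// Constructed sample of what an instance with a configured base URL yields.
$workingUrl = 'http://cloud.example.test/apps/circles/async/ASYNC-ID-PLACEHOLDER/';

foreach ([$brokenUrl, $workingUrl] as $url) {
    $request = new LoopbackRequest();
    $host = hostFromUrl($url);
    if ($host === null) {
        // The situation the log shows: report it and carry on with the login.
        echo "no host in loopback URL {$url}; check the instance base URL "
           . "settings (overwrite.cli.url, trusted_domains)\n";
        continue;
    }
    $request->setHost($host);
    echo "loopback host: {$request->host()}\n";
}

// Calling the setter unguarded reproduces the TypeError from the log.
try {
    (new LoopbackRequest())->setHost(hostFromUrl($brokenUrl));
} catch (TypeError $e) {
    echo "TypeError as in the log: " . $e->getMessage() . "\n";
}
```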