Connect mobile application with user_cas #69

Closed
conanedogawa2 opened this issue Oct 6, 2019 · 8 comments

@conanedogawa2

conanedogawa2 commented Oct 6, 2019

Describe the bug
When I try to connect with user_cas on the official Nextcloud application, an error is thrown: "Access forbidden Invalid request".

To Reproduce
1: Set up a fresh Docker installation of Nextcloud 16.0.5 with only the custom app user_cas.
2: Import users and user data.
3: Download the Android mobile application and try to log in.
4: Error "Access forbidden Invalid request" is thrown.

Falling back to the old authentication method works but displays only a webview of Nextcloud.
Logging in with the QR code works like a charm the usual way. But since it won't be very handy for thousands of users to understand the procedure, it would be more convenient to make the usual way to connect work.

The Apache log and the Nextcloud one don't report anything at all. (No 4XX HTTP code)

Expected behavior
I'm connected to the app, not the webview one with the new authentication method.

Software (please complete the following information):

  • Server-OS: Dockerized debian10.1
  • HTTP-Server Version: 2.4.38
  • PHP-Version: php 7.3.10
  • phpCAS-Library-Version: User_cas one.
  • ownCloud/Nextcloud Version : 16.0.5
  • user_cas-Version: 1.7.3
@felixrupp
Owner

Hi @conanedogawa2

Mobile ownCloud/Nextcloud application login with CAS is only available with the OAuth2 app enabled. Are you already using the OAuth2 app?

Regards,
Felix

@conanedogawa2
Author

I'm afraid I don't understand what you are saying.
Do I have to install the OAuth plugin on Nextcloud, or is there another mobile app using OAuth?

Huge thanks for your help.

@felixrupp
Owner

@conanedogawa2 Yes you have to install the OAuth2 app and configure it, so your Nextcloud instance is working as an OAuth2 provider itself.

Then the desktop and mobile applications can authenticate you via OAuth2 web requests where you can choose to log in via CAS. There is no other option to authenticate against CAS with a desktop/mobile client, because CAS is a web-form-based authentication system only.

Regards,

Felix

@conanedogawa2
Author

I honestly have no clue what I'm supposed to do with OAuth.
Since the desktop application works well with no OAuth enabled, I don't really understand why the mobile app could act differently.

Isn't OAuth supposed to allow login from an external identity provider like Google and Facebook?

Thanks again !

@leManu

leManu commented Feb 13, 2020

We experience the same issue, but strangely not every time...

We have set cas_force_login to 1, and when configuring a mobile client (Android or iOS) using CAS authentication, the client is normally redirected to the CAS authentication form, and then lands on a Nextcloud error web page showing:

Error
Access Forbidden
Invalid Request

On the web server side we can see the client making these requests during the configuration process:

"GET /index.php/login/flow HTTP/1.1" 302
"GET /apps/user_cas/login HTTP/1.1" 302
"GET /apps/user_cas/login?ticket=<stripped ticket ID> HTTP/1.1" 302
"GET /apps/user_cas/login HTTP/1.1" 303
"GET /index.php/login/flow HTTP/1.1" 200
"GET /core/js/oc.js?v=5a6c5f28 HTTP/1.1" 200

We can also see that a token for the mobile client is generated on the server side (listed in the user's Parameters -> Security), but the client fails to get it...

In some minor cases the mobile client configuration does not fail and it correctly receives the token.

When setting cas_force_login to 0 there are no more client configuration failures...
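
A log check for the request sequence reported above, as an added example that is not part of the original comment or of user_cas: it scans an Apache combined-format access log and lists clients whose login flow was redirected, came back from CAS with a ticket, and was then served /index.php/login/flow again. The client addresses, timestamps and ticket value in the sample are constructed, clients are keyed by source address (an assumption that breaks behind NAT), and a match shows only that the sequence occurred, not that the client failed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format prefix: client address, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

FLOW = "/index.php/login/flow"
CAS_LOGIN = "/apps/user_cas/login"

# Constructed sample: the request sequence from the comment above, with made-up
# client addresses, timestamps and ticket value, plus one unrelated client.
SAMPLE = """\
192.0.2.10 - - [13/Feb/2020:10:00:00 +0100] "GET /index.php/login/flow HTTP/1.1" 302 -
198.51.100.7 - - [13/Feb/2020:10:00:01 +0100] "GET /index.php/login/flow HTTP/1.1" 200 5120
192.0.2.10 - - [13/Feb/2020:10:00:01 +0100] "GET /apps/user_cas/login HTTP/1.1" 302 -
192.0.2.10 - - [13/Feb/2020:10:00:05 +0100] "GET /apps/user_cas/login?ticket=ST-CONSTRUCTED HTTP/1.1" 302 -
192.0.2.10 - - [13/Feb/2020:10:00:05 +0100] "GET /apps/user_cas/login HTTP/1.1" 303 -
192.0.2.10 - - [13/Feb/2020:10:00:06 +0100] "GET /index.php/login/flow HTTP/1.1" 200 5120
192.0.2.10 - - [13/Feb/2020:10:00:06 +0100] "GET /core/js/oc.js?v=5a6c5f28 HTTP/1.1" 200 900
""".splitlines()


def find_cas_flow_round_trips(lines):
    """Return clients whose login flow was redirected, returned from CAS with
    a ticket, and was then served the flow start page again."""
    state = {}  # client -> "redirected" | "ticket"
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in combined log format, ignore
        client, method, target, status = m.groups()
        if method != "GET":
            continue
        url = urlsplit(target)
        if url.path == FLOW and status.startswith("3"):
            state[client] = "redirected"       # flow start bounced away
        elif url.path == CAS_LOGIN and "ticket" in parse_qs(url.query):
            if state.get(client) == "redirected":
                state[client] = "ticket"       # CAS sent the client back
        elif url.path == FLOW and status == "200":
            if state.pop(client, None) == "ticket":
                hits.append(client)            # flow page served again
    return hits


if __name__ == "__main__":
    for client in find_cas_flow_round_trips(SAMPLE):
        print(f"{client}: login flow page served again after CAS ticket return")
```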

@felixrupp
Owner

Hi @leManu

thanks for your input, I’ll try to debug this.

Regards
Felix

@pingou2712

pingou2712 commented Apr 7, 2020

@conanedogawa2 ,
@leManu ,

Bug fixed by #86,
if you want to try =)

Regards,
Vincent

@conanedogawa2
Author

That's nice, thanks a lot!
But I can't test right now. I've switched to SAML-CAS since too many users were complaining about this.
A week too late !

felixrupp added a commit that referenced this issue Apr 10, 2020
felixrupp pushed a commit that referenced this issue Apr 10, 2020
Fix Nextcloud login-flow bug, Fixes #69