It shows "server unavailable" when username mapped by SAML attribute contains specific character #10861

Nanamiiiii opened this issue Oct 20, 2022 · 1 comment
Labels
bug feature: authentication Authentication or accounts related

Comments

@Nanamiiiii

⚠️ Before posting ⚠️

  • This is a bug, not a question or an enhancement.
  • I've searched for similar issues and didn't find a duplicate.
  • I've written a clear and descriptive title for this issue, not just "Bug" or "Crash".
  • I agree to follow Nextcloud's Code of Conduct.

Steps to reproduce

I apologize at the outset for my poor English.

I use SAML2.0 SSO via auth0. auth0's user_id format may cause this issue.

  1. Prepare an auth0 tenant and configure SAML SSO with Nextcloud. Parameters of the SAML setting are shown below.
    • Enable SAML auth for Desktop Clients
    • attribute mapped to UID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    • Identifier of IdP entity: urn:<Tenant>.<Region>.auth0.com
    • Authentication Request URL: https://<Tenant>.<Region>.auth0.com/samlp/<auth0 app's client id>
    • SLO Request URL: https://<Tenant>.<Region>.auth0.com/samlp/<auth0 app's client id>/logout
    • Set IdP's X.509 Certificate
  2. Sign in to Nextcloud using SAML SSO via a web browser. Confirm that a new user is created and that the following userid has been mapped to this user in Nextcloud.
    oauth2|<User Source>|XXXXXXXXX
  3. Sign in from the Android application. Enter the URL, sign in to the IdP and grant access to Nextcloud. Signing in was successful, but the application shows "server is unavailable" (translated from Japanese; the notation might be different). Additionally, there seem to be no files in the Android application.

Expected behaviour

Applications on other OSes (Windows, macOS, iOS) work correctly: they can get files, upload files, and create new files or folders.
The Android app should work the same way.

Actual behaviour

The situations where things go wrong are described in the section above.
Signing in was successful, and the app returned to the file view. However, the app showed "server unavailable" and there seemed to be no files. In fact, some files have been uploaded and should be displayed. Additionally, I couldn't upload files or create new files (the '+' button didn't respond).

I was wondering if this was a SAML authentication error or an app problem. However, the other client applications (Windows, macOS, iOS) could sign in and get files correctly, so I have assumed this to be an Android app problem. I also found some exceptions in the log shown below.

I tried to sign in using an app password and a QR code generated by the web browser, but the situation did not change.

A manually created account that can log in locally worked correctly. This account's userid was admin, so I think the userid causes this issue.

The userid mapped from the SAML attribute is very long and contains the character '|'. When creating an account manually, I cannot use | in the userid input box. Are you sure this symbol is an invalid character?

Finally, I changed the userid mapping. I chose an attribute that does not contain |, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn. Then it worked correctly.
But I want to use nameidentifier since it is guaranteed to be unique...

Android version

12

Device brand and model

Xperia 1 III (XQ-BC42)

Stock or custom OS?

Stock

Nextcloud android app version

3.22.0

Nextcloud server version

24.0.6

Using a reverse proxy?

Yes

Android logs

After the app sent the PROPFIND request, I found some exceptions.
The userid and domain are masked with X. They are normal characters.

10-21 00:36:08.527  5662  8086 D RefreshFolderOperation: Checking changes in oauth2|slack|XXXXXXXX-XXXXXXXX@xxx.xxxxxxx.dev/
10-21 00:36:08.528  5662  8086 D OwnCloudClient #0: REQUEST PROPFIND /remote.php/dav/files/oauth2%7Cslack%7CT032NHEKPNJ-U032XGMFXNY//
10-21 00:36:08.632  5662  8086 E ReadFileRemoteOperation: Read file / failed: Unexpected exception
10-21 00:36:08.632  5662  8086 E ReadFileRemoteOperation: java.lang.ArrayIndexOutOfBoundsException: length=1; index=1
10-21 00:36:08.632  5662  8086 E ReadFileRemoteOperation:       at com.owncloud.android.lib.common.network.WebdavEntry.<init>(WebdavEntry.java:157)
10-21 00:36:08.632  5662  8086 E ReadFileRemoteOperation:       at com.owncloud.android.lib.resources.files.ReadFileRemoteOperation.run(ReadFileRemoteOperation.java:94)
10-21 00:36:08.632  5662  8086 E ReadFileRemoteOperation:       at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:205)
10-21 00:36:08.632  5662  8086 E ReadFileRemoteOperation:       at com.owncloud.android.operations.RefreshFolderOperation.checkForChanges(RefreshFolderOperation.java:364)
10-21 00:36:08.632  5662  8086 E ReadFileRemoteOperation:       at com.owncloud.android.operations.RefreshFolderOperation.run(RefreshFolderOperation.java:234)
10-21 00:36:08.632  5662  8086 E ReadFileRemoteOperation:       at com.owncloud.android.lib.common.operations.RemoteOperation.run(RemoteOperation.java:399)
10-21 00:36:08.632  5662  8086 E ReadFileRemoteOperation:       at java.lang.Thread.run(Thread.java:1012)
10-21 00:36:08.632  5662  8086 E RefreshFolderOperation: Checked oauth2|slack|XXXXXXXX-XXXXXXXX@xxx.xxxxx.dev/ : Unexpected exception
10-21 00:36:08.632  5662  8086 E RefreshFolderOperation: java.lang.ArrayIndexOutOfBoundsException: length=1; index=1
10-21 00:36:08.632  5662  8086 E RefreshFolderOperation:        at com.owncloud.android.lib.common.network.WebdavEntry.<init>(WebdavEntry.java:157)
10-21 00:36:08.632  5662  8086 E RefreshFolderOperation:        at com.owncloud.android.lib.resources.files.ReadFileRemoteOperation.run(ReadFileRemoteOperation.java:94)
10-21 00:36:08.632  5662  8086 E RefreshFolderOperation:        at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:205)
10-21 00:36:08.632  5662  8086 E RefreshFolderOperation:        at com.owncloud.android.operations.RefreshFolderOperation.checkForChanges(RefreshFolderOperation.java:364)
10-21 00:36:08.632  5662  8086 E RefreshFolderOperation:        at com.owncloud.android.operations.RefreshFolderOperation.run(RefreshFolderOperation.java:234)
10-21 00:36:08.632  5662  8086 E RefreshFolderOperation:        at com.owncloud.android.lib.common.operations.RemoteOperation.run(RemoteOperation.java:399)
10-21 00:36:08.632  5662  8086 E RefreshFolderOperation:        at java.lang.Thread.run(Thread.java:1012)
10-21 00:36:08.632  5662  8086 D RefreshFolderOperation: Send broadcast com.owncloud.android.operations.RefreshFolderOperation.EVENT_SINGLE_FOLDER_CONTENTS_SYNCED
10-21 00:36:08.633  5662  8086 D RefreshFolderOperation: Send broadcast com.owncloud.android.operations.RefreshFolderOperation.EVENT_SINGLE_FOLDER_SHARES_SYNCED
10-21 00:36:08.633  5662  5662 D FileDisplayActivity: Received broadcast com.owncloud.android.operations.RefreshFolderOperation.EVENT_SINGLE_FOLDER_CONTENTS_SYNCED
10-21 00:36:08.655  5662  5662 D FileDisplayActivity: Setting progress visibility to true
10-21 00:36:08.655  5662  5662 D FileDisplayActivity: Received broadcast com.owncloud.android.operations.RefreshFolderOperation.EVENT_SINGLE_FOLDER_SHARES_SYNCED
10-21 00:36:08.667  5662  5662 D FileDisplayActivity: Setting progress visibility to false

Server error logs

There are no error logs. All accesses may be successful.
Successful access logs are below:

10.244.2.20 - oauth2|slack|XXXXXX [20/Oct/2022:15:04:09 +0000] "GET /ocs/v2.php/cloud/user?format=json HTTP/1.1" 200 2078 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.0"
10.244.2.20 - oauth2|slack|XXXXXX [20/Oct/2022:15:04:09 +0000] "GET /status.php HTTP/1.1" 200 1016 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.0"
10.244.2.20 - oauth2|slack|XXXXXX [20/Oct/2022:15:04:09 +0000] "GET /ocs/v2.php/cloud/capabilities?format=json HTTP/1.1" 200 3041 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.0"
10.244.2.20 - oauth2|slack|XXXXXX [20/Oct/2022:15:04:10 +0000] "GET /ocs/v2.php/apps/user_status/api/v1/predefined_statuses?format=json HTTP/1.1" 200 1774 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.0"
10.244.2.20 - oauth2|slack|XXXXXX [20/Oct/2022:15:04:10 +0000] "GET /ocs/v2.php/cloud/user?format=json HTTP/1.1" 200 2074 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.0"
10.244.2.20 - oauth2|slack|XXXXXX [20/Oct/2022:15:04:10 +0000] "PROPFIND /remote.php/dav/files/oauth2%7Cslack%7CT032NHEKPNJ-U032XGMFXNY// HTTP/1.1" 207 1382 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.22.0"

Additional information

No response
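The stack trace above fails inside the WebdavEntry constructor with an ArrayIndexOutOfBoundsException (length=1; index=1) only for a userid that the client has to percent-encode (the '|' becomes %7C in the PROPFIND path). The page does not show WebdavEntry.java, so the following is an added example in Python, not code from the Nextcloud Android app or its library. It assumes one common way such a failure arises: the client strips the user's DAV root from the href the server returns by splitting on the raw (undecoded) root, which is never found when the href is percent-encoded, so the split yields a single element and index 1 is out of range. It contrasts that fragile pattern with a decode-then-strip version that also rejects hrefs outside the user's root, and adds a check for ids that contain characters needing percent-encoding. The user id, hrefs and prefix below are constructed sample values shaped like the masked ones in the logs.

```python
"""Added example: robust extraction of a path relative to a user's WebDAV root.

Not the Nextcloud Android client's code. The "fragile" function models an
assumed failure mode consistent with the logged exception; the "robust" one
is the general pattern a client should use when user ids can contain
URL-reserved characters such as '|'.
"""
import re
from urllib.parse import quote, unquote

# Base path of the files endpoint seen in the captured PROPFIND line.
DAV_FILES_PREFIX = "/remote.php/dav/files/"

# Constructed sample user id in the shape the issue reports (masked).
SAML_USER_ID = "oauth2|slack|XXXXXXXX-XXXXXXXX"

# RFC 3986 unreserved characters: safe in a path segment without encoding.
_UNRESERVED = re.compile(r"[A-Za-z0-9._~-]+")


def dav_root(user_id: str) -> str:
    """Percent-encoded DAV root a client requests for this user.

    quote(..., safe="") encodes every reserved character, so '|' -> '%7C',
    matching the /remote.php/dav/files/oauth2%7Cslack%7C.../ path in the log.
    """
    return DAV_FILES_PREFIX + quote(user_id, safe="") + "/"


def needs_percent_encoding(user_id: str) -> bool:
    """True when the id contains characters that must be percent-encoded in a
    DAV path, i.e. ids for which raw-vs-encoded mismatches can bite."""
    return _UNRESERVED.fullmatch(user_id) is None


def relative_path_fragile(href: str, user_id: str) -> str:
    """Assumed fragile pattern: split the server's href on the RAW user root.

    Works for 'admin' (no encoding needed) but for 'oauth2|slack|...' the
    server's href carries %7C, the raw root is never found, split() returns a
    one-element list and [1] raises IndexError (Python's counterpart of the
    Java ArrayIndexOutOfBoundsException: length=1; index=1).
    """
    parts = href.split(DAV_FILES_PREFIX + user_id + "/")
    return parts[1]


def fragile_fails(href: str, user_id: str) -> bool:
    """Helper for demonstrations: does the fragile extraction blow up?"""
    try:
        relative_path_fragile(href, user_id)
    except IndexError:
        return True
    return False


def relative_path_robust(href: str, user_id: str) -> str:
    """Decode the href first, then strip the decoded root.

    Comparing decoded strings makes the result independent of whether the
    server returned '%7C' or '|'. Anything not under the user's own root is
    rejected rather than silently mapped to a wrong path.
    """
    decoded = unquote(href)
    root = DAV_FILES_PREFIX + user_id + "/"
    if not decoded.startswith(root):
        raise ValueError(f"href {href!r} is not under the DAV root of {user_id!r}")
    # Normalise the trailing "//" seen in the logged request to a single "/".
    return "/" + decoded[len(root):].lstrip("/")


if __name__ == "__main__":
    href = dav_root(SAML_USER_ID) + "Documents/"
    print("encoded root:", dav_root(SAML_USER_ID))
    print("needs encoding:", needs_percent_encoding(SAML_USER_ID))
    print("fragile fails:", fragile_fails(href, SAML_USER_ID))
    print("robust path:", relative_path_robust(href, SAML_USER_ID))
```

Run as a script it prints the encoded root, that the sample id needs encoding, that the fragile extraction fails for it, and `/Documents/` from the robust one. The same decode-then-compare rule applies to any client that reconstructs local paths from server hrefs; the `|` in auth0's `nameidentifier` is just the character that exposed it here.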

@Nanamiiiii Nanamiiiii added the bug label Oct 20, 2022
@joshtrichards joshtrichards added the feature: authentication Authentication or accounts related label Oct 8, 2023
@joshtrichards
Member

Possibly similar underlying cause: #10561
