Login in with the desktop client when using SSO (SAML with Keycloak) fails #1084

Closed
lucode opened this issue Feb 13, 2019 · 21 comments

@lucode

lucode commented Feb 13, 2019

We run a Nextcloud instance on Hetzner and use a Keycloak ID server which allows SSO with SAML.
In the browser everything works great, but we can't log in to Nextcloud with the Desktop Client.
The Android client works too, but with the Desktop client the process gets stuck when I want to grant access to the files. We are not the only ones who struggle with this issue:
https://help.nextcloud.com/t/issue-login-in-with-the-desktop-client-when-using-sso-saml-with-keycloak/47063

Expected behaviour

The client should at this stage connect to the server and start synchronizing the files.

Actual behaviour

(https://help.nextcloud.com/uploads/default/original/2X/7/7675f215c2f638e02511e93f0d3ae79599a4d726.png)
The client then shows this state forever. The situation is the same when I use the app token instead of the password. When I look in my settings, I see that both the Desktop and Android clients are connected properly, so I assume the error is neither on the server nor on the Keycloak side. It must be a Desktop Client issue.

Steps to reproduce

Same issue on different machines (Win & Ubuntu)

Client configuration

Client version:

I have installed the Windows client, version 2.5.1final (build 20181204),
and the Ubuntu PPA version 2.5.1. It is the same issue.

Operating system:
Win 10
OS language:
German and EN

Installation path of client:
C:\Program Files (x86)\Nextcloud\nextcloud.exe

Server configuration

Hetzner Owncloud SaaS

Nextcloud version:
15.0.2

Logs

I don't get any logs, because the client is not yet running.

  1. Web server error log:
    not accessible
  2. Server logfile: nextcloud log (data/nextcloud.log):
    No server logs
@duckdiver

In our scenario, when we try to log in via NC Desktop Client V2.5.1 with SSO & SAML, I get the SSO authentication login screen for user and password input:
https://paste.pics/13434e7ad815a98fb4fd93ae320819a6
https://paste.pics/38c6db52f1c2e47424508f7fca7da567

After that we are stuck with that screen:
https://paste.pics/cc6ca7340737e07c885c21ba32adf2ce

@lucode
Author

lucode commented Feb 18, 2019

@duckdiver that is another issue. Your issue happens before the client wants to start syncing. Login basically works in our scenario.

@duckdiver

With NC Server V13.

@duckdiver

@lucode don't you get stuck already at the first screen?

@lucode
Author

lucode commented Feb 18, 2019

No, at the last one:

When I look in my settings I see there both Desktop and Android client are connected properly,

@lucode
Author

lucode commented Feb 18, 2019

From my point of view you mixed up some configs about using a token or a password.

@duckdiver

No,
but the credentials are not sent within the Mozilla app with the NC Desktop Client.
When logging in with the IE web browser it works perfectly.
Also with the mobile app.

@mudasaryasin

Guys, any workaround? I am facing this issue even though I log in successfully from IE.

@mudasaryasin

mudasaryasin commented Feb 26, 2019

OS = CentOS 7.6.1810
PHP version = 7.2.14
NC version = 15.0.2.0
Client = 2.5.1final (build 20181204), OS: Windows 7 SP1
Here are the logs on the client:

[OCC::Application::setupLogging 	"################## Nextcloud locale:[en_US] ui_lang:[] version:[2.5.1final (build 20181204)] os:[Windows 7 SP 1 (6.1)]"
[OCC::Application::setupTranslations 	Using "en_US" translation
[OCC::SocketApi::SocketApi 	server started, listening at  "\\\\.\\pipe\\owmync-mudasar"
[OCC::FolderMan::FolderMan 	setting remote poll timer interval to 30000 msec
[unknown 	QSslSocket: cannot resolve SSL_CONF_CTX_new
[unknown 	QSslSocket: cannot resolve SSL_CONF_CTX_free
[unknown 	QSslSocket: cannot resolve SSL_CONF_CTX_set_ssl_ctx
[unknown 	QSslSocket: cannot resolve SSL_CONF_CTX_set_flags
[unknown 	QSslSocket: cannot resolve SSL_CONF_CTX_finish
[unknown 	QSslSocket: cannot resolve SSL_CONF_cmd
[unknown 	QSslSocket: cannot resolve SSL_set_alpn_protos
[unknown 	QSslSocket: cannot resolve SSL_CTX_set_alpn_select_cb
[unknown 	QSslSocket: cannot resolve SSL_get0_alpn_selected
[OCC::owmyncGui::setupContextMenu 	Tray menu workarounds: noabouttoshow: false fakedoubleclick: false showhide: false manualvisibility: false
[OCC::FolderMan::setupFoldersMigration 	Setup folders from  "C:/Users/mudasar.abc/AppData/Roaming/Nextcloud/folders" (migration)
[OCC::ClientProxy::setupQtProxyFromConfig 	Set proxy configuration to use system configuration
[OCC::owmyncGui::slotOpenSettingsDialog 	No configured folders yet, starting setup wizard
[unknown 	Could not parse stylesheet of object 0x44a2d3b0
[OCC::WebViewPage::WebViewPage 	Time for a webview!
[unknown 	Could not parse stylesheet of object 0x44a2d3b0
[unknown 	Could not parse stylesheet of object 0x44a2d3b0
[OCC::OCUpdater::backgroundCheckForUpdate 	Checking for available update
[OCC::AccessManager::createRequest 	2 "" "https://updates.nextcloud.org/client/?version=2.5.1.20181204&platform=win32&oem=Nextcloud&versionsuffix=final" has X-Request-ID "b8373a9f-fa47-45aa-a502-xxxxx"
[OCC::NSISUpdater::versionInfoArrived 	Client is on latest version!
[OCC::OwmyncSetupWizard::slotSystemProxyLookupDone 	No system proxy set by OS
[OCC::AccessManager::createRequest 	2 "" "https://mync.xxxx.co/status.php" has X-Request-ID "7ac26b02-1f31-4cff-9229-xxxxx"
[OCC::AbstractNetworkJob::start 	OCC::CheckServerJob created for "https://mync.xxxx.co" + "status.php" "OCC::OwmyncSetupWizard"
[OCC::CheckServerJob::finished 	No SSL session identifier / session ticket is used, this might impact sync performance negatively.
[OCC::CheckServerJob::finished 	status.php returns:  QJsonDocument({"edition":"","installed":true,"maintenance":false,"needsDbUpgrade":false,"productname":"xxxx.co","version":"15.0.2.0","versionstring":"15.0.2"})   QNetworkReply::NetworkError(NoError)  Reply:  QNetworkReplyHttpImpl(0x4b4e87f0)
[OCC::DetermineAuthTypeJob::start 	Determining auth type for QUrl("https://mync.xxxx.co/remote.php/webdav/")
[OCC::AccessManager::createRequest 	2 "" "https://mync.xxxx.co/remote.php/webdav/" has X-Request-ID "c6a8e6a8-f886-4e9d-80bb-0032b83a9391"
[OCC::AbstractNetworkJob::start 	OCC::SimpleNetworkJob created for "https://mync.xxxx.co" + "" "OCC::Account"
[OCC::AccessManager::createRequest 	6 "PROPFIND" "https://mync.xxxx.co/remote.php/webdav/" has X-Request-ID "cb37f360-ec23-4011-b6ab-6c436033fa91"
[OCC::AbstractNetworkJob::start 	OCC::SimpleNetworkJob created for "https://mync.xxxx.co" + "" "OCC::Account"
[OCC::AbstractNetworkJob::slotFinished 	Redirecting "GET" QUrl("https://mync.xxxx.co/remote.php/webdav/") QUrl("https://mync.xxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=")
[OCC::AccessManager::createRequest 	2 "" "https://mync.xxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=" has X-Request-ID "a8757083-a687-4e4c-83f7-1d2359609880"
[OCC::AbstractNetworkJob::slotFinished 	Redirecting "PROPFIND" QUrl("https://mync.xxxx.co/remote.php/webdav/") QUrl("https://mync.xxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=")
[OCC::AccessManager::createRequest 	6 "PROPFIND" "https://mync.xxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=" has X-Request-ID "8a75e3e0-1938-4a8a-b27a-4b6620f6ecd9"
[OCC::AbstractNetworkJob::slotFinished 	QNetworkReply::NetworkError(ContentOperationNotPermittedError) "Server replied \"405 Method Not Allowed\" to \"PROPFIND https://mync.xxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=\"" QVariant(int, 405)
[OCC::DetermineAuthTypeJob::start::::operator() 	Did not receive WWW-Authenticate reply to auth-test PROPFIND
[OCC::DetermineAuthTypeJob::checkBothDone 	Auth type for QUrl("https://mync.xxxx.co/remote.php/webdav/") is 3
[OCC::WebViewPage::initializePage 	Url to auth at:  "https://mync.xxxx.co/index.php/login/flow"
[OCC::WebViewPageUrlSchemeHandler::requestStarted 	Got user:  "mudasar" , server:  "https://mync.xxxx.co"
[OCC::WebViewPage::urlCatched 	Got user:  "mudasar" , server:  "https://mync.xxxx.co"
[OCC::WebViewPage::urlCatched 	URL:  "https://mync.xxxx.co"
[OCC::OwmyncSetupWizard::slotConnectToOCUrl 	Connect to url:  "https://mync.xxxx.co"
[OCC::WebFlowCredentials::createQNAM 	Get QNAM
[OCC::AccessManager::createRequest 	6 "PROPFIND" "https://mync.xxxx.co/remote.php/webdav/" has X-Request-ID "2ea7c8c0-20e9-4c7b-b59a-b644fc49d414"
[OCC::AbstractNetworkJob::start 	OCC::PropfindJob created for "https://mync.xxxx.co" + "/" "OCC::OwmyncSetupWizard"
[OCC::WebFlowCredentials::slotFinished 	request finished
[OCC::WebFlowCredentials::stillValid 	Still valid?
[OCC::WebFlowCredentials::stillValid 	QNetworkReply::NetworkError(NoError)

OCC::PropfindJob::finished 	*not* successful, http result code is 302 "https://mync.xxxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl="
[OCC::OwmyncSetupWizard::slotAuthError 	Authed request was redirected to "https://mync.xxxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl="
[OCC::WebViewPageUrlSchemeHandler::requestStarted 	Got user:  "YMudasar" , server:  "https://mync.xxxxx.co"
[OCC::WebViewPage::urlCatched 	Got user:  "YMudasar" , server:  "https://mync.xxxxx.co"
[OCC::WebViewPage::urlCatched 	URL:  "https://mync.xxxxx.co"
[OCC::OwmyncSetupWizard::slotConnectToOCUrl 	Connect to url:  "https://mync.xxxxx.co"
[OCC::WebFlowCredentials::createQNAM 	Get QNAM
[OCC::AccessManager::createRequest 	6 "PROPFIND" "https://mync.xxxxx.co/remote.php/webdav/" has X-Request-ID "xxxxx-6ac2-4efd-9147-xxxxxxx"
[OCC::AbstractNetworkJob::start 	OCC::PropfindJob created for "https://mync.xxxxx.co" + "/" "OCC::OwmyncSetupWizard"
[OCC::WebFlowCredentials::slotFinished 	request finished
[OCC::WebFlowCredentials::stillValid 	Still valid?
[OCC::WebFlowCredentials::stillValid 	QNetworkReply::NetworkError(NoError)
[OCC::WebFlowCredentials::stillValid 	"Unknown error"

@mudasaryasin

Guys, any clue?

@lucode
Author

lucode commented Mar 19, 2019

I got the log now:

[OCC::AbstractNetworkJob::start 	OCC::PropfindJob created for "https://nc.cooby.org" + "/" "OCC::OwncloudSetupWizard"
[OCC::WebFlowCredentials::slotFinished 	request finished
[OCC::WebFlowCredentials::stillValid 	Still valid?
[OCC::WebFlowCredentials::stillValid 	QNetworkReply::NetworkError(NoError)
[OCC::WebFlowCredentials::stillValid 	"Unbekannter Fehler"
[OCC::PropfindJob::finished 	PROPFIND of QUrl("https://nc.cooby.org/remote.php/webdav/") FINISHED WITH STATUS "OK"
[OCC::PropfindJob::finished 	*not* successful, http result code is 302 "http://nc.cooby.org/apps/user_saml/saml/login?originalUrl=&idp=1&requesttoken=7cmxYSv2hqN03nDPJGkOqtDvhnp/iEm/ZrCQzDBAbkk%3D%3AjPDwUxqv4ZocpDqFEztW8JLXxS4axgXLKf/cgF8rFic%3D"
[OCC::OwncloudSetupWizard::slotAuthError 	Authed request was redirected to "http://nc.cooby.org/apps/user_saml/saml/login?originalUrl=&idp=1&requesttoken=7cmxYSv2hqN03nDPJGkOqtDvhnp/iEm/ZrCQzDBAbkk%3D%3AjPDwUxqv4ZocpDqFEztW8JLXxS4axgXLKf/cgF8rFic%3D"

This is on another server with NC 15.0.2 installed.

@mudasaryasin

For me it is working fine after disabling this option in the SSO and SAML plugin:

"Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)"

@lucode
Author

lucode commented Mar 21, 2019

@mudasaryasin you are our hero; your suggestion works for us too.
The question remains whether this is a bug or a feature?

@mudasaryasin

mudasaryasin commented Mar 21, 2019

Not me, it was discovered by my colleague.

@rullzer
Member

rullzer commented Mar 21, 2019

It is kind of a bug, but also a feature. The issue is that the old clients handled SAML internally, which often did 💥 and caused relogins to happen all the time.

There is a bug somewhere in the SAML detection logic, but I can't figure out where, since I'm unable to reproduce it myself.
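The client logs posted above by mudasaryasin and lucode show the same three symptoms (auth-type probe redirected to the user_saml endpoint and answered with 405, no WWW-Authenticate challenge, authenticated PROPFIND redirected with 302 to the SAML login). As an added example, not code from the Nextcloud project, the script below triages such log lines and maps each symptom to the admin-side check discussed in this thread; the sample lines, hostname and request token are constructed placeholders, and the `overwriteprotocol` hint refers to the Nextcloud config.php key of that name.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the desktop client log excerpts in this thread
# (hostname and requesttoken are placeholders, not values from the issue).
SAMPLE_LOG = r"""
[OCC::DetermineAuthTypeJob::start Determining auth type for QUrl("https://cloud.example.test/remote.php/webdav/")
[OCC::AbstractNetworkJob::slotFinished QNetworkReply::NetworkError(ContentOperationNotPermittedError) "Server replied \"405 Method Not Allowed\" to \"PROPFIND https://cloud.example.test/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=\"" QVariant(int, 405)
[OCC::DetermineAuthTypeJob::start::::operator() Did not receive WWW-Authenticate reply to auth-test PROPFIND
[OCC::DetermineAuthTypeJob::checkBothDone Auth type for QUrl("https://cloud.example.test/remote.php/webdav/") is 3
[OCC::PropfindJob::finished *not* successful, http result code is 302 "http://cloud.example.test/apps/user_saml/saml/login?originalUrl=&idp=1&requesttoken=PLACEHOLDER"
[OCC::OwncloudSetupWizard::slotAuthError Authed request was redirected to "http://cloud.example.test/apps/user_saml/saml/login?originalUrl=&idp=1&requesttoken=PLACEHOLDER"
"""

AUTH_TYPE_RE = re.compile(r'Auth type for QUrl\("([^"]+)"\) is (\d+)')
PROPFIND_405_RE = re.compile(r'Server replied \\"405 Method Not Allowed\\" to \\"PROPFIND ([^\\]+)\\"')
REDIRECT_RE = re.compile(r'http result code is (3\d\d) "([^"]+)"')

# Each symptom seen in the thread, paired with the check an admin would make.
ADVICE = {
    "probe_405_on_saml_endpoint": "auth-type probe PROPFIND was redirected to the user_saml endpoint, which rejects it (405)",
    "no_www_authenticate": "no WWW-Authenticate challenge; the client falls through to the web-view login flow",
    "authed_propfind_redirected_to_saml": "authenticated PROPFIND bounced to the SAML login; check the SSO & SAML option 'Use SAML auth for the Nextcloud desktop clients'",
    "redirect_scheme_downgrade": "redirect target is plain http although the server was probed over https; check the reverse proxy / overwriteprotocol",
}

def triage(log_text):
    """Scan client log lines and return a list of (finding, detail) tuples."""
    findings, probed_scheme = [], None
    for line in log_text.splitlines():
        if m := AUTH_TYPE_RE.search(line):            # remember the scheme the client probed
            probed_scheme = urlsplit(m.group(1)).scheme
            findings.append(("auth_type", int(m.group(2))))
        if "Did not receive WWW-Authenticate" in line:
            findings.append(("no_www_authenticate", line.strip()))
        if (m := PROPFIND_405_RE.search(line)) and "/apps/user_saml/" in m.group(1):
            findings.append(("probe_405_on_saml_endpoint", m.group(1)))
        if m := REDIRECT_RE.search(line):             # 3xx on a request that carried credentials
            target = urlsplit(m.group(2))
            if target.path.endswith("/apps/user_saml/saml/login"):
                findings.append(("authed_propfind_redirected_to_saml", m.group(2)))
            if probed_scheme == "https" and target.scheme == "http":
                findings.append(("redirect_scheme_downgrade", m.group(2)))
    return findings

def advice(findings):
    """Deduplicated admin-side checks for the findings, in a stable order."""
    return sorted({ADVICE[code] for code, _ in findings if code in ADVICE})

if __name__ == "__main__":
    print("\n".join(advice(triage(SAMPLE_LOG))))
```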

@olivierb2

+1

@holger13

+3

@Yzed

Yzed commented May 25, 2019

Seeing the same with the Mac Desktop Client:

First the 302 redirect, then the next request gets a 405 "Method Not Allowed":

PROPFIND /apps/user_saml/saml/login?originalUrl=&[...]

NGINX is configured to allow PROPFIND.

After waiting a few seconds the Desktop Client actually seems to continue, is successfully logged in and starts syncing... it appears only the initial login gets a 405.

@pelzvieh

Same here, same fix worked.

@wget

wget commented Sep 28, 2019

Hello everyone,
I confirm this fixes the issue we had at The Document Foundation. I think we can close now.
#830 (comment)

@camilasan
Member

We fixed it with the new login flow in 2.6.
