Document loading fails when using oauth2 proxy for collabora - no access token is sent (302 redirect breaking it?) #3573

Open
k-jell opened this issue Apr 8, 2024 · 0 comments

k-jell commented Apr 8, 2024

Describe the bug
Loading a document fails initially when using an oauth2 proxy in front of collabora. Nextcloud will show this error:

Failed to read document from storage, please try to load the document again.

Please check the Collabora Online server log for more details and make sure that Nextcloud can be reached from there.

When the first request to collabora (http://collabora.example.org/browser/a7d2941/cool.html?WOPISrc=http%3A%2F%2F10.10.10.1%3A9999%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1717_ocr50ypxrjmg&title=%2Ftesting.odt&lang=en&closebutton=1&revisionhistory=1) is made and the user is not yet authenticated by the authproxy, the browser receives a 302 redirect and the user gets authenticated (and after that is of course redirected to the original URL, resulting in an HTTP 200 response).

This seems to cause the following websocket request to not contain the access_token, which results in an error in the collabora server (see collabora log).

Request URL:
ws://collabora.example.org/cool/http%3A%2F%2F10.10.10.1%3A9999%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1717_ocr50ypxrjmg/ws?WOPISrc=http://10.10.10.1:9999/index.php/apps/richdocuments/wopi/files/1717_ocr50ypxrjmg&compat=/ws

In the nextcloud logs this error appears:

 Uncaught error: OCA\Richdocuments\Db\WopiMapper::getWopiForToken(): Argument #1 ($token) must be of type string, null given, called in /var/www/html/custom_apps/richdocuments/lib/Middleware/WOPIMiddleware.php on line 81 in file '/var/www/html/custom_apps/richdocuments/lib/Db/WopiMapper.php' line 142 

After this initial request (for example when just refreshing) the access token is included in the URL and loading a document works:
ws://collabora.example.org/cool/http%3A%2F%2F10.10.10.1%3A9999%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1717_ocr50ypxrjmg%3Faccess_token%3DiT6UfHIWmtxxxxxxn5A5zf%26access_token_ttl%3D0/ws?WOPISrc=http://10.10.10.1:9999/index.php/apps/richdocuments/wopi/files/1717_ocr50ypxrjmg&compat=/ws

Is there any way to make the first request work?

To Reproduce
Steps to reproduce the behavior:

  1. run oauth2-proxy in front of collabora
  2. try to open any document
  3. document does not load when the user is not already authenticated

Expected behavior
Document loads after authentication is done without having to refresh.

Client details:

  • Browser Firefox, Chrome

Server details

Nextcloud version: 28.0.3
Version of the richdocuments app: 8.3.2
Version of Collabora Online: 23.05.8.2.1
Configuration of the richdocuments app

{
    "apps": {
        "richdocuments": {
            "disable_certificate_verification": "yes",
            "enabled": "yes",
            "installed_version": "8.3.2",
            "public_wopi_url": "http:\/\/collabora.example.org",
            "types": "prevent_group_restriction",
            "wopi_callback_url": "http:\/\/10.10.10.1:9999",
            "wopi_url": "http:\/\/10.10.10.1:9998"
        }
    }
}

Logs

Nextcloud log (data/nextcloud.log)

 Uncaught error: OCA\Richdocuments\Db\WopiMapper::getWopiForToken(): Argument #1 ($token) must be of type string, null given, called in /var/www/html/custom_apps/richdocuments/lib/Middleware/WOPIMiddleware.php on line 81 in file '/var/www/html/custom_apps/richdocuments/lib/Db/WopiMapper.php' line 142 

Collabora log

wsd-00009-00247 2024-04-08 14:47:46.519162 +0000 [ docbroker_017 ] ERR  No HTTP Authorization type detected. Assuming no authorization needed. Specify access_token to set the Authorization Bearer header.| common/Authorization.cpp:86
frk-00029-00029 2024-04-08 14:47:46.519371 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:529
wsd-00009-00247 2024-04-08 14:47:46.549027 +0000 [ docbroker_017 ] ERR  WOPI::CheckFileInfo failed for URI [http://10.10.10.1:9999/index.php/apps/richdocuments/wopi/files/1717_ocr50ypxrjmg]: 500 (Internal Server Error) Internal Server Error. Headers: Date: Mon, 08 Apr 2024 14:47:46 GMT / Server: Apache/2.4.57 (Debian) / Referrer-Policy: no-referrer / X-Content-Type-Options: nosniff / X-Frame-Options: SAMEORIGIN / X-Permitted-Cross-Domain-Policies: none / X-Robots-Tag: noindex, nofollow / X-XSS-Protection: 1; mode=block / X-Powered-By: PHP/8.2.16 / Set-Cookie: ocr50ypxrjmg=2b22babf4be66b76a62512892acd67ed; path=/; HttpOnly; SameSite=Lax / Expires: Thu, 19 Nov 1981 08:52:00 GMT / Cache-Control: no-cache, no-store, must-revalidate / Pragma: no-cache / Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none' / X-Request-Id: 0xiQKJB9Yv2sJcCLGeIf / Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none' / Content-Length: 19 / Connection: close / Content-Type: application/json; charset=utf-8	Body: [{"message":"Error"}]| wsd/Storage.cpp:708
wsd-00009-00247 2024-04-08 14:47:46.549088 +0000 [ docbroker_017 ] ERR  loading document exception: WOPI::CheckFileInfo failed: {"message":"Error"}| wsd/DocumentBroker.cpp:2679
wsd-00009-00247 2024-04-08 14:47:46.549104 +0000 [ docbroker_017 ] ERR  Failed to add session to [http%3A%2F%2F10.10.10.1%3A9999%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1717_ocr50ypxrjmg] with URI [http://10.10.10.1:9999/index.php/apps/richdocuments/wopi/files/1717_ocr50ypxrjmg]: WOPI::CheckFileInfo failed: {"message":"Error"}| wsd/DocumentBroker.cpp:2641
wsd-00009-00247 2024-04-08 14:47:46.549118 +0000 [ docbroker_017 ] ERR  Storage error while starting session on http%3A%2F%2F10.10.10.1%3A9999%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1717_ocr50ypxrjmg for socket #18. Terminating connection. Error: WOPI::CheckFileInfo failed: {"message":"Error"}| wsd/COOLWSD.cpp:5434
wsd-00009-00247 2024-04-08 14:47:46.556158 +0000 [ docbroker_017 ] ERR  #26: Read failed, have 0 buffered bytes (ECONNRESET: Connection reset by peer)| net/Socket.hpp:1137
wsd-00009-00247 2024-04-08 14:47:46.556189 +0000 [ docbroker_017 ] WRN  #26: Unassociated Kit (233) disconnected unexpectedly| wsd/COOLWSD.cpp:3851
wsd-00009-00249 2024-04-08 14:47:46.728920 +0000 [ docbroker_018 ] ERR  No HTTP Authorization type detected. Assuming no authorization needed. Specify access_token to set the Authorization Bearer header.| common/Authorization.cpp:86
sh: 1: /usr/bin/coolmount: Operation not permitted
sh: 1: /usr/bin/coolmount: Operation not permitted
sh: 1: /usr/bin/coolmount: Operation not permitted
wsd-00009-00249 2024-04-08 14:47:46.754493 +0000 [ docbroker_018 ] ERR  WOPI::CheckFileInfo failed for URI [http://10.10.10.1:9999/index.php/apps/richdocuments/wopi/files/1717_ocr50ypxrjmg?permission=edit]: 500 (Internal Server Error) Internal Server Error. Headers: Date: Mon, 08 Apr 2024 14:47:46 GMT / Server: Apache/2.4.57 (Debian) / Referrer-Policy: no-referrer / X-Content-Type-Options: nosniff / X-Frame-Options: SAMEORIGIN / X-Permitted-Cross-Domain-Policies: none / X-Robots-Tag: noindex, nofollow / X-XSS-Protection: 1; mode=block / X-Powered-By: PHP/8.2.16 / Set-Cookie: ocr50ypxrjmg=a0a9eac0b802a0a60c8b751a30b401b9; path=/; HttpOnly; SameSite=Lax / Expires: Thu, 19 Nov 1981 08:52:00 GMT / Cache-Control: no-cache, no-store, must-revalidate / Pragma: no-cache / Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none' / X-Request-Id: gGOmbYwF3TdgBV6dt8JM / Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none' / Content-Length: 19 / Connection: close / Content-Type: application/json; charset=utf-8	Body: [{"message":"Error"}]| wsd/Storage.cpp:708
wsd-00009-00249 2024-04-08 14:47:46.754562 +0000 [ docbroker_018 ] ERR  loading document exception: WOPI::CheckFileInfo failed: {"message":"Error"}| wsd/DocumentBroker.cpp:2679
wsd-00009-00249 2024-04-08 14:47:46.754581 +0000 [ docbroker_018 ] ERR  Failed to add session to [http%3A%2F%2F10.10.10.1%3A9999%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1717_ocr50ypxrjmg] with URI [http://10.10.10.1:9999/index.php/apps/richdocuments/wopi/files/1717_ocr50ypxrjmg?permission=edit]: WOPI::CheckFileInfo failed: {"message":"Error"}| wsd/DocumentBroker.cpp:2641
wsd-00009-00249 2024-04-08 14:47:46.754599 +0000 [ docbroker_018 ] ERR  Storage error while starting session on http%3A%2F%2F10.10.10.1%3A9999%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1717_ocr50ypxrjmg for socket #25. Terminating connection. Error: WOPI::CheckFileInfo failed: {"message":"Error"}| wsd/COOLWSD.cpp:5434
wsd-00009-00249 2024-04-08 14:47:46.761977 +0000 [ docbroker_018 ] ERR  #18: Read failed, have 0 buffered bytes (ECONNRESET: Connection reset by peer)| net/Socket.hpp:1137
wsd-00009-00249 2024-04-08 14:47:46.762004 +0000 [ docbroker_018 ] WRN  #18: Unassociated Kit (248) disconnected unexpectedly| wsd/COOLWSD.cpp:3851
frk-00029-00029 2024-04-08 14:47:46.779736 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:529
k-jell changed the title from "Document loading fails when using oauth2 proxy for collabora - no acces token is sent (302 redirect breaking it?)" to "Document loading fails when using oauth2 proxy for collabora - no access token is sent (302 redirect breaking it?)" on Apr 8, 2024
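
Added example (not part of the issue and not richdocuments or Collabora code): a Python check that decodes the document segment of a `/cool/<doc>/ws` URL, using the two websocket URLs quoted in the issue above, and reports whether an `access_token` is embedded without echoing the full token. The function names are illustrative, and the path layout is assumed from those two URLs only.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Both URLs are copied from the issue text (the reporter already redacted the token).
FIRST_WS = (
    "ws://collabora.example.org/cool/http%3A%2F%2F10.10.10.1%3A9999%2Findex.php"
    "%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1717_ocr50ypxrjmg/ws"
    "?WOPISrc=http://10.10.10.1:9999/index.php/apps/richdocuments/wopi/files/"
    "1717_ocr50ypxrjmg&compat=/ws"
)
AFTER_REFRESH_WS = (
    "ws://collabora.example.org/cool/http%3A%2F%2F10.10.10.1%3A9999%2Findex.php"
    "%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1717_ocr50ypxrjmg"
    "%3Faccess_token%3DiT6UfHIWmtxxxxxxn5A5zf%26access_token_ttl%3D0/ws"
    "?WOPISrc=http://10.10.10.1:9999/index.php/apps/richdocuments/wopi/files/"
    "1717_ocr50ypxrjmg&compat=/ws"
)


def inspect_ws_url(ws_url):
    """Decode the percent-encoded WOPI URI inside a /cool/<doc>/ws path."""
    parts = urlsplit(ws_url).path.split("/")  # path is still percent-encoded here
    if len(parts) != 4 or parts[1] != "cool" or parts[3] != "ws":
        raise ValueError("expected a path of the form /cool/<encoded WOPI URI>/ws")
    inner = urlsplit(unquote(parts[2]))  # the WOPI URI, with its own query string
    token = parse_qs(inner.query).get("access_token", [""])[0]
    return {
        "wopi_src": f"{inner.scheme}://{inner.netloc}{inner.path}",
        "file_id": inner.path.rsplit("/", 1)[-1],
        "has_access_token": bool(token),
        # Only a short prefix, so the result is safe to paste into a ticket or log.
        "token_preview": token[:4] + "..." if token else None,
    }


def sessions_missing_token(ws_urls):
    """Return the file ids of websocket URLs that carry no access_token."""
    infos = [inspect_ws_url(u) for u in ws_urls]
    return [i["file_id"] for i in infos if not i["has_access_token"]]


if __name__ == "__main__":
    for url in (FIRST_WS, AFTER_REFRESH_WS):
        print(inspect_ws_url(url))
    print("missing token:", sessions_missing_token([FIRST_WS, AFTER_REFRESH_WS]))
```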