Steps to reproduce
- Nextcloud with Keycloak as Login Provider
- Keycloak with GitLab as Login Provider
- Logged out in Nextcloud, Keycloak and GitLab
- Log in to Nextcloud with Keycloak
- After being forwarded to Keycloak, log in with GitLab
- Log in to GitLab
Expected behaviour
After logging in to GitLab, it should redirect back to Nextcloud
Actual behaviour
GitLab asks for consent to allow Keycloak to access the user profile, even when Keycloak is marked as a trusted application in GitLab. The behavior comes from user_oidc/lib/Controller/LoginController.php (line 273 in 79e49c2):
'prompt' => $oidcConfig['prompt'] ?? 'consent'
because user_oidc sends the prompt=consent parameter as default. This is pretty annoying. When we set prompt to "none", Nextcloud reports an access forbidden by the login provider if no session is present, which is also annoying. And prompt=login is also not an option because it kills all sessions in our Keycloak for every other application. And prompt=internal forces an error in Keycloak. I think this behaviour will also apply if we use GitLab directly as login provider, without Keycloak in between.
The next problem here is that Keycloak forwards the prompt parameter to GitLab if GitLab is set as "unspecified" in Keycloak. Every other setting doesn't work.
If we comment out this line of code, everything works fine.
The prompt parameter is not mandatory in OIDC. There should be an option to disable the prompt parameter from being sent at all.
Server configuration
Web server: Apache/Nginx
not relevant
Database: MySQL/Maria/SQLite/PostgreSQL
not relevant
PHP version: 8.1/8.2/8.3
not relevant
Nextcloud version: (see Nextcloud admin page)
31.0.7
List of activated apps
user_oidc
Browser
Browser name: Firefox/Chrome/Safari/…
not relevant (all browsers)
Browser version: 124/125/…
not relevant (all browsers)
Operating system: Windows/Ubuntu/Mac/…
not relevant (all OS)
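A sketch of the option requested above, added here as an example and not taken from user_oidc: a helper that keeps the current `consent` default, omits `prompt` entirely when it is configured as empty, and accepts only the values defined in OpenID Connect Core. The function name, the "empty string or false means omit" convention, and all sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not user_oidc code. $oidcConfig mirrors the array seen
// in the issue; treating '' or false as "send no prompt" is an assumption.
const ALLOWED_PROMPTS = ['none', 'login', 'consent', 'select_account'];

function buildAuthorizationParams(array $oidcConfig, string $clientId,
                                  string $redirectUri, string $state, string $nonce): array {
    $params = [
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => 'openid',
        'state'         => $state,
        'nonce'         => $nonce,
    ];

    // Key absent: keep today's default. Key set to '' or false: omit the parameter.
    $prompt = trim((string)($oidcConfig['prompt'] ?? 'consent'));
    if ($prompt === '') {
        return $params; // prompt is OPTIONAL in OIDC Core, so the IdP decides
    }

    // prompt is a space-delimited list; reject anything the spec does not define.
    $values  = preg_split('/\s+/', $prompt);
    $unknown = array_diff($values, ALLOWED_PROMPTS);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unsupported prompt value: ' . implode(' ', $unknown));
    }
    // The spec makes "none" combined with any other value an error.
    if (in_array('none', $values, true) && count($values) > 1) {
        throw new InvalidArgumentException('"none" cannot be combined with other prompt values');
    }

    $params['prompt'] = implode(' ', $values);
    return $params;
}

// Constructed sample configurations: default, disabled, explicit list.
foreach ([[], ['prompt' => ''], ['prompt' => 'login consent']] as $cfg) {
    $p = buildAuthorizationParams($cfg, 'nextcloud', 'https://cloud.example.test/callback', 'st-123', 'n-456');
    echo http_build_query($p), PHP_EOL;
}
```

With `prompt` omitted, whether a consent screen appears is left to the identity provider's own policy, such as a trusted-application setting.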