First time login fails

[yksflip]

Hey,
I'm having a hard time to find the cause of a strange error. When a user logs into Nextcloud via sso for the first time (account creation), the user will only see a blank page. When trying again it works. I assume somthing with the account creation fails.

Any idea where this fails? Is there a way to get a more detailed error message?

Steps to reproduce:

1. User creates account in Authentik
2. User logs in the first time with sso in Nextcloud
3. User sees white page (http 500 on /apps/oidc_login)
4. User tries again to login and succeeds

Nextcloud log:

{
  "reqId": "a5N03tfCS5DgpdvKFU17",
  "level": 3,
  "time": "2021-11-02T12:39:29+00:00",
  "remoteAddr": "10.0.24.44",
  "user": "--",
  "app": "PHP",
  "method": "GET",
  "url": "/apps/oidc_login/oidc?code=ab61480230f544a38ebfb0c488a02da9&state=9c4ad81e4c2ff776711ae313e65ada5f",
  "message": "Nesting level too deep - recursive dependency? at /var/www/html/lib/private Log/ExceptionSerializer.php#212",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
  "version": "22.2.0.2"
}

config.php

  'overwriteprotocol' => 'https',
  'allow_user_to_change_display_name' => false,
  'lost_password_link' => 'disabled',
  'oidc_login_hide_password_form' => true,
  'oidc_login_provider_url' => 'https://sso.foobar.org/application/o/nextcloud/',
  'oidc_login_client_id' => 'nextcloud',
  'oidc_login_client_secret' => 'secret',
  'oidc_login_auto_redirect' => true,
  'oidc_login_logout_url' => 'https://sso.foobar.org/application/o/nextcloud/end-session/',
  'oidc_login_default_quota' => '1000000000',
  'oidc_login_button_text' => 'Log in with SSO',
  'oidc_login_attributes' =>
  array (
    'id' => 'preferred_username',
    'name' => 'given_name',
    'mail' => 'email',
    'groups' => 'groups',
    'quota' => 'nextcloud_quota',
  ),
  'oidc_login_default_group' => 'oidc',
  'oidc_login_use_external_storage' => false,
  'oidc_login_scope' => 'openid profile roles email',
  'oidc_login_proxy_ldap' => false,
  'oidc_login_disable_registration' => false,
  'oidc_login_redir_fallback' => false,
  'oidc_login_tls_verify' => true,
  'oidc_create_groups' => true,

[treasuretron]

@yksflip did you ever solve this? You are using Co-op Cloud by chance?

We are having the same issue with Keycloak on Co-op Cloud. The log that it spits out when someone logs in for the first time:

|2022-03-10T14:07:35.754832000Z 2022/03/10 14:07:35 [error] 31#31: *358 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Nesting level too deep - recursive dependency? in /var/www/html/lib/private/Log/ExceptionSerializer.php on line 212" while reading response header from upstream, client: 10.0.5.47, server: , request: "GET /apps/oidc_login/oidc?state=c9949de9ea06a57c418cec9b53eac981&session_state=abf9d930-4277-4964-9319-a71344a230db&code=932260f1-d283-48b0-bb83-2e7759eea4cb.abf9d930-4277-4964-9319-a71344a230db.a441dd44-2634-4c7b-a6d6-7b0979889395 HTTP/1.1", upstream: "fastcgi://10.0.7.9:9000", host: "nextcloud.vrec.coop"
�2022-03-10T14:07:35.755180000Z 10.0.5.47 - - [10/Mar/2022:14:07:35 +0000] "GET /apps/oidc_login/oidc?state=c9949de9ea06a57c418cec9b53eac981&session_state=abf9d930-4277-4964-9319-a71344a230db&code=932260f1-d283-48b0-bb83-2e7759eea4cb.abf9d930-4277-4964-9319-a71344a230db.a441dd44-2634-4c7b-a6d6-7b0979889395 HTTP/1.1" 500 5 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" "69.5.112.49"
�2022-03-10T14:07:35.746321000Z NOTICE: PHP message: PHP Fatal error:  Nesting level too deep - recursive dependency? in /var/www/html/lib/private/Log/ExceptionSerializer.php on line 212
\2022-03-10T14:07:35.746570000Z 10.0.7.14 -  10/Mar/2022:14:07:34 +0000 "GET /index.php" 500

We upgraded from 22.1.0 to 23.0.1, same issue

[trensetim]

Can confirm this behavior with a blank docker installation of 23.0.2-apache and this plugin setup.
After revisiting the login page and selecting to sign in with oidc again, the second time (reproducibly) works as expected

[p00rt]

workaround is using https://github.com/zorn-v/nextcloud-social-login as it's providing all the functionality we needed

[qchn]

Hello,

I experience the same issue with my nextcloud instance which is deployed on my Kubernetes setup.

Steps to reproduce:

1. Login with privileged user via OIDC login
2. Navigate to /settings/users
3. Click on "New User"
4. Fill in the users information including e-mail, password and display name
5. Click "Add new user"
6. Error appears: "An error occured during the request. Unable to proceed."
7. User will be added anyways
8. After that, the user is present in the users list and the admin can edit the user's information as expected and the welcome e-mail will be sent

Log from pod:

[Wed Apr 13 16:25:11.519191 2022] [php:error] [pid 5453] [client REDACTED_FOR_PRIVACY:0] PHP Fatal error: Nesting level too deep - recursive dependency? in /var/www/html/lib/private/Log/ExceptionSerializer.php on line 212

Can someone help me with this?

Regards
qchn

[p00rt]

if you need a quick hack to get it working just edit the function that fails. IIRC this worked for me. Don't do this in production please, only if you're testing.

        private function removeValuesFromArgs($args, $values) {
/*
                  foreach ($args as &$arg) {
                        if (in_array($arg, $values, true)) {
                                $arg = '*** sensitive parameter replaced ***';
                        } elseif (is_array($arg)) {
                                $arg = $this->removeValuesFromArgs($arg, $values);
                        }
                }
*/
                return $args;
        }

[qchn]

Hi @p00rt,
thanks for the hint, this quickfix works but isn't a sufficient solution for me because the users then will be created without an error message but also, without the email-address given in the user create dialogue... :-)

While further debugging this, I found out that in my case this hasn't to do with oidc plugin.
See: nextcloud/helm#229

Regards
qchn

[waja]

hi there,

isn't a sufficient solution for me because the users then will be created without an error message but also, without the email-address given in the user create dialogue... :-)

while also affected by the issue (not related to oidc) I can't confirm the issue about the email-adress. commenting out the foreach loop, the (userfacing) problem passes away and the user is created as expected. This issue started with Nextcloud 22, it's not present in Nextcloud 21.