Desktop: Login in with the desktop client when using SSO (SAML with Keycloak) fails

Created on 13 Feb 2019 · 21 Comments · Source: nextcloud/desktop

We run a Nextcloud instance on Hetzner and use a Keycloak ID server, which allows SSO with SAML.
In the browser everything works great, but we can't log in to Nextcloud with the Desktop Client.
The Android client works too, but with the Desktop client the process gets stuck when I want to grant access to the files. We are not the only ones who struggle with this issue:
https://help.nextcloud.com/t/issue-login-in-with-the-desktop-client-when-using-sso-saml-with-keycloak/47063

Expected behaviour

The client should at this stage connect to the server and start synchronizing the files.

Actual behaviour

(https://help.nextcloud.com/uploads/default/original/2X/7/7675f215c2f638e02511e93f0d3ae79599a4d726.png)
The client then shows this state forever. The same situation occurs when I use the app token instead of the password. When I look in my settings I see that both the Desktop and Android clients are connected properly, so I assume the error is neither on the server nor on the Keycloak side. It must be a Desktop Client issue.

Steps to reproduce

Same issue on different machines (Win & Ubuntu)

Client configuration

Client version:

I have installed client Windows version: Version 2.5.1final (build 20181204).
And Ubuntu ppa version 2.5.1. It is the same issue.

Operating system:
Win 10
OS language:
German and EN

Installation path of client:
C:\Program Files (x86)\Nextcloudnextcloud.exe

Server configuration

Hetzner Owncloud SaaS

Nextcloud version:
15.0.2

Logs

I don't get any logs, because the client is not yet running.

  1. Web server error log:
    not accessible
  2. Server logfile: nextcloud log (data/nextcloud.log):
    No server logs
0. Needs triage feature authentication

All 21 comments

In our scenario, when we try to log in via NC DesktopClient V2.51 and SSO & SAML, I get the SSO authentication login screen for user and PW input:
https://paste.pics/13434e7ad815a98fb4fd93ae320819a6
https://paste.pics/38c6db52f1c2e47424508f7fca7da567

After that we are stuck at that screen
https://paste.pics/cc6ca7340737e07c885c21ba32adf2ce

@duckdiver that is another issue. Your issue happens before the client wants to start to sync. Login basically works in our scenario.

with NC Server V13

@lucode don't you get stuck already at the first screen?

No at the last one:

When I look in my settings I see there both Desktop and Android client are connected properly,

From my point of view you mixed up some configs about using token or password.

No,
but the credentials are not sent within Mozilla-APP with NC Desktop Client.
When logging in with the IE web browser it works perfectly.
Also with the mobile app.

Guys, any workaround? I am facing this issue even though I log in successfully from IE.

OS = centos 7.6.1810
PHP version = 7.2.14
NC version = 15.0.2.0
Client = 2.5.1final (build 20181204)] os:[Windows 7 SP 1
Here are logs on client

[OCC::Application::setupLogging     "################## Nextcloud locale:[en_US] ui_lang:[] version:[2.5.1final (build 20181204)] os:[Windows 7 SP 1 (6.1)]"
[OCC::Application::setupTranslations    Using "en_US" translation
[OCC::SocketApi::SocketApi  server started, listening at  "\\\\.\\pipe\\owmync-mudasar"
[OCC::FolderMan::FolderMan  setting remote poll timer interval to 30000 msec
[unknown    QSslSocket: cannot resolve SSL_CONF_CTX_new
[unknown    QSslSocket: cannot resolve SSL_CONF_CTX_free
[unknown    QSslSocket: cannot resolve SSL_CONF_CTX_set_ssl_ctx
[unknown    QSslSocket: cannot resolve SSL_CONF_CTX_set_flags
[unknown    QSslSocket: cannot resolve SSL_CONF_CTX_finish
[unknown    QSslSocket: cannot resolve SSL_CONF_cmd
[unknown    QSslSocket: cannot resolve SSL_set_alpn_protos
[unknown    QSslSocket: cannot resolve SSL_CTX_set_alpn_select_cb
[unknown    QSslSocket: cannot resolve SSL_get0_alpn_selected
[OCC::owmyncGui::setupContextMenu   Tray menu workarounds: noabouttoshow: false fakedoubleclick: false showhide: false manualvisibility: false
[OCC::FolderMan::setupFoldersMigration  Setup folders from  "C:/Users/mudasar.abc/AppData/Roaming/Nextcloud/folders" (migration)
[OCC::ClientProxy::setupQtProxyFromConfig   Set proxy configuration to use system configuration
[OCC::owmyncGui::slotOpenSettingsDialog     No configured folders yet, starting setup wizard
[unknown    Could not parse stylesheet of object 0x44a2d3b0
[OCC::WebViewPage::WebViewPage  Time for a webview!
[unknown    Could not parse stylesheet of object 0x44a2d3b0
[unknown    Could not parse stylesheet of object 0x44a2d3b0
[OCC::OCUpdater::backgroundCheckForUpdate   Checking for available update
[OCC::AccessManager::createRequest  2 "" "https://updates.nextcloud.org/client/?version=2.5.1.20181204&platform=win32&oem=Nextcloud&versionsuffix=final" has X-Request-ID "b8373a9f-fa47-45aa-a502-xxxxx"
[OCC::NSISUpdater::versionInfoArrived   Client is on latest version!
[OCC::OwmyncSetupWizard::slotSystemProxyLookupDone  No system proxy set by OS
[OCC::AccessManager::createRequest  2 "" "https://mync.xxxx.co/status.php" has X-Request-ID "7ac26b02-1f31-4cff-9229-xxxxx"
[OCC::AbstractNetworkJob::start     OCC::CheckServerJob created for "https://mync.xxxx.co" + "status.php" "OCC::OwmyncSetupWizard"
[OCC::CheckServerJob::finished  No SSL session identifier / session ticket is used, this might impact sync performance negatively.
[OCC::CheckServerJob::finished  status.php returns:  QJsonDocument({"edition":"","installed":true,"maintenance":false,"needsDbUpgrade":false,"productname":"xxxx.co","version":"15.0.2.0","versionstring":"15.0.2"})   QNetworkReply::NetworkError(NoError)  Reply:  QNetworkReplyHttpImpl(0x4b4e87f0)
[OCC::DetermineAuthTypeJob::start   Determining auth type for QUrl("https://mync.xxxx.co/remote.php/webdav/")
[OCC::AccessManager::createRequest  2 "" "https://mync.xxxx.co/remote.php/webdav/" has X-Request-ID "c6a8e6a8-f886-4e9d-80bb-0032b83a9391"
[OCC::AbstractNetworkJob::start     OCC::SimpleNetworkJob created for "https://mync.xxxx.co" + "" "OCC::Account"
[OCC::AccessManager::createRequest  6 "PROPFIND" "https://mync.xxxx.co/remote.php/webdav/" has X-Request-ID "cb37f360-ec23-4011-b6ab-6c436033fa91"
[OCC::AbstractNetworkJob::start     OCC::SimpleNetworkJob created for "https://mync.xxxx.co" + "" "OCC::Account"
[OCC::AbstractNetworkJob::slotFinished  Redirecting "GET" QUrl("https://mync.xxxx.co/remote.php/webdav/") QUrl("https://mync.xxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=")
[OCC::AccessManager::createRequest  2 "" "https://mync.xxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=" has X-Request-ID "a8757083-a687-4e4c-83f7-1d2359609880"
[OCC::AbstractNetworkJob::slotFinished  Redirecting "PROPFIND" QUrl("https://mync.xxxx.co/remote.php/webdav/") QUrl("https://mync.xxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=")
[OCC::AccessManager::createRequest  6 "PROPFIND" "https://mync.xxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=" has X-Request-ID "8a75e3e0-1938-4a8a-b27a-4b6620f6ecd9"
[OCC::AbstractNetworkJob::slotFinished  QNetworkReply::NetworkError(ContentOperationNotPermittedError) "Server replied \"405 Method Not Allowed\" to \"PROPFIND https://mync.xxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=\"" QVariant(int, 405)
[OCC::DetermineAuthTypeJob::start::::operator()     Did not receive WWW-Authenticate reply to auth-test PROPFIND
[OCC::DetermineAuthTypeJob::checkBothDone   Auth type for QUrl("https://mync.xxxx.co/remote.php/webdav/") is 3
[OCC::WebViewPage::initializePage   Url to auth at:  "https://mync.xxxx.co/index.php/login/flow"
[OCC::WebViewPageUrlSchemeHandler::requestStarted   Got user:  "mudasar" , server:  "https://mync.xxxx.co"
[OCC::WebViewPage::urlCatched   Got user:  "mudasar" , server:  "https://mync.xxxx.co"
[OCC::WebViewPage::urlCatched   URL:  "https://mync.xxxx.co"
[OCC::OwmyncSetupWizard::slotConnectToOCUrl     Connect to url:  "https://mync.xxxx.co"
[OCC::WebFlowCredentials::createQNAM    Get QNAM
[OCC::AccessManager::createRequest  6 "PROPFIND" "https://mync.xxxx.co/remote.php/webdav/" has X-Request-ID "2ea7c8c0-20e9-4c7b-b59a-b644fc49d414"
[OCC::AbstractNetworkJob::start     OCC::PropfindJob created for "https://mync.xxxx.co" + "/" "OCC::OwmyncSetupWizard"
[OCC::WebFlowCredentials::slotFinished  request finished
[OCC::WebFlowCredentials::stillValid    Still valid?
[OCC::WebFlowCredentials::stillValid    QNetworkReply::NetworkError(NoError)

OCC::PropfindJob::finished  *not* successful, http result code is 302 "https://mync.xxxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl="
[OCC::OwmyncSetupWizard::slotAuthError  Authed request was redirected to "https://mync.xxxxx.co/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl="
[OCC::WebViewPageUrlSchemeHandler::requestStarted   Got user:  "YMudasar" , server:  "https://mync.xxxxx.co"
[OCC::WebViewPage::urlCatched   Got user:  "YMudasar" , server:  "https://mync.xxxxx.co"
[OCC::WebViewPage::urlCatched   URL:  "https://mync.xxxxx.co"
[OCC::OwmyncSetupWizard::slotConnectToOCUrl     Connect to url:  "https://mync.xxxxx.co"
[OCC::WebFlowCredentials::createQNAM    Get QNAM
[OCC::AccessManager::createRequest  6 "PROPFIND" "https://mync.xxxxx.co/remote.php/webdav/" has X-Request-ID "xxxxx-6ac2-4efd-9147-xxxxxxx"
[OCC::AbstractNetworkJob::start     OCC::PropfindJob created for "https://mync.xxxxx.co" + "/" "OCC::OwmyncSetupWizard"
[OCC::WebFlowCredentials::slotFinished  request finished
[OCC::WebFlowCredentials::stillValid    Still valid?
[OCC::WebFlowCredentials::stillValid    QNetworkReply::NetworkError(NoError)
[OCC::WebFlowCredentials::stillValid    "Unknown error"

Guys any clue?

I got the log now:

[OCC::AbstractNetworkJob::start     OCC::PropfindJob created for "https://nc.cooby.org" + "/" "OCC::OwncloudSetupWizard"
[OCC::WebFlowCredentials::slotFinished  request finished
[OCC::WebFlowCredentials::stillValid    Still valid?
[OCC::WebFlowCredentials::stillValid    QNetworkReply::NetworkError(NoError)
[OCC::WebFlowCredentials::stillValid    "Unbekannter Fehler"
[OCC::PropfindJob::finished     PROPFIND of QUrl("https://nc.cooby.org/remote.php/webdav/") FINISHED WITH STATUS "OK"
[OCC::PropfindJob::finished     *not* successful, http result code is 302 "http://nc.cooby.org/apps/user_saml/saml/login?originalUrl=&idp=1&requesttoken=7cmxYSv2hqN03nDPJGkOqtDvhnp/iEm/ZrCQzDBAbkk%3D%3AjPDwUxqv4ZocpDqFEztW8JLXxS4axgXLKf/cgF8rFic%3D"
[OCC::OwncloudSetupWizard::slotAuthError    Authed request was redirected to "http://nc.cooby.org/apps/user_saml/saml/login?originalUrl=&idp=1&requesttoken=7cmxYSv2hqN03nDPJGkOqtDvhnp/iEm/ZrCQzDBAbkk%3D%3AjPDwUxqv4ZocpDqFEztW8JLXxS4axgXLKf/cgF8rFic%3D"

Is on another server with NC 15.0.2 installed.

For me it is working fine after disabling this option in SSO and SAML plugin

"Use SAML auth for the ibex Nextcloud desktop clients (requires user re-authentication)"

@mudasaryasin you are our hero, your suggestion works for us too.
The question remains if this is a bug or a feature?

Not me, it was discovered by my colleague.

It is kind of a bug. But also a feature. The issue is that the old clients handled saml internally. Which often did :boom: and caused relogins to happen all the time.

There is a bug somewhere in the saml detection logic. But I can't figure out where since I'm unable to reproduce it myself.

+1

+3

seeing same with Mac Desktop Client:

first the 302 redirect, then next request gets a "Method not allowed" 405:

PROPFIND /apps/user_saml/saml/login?originalUrl=&[...]

NGINX is configured to allow PROPFIND

after waiting a few seconds the Desktop Client actually seems to continue, is successfully logged in and starts syncing... it appears the initial login gets a 405 only.

Same here, same fix worked.

Hello everyone,
I confirm this is fixing the issue we had at The Document Foundation. I think we can close now.
https://github.com/nextcloud/desktop/issues/830#issuecomment-449589408

We fixed it with the new login flow in 2.6.
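
The failure signatures in the client logs quoted in this thread can be picked out mechanically. The following is an added example, not code from the Nextcloud client or from any commenter: the sample log is constructed (placeholder host cloud.example.org) and the finding names are made up for illustration. It flags a 405 on a PROPFIND sent to a user_saml endpoint, an authenticated request redirected to the SAML login, and a redirect that leaves https for http, as in the nc.cooby.org lines.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the client log lines quoted in this thread;
# cloud.example.org is a placeholder host.
SAMPLE_LOG = r'''
[OCC::AbstractNetworkJob::slotFinished  Redirecting "PROPFIND" QUrl("https://cloud.example.org/remote.php/webdav/") QUrl("https://cloud.example.org/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=")
[OCC::AbstractNetworkJob::slotFinished  QNetworkReply::NetworkError(ContentOperationNotPermittedError) "Server replied \"405 Method Not Allowed\" to \"PROPFIND https://cloud.example.org/index.php/apps/user_saml/saml/selectUserBackEnd?redirectUrl=\"" QVariant(int, 405)
[OCC::PropfindJob::finished     PROPFIND of QUrl("https://cloud.example.org/remote.php/webdav/") FINISHED WITH STATUS "OK"
[OCC::PropfindJob::finished     *not* successful, http result code is 302 "http://cloud.example.org/apps/user_saml/saml/login?originalUrl=&idp=1"
[OCC::OwncloudSetupWizard::slotAuthError    Authed request was redirected to "http://cloud.example.org/apps/user_saml/saml/login?originalUrl=&idp=1"
'''.strip()

URL = re.compile(r'https?://[^\s"\\)]+')   # stop at quote, backslash, ')' or space
SAML_PATH = "/apps/user_saml/saml/"        # user_saml endpoints seen in the logs
DAV_PATH = "/remote.php/webdav"            # WebDAV endpoint the client probes


def analyze(log_text):
    """Return (line_number, finding) tuples for SAML-related login failures."""
    findings, dav_scheme = [], None
    for n, line in enumerate(log_text.splitlines(), 1):
        urls = [urlsplit(u) for u in URL.findall(line)]
        for u in urls:
            if DAV_PATH in u.path:
                dav_scheme = u.scheme      # remember how WebDAV was requested
        saml = [u for u in urls if SAML_PATH in u.path]
        if not saml:
            continue
        target = saml[-1]
        if "405 Method Not Allowed" in line:
            findings.append((n, "propfind-405-on-saml-endpoint"))
        if "Authed request was redirected to" in line:
            findings.append((n, "authed-request-redirected-to-saml"))
        if dav_scheme == "https" and target.scheme == "http":
            findings.append((n, "https-to-http-redirect"))
    return findings


if __name__ == "__main__":
    for lineno, finding in analyze(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```
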
