Fix potential login -> logout loop when allow_multiple_user_backends is 0 #761
base: main
Conversation
@isdnfan Answering to #743 (comment) here if you don't mind 😁 . Could you try again? There was a bug in the fix 🙈 . It's now fixed. The auto redirection didn't work when the
hi Julien I'm using Firefox 121.0.1 on Windows 10 (but loop happens on Edge as well). I'm doing "nothing" to enter the loop. In my installation deck app is disabled so main app is files
I was under the impression the issue is related to 'auto_logout': after your last update it worked when the setting was true and looped at false. But switching it back was not really stable. Additionally I observed an interesting behavior: with the last fix the loop happens, but after looping 10 or 20 times a successful login happens and the browser hits the Files app page.. For me 'GET /login?redirect_url=/logout?requesttoken' sounds strange - if I get it right this makes the client login just to proceed with logout again? This request is the first request when the client comes back from the IdP. I added the whole browser HAR file - dev-nc. is Nextcloud 28.0.1 and sso. is the IdP (Zitadel) - just replaced my domain with <mydomain.tld>.
@isdnfan Thanks. I need more details to make sure I'm in the same context:
hi @julien-nc likely you missed it - I added the HAR file in my last comment - you can inspect all messages with all details there.. you can load the HAR using Firefox dev tools from the file I attached: occ config:list system
occ config:user_oidc
BTW: the current provider is 7 (the only existing provider) but there are still leftovers of a previously existing IdP..
hi @julien-nc still no success :( I don't spot any difference to the previous state.. I add the new HAR file as well
96aa201 to bcc2b38
I'm sorry @julien-nc, I still have exactly the same issue.. still
…_multiple_user_backends == 0) Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
bcc2b38 to 17d7e7f
@julien-nc I think the code change makes sense, but with the config @isdnfan describes I see an issue: as there is no singleLogoutService URL defined, we cannot log out at the IdP and therefore are logged back in right away. However, without that I also don't see a good solution except having another intermediate login step with a button that the user needs to click (or not performing the automatic redirect to the provider when auto_logout is set).
hi @juliushaertl thank you for your response.. there is no intention to log the user out from the IdP when the NC session ends. The idea is exactly as you describe - after the session ends on the NC side the user immediately logs in again using the IdP.. Or maybe I'm doing something wrong in general? What is the right way to move the "login governance" completely to the IdP? In other words, I want my IdP to keep track of the user session and NC should check very frequently if the user is logged in to the IdP and deny access as soon as there is no valid IdP login?
This makes sure the user_oidc login page does not allow the redirect_url GET param to be the logout page or /apps/user_oidc/sls (single logout) when allow_multiple_user_backends == 0. The issue is well described in #743. I could reproduce it with those system setting values:
Then authenticate via user_oidc, then wait for the auto logout.
@isdnfan Could you check if it makes things better on your side?
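An added example in PHP, not part of this PR and not user_oidc's own code, showing the kind of check the description above calls for: the login page honours a redirect_url only when it is a server-relative path and, when allow_multiple_user_backends is 0, not the logout page or the single-logout endpoint, so the IdP round trip cannot land the user straight back in a logout. The function and constant names, the path list, the assumption that paths are relative to the Nextcloud web root and the /apps/files fallback are all assumptions; rejecting absolute URLs to other hosts goes beyond the loop fix the PR makes.

```php
<?php
// Added example (hypothetical names, not user_oidc's code): decide whether a
// redirect_url value may be used as the post-login target.
declare(strict_types=1);

// Targets that, used as the login redirect, send the user straight back into a
// logout and so produce the login -> logout loop from #743. Assumed to be
// relative to the Nextcloud web root.
const LOOPING_TARGETS = [
    '/logout',
    '/apps/user_oidc/sls', // single logout endpoint
];

/**
 * Return true when $redirectUrl may be honoured.
 *
 * @param string $redirectUrl      raw value of the redirect_url GET parameter
 * @param bool   $multipleBackends allow_multiple_user_backends (false == 0)
 */
function isAcceptableRedirect(string $redirectUrl, bool $multipleBackends): bool
{
    // Accept only server-relative paths: no scheme, no protocol-relative "//host",
    // no backslashes (some clients treat "/\host" like "//host").
    if ($redirectUrl === '' || $redirectUrl[0] !== '/'
        || str_starts_with($redirectUrl, '//') || str_contains($redirectUrl, '\\')) {
        return false;
    }

    $parts = parse_url($redirectUrl);
    if ($parts === false || !isset($parts['path'])) {
        return false;
    }

    // Normalise: decode percent-encoding and drop a trailing slash so that
    // "/logout/" or "%2Flogout" compare equal to the listed target.
    $path = rtrim(rawurldecode($parts['path']), '/');
    if ($path === '') {
        $path = '/';
    }

    // With several user backends the login page can show a normal form, so no
    // automatic redirect loop arises and the target is kept as requested.
    if ($multipleBackends) {
        return true;
    }

    foreach (LOOPING_TARGETS as $target) {
        if ($path === $target || str_starts_with($path, $target . '/')) {
            return false;
        }
    }
    return true;
}

/** Choose the target to use, falling back to the default app when unsafe. */
function resolveRedirect(?string $redirectUrl, bool $multipleBackends,
                         string $fallback = '/apps/files'): string
{
    if ($redirectUrl !== null && isAcceptableRedirect($redirectUrl, $multipleBackends)) {
        return $redirectUrl;
    }
    return $fallback;
}

// Constructed inputs, modelled on the request seen in the reported loop.
$cases = [
    '/logout?requesttoken=abc',     // the looping case from the HAR
    '/apps/user_oidc/sls',          // single logout endpoint
    '/apps/files/?dir=/Documents',  // legitimate deep link, kept
    '//evil.example/phish',         // protocol-relative, rejected
    'https://evil.example/phish',   // absolute URL, rejected
];
foreach ($cases as $url) {
    printf("%-30s -> %s\n", $url, resolveRedirect($url, false));
}
```

With allow_multiple_user_backends at 0 the first two cases resolve to /apps/files while the deep link is kept; passing true as the second argument keeps the logout targets as well, mirroring the condition in the PR description. The same check is where a log line would belong if you want to detect how often clients arrive with a looping redirect_url.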