Description
Upstream Issue
Upstream Repository: nextcloud/user_oidc
Status: 🟡 Open (Issue #1221)
Priority: High
Problem
Bearer token authentication fails for app-specific APIs (Notes, Calendar, Contacts, Deck, Tables) with 401 Unauthorized errors, even though OCS APIs work correctly.
Root Cause
The CORSMiddleware in Nextcloud logs out sessions created by Bearer token authentication when CSRF tokens are missing, which breaks API requests to endpoints with @CORS annotations.
Error Without Patch
When using Bearer token authentication:
401 Unauthorized
Error occurs on requests to:
- /apps/notes/api/* - Notes API
- /remote.php/dav/calendars/* - Calendar (CalDAV)
- /remote.php/dav/addressbooks/* - Contacts (CardDAV)
- /apps/deck/api/* - Deck API
- All other app-specific APIs
Note: OCS APIs (/ocs/v2.php/*) work correctly without the patch.
Current Workaround
We apply patch 0001-Fix-Bearer-token-authentication-causing-session-logo.patch which sets the app_api session flag during Bearer token authentication to bypass CSRF checks.
Patch Location: app-hooks/post-installation/0001-Fix-Bearer-token-authentication-causing-session-logo.patch
Applied to: lib/User/Backend.php in user_oidc app at lines ~243, ~310, ~315, and ~337
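The following regression check is an added example, not code from this issue, from user_oidc or from the project's own integration tests. It sends one Bearer token to an OCS probe and to the app-specific APIs listed above and reports which app APIs still answer 401; the concrete endpoint paths are assumptions, and the two fake servers are constructed so the check runs offline.

```python
"""Regression check for the Bearer-token logout described in this issue
(added example, not code from the issue or user_oidc). One Bearer token goes
to an OCS probe and to the app APIs named above; any app API answering 401
while OCS accepts the token shows the bug. Transport is injected."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

OCS_PROBE = "/ocs/v2.php/cloud/capabilities"   # assumed concrete paths below
APP_PROBES = {"notes": "/apps/notes/api/v1/notes",
              "caldav": "/remote.php/dav/calendars/",
              "carddav": "/remote.php/dav/addressbooks/",
              "deck": "/apps/deck/api/v1.0/boards"}
Getter = Callable[[str, Dict[str, str]], int]  # (path, headers) -> HTTP status

def bearer_headers(token: str, ocs: bool) -> Dict[str, str]:
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if ocs:
        headers["OCS-APIRequest"] = "true"     # OCS refuses calls without it
    return headers

def find_broken_endpoints(get: Getter, token: str) -> List[str]:
    """Names of app APIs that reject the token although the OCS probe accepts it."""
    if get(OCS_PROBE, bearer_headers(token, ocs=True)) == 401:
        raise RuntimeError("OCS probe rejected the token; the token itself is bad")
    return sorted(name for name, path in APP_PROBES.items()
                  if get(path, bearer_headers(token, ocs=False)) == 401)

def http_getter(base_url: str) -> Getter:
    """Real transport: GET base_url + path and return the HTTP status code."""
    def get(path: str, headers: Dict[str, str]) -> int:
        req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return get

# Constructed fake servers standing in for an unpatched and a patched instance.
def unpatched_server(path: str, headers: Dict[str, str]) -> int:
    if path.startswith("/ocs/"):
        return 200 if headers.get("OCS-APIRequest") == "true" else 400
    return 401                                  # Bearer session logged out by CORSMiddleware

def patched_server(path: str, headers: Dict[str, str]) -> int:
    return 200 if headers.get("Authorization", "").startswith("Bearer ") else 401

if __name__ == "__main__":
    print("unpatched:", find_broken_endpoints(unpatched_server, "example-token"))
    print("patched:  ", find_broken_endpoints(patched_server, "example-token"))
```

Against a live instance, pass `http_getter("https://cloud.example/")` and a real token; an empty list means every probed app API accepted the Bearer session.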
Resolution
This issue can be closed when:
- Upstream issue #1221 is resolved with a fix
- Fix is released in an official version of the user_oidc app
- We verify the fix works with our integration tests
- We remove our patch from the codebase
References
- Upstream Issue: Fix Bearer token authentication for non-OCS endpoints nextcloud/user_oidc#1221
- Documentation: docs/oauth-upstream-status.md
- Patch File: app-hooks/post-installation/0001-Fix-Bearer-token-authentication-causing-session-logo.patch
- Integration Tests: tests/server/test_oauth*.py