Open
Labels
0. Needs triage, 26-feedback, bug, developer experience, feature: authentication
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
- I use https://github.com/pulsejet/nextcloud-oidc-login/ for OIDC login on my server (as it supports an LDAP backend as a proxy)
- I'm trying to extend this plugin to support bearer token authentication for OCS API calls and also CORS API calls like the one in the notes API
- I got it to work with OCS API calls but get a "CORS requires basic auth" error whenever I try the notes API
- This line checks if the login was done using BASIC auth and otherwise throws an exception with the error
- I'm not sure this is a bug for most Nextcloud users (it is very specific to the third-party plugin I use) but would appreciate some direction as to how I can deal with my issue :)
Steps to reproduce
- Install https://github.com/pulsejet/nextcloud-oidc-login/ on your nextcloud server
- Configure the app with your OIDC provider
- Apply the following patch using
patch -u custom_apps/oidc_login/lib/AppInfo/Application.php -i oidc_api.patch
--- Application.php 2024-03-20 23:26:05.315639574 +0530
+++ Application-new.php 2024-03-20 23:27:12.099748051 +0530
@@ -20,6 +20,7 @@
use OCP\IURLGenerator;
use OCP\IUserSession;
use OCP\Util;
+use OCA\OIDCLogin\WebDAV\BearerAuthBackend;
class Application extends App implements IBootstrap
{
@@ -68,6 +69,15 @@
/** @var IRequest */
$request = $container->get(IRequest::class);
+ $bearerAuthBackend = $container->query(BearerAuthBackend::class);
+
+ // If it is an OCS request, try to authenticate with bearer token
+ if ($request->getHeader('OCS-APIREQUEST') === 'true' &&
+ $request->getHeader('OIDC-LOGIN-WITH-TOKEN') === 'true' &&
+ str_starts_with($request->getHeader('Authorization'), 'Bearer ')) {
+ $this->loginWithBearerToken($request, $bearerAuthBackend);
+ }
+
// Check if automatic redirection is enabled
$useLoginRedirect = $this->config->getSystemValue('oidc_login_auto_redirect', false);
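Review bot: The condition on the added `if` requires `OCS-APIREQUEST` to be `'true'` in addition to `OIDC-LOGIN-WITH-TOKEN` and the `Bearer ` prefix, so a request that carries only the last two never reaches `loginWithBearerToken()`; if non-OCS endpoints are meant to be covered, drop or relax the first check and update the comment above it. Both gating headers are client-supplied, so they only select the code path and add no assurance; the token validation has to carry the whole decision. Also resolve `BearerAuthBackend` inside the `if` rather than on every request, and use `$container->get()`, as the `IRequest` line just above does, instead of `$container->query()`.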
@@ -157,4 +167,12 @@
}
}
}
+ private function loginWithBearerToken(IRequest $request, BearerAuthBackend $bearerAuthBackend) {
+ $authHeader = $request->getHeader('Authorization');
+ $bearerToken = substr($authHeader, 7);
+ if (empty($bearerToken)) {
+ return;
+ }
+ $bearerAuthBackend->validateBearerToken($bearerToken);
+ }
}
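Review bot: In `loginWithBearerToken()` the result of `$bearerAuthBackend->validateBearerToken($bearerToken)` is discarded, so these lines do not show what happens when the token is invalid or expired; check the return value (or catch what it throws) and handle or log the rejection explicitly. Smaller points: the method declares no return type (`: void` fits), `substr($authHeader, 7)` depends on the length of the `'Bearer '` prefix checked in the caller and would be clearer derived from that prefix, and `empty()` also treats the string `'0'` as empty, so `$bearerToken === ''` is the more exact test.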
- Get an access token from OIDC provider
- Perform an API call to /index.php/apps/notes/api/v0.2/notes with Bearer authentication set using the above access token and header OIDC-LOGIN-WITH-TOKEN set to true
- Notice the "CORS requires basic auth" message
Expected behavior
- Notes API should return results correctly
Installation method
Community Docker image
Nextcloud Server version
26
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.1
Web server
Nginx
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Enabled
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
No response
List of activated Apps
No response
Nextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response