
user_oidc breaks all other Login Methods #1147

@t0mcat1337

Description


How to use GitHub

  • Please use the 👍 reaction to show that you are affected by the same issue.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Steps to reproduce

  1. Enable user_oidc app with configured backend (keycloak in my case)
  2. Login via OIDC/Keycloak -> Works
  3. Logout
  4. Try Login via normal NC Password Dialog -> Login Page re-appears
  5. Try Login via webauthn/FIDO2 -> Login Page re-appears
  6. Disable user_oidc app
  7. Login via normal NC Password Dialog -> works again
  8. Logout
  9. Login via webauthn/FIDO2 -> works again

Users are managed centrally in AD/LDAP, which is used as the backend both in NC (user_ldap) and in Keycloak.

Expected behaviour

Different Login Methods beside user_oidc should work in parallel.
Use Case examples:
-> Using NC on a PC in the local network: OIDC with SSO / Kerberos can be used
-> Using NC on a smartphone in other networks: WebAuthn/FIDO2 can be used so that no credentials have to be entered

Actual behaviour

The Login Screen re-appears when using any login method other than OIDC; only login via OIDC (Keycloak) works.

Server configuration

Web server: Nginx

Database: Maria

PHP version: 8.3.22

Nextcloud version: 31.0.6

user_oidc version: 7.2.0

List of activated apps
Enabled:
  - activity: 4.0.0
  - app_api: 5.0.2
  - bookmarks: 15.1.1
  - calendar: 5.3.4
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - collectives: 2.18.0
  - contacts: 7.1.3
  - cookbook: 0.11.3
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.1
  - drawio: 3.1.0
  - extract: 1.3.6
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_external: 1.23.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - gpxpod: 7.0.4
  - integration_deepl: 1.3.1
  - integration_giphy: 2.0.2
  - integration_openstreetmap: 2.1.0
  - keeweb: 0.6.21
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - mail: 5.1.5
  - memories: 7.5.2
  - news: 26.0.1
  - notes: 4.12.1
  - notifications: 4.0.0
  - notify_push: 1.1.0
  - oauth2: 1.19.1
  - onlyoffice: 9.9.0
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - previewgenerator: 5.8.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recognize: 9.0.1
  - related_resources: 2.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - spreed: 21.1.0
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - user_ldap: 1.22.0
  - user_oidc: 7.2.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - admin_audit: 1.21.0 (installed 1.2.0)
  - bruteforcesettings: 4.0.0 (installed 2.2.0)
  - comments: 1.21.0 (installed 1.12.0)
  - contactsinteraction: 1.12.0 (installed 1.3.0)
  - encryption: 2.19.0 (installed 2.3.0)
  - firstrunwizard: 4.0.0 (installed 2.2.1)
  - nextcloud_announcements: 3.0.0 (installed 1.7.0)
  - privacy: 3.0.0 (installed 1.6.0)
  - recommendations: 4.0.0 (installed 0.6.0)
  - serverinfo: 3.0.0 (installed 1.3.0)
  - support: 3.0.0 (installed 1.0.0)
  - survey_client: 3.0.0 (installed 1.17.0)
  - suspicious_login: 9.0.1
  - twofactor_nextcloud_notification: 5.0.0 (installed 5.0.0)
  - twofactor_totp: 13.0.0-dev.0 (installed 13.0.0-dev.0)

Nextcloud configuration
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "default_phone_region": "DE",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.6.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "lost_password_link": "disabled",
        "logtimezone": "Europe\/Berlin",
        "installed": true,
        "appstore.experimental.enabled": true,
        "theme": "",
        "loglevel": 2,
        "filesystem_check_changes": 1,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "updatechecker": false,
        "maintenance": false,
        "updater.release.channel": "stable",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "mysql.utf8mb4": true,
        "maintenance_window_start": 1,
        "blacklisted_files": [],
        "htaccess.RewriteBase": "\/",
        "app_install_overwrite": [
            "apporder",
            "calendar",
            "external",
            "files_accesscontrol",
            "files_automatedtagging",
            "spreed",
            "mindmaps",
            "keeweb",
            "sharerenamer",
            "uploaddetails",
            "files_clipboard",
            "cookbook",
            "drawio",
            "files_readmemd",
            "twofactor_admin",
            "radio",
            "mindmap_app",
            "social",
            "breezedark",
            "extract",
            "news",
            "metadata",
            "souvenirs",
            "mail_roundcube"
        ],
        "mail_sendmailmode": "smtp",
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": true,
                "verify_peer": false,
                "verify_peer_name": false
            }
        },
        "encryption.legacy_format_support": true,
        "encryption.key_storage_migrated": false,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "allow_local_remote_servers": "true",
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "enable_previews": true,
        "preview_max_x": 2048,
        "preview_max_y": 2048,
        "jpeg_quality": 60,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\Imaginary"
        ],
        "preview_imaginary_url": "***REMOVED SENSITIVE VALUE***",
        "memories.exiftool": "\/var\/www\/html\/apps\/memories\/bin-ext\/exiftool-amd64-glibc",
        "memories.vod.path": "\/var\/www\/html\/apps\/memories\/bin-ext\/go-vod-amd64",
        "memories.vod.disable": false,
        "memories.vod.ffmpeg": "\/usr\/bin\/ffmpeg",
        "memories.vod.ffprobe": "\/usr\/bin\/ffprobe",
        "memories.gis_type": 1,
        "memories.db.triggers.fcu": true,
        "app.mail.verify-tls-peer": false,
        "user_oidc": {
            "auto_provision": true,
            "enrich_login_id_token_with_userinfo": true
        }
    }
}

Browser

Browser name: Any Browser (Firefox, Chrome...)

Browser version: Chrome 138.0.7204.49, Firefox 136.0.4

Operating system: Ubuntu

Browser Requests:

Example using the non-working password login while user_oidc is enabled. Enter credentials in the user/password form, click "Login", then:

1. POST request to /login with username/password in the payload...
2. ...answered with HTTP code 303, Location header set to /apps/files
3. GET request to /apps/files...
4. ...answered with HTTP code 303, Location header set to /login?redirect_url=/apps/files/
5. GET request to /login?redirect_url=/apps/files/ ...
6. ...answered with HTTP code 200, login page displayed
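The trace above is the useful diagnostic in this report: the POST to /login is answered with a 303 away from the login page (credentials were accepted), yet the very next request is bounced back to /login, which means the session that the login created is not recognised on the following request. The script below is an added example, not part of the issue or of the user_oidc project. It replays a password login hop by hop with redirects disabled, so every 303 stays visible, and classifies the result into "credentials rejected", "session dropped after authentication" (the pattern in this issue) or "login succeeded". It assumes the paths from the trace (/login, /apps/files), the form field names user, password and requesttoken, and that the CSRF token can be read from a data-requesttoken attribute on the login page; the sample hop lists are constructed from the trace in the report.

```python
"""Replay a Nextcloud password login hop by hop and classify the outcome.

Added example, not code from the issue or from user_oidc. Assumptions:
the /login and /apps/files paths from the reported trace, the form field
names user / password / requesttoken, and a data-requesttoken attribute on
the login page from which the CSRF token is read.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
import http.cookiejar
from dataclasses import dataclass


@dataclass
class Hop:
    method: str
    path: str
    status: int
    location: str = ""   # value of the Location header, empty when absent


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so each hop is recorded."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _path(url: str) -> str:
    """Path plus query of a URL (or of a bare path), e.g. '/login?redirect_url=/apps/files/'."""
    parts = urllib.parse.urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def fetch_hops(base_url: str, user: str, password: str, max_hops: int = 6) -> list:
    """Perform the login against a live instance (network access) and record every hop."""
    jar = http.cookiejar.CookieJar()   # cookies are sent back, as a browser would
    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPCookieProcessor(jar))
    hops = []

    def do(method, url, data=None):
        req = urllib.request.Request(url, data=data, method=method)
        try:
            resp = opener.open(req)
        except urllib.error.HTTPError as err:   # with NoRedirect every 3xx lands here
            resp = err
        body = resp.read().decode("utf-8", "replace")
        hops.append(Hop(method, _path(url), resp.getcode(), resp.headers.get("Location", "")))
        return hops[-1], body

    _, page = do("GET", base_url + "/login")
    match = re.search(r'data-requesttoken="([^"]+)"', page)   # assumed markup
    token = match.group(1) if match else ""
    form = urllib.parse.urlencode(
        {"user": user, "password": password, "requesttoken": token}).encode()
    hop, _ = do("POST", base_url + "/login", form)
    while 300 <= hop.status < 400 and hop.location and len(hops) < max_hops:
        hop, _ = do("GET", urllib.parse.urljoin(base_url + "/", hop.location))
    return hops


def classify(hops: list) -> str:
    """Decide where the login flow breaks, given the recorded hops."""
    post = next((h for h in hops if h.method == "POST" and h.path.startswith("/login")), None)
    if post is None:
        return "no login POST recorded"
    # A rejected login is sent straight back to /login (or shown the page again).
    if post.status != 303 or _path(post.location).startswith("/login"):
        return "credentials rejected"
    # Credentials were accepted: the session must now survive the next request.
    for h in hops[hops.index(post) + 1:]:
        if h.path.startswith("/login") and h.status == 200:
            return "session dropped after authentication"
        if _path(h.location).startswith("/login"):
            return "session dropped after authentication"
    return "login succeeded"


# Constructed from the trace in the report (user_oidc enabled, password login).
REPORTED_TRACE = [
    Hop("POST", "/login", 303, "/apps/files"),
    Hop("GET", "/apps/files", 303, "/login?redirect_url=/apps/files/"),
    Hop("GET", "/login?redirect_url=/apps/files/", 200),
]

# Constructed: what a healthy flow and a wrong password look like, for comparison.
HEALTHY_TRACE = [Hop("POST", "/login", 303, "/apps/files"), Hop("GET", "/apps/files", 200)]
REJECTED_TRACE = [Hop("POST", "/login", 303, "/login?user=alice")]

if __name__ == "__main__":
    for name, trace in (("reported", REPORTED_TRACE), ("healthy", HEALTHY_TRACE),
                        ("rejected", REJECTED_TRACE)):
        print(f"{name}: {classify(trace)}")
```

Run `fetch_hops("https://cloud.example.test", "alice", "...")` against a test instance with user_oidc enabled and disabled and compare the two classifications: "credentials rejected" points at the credential check itself, while "session dropped after authentication" points at whatever rejects the freshly created session on the next request, which is where this issue lives.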
