Webdav access bypassing OpenID Connect user backend

[ahlund]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

---

Steps to reproduce

1. Nextcloud with LDAP integration
2. Keycloak with LDAP user federation
3. OpenID Connect user backend installed and configured, mandatory, in Nextcloud
4. A LDAP federated user with 2FA configured in Keycloak
5. Running rclone using webdav to sync files to a number of different computers using the above mentioned user

Expected behaviour

Rclone should not be able to login and access files using only username and password

Actual behaviour

Rclone can login and access the files using only username and password, bypassing the configured OpenID Connect user backend.

Server configuration

Web server: Apache 2.4.65

Database: MariaDB

PHP version: 8.4

Nextcloud version: 31.0.9

List of activated apps

  - activity: 4.0.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - calendar: 5.5.7
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.3.4
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - groupfolders: 19.1.8
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - mail: 5.5.11
  - nextcloud_announcements: 3.0.0
  - notifications: 4.0.0
  - notify_push: 1.2.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - richdocuments: 8.7.6
  - richdocumentscode: 25.4.504
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - spreed: 21.1.5
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - twofactor_totp: 13.0.0-dev.0
  - updatenotification: 1.21.0
  - user_ldap: 1.22.0
  - user_oidc: 8.1.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0

Nextcloud configuration

{
    system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "xxxx:xxxx:xxxx:xxxx::xxxx",
            "xxx.xxx.xxx.xxx",
            "nextcloud.erxample.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbtype": "mysql",
        "default_phone_region": "SE",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "user_oidc": {
            "allow_multiple_user_backends": true,
            "auto_provision": false,
            "disable_account_creation": true
        },
        "log_type": "file",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "logfilemode": 416,
        "loglevel": 2,
        "logdateformat": "F d, Y H:i:s",
        "lost_password_link": "disabled",
        "maintenance": false,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "mysql.utf8mb4": true,
        "overwrite.cli.url": "https:\/\/nextcloud.example.com",
        "session_lifetime": 7200,
        "theme": "",
        "version": "31.0.9.1",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [
            "2FA"
        ],
        "twofactor_enforced_excluded_groups": [],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "maintenance_window_start": 1,
        "simpleSignUpLink.shown": false,
        "app_install_overwrite": [],
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": "0",
            "dbindex": 0
        },
        "memcache.locking": "\\OC\\Memcache\\Redis"
    }
}

Browser

Browser name: Rclone

Browser version: 1.67.0 (Mac), 1.60.1-DEV (Debian)

Operating system: Mac and Debian 13

Rclone Tested from Mac and Debian 13

[julien-nc]

Hey,
Are you saying your users are provisioned by user_ldap and you want them to only be able to authenticate via user_oidc?
If so, you need to configure user_ldap accordingly with a login query that will reject all users so they can't login via the direct login form (built-in login of Nextcloud).
Makes sense?

[ahlund]

Hey, Are you saying your users are provisioned by user_ldap and you want them to only be able to authenticate via user_oidc?

Yes

If so, you need to configure user_ldap accordingly with a login query that will reject all users so they can't login via the direct login form (built-in login of Nextcloud). Makes sense?

The built-in login form is not the problem (this has been disabled). The problem is access via webdav (in our case using rclone but probably any software using webdav can do this). Access via webdav using just username/password (bypassing oidc) should NOT be possible! It becomes an (undocumented?) "backdoor".

[julien-nc]

It is not because the built-in login form is not reachable by the users that user_ldap won't try to validate credentials of API requests (like WebDAV requests in your case).

I'm not saying it's about the direct login form being disabled or not. I'm saying user_ldap will still validate the authentication when using basic auth. So you might need to make sure user_ldap is configured so its login query will fail.

this has been disabled

What do you mean exactly? Do you mean that you have set user_oidc to redirect users to the IdP when they reach the login page?
occ config:app:set --type=string --value=0 user_oidc allow_multiple_user_backends

user_oidc has no power over how other app's user backends are validating API request's authentication. This needs to be solved on the user_ldap side.

Keep in mind i'm trying to help here.

[joshtrichards]

Related (I think; still getting coffee in me): nextcloud/server#40838