
Access the cloud from roundcube to synch address books #603

quenenni opened this issue Mar 21, 2023 · 2 comments

Comments

@quenenni

Hello,

Our working SSO setup (LemonLdap / Nextcloud / Roundcube) uses the plugin rcmcarddav (https://github.com/mstilkerich/rcmcarddav) in Roundcube to synchronise the cloud user's address book within Roundcube, using the bearer token.

But this working setup uses the Nextcloud plugin "Nextcloud OIDC login" (https://github.com/pulsejet/nextcloud-oidc-login).

We decided to use this plugin (user_oidc) in our Nextcloud setup.
Now with the group management, everything's working well except for one thing: the connection from Roundcube to synchronise the user address book.

The error I have in Nextcloud log:

```
No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured

"Code":0,
"Trace":[
  {"file":"/var/www/nextcloud-test/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},
  {"file":"/var/www/nextcloud-test/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},
  {"file":"/var/www/nextcloud-test/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},
  {"file":"/var/www/nextcloud-test/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},
  {"file":"/var/www/nextcloud-test/apps/dav/lib/Server.php","line":333,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},
  {"file":"/var/www/nextcloud-test/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},
  {"file":"/var/www/nextcloud-test/remote.php","line":166,"args":["/var/www/nextcloud-test/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/nextcloud-test/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","Line":154,"CustomMessage":"--"}}
```

I was able to debug the content of the request and response objects from the sabre/dav app (the request and response variables in 3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php):

```
PROPFIND /remote.php/dav HTTP/1.1
Content-Length: 215
Prefer: return=minimal
Content-Type: application/xml; charset=UTF-8
Depth: 0
User-Agent: GuzzleHttp/6.5.5 curl/7.74.0 PHP/8.0.13
Host: cloud-test.xxxxx.coop

<?xml version="1.0"?>
<DAV:propfind xmlns:DAV="DAV:" xmlns:CARDDAV="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/">
 <DAV:prop>
  <DAV:current-user-principal/>
 </DAV:prop>
</DAV:propfind>
```

response:

```
HTTP/1.1 500 Internal Server Error
```

I went back to an old ticket and found this comment (mstilkerich/rcmcarddav#361 (comment)):

Concerning bearer authentication:

the nextcloud-oidc-login app is the only app I am aware of that supports bearer authentication at the DAV backend of nextcloud, so yes, you would have to switch to that app and use OIDC instead of SAML

So I'm wondering whether this app is able to authenticate via DAV, or whether it is indeed not possible?

PS: the app "External user authentication" is active in our cloud.

@quenenni

quenenni commented Mar 22, 2023

I tried to find where the DAV auth via bearer token is defined in the user_oidc app.

Can it be this part?

https://github.com/pulsejet/nextcloud-oidc-login/blob/6ef0578b9dfeb91e4a737eab6a8d31eedee6977a/lib/AppInfo/Application.php#L56

```php
$context->registerEventListener(
    'OCA\DAV\Connector\Sabre::authInit',
    '\OCA\OIDCLogin\WebDAV\BearerAuthBackend'
);
```

In the oidc_login plugin (this one), I don't find anything related to a BearerAuthBackend.

I have the option 'checkBearer' set to 1.

[EDIT]
I tried to import that part from the other app into this one, made some adjustments to have the right namespace and removed all references to configs to put hard-coded values... just to try to understand what's missing.

The files I copied from the other app to this one:

  • WebDAV/BearerAuthBackend.php
  • Service/LoginService.php
  • Provider/OpenIDConnectClient.php

And in AppInfo/Application.php, I added the "$context->registerEventListener" as mentioned above.

The best I had was this:

```
Cannot declare class OCA\OIDCLogin\WebDAV\BearerAuthBackend, because the name is already in use at /var/www/nextcloud-test/apps/user_oidc/lib/WebDAV/BearerAuthBackend.php#19
```

But I have no clue why, as it's declared the same way the other app did it. I guess it must be the way you register the classes in your app.

I feel I'm over my head unfortunately.
I hope this will trigger your curiosity.
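For readers trying to follow what the registration snippet above actually wires up, here is an added illustration of the pattern in the project's language. It is not code from user_oidc or from nextcloud-oidc-login: the namespace, the class, the `$introspect` callback and the event class name `OCA\DAV\Events\SabrePluginAuthInitEvent` are assumptions made for this example. The part that is standard sabre/dav is `Sabre\DAV\Auth\Backend\AbstractBearer`, whose `check()` extracts the token from an `Authorization: Bearer` header and, when no such header is present, returns the failure reason "No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured". Sabre's auth plugin tries each registered backend in turn, and when none succeeds it throws an exception whose message is the comma-joined list of every backend's reason, which is the shape of the log line in the first post.

```php
<?php
// Added illustration (not user_oidc or nextcloud-oidc-login code): the minimal
// shape of a Sabre DAV bearer-token auth backend and how such a backend joins
// the auth chain of Nextcloud's DAV server. Namespace, class name, the
// $introspect callback and the event class are assumptions for this example.
declare(strict_types=1);

namespace OCA\ExampleApp\WebDAV;

use OCA\DAV\Events\SabrePluginAuthInitEvent; // assumed Nextcloud event carrying the Sabre server
use OCP\EventDispatcher\Event;
use OCP\EventDispatcher\IEventListener;
use Sabre\DAV\Auth\Backend\AbstractBearer;
use Sabre\DAV\Auth\Plugin as AuthPlugin;

class BearerAuthBackend extends AbstractBearer implements IEventListener {
    /**
     * @var callable(string): ?string  Maps a bearer token to a Nextcloud user id,
     *      or returns null for an unknown, expired or otherwise rejected token
     *      (e.g. by calling the identity provider's introspection endpoint).
     */
    private $introspect;

    public function __construct(callable $introspect) {
        $this->introspect = $introspect;
    }

    /**
     * Called by AbstractBearer::check() only when an "Authorization: Bearer ..."
     * header was present. Without that header check() never reaches this method
     * and reports "No 'Authorization: Bearer' header found ...", the text seen in
     * the issue's log. Return the principal URL to authenticate, or false to reject.
     */
    protected function validateBearerToken($bearerToken) {
        $uid = ($this->introspect)($bearerToken);
        if ($uid === null || $uid === '') {
            return false; // token rejected; Sabre answers 401 with a Bearer challenge
        }
        return 'principals/users/' . $uid;
    }

    /**
     * Listener for the 'OCA\DAV\Connector\Sabre::authInit' event named in the
     * registration snippet: attach this backend to the server's existing auth
     * plugin so bearer tokens are accepted alongside the other backends
     * (public access, Basic, ...) that appear in the failure list.
     */
    public function handle(Event $event): void {
        if (!$event instanceof SabrePluginAuthInitEvent) {
            return;
        }
        $authPlugin = $event->getServer()->getPlugin('auth');
        if ($authPlugin instanceof AuthPlugin) {
            $authPlugin->addBackend($this);
        }
    }
}
```

Two things worth checking before adding or porting such a backend: the captured PROPFIND in the first post carries no `Authorization` header at all, so whichever backends are in the chain, the bearer one can only answer "no header found"; confirming that the client actually sends the header is the first step. And the "Cannot declare class ... already in use" error quoted above is what PHP reports when the same fully qualified class name is loaded twice, which is why a copied backend needs a namespace that belongs to the app it lives in rather than the app it came from.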

@quenenni

I'm sorry to come back so quickly, but can you tell me if this is something you would integrate into the plugin in the near future?

I've been desperately trying to update our SSO Nextcloud setup since July 22, but everything we tried reached a dead end.

And for a couple of months now, all our users receive a warning about our server not being secure (amazing) when connecting to the cloud, but we are stuck on that version (v22).

I really need to find a working solution soon; I've already spent so many days trying to figure out a way to bypass the SSO problems we met.
