
"csrf check failed" after Nextcloud session ends #743

Open
isdnfan opened this issue Dec 28, 2023 · 12 comments
Labels
bug Something isn't working

Comments


isdnfan commented Dec 28, 2023

Problem

I successfully integrated Nextcloud with the Zitadel IdP using user_oidc, but I hit an issue with the allow_multiple_user_backends=0 config.

Setup

The idea was to reduce the Nextcloud session lifetime so the NC session ends quickly and the user must re-login via the IdP, ensuring the user session is still valid in the IdP. To achieve this I configured the following settings in NC:

| setting | value |
| --- | --- |
| auto_logout | false |
| session_keepalive | true |
| session_lifetime | 120 |
| session_relaxed_expiry | false |
| remember_login_cookie_lifetime | 0 |

  • the session lifetime could be longer; I started with 15 min, such an extremely short value is used only to hit the issue fast.

With allow_multiple_user_backends=1 the settings work fine and the user returns to the login screen, where hitting the "login with IdP" button allows starting another session.


The problem starts when I forced IdP login (allow_multiple_user_backends=0) using `occ config:app:set --value=0 user_oidc allow_multiple_user_backends`, which worked as expected, immediately redirecting an unauthorized user to the IdP and allowing access upon successful authorization. But after the Nextcloud session ends the user is unable to return to Nextcloud. The browser keeps bouncing between Nextcloud and the IdP with the requests

  • Nextcloud/logout?requesttoken=123
  • IdP/authorize
  • Nextcloud/login?redirect_url=/logout?requesttoken=123..

keeping requesttoken constant and at some point hitting 412 "CSRF check failed"


How to reproduce

  • set up Nextcloud user_oidc and some IdP
  • configure a short NC session timeout
  • log in using a browser (in my case Firefox on Windows)
  • the default view in my instance is the files app
  • do nothing and leave the session open
  • using the F12 tools a permanent exchange of push/sync messages is visible
  • after the Nextcloud session ends the browser starts looping between NC and the IdP

Logs

I'm adding an anonymized HAR file from the browser dev tools showing the issue. In this log https://dev-nc.mydomain.tld is my Nextcloud and https://sso.mydomain.tld is the IdP. In my case I'm using Zitadel, but the same issue happens with authentik and Keycloak as well.

dev-nc.mydomain.tld_Archive [23-12-28 20-22-20].har.zip

Nextcloud config report:

## Server configuration detail

**Operating system:** Linux 6.1.0-16-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.67-1 (2023-12-12) x86_64

**Webserver:** Apache/2.4.57 (Debian) (apache2handler)

**Database:** mysql 10.5.23

**PHP version:** 8.2.13

Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, session, PDO, pdo_sqlite, standard, posix, random, Reflection, Phar, SimpleXML, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, apcu, bcmath, exif, gd, gmp, imagick, intl, ldap, memcached, pcntl, pdo_mysql, pdo_pgsql, redis, sodium, sysvsem, zip, Zend OPcache

**Nextcloud version:** 28.0.1 - 28.0.1.1

**Updated from an older Nextcloud/ownCloud or fresh install:** 

**Where did you install Nextcloud from:** unknown

<details><summary>Signing status</summary>

[]
</details>

<details><summary>List of activated apps</summary>

Enabled:

  • activity: 2.20.0
  • admin_audit: 1.18.0
  • bruteforcesettings: 2.8.0
  • calendar: 4.6.1
  • circles: 28.0.0-dev
  • cloud_federation_api: 1.11.0
  • comments: 1.18.0
  • contacts: 5.5.0
  • contactsinteraction: 1.9.0
  • dav: 1.29.1
  • federatedfilesharing: 1.18.0
  • federation: 1.18.0
  • files: 2.0.0
  • files_external: 1.20.0
  • files_pdfviewer: 2.9.0
  • files_reminders: 1.1.0
  • files_sharing: 1.20.0
  • files_trashbin: 1.18.0
  • files_versions: 1.21.0
  • firstrunwizard: 2.17.0
  • forms: 4.0.0
  • groupfolders: 16.0.1
  • logreader: 2.13.0
  • lookup_server_connector: 1.16.0
  • mail: 3.5.0
  • nextcloud_announcements: 1.17.0
  • notifications: 2.16.0
  • notify_push: 0.6.6
  • oauth2: 1.16.3
  • password_policy: 1.18.0
  • photos: 2.4.0
  • privacy: 1.12.0
  • provisioning_api: 1.18.0
  • recommendations: 2.0.0
  • related_resources: 1.3.0
  • richdocuments: 8.3.0
  • serverinfo: 1.18.0
  • settings: 1.10.1
  • sharebymail: 1.18.0
  • spreed: 18.0.1
  • support: 1.11.0
  • survey_client: 1.16.0
  • systemtags: 1.18.0
  • text: 3.9.1
  • theming: 2.3.0
  • twofactor_backupcodes: 1.17.0
  • twofactor_nextcloud_notification: 3.8.0
  • twofactor_totp: 10.0.0-beta.2
  • twofactor_webauthn: 1.3.2
  • unroundedcorners: 1.1.2
  • updatenotification: 1.18.0
  • user_oidc: 1.3.5
  • user_status: 1.8.1
  • viewer: 2.2.0
  • workflowengine: 2.10.0

Disabled:

  • dashboard: 7.3.0
  • encryption
  • end_to_end_encryption: 1.12.5
  • files_rightclick: 1.6.0
  • suspicious_login: 4.2.0
  • user_ldap
  • weather_status: 1.3.0
</details>

<details><summary>Configuration (config/config.php)</summary>

```json
{
    "htaccess.RewriteBase": "/",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "apps_paths": [
        {
            "path": "/var/www/html/apps",
            "url": "/apps",
            "writable": false
        },
        {
            "path": "/var/www/html/custom_apps",
            "url": "/custom_apps",
            "writable": true
        }
    ],
    "overwritehost": "dev-nc.mydomain.tld",
    "overwriteprotocol": "https",
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusted_domains": [
        "localhost"
    ],
    "datadirectory": "REMOVED SENSITIVE VALUE",
    "dbtype": "mysql",
    "version": "28.0.1.1",
    "dbname": "REMOVED SENSITIVE VALUE",
    "dbhost": "REMOVED SENSITIVE VALUE",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "installed": true,
    "instanceid": "REMOVED SENSITIVE VALUE",
    "loglevel": "1",
    "maintenance": false,
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "REMOVED SENSITIVE VALUE",
        "password": "REMOVED SENSITIVE VALUE",
        "port": 6379
    },
    "default_phone_region": "CH",
    "mail_from_address": "REMOVED SENSITIVE VALUE",
    "mail_smtpmode": "smtp",
    "mail_sendmailmode": "smtp",
    "mail_domain": "REMOVED SENSITIVE VALUE",
    "mail_smtpsecure": "ssl",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtphost": "REMOVED SENSITIVE VALUE",
    "mail_smtpport": "465",
    "mail_smtpname": "REMOVED SENSITIVE VALUE",
    "mail_smtppassword": "REMOVED SENSITIVE VALUE",
    "allow_local_remote_servers": true,
    "trashbin_retention_obligation": "15, 180",
    "app_install_overwrite": [
        "suspicious_login"
    ],
    "serverinfo": {
        "token": "lmFaJ6JXR5e8wxCuyfSn"
    },
    "trusted_proxies": "REMOVED SENSITIVE VALUE",
    "remember_login_cookie_lifetime": 0,
    "session_keepalive": "true",
    "session_lifetime": "120",
    "auto_logout": "false",
    "overwrite.cli.url": "https://dev-nc.mydomain.tld",
    "theme": "",
    "session_relaxed_expiry": "false",
    "updater.release.channel": "stable",
    "enabledPreviewProviders": [
        "OC\\Preview\\MP3",
        "OC\\Preview\\TXT",
        "OC\\Preview\\MarkDown",
        "OC\\Preview\\OpenDocument",
        "OC\\Preview\\Krita",
        "OC\\Preview\\Imaginary"
    ],
    "preview_imaginary_url": "http://dev-nextcloud-imaginary:9000",
    "preview_concurrency_all": "12",
    "preview_concurrency_new": "8",
    "log_rotate_size": 1048576
}
```

</details>

**Cron Configuration:** Array
(
    [backgroundjobs_mode] => cron
    [lastcron] => 1703793901
)


**External storages:** yes

<details><summary>External storage configuration</summary>

No mounts configured

</details>

**Encryption:** no

**User-backends:** 
 * OCA\UserOIDC\User\Backend
 * OCA\UserOIDC\User\Backend
 * OC\User\Database


**Talk configuration:** 

STUN servers
 * no custom server configured

TURN servers
 * turn:nc.mydomain.tld:3478 - udp,tcp

Signaling servers (mode: default):
 * SIP dialin is disabled
 * SIP dialout is disabled
 * no custom server configured

Recording servers:
 * Recording is enabled
 * Recording consent is set to "default"
 * no recording server configured


**Browser:** Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0

isdnfan commented Dec 29, 2023

found this issue which looks similar but using SAML nextcloud/server#40626

@julien-nc
Member

@isdnfan Thanks for the bug report. #761 is an attempt to fix this. Could you check it?


isdnfan commented Jan 16, 2024

hi @julien-nc, thank you for your attention. I tested the version you provided and there is an improvement in that there is no more logout/login loop. The new version works, the user logs in successfully, but once the auto-logout happens user_oidc disappears somehow - the clean original NC login UI appears and user_oidc doesn't start working (even when I restart the docker container) until I recover the original Application.php version.. Once it works I can apply the patch again and it works once..


I don't see anything useful in nextcloud.log

```
dev-nextcloud-app  | 192.168.11.203 - - [16/Jan/2024:21:08:51 +0000] "POST /apps/text/session/135693/sync HTTP/1.1" 200 1226 "https://dev-nc.mydomain.tld/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
dev-nextcloud-app  | ::1 - - [16/Jan/2024:21:08:52 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.57 (Debian) PHP/8.2.14 (internal dummy connection)"
dev-nextcloud-app  | ::1 - - [16/Jan/2024:21:08:53 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.57 (Debian) PHP/8.2.14 (internal dummy connection)"
dev-nextcloud-app  | 192.168.11.203 - - [16/Jan/2024:21:08:53 +0000] "GET /logout?requesttoken=xX6vrvXaeZSijqwWJd%2FQpwVqtwId8ZI2yonPqsGENU4%3D%3ApAuayJKZF9uT%2Bu9REu%2BxyEE7hTZ4tdFHmN%2Bby7TCV3k%3D HTTP/1.1" 303 1758 "https://dev-nc.mydomain.tld/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
dev-nextcloud-app  | 192.168.11.203 - - [16/Jan/2024:21:08:53 +0000] "GET /login?clear=1 HTTP/1.1" 200 10375 "https://dev-nc.mydomain.tld/apps/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
```

and nothing in the container logs.. but the app seems to work somehow in the backend - if I have a valid OIDC session I can access my Nextcloud directly - likely the fix broke the login redirection logic
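The loop described in the opening report (/logout with one fixed requesttoken, bounce to the IdP, /login?redirect_url=/logout?requesttoken=..., eventually a 412) leaves a recognisable trace in the web server access log shown above. The following detector is an added example, not code from this thread or from user_oidc; it assumes Apache combined log format with an optional docker compose service prefix, and runs over constructed sample lines that imitate the loop next to a healthy logout.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache combined-log line, optionally prefixed by a docker compose service name ("app | ").
LOG_RE = re.compile(r'^(?:\S+\s+\|\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

# Constructed sample: one client bouncing /logout <-> /login?redirect_url=/logout with a single
# stale requesttoken until a 412, plus one healthy logout that lands on /login?clear=1.
SAMPLE_LOG = """\
app | 192.168.11.203 - - [16/Jan/2024:21:08:53 +0000] "GET /logout?requesttoken=CONSTRUCTED%3D HTTP/1.1" 303 1758 "-" "ua"
app | 192.168.11.203 - - [16/Jan/2024:21:08:54 +0000] "GET /login?redirect_url=/logout?requesttoken=CONSTRUCTED%3D HTTP/1.1" 302 0 "-" "ua"
app | 192.168.11.203 - - [16/Jan/2024:21:08:55 +0000] "GET /logout?requesttoken=CONSTRUCTED%3D HTTP/1.1" 303 1758 "-" "ua"
app | 192.168.11.203 - - [16/Jan/2024:21:08:56 +0000] "GET /login?redirect_url=/logout?requesttoken=CONSTRUCTED%3D HTTP/1.1" 302 0 "-" "ua"
app | 192.168.11.203 - - [16/Jan/2024:21:08:57 +0000] "GET /logout?requesttoken=CONSTRUCTED%3D HTTP/1.1" 412 1120 "-" "ua"
app | 10.0.0.7 - - [16/Jan/2024:21:09:01 +0000] "GET /logout?requesttoken=OTHER%3D HTTP/1.1" 303 1758 "-" "ua"
app | 10.0.0.7 - - [16/Jan/2024:21:09:02 +0000] "GET /login?clear=1 HTTP/1.1" 200 10375 "-" "ua"
"""

def logout_token(path):
    """Decoded requesttoken of a /logout request, also when the /logout URL is nested inside
    /login?redirect_url=..., which is how the same token survives every bounce in the loop."""
    parts = urlsplit(path)
    qs = parse_qs(parts.query)
    if parts.path == "/logout":
        return qs.get("requesttoken", [None])[0]
    if parts.path == "/login" and "redirect_url" in qs:
        return logout_token(qs["redirect_url"][0])
    return None

def find_stale_token_loops(lines, min_hits=3, window_s=60):
    """Flag (client ip, requesttoken) pairs that hit /logout repeatedly with the same token inside a
    short window (a healthy logout spends its token once) and note whether a 412 was reached."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        tok = logout_token(m.group("path")) if m else None
        if tok:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            seen[(m.group("ip"), tok)].append((ts, int(m.group("status"))))
    loops = []
    for (ip, tok), hits in seen.items():
        hits.sort()
        if len(hits) >= min_hits and (hits[-1][0] - hits[0][0]).total_seconds() <= window_s:
            loops.append({"ip": ip, "requesttoken": tok, "hits": len(hits),
                          "csrf_failed": any(status == 412 for _, status in hits)})
    return loops
```

On the constructed sample only the 192.168.11.203 client is flagged (five hits on one token ending in a 412); the second client spends its token once and is ignored.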

@julien-nc
Member

@isdnfan We think we figured out the source of the issue (or one of the sources). This is explained in nextcloud/server#43701 . Would you be ready to try it out on your instance? I can provide the new compiled scripts for your Nextcloud version. Are you still using Nextcloud 28.0.1 or did you upgrade to 28.0.2?


isdnfan commented Feb 21, 2024

hi @julien-nc thank you. definitely I would test in my instance. I'm running 28.0.2 now.

@julien-nc
Member

So you can replace nextcloud/dist/core-main.js and nextcloud/dist/core-main.js.map with these ones (I renamed them to .txt so GH accepts them). Keep the original files in case you want to revert.

core-main.js.map.txt
core-main.js.txt

I'm not entirely sure this will fix the issue for you since you have auto_logout disabled but the symptoms on your side are very close to what the fix is addressing (being redirected multiple times to the logout page with the same requesttoken GET param).


isdnfan commented Feb 21, 2024

I replaced both files in my instance and first look is really good!!

many thanks for your hard work!


I see /logout... followed by /login?clear=1, then redirect to the IdP, successful auth and further redirect to /login?authRequestID=.. and finally the browser hits my main page /apps/files/



I only tested a few scenarios - letting the browser time out in the files, activities and calendar apps - all worked and resulted in a clean login into the system.. the only cosmetic problem: the session doesn't return to the same app but returns to a "fresh login state".

I can live with this limitation but definitely would be great if the client would return to the previous state.

@julien-nc
Member

That's great news, thanks for the feedback!
The fix has been merged in NC server and backported to stable28, stable27 and stable26. It will be included in the next minor releases soon (all scheduled for Feb 29th).

The problem you mention is tough to solve: once the logout page is reached, we lose the information of which page you were browsing before being logged out.

Let's keep this issue open until someone confirms this is solved by the next minor release.

edward-ly added the "bug" label on Sep 17, 2024
@phoenixtechnam

phoenixtechnam commented Sep 28, 2024

Good day, I have the same issue. Using auto_logout=true and user_oidc plugin.

Even when logging in as native admin (non-oidc), when the forced logout kicks in, I get "CSRF check failed" and user is not logged out.

I noticed that auto-logout seems to work without error when the browser tab is active/visible. But when the browser tab is inactive, auto-logout results in "CSRF check failed".

Manual logout works without issues.

Tested on NC 29 and 30.

@sikkgit

sikkgit commented Oct 1, 2024

Hi, we're facing this same issue in Nextcloud AIO with Keycloak as the IdP. Same configs as OP, with allow_multiple_user_backends=0. Logout results in a loop back to the Nextcloud dashboard with the user still logged in.

If allow_multiple_user_backends=1 then it logs out as expected.

@edward-ly
Contributor

@phoenixtechnam @sikkgit Did you try applying the changes made in #761, or did you download the release version of the user_oidc app?

@phoenixtechnam

I don't think this is an issue with this app exclusively. I have the very same issue using the oidc_login app.
Tried to apply the 2 files mentioned above (core-main.js.map and core-main.js) but it breaks my NC v30.
