"csrf check failed" after Nextcloud session ends #743
Description
Problem
I successfully integrated Nextcloud with Zitadel IdP using user_oidc but I hit an issue with allow_multiple_user_backends=0 config.
Setup
The idea was to reduce Nextcloud session lifetime so NC session ends quickly and the user must re-login using IdP to ensure user session is still valid in IdP. To ensure I configure following settings in NC:
| setting | value |
|---|---|
| auto_logout | false |
| session_keepalive | true |
| session_lifetime | 120 |
| session_relaxed_expiry | false |
| remember_login_cookie_lifetime | 0 |
- session lifetime could be longer I started with 15min, such extremely short value is used to hit the issue fast.
with allow_multiple_user_backends=1 the settings work fine and the user returns to login screen where hitting the button "login with IdP" allows to start another session.
the problem starts when I forced IdP login allow_multiple_user_backends=0 using occ config:app:set --value=0 user_oidc allow_multiple_user_backends which worked as expected immediately redirecting unauthorized user to IdP and allowing access upon successful authorization. But after Nextcloud session ends the user is unable to return to Nextcloud. The browser keeps bouncing between Nextcloud and IdP with requests
- Nextcloud/logout?requesttoken=123
- IdP/authorize
- Nextcloud/login?redirect_url=/logout?requesttoken=123..
keeping requesttoken constant and at some point hitting 412 "CSRF check failed"
How to reproduce
- setup Nextcloud user_oidc and some IdP
- configure short NC session timeout
- login using a browser (in my case Firefox on Windows)
- default view in my instance is files app
- do nothing and let the session open
- using F12 tools permanent exchange of push/sync messages is visible
- after Nextcloud session ends the browser starts looping between NC and IdP
Logs
I'm adding anonymized HAR file from browser dev tools showing the issue. In this log https://dev-nc.mydomain.tld is my Nextcloud and https://sso.mydomain.tld is the IdP. In my case I'm using Zitadel but the same issue happens with authentik and Keycloak as well.
dev-nc.mydomain.tld_Archive [23-12-28 20-22-20].har.zip
Nextcloud config report:
## Server configuration detail
**Operating system:** Linux 6.1.0-16-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.67-1 (2023-12-12) x86_64
**Webserver:** Apache/2.4.57 (Debian) (apache2handler)
**Database:** mysql 10.5.23
**PHP version:** 8.2.13
Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, session, PDO, pdo_sqlite, standard, posix, random, Reflection, Phar, SimpleXML, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, apcu, bcmath, exif, gd, gmp, imagick, intl, ldap, memcached, pcntl, pdo_mysql, pdo_pgsql, redis, sodium, sysvsem, zip, Zend OPcache
**Nextcloud version:** 28.0.1 - 28.0.1.1
**Updated from an older Nextcloud/ownCloud or fresh install:**
**Where did you install Nextcloud from:** unknown
<details><summary>Signing status</summary>
[]
</details>
<details><summary>List of activated apps</summary>
Enabled:
- activity: 2.20.0
- admin_audit: 1.18.0
- bruteforcesettings: 2.8.0
- calendar: 4.6.1
- circles: 28.0.0-dev
- cloud_federation_api: 1.11.0
- comments: 1.18.0
- contacts: 5.5.0
- contactsinteraction: 1.9.0
- dav: 1.29.1
- federatedfilesharing: 1.18.0
- federation: 1.18.0
- files: 2.0.0
- files_external: 1.20.0
- files_pdfviewer: 2.9.0
- files_reminders: 1.1.0
- files_sharing: 1.20.0
- files_trashbin: 1.18.0
- files_versions: 1.21.0
- firstrunwizard: 2.17.0
- forms: 4.0.0
- groupfolders: 16.0.1
- logreader: 2.13.0
- lookup_server_connector: 1.16.0
- mail: 3.5.0
- nextcloud_announcements: 1.17.0
- notifications: 2.16.0
- notify_push: 0.6.6
- oauth2: 1.16.3
- password_policy: 1.18.0
- photos: 2.4.0
- privacy: 1.12.0
- provisioning_api: 1.18.0
- recommendations: 2.0.0
- related_resources: 1.3.0
- richdocuments: 8.3.0
- serverinfo: 1.18.0
- settings: 1.10.1
- sharebymail: 1.18.0
- spreed: 18.0.1
- support: 1.11.0
- survey_client: 1.16.0
- systemtags: 1.18.0
- text: 3.9.1
- theming: 2.3.0
- twofactor_backupcodes: 1.17.0
- twofactor_nextcloud_notification: 3.8.0
- twofactor_totp: 10.0.0-beta.2
- twofactor_webauthn: 1.3.2
- unroundedcorners: 1.1.2
- updatenotification: 1.18.0
- user_oidc: 1.3.5
- user_status: 1.8.1
- viewer: 2.2.0
- workflowengine: 2.10.0
Disabled: - dashboard: 7.3.0
- encryption
- end_to_end_encryption: 1.12.5
- files_rightclick: 1.6.0
- suspicious_login: 4.2.0
- user_ldap
- weather_status: 1.3.0
</details>
<details><summary>Configuration (config/config.php)</summary>
{
"htaccess.RewriteBase": "/",
"memcache.local": "\OC\Memcache\APCu",
"apps_paths": [
{
"path": "/var/www/html/apps",
"url": "/apps",
"writable": false
},
{
"path": "/var/www/html/custom_apps",
"url": "/custom_apps",
"writable": true
}
],
"overwritehost": "dev-nc.mydomain.tld",
"overwriteprotocol": "https",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"localhost"
],
"datadirectory": "REMOVED SENSITIVE VALUE",
"dbtype": "mysql",
"version": "28.0.1.1",
"dbname": "REMOVED SENSITIVE VALUE",
"dbhost": "REMOVED SENSITIVE VALUE",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true,
"instanceid": "REMOVED SENSITIVE VALUE",
"loglevel": "1",
"maintenance": false,
"memcache.distributed": "\OC\Memcache\Redis",
"memcache.locking": "\OC\Memcache\Redis",
"redis": {
"host": "REMOVED SENSITIVE VALUE",
"password": "REMOVED SENSITIVE VALUE",
"port": 6379
},
"default_phone_region": "CH",
"mail_from_address": "REMOVED SENSITIVE VALUE",
"mail_smtpmode": "smtp",
"mail_sendmailmode": "smtp",
"mail_domain": "REMOVED SENSITIVE VALUE",
"mail_smtpsecure": "ssl",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": 1,
"mail_smtphost": "REMOVED SENSITIVE VALUE",
"mail_smtpport": "465",
"mail_smtpname": "REMOVED SENSITIVE VALUE",
"mail_smtppassword": "REMOVED SENSITIVE VALUE",
"allow_local_remote_servers": true,
"trashbin_retention_obligation": "15, 180",
"app_install_overwrite": [
"suspicious_login"
],
"serverinfo": {
"token": "lmFaJ6JXR5e8wxCuyfSn"
},
"trusted_proxies": "REMOVED SENSITIVE VALUE",
"remember_login_cookie_lifetime": 0,
"session_keepalive": "true",
"session_lifetime": "120",
"auto_logout": "false",
"overwrite.cli.url": "https://dev-nc.mydomain.tld",
"theme": "",
"session_relaxed_expiry": "false",
"updater.release.channel": "stable",
"enabledPreviewProviders": [
"OC\Preview\MP3",
"OC\Preview\TXT",
"OC\Preview\MarkDown",
"OC\Preview\OpenDocument",
"OC\Preview\Krita",
"OC\Preview\Imaginary"
],
"preview_imaginary_url": "http://dev-nextcloud-imaginary:9000",
"preview_concurrency_all": "12",
"preview_concurrency_new": "8",
"log_rotate_size": 1048576
}
</details>
**Cron Configuration:** Array
(
[backgroundjobs_mode] => cron
[lastcron] => 1703793901
)
**External storages:** yes
<details><summary>External storage configuration</summary>
No mounts configured
</details>
**Encryption:** no
**User-backends:**
* OCA\UserOIDC\User\Backend
* OCA\UserOIDC\User\Backend
* OC\User\Database
**Talk configuration:**
STUN servers
* no custom server configured
TURN servers
* turn:nc.mydomain.tld:3478 - udp,tcp
Signaling servers (mode: default):
* SIP dialin is disabled
* SIP dialout is disabled
* no custom server configured
Recording servers:
* Recording is enabled
* Recording consent is set to "default"
* no recording server configured
**Browser:** Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0