[Bug]: Invalid LocalCache Token on a Load-Balanced System #46165

Closed
6 of 8 tasks
dsisysteme opened this issue Jun 27, 2024 · 0 comments · Fixed by #46398

Bug description

Since commit d1189f9, it is no longer possible to log in to the Nextcloud platform using the user_saml plugin in a load-balanced environment without sticky sessions. The issue seems to stem from the following block:

$this->cache = $cacheFactory->isLocalCacheAvailable()
    ? $cacheFactory->createLocal('authtoken_')
    : $cacheFactory->createInMemory();

Indeed, since the token is stored in the local cache, in a round-robin load balancing scenario without sticky sessions, the token is only accessible on the application server that generated it. The second request is sent to a node that does not recognize the token, prompting the user_saml to re-authenticate, which causes a redirection loop.

Steps to reproduce

  1. load-balanced environment: 1 reverse proxy, 2 application servers, 1 MariaDB server + Redis
  2. configure the reverse proxy to load-balance requests in a round-robin fashion across the 2 application servers
  3. configure PHP to store sessions in Redis
  4. configure Nextcloud with local memcache on APCu and distributed memcache on Redis
  5. configure the user_saml plugin
  6. log in with an account on the SSO => redirection loop

Expected behavior

We should be able to log in directly without a redirection loop.

The token should not be stored in the local cache as this information needs to be known by all nodes in a cluster.

We tested the following modification by replacing the localCache with the distributedCache, and it fixes the issue:

$this->cache = $cacheFactory->isAvailable()
    ? $cacheFactory->createDistributed('authtoken_')
    : $cacheFactory->createInMemory();

We have submitted a pull request to propose the change: #46109. Since this is our first time, we are creating an issue to explain our approach.

Installation method

Community Manual installation with Archive

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.3

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "dbtype": "mysql",
        "version": "29.0.3.4",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "ldapUserCleanupInterval": 0,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "dbindex": 1
        },
        "filesystem_check_changes": 0,
        "enable_avatars": false,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "sendmail",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "share_folder": "\/Shared",
        "cron_log": true,
        "loglevel": "2",
        "maintenance": false,
        "trashbin_retention_obligation": 30,
        "trashbin_auto_expire": true,
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "knowledgebaseenabled": false,
        "sharing.maxAutocompleteResults": 20,
        "sharing.minSearchStringLength": 3,
        "default_phone_region": "FR",
        "maintenance_window_start": 3,
        "activity_expire_days": "180",
        "simpleSignUpLink.shown": false,
        "default_timezone": "Europe\/Paris",
        "logtimezone": "Europe\/Paris",
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\BMP",
            "OC\\Preview\\GIF",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\MP3",
            "OC\\Preview\\PNG",
            "OC\\Preview\\XBitmap"
        ]
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contactsinteraction: 1.10.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - files: 2.1.0
  - files_downloadlimit: 2.0.0
  - files_pdfviewer: 2.10.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - lookup_server_connector: 1.17.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - photos: 2.5.0
  - provisioning_api: 1.19.0
  - richdocuments: 8.4.3
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - user_ldap: 1.20.0
  - user_saml: 6.1.3
  - viewer: 2.3.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - bruteforcesettings: 2.9.0
  - circles: 29.0.0-dev (installed 25.0.0)
  - dashboard: 7.9.0 (installed 7.0.0)
  - encryption: 2.17.0
  - federation: 1.19.0 (installed 1.3.0)
  - files_external: 1.21.0
  - files_reminders: 1.2.0 (installed 1.0.0)
  - firstrunwizard: 2.18.0 (installed 2.14.0)
  - logreader: 2.14.0 (installed 2.10.0)
  - nextcloud_announcements: 1.18.0 (installed 1.14.0)
  - password_policy: 1.19.0 (installed 1.15.0)
  - privacy: 1.13.0 (installed 1.9.0)
  - recommendations: 2.1.0 (installed 1.4.0)
  - related_resources: 1.4.0 (installed 1.0.4)
  - support: 1.12.0 (installed 1.8.0)
  - survey_client: 1.17.0 (installed 1.13.0)
  - suspicious_login: 7.0.0
  - systemtags: 1.19.0 (installed 1.3.0)
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1 (installed 1.17.0)
  - user_status: 1.9.0 (installed 1.0.1)
  - weather_status: 1.9.0 (installed 1.7.0)

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response
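As an added illustration (not code from the issue or from Nextcloud), this Python model reproduces the failure described above: a token written to a per-node local cache is unknown to the other node behind a round-robin balancer, so every request triggers a re-authentication, whereas a shared distributed cache keeps the token visible to both nodes. The cache classes, token format and request flow are constructed assumptions standing in for APCu, Redis and the user_saml flow.

```python
"""Constructed model of the redirect loop: two app nodes, round-robin balancer,
no sticky sessions. LocalCache plays APCu (one per node), DistributedCache plays
Redis (one instance shared by all nodes). Not Nextcloud code."""
from itertools import cycle


class LocalCache:
    """Per-node key/value store; each node owns a separate instance."""
    def __init__(self):
        self._data = {}

    def set(self, key, value):
        self._data[key] = value

    def get(self, key):
        return self._data.get(key)


class DistributedCache(LocalCache):
    """Same interface, but a single instance is handed to every node."""


class AppNode:
    def __init__(self, name, cache):
        self.name = name
        self.cache = cache  # stands in for what the cache factory returns

    def login(self, user):
        token = f"tok-{user}-{self.name}"        # constructed token value
        self.cache.set("authtoken_" + token, user)  # 'authtoken_' prefix as in the issue
        return token

    def handle(self, token):
        """True if this node recognises the session token."""
        return self.cache.get("authtoken_" + token) is not None


def simulate(distributed, requests=4):
    """Run `requests` follow-up requests after a SAML login; count re-authentications."""
    shared = DistributedCache()
    nodes = [AppNode("app1", shared if distributed else LocalCache()),
             AppNode("app2", shared if distributed else LocalCache())]
    balancer = cycle(nodes)                 # round-robin, no sticky sessions
    token = next(balancer).login("alice")   # SAML response lands on app1
    reauths = 0
    for _ in range(requests):
        node = next(balancer)
        if not node.handle(token):          # token unknown here -> back to the IdP
            reauths += 1
            token = node.login("alice")     # IdP answers; token stored on this node only
    return {"reauths": reauths, "requests": requests}
```

With the local cache every follow-up request re-authenticates (the loop the issue describes); with the distributed cache none do.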
