Group character limit #978

Open
danielangeloni opened this issue Nov 6, 2024 · 0 comments
Labels
0. Needs triage bug Something isn't working


Steps to reproduce

  1. I am using Authentik as my OIDC provider, following this guide to use a property mapping to add groups. I added a user to some extra groups and came across errors, and after looking into it, it seems I found a limit on the characters for groups. Below are the group strings I have been testing. If you add a single extra character to any of the groups below, you get an "Access forbidden Failed to contact the OIDC provider token endpoint" error when authenticating; removing that extra character, the issue doesn't appear.
[
    "GsfJGATsssXasssZsOAsMXLaRseqasdKZ",
    "TszfSLEsbRWfsssasVbssPLaGsssERj",
    "pseSGYQsasXssssMsLBsRZMfwqEsadarsY",
    "GsdSGPPsKQjKsssesAhsnXlakiqbenuDssfaeAK",
    "WsCSGVPsAXjIsssfsFZsPVLCYsaekjebywkqlqas",
    "pszSGPPsasKksssTsAhsiNtdAsaassqLueyqbwj",
    "WsaSPPPssZTAsssEsRGsdYGsWsoqwddaeE",
    "psaSQPPsGPqWsssZsDvsaEjuebqjdAssyaqjsjs"
]

Expected behaviour

To successfully authenticate when using OIDC

Actual behaviour

Adding the extra character to any of the above group strings causes this error
Image

Server configuration

Web server: Nginx

Database: PostgreSQL

PHP version: 8.3.13

Nextcloud version: Nextcloud Hub 9 (30.0.1)

List of activated apps
  • activity: 3.0.0
  • app_api: 4.0.0
  • bruteforcesettings: 3.0.0
  • cloud_federation_api: 1.13.0
  • comments: 1.20.1
  • dav: 1.31.1
  • federatedfilesharing: 1.20.0
  • files: 2.2.0
  • files_downloadlimit: 3.0.0
  • files_external: 1.22.0
  • files_pdfviewer: 3.0.0
  • files_reminders: 1.3.0
  • files_sharing: 1.22.0
  • files_trashbin: 1.20.1
  • files_versions: 1.23.0
  • firstrunwizard: 3.0.0
  • logreader: 3.0.0
  • lookup_server_connector: 1.18.0
  • nextcloud_announcements: 2.0.0
  • notifications: 3.0.0
  • oauth2: 1.18.1
  • password_policy: 2.0.0
  • photos: 3.0.2
  • privacy: 2.0.0
  • provisioning_api: 1.20.0
  • recommendations: 3.0.0
  • related_resources: 1.5.0
  • serverinfo: 2.0.0
  • settings: 1.13.0
  • systemtags: 1.20.0
  • text: 4.1.0
  • theming: 2.5.0
  • twofactor_backupcodes: 1.19.0
  • updatenotification: 1.20.0
  • user_oidc: 6.1.2
  • viewer: 3.0.0
  • webhook_listeners: 1.1.0-dev
  • workflowengine: 2.12.0
Nextcloud configuration
{
    "system": {
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.domain.com"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "30.0.1.2",
        "overwrite.cli.url": "http:\/\/nextcloud.domain.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "allow_local_remote_servers": true,
        "filelocking.enabled": true,
        "upgrade.disable-web": true,
        "filesystem_check_changes": true,
        "defaultapp": "",
        "loglevel": 2,
        "maintenance": false,
        "maintenance_window_start": 23,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "dbindex": 0,
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 1.5
        },
        "default_phone_region": "AU",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": true,
                "verify_peer": false,
                "verify_peer_name": false
            }
        }
    }
}

Browser

Browser name: tried on Firefox, Safari, Chrome

Browser version: varies

Operating system: Mac

Browser log
nothing useful in the browser logs
@danielangeloni danielangeloni added 0. Needs triage bug Something isn't working labels Nov 6, 2024