Authentication issue with Nextcloud

William Gathoye

Authentication issue with Nextcloud

Hello there,

I (credit goes to upstream) have been able to narrow down the
authentication issue we were experiencing with the Nextcloud desktop client.

Please note, up to now the latest ownCloud client is still working fine
except it is not keeping the SAML token after the system reboots/user
logs out.


The TDF Nextcloud instance has 2 issues:

1. XSS whitelisting

According to the logs of my Nextcloud client [1], we can see the page
answering back with the SAML token cannot be loaded properly due to a
font issue.

It appears the location of these fonts hasn't been whitelisted properly,
leading the Nextcloud client webview (qt5-webengine) to not load them
to avoid a potential XSS vulnerability.

Could you please whitelist these resources locations?


2. *not* successful, http result code is 302 [2] --> the connection
issue per se

Could you please disable "Use SAML auth for the Nextcloud desktop
clients (requires user re-authentication)" in the Nextcloud server admin
settings? SAML SSO remains active without this parameter. It seems this
(unclear) parameter has been set because old desktop clients handled
saml internally/differently.


[1] https://gist.github.com/wget/6433e4dac5e1c291bb64af779b6ff3cb

[2] https://github.com/nextcloud/desktop/issues/1084#issuecomment-474478145

[3]
https://help.nextcloud.com/t/issue-login-in-with-the-desktop-client-when-using-sso-saml-with-keycloak/47063/24


--
William Gathoye
<[hidden email]>



--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/website/
Privacy Policy: https://www.documentfoundation.org/privacy
Guilhem Moulin

Re: Authentication issue with Nextcloud

On Fri, 22 Mar 2019 at 22:32:02 +0100, William Gathoye wrote:
> It appears the location of these fonts hasn't been whitelisted properly,
> leading the Nextcloud client webview (qt5-webengine) to not load them
> to avoid a potential XSS vulnerability.

The CSP violation looks somewhat odd to me:

    [unknown Refused to load the font 'https://auth.documentfoundation.org/saml/singleSignOn?SAMLRequest=…' because it violates the following Content Security Policy directive: "font-src 'self' data:".

There is no CSP for font resources on https://auth.documentfoundation.org .
(In fact the page doesn't have any font resource AFAICT, although I suppose
it might depend on the User-Agent.)  On https://nextcloud.documentfoundation.org
we have

    Content-Security-Policy: default-src 'none'; […]; font-src 'self' data:; […]
 
I don't understand why your client tries to apply that policy when loading
resources from https://auth.documentfoundation.org .  There is a 303
redirection in the middle, and the CSP doesn't apply to the Location
target.

Also, the CSP is populated by Nextcloud itself.  Plugins can amend it,
for instance ‘richdocuments’ adds the LOOL domain to the
frame-src whitelist:

    https://github.com/nextcloud/server/blob/master/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
    https://github.com/nextcloud/richdocuments/blob/v3.2.4/appinfo/app.php#L70

If ‘user_saml’ was really non-functioning without loading font resources
from the SAML IdP URI (even if just on desktop clients), I would expect
to see

    $policy->addAllowedFontDomain($samlDomain)

somewhere in the source.

> 2. *not* successful, http result code is 302 [2] --> the connection
> issue per se

That's rdm#2658 right?  If so, please avoid cross-posting.

> Could you please disable "Use SAML auth for the Nextcloud desktop
> clients (requires user re-authentication)" in the Nextcloud server admin
> settings? SAML SSO remains active without this parameter.

From https://github.com/nextcloud/user_saml/blob/master/appinfo/app.php#L124
it's not exactly clear to me what that would entail.

  * Does that require authentication via application-specific passwords?
    If so, changing the setting requires some kind of consensus, and if
    users agree to disable SAML, we need a transition (and warn users)
    to avoid confusion.  You're not the only one using the desktop
    client against our instance, and most other folks are using a
    version that seems to work.  AFAICT disabling the setting would make
    their setup stop working until they add an app password.  (I guess
    they won't object if they can have long-lived sessions, but they
    still need to be consulted and warned.)

  * Does it mean that the Nextcloud server hijacks the SAML challenge
    and performs authentication on behalf of the user?  (Doesn't seem so
    based on my understanding of the code, but I'm not sure.)  If so,
    that would completely collapse the threat model.  WebSSO isn't only
    a convenience, the different front-ends don't get to see user
    credentials.  Reducing the attack surface is the whole point.

--
Guilhem.
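To make the CSP decision quoted above concrete, here is an added example (not code from the thread, from Nextcloud, or from qt5-webengine): a minimal source-list matcher that evaluates a font URL against the `font-src 'self' data:` directive quoted from nextcloud.documentfoundation.org, and shows what the `addAllowedFontDomain`-style amendment discussed above would change. The document origin, the shortened `SAMLRequest` value and the `addAllowedFontDomain` helper are assumptions for illustration; ports, paths, nonces, hashes and redirect handling are deliberately left out, so it is a teaching model of the check, not a conformant CSP engine.

```javascript
// Added example: a minimal Content-Security-Policy source-list matcher, enough
// to reproduce the "Refused to load the font" decision quoted in the thread.
// Illustrative code, not Nextcloud's or qt5-webengine's implementation:
// ports, paths, nonces/hashes and redirects are deliberately not modelled.

// Constructed from the header quoted in the thread, with the elided "[…]" parts dropped.
const NEXTCLOUD_CSP = "default-src 'none'; font-src 'self' data:";
// Assumed origin of the page that carries the policy.
const DOCUMENT_ORIGIN = "https://nextcloud.documentfoundation.org";
// The request the client log complains about (SAMLRequest value shortened, constructed).
const SAML_FONT_URL = "https://auth.documentfoundation.org/saml/singleSignOn?SAMLRequest=xyz";

// Parse "a b c; d e" into { a: ["b", "c"], d: ["e"] }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length) policy[parts[0].toLowerCase()] = parts.slice(1);
  }
  return policy;
}

// Does one source expression allow `url` for a document served from `documentOrigin`?
function sourceAllows(expr, url, documentOrigin) {
  const u = new URL(url);
  const doc = new URL(documentOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") return u.protocol === doc.protocol && u.hostname === doc.hostname;
  if (expr.startsWith("'")) return false; // other keywords play no role for font fetches
  // scheme-source such as "data:" or "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  // host-source: [scheme://]host[:port][/path]; port and path ignored (simplification)
  let scheme = null;
  let rest = expr;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) {
    scheme = m[1].toLowerCase() + ":";
    rest = m[2];
  }
  const host = rest.split("/")[0].split(":")[0].toLowerCase();
  if (scheme && u.protocol !== scheme) return false;
  if (host.startsWith("*.")) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}

// Apply `directive`, falling back to default-src as CSP does for fetch directives.
// Returns true when no applicable directive exists (nothing to enforce).
function cspAllows(header, directive, url, documentOrigin) {
  const policy = parseCsp(header);
  const sources = policy[directive] ?? policy["default-src"];
  if (sources === undefined) return true;
  return sources.some((s) => sourceAllows(s, url, documentOrigin));
}

function fontAllowed(header, fontUrl) {
  return cspAllows(header, "font-src", fontUrl, DOCUMENT_ORIGIN);
}

// Hypothetical server-side amendment in the spirit of Nextcloud's
// addAllowedFontDomain(): append a host to font-src, seeding font-src from
// default-src when it is absent and dropping 'none' so the list stays valid.
function addAllowedFontDomain(header, domain) {
  const policy = parseCsp(header);
  const base = policy["font-src"] ?? policy["default-src"] ?? [];
  policy["font-src"] = base.filter((s) => s !== "'none'").concat(domain);
  return Object.entries(policy).map(([d, v]) => [d, ...v].join(" ")).join("; ");
}

console.log(fontAllowed(NEXTCLOUD_CSP, SAML_FONT_URL)); // false, i.e. the "Refused to load" line
console.log(fontAllowed(addAllowedFontDomain(NEXTCLOUD_CSP, "https://auth.documentfoundation.org"),
                        SAML_FONT_URL)); // true
```

Run with `node` as-is. The first result reproduces the violation in the client log: the IdP host is neither `'self'` nor a `data:` URL, so the font fetch is refused. The second shows that only an explicit `font-src` entry for the IdP host (what an `addAllowedFontDomain` call would produce) changes that outcome; an empty policy, as on the IdP itself, enforces nothing.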

William Gathoye

Re: Authentication issue with Nextcloud

Hi Guilhem,

On 23/03/2019 00:44, Guilhem Moulin wrote:

> On Fri, 22 Mar 2019 at 22:32:02 +0100, William Gathoye wrote:
>> It appears the location of these fonts hasn't been whitelisted properly,
>> leading the Nextcloud client webview (qt5-webengine) to not load them
>> to avoid a potential XSS vulnerability.
> The CSP violation looks somewhat odd to me:
>
>    
> I don't understand why your client tries to apply that policy when loading
> resources from https://auth.documentfoundation.org .  There is a 303
> redirection in the middle, and the CSP doesn't apply to the Location
> target.

Weird is indeed what I thought. I had hoped you had the solution though :-/

My client is the latest version published by Nextcloud on GitHub. (not
the one on their website, they are always lagging behind there).

> That's rdm#2658 right? If so, please avoid cross-posting.
Yes it is. But I think it is better to discuss things here, as the
issue is less a bug to me but rather an open discussion which could lead
to a bug report or not. "Always privilege mailing lists when you can",
this is what has been said to me :)
>> Could you please disable "Use SAML auth for the Nextcloud desktop
>> clients (requires user re-authentication)" in the Nextcloud server admin
>> settings? SAML SSO remains active without this parameter.
> From https://github.com/nextcloud/user_saml/blob/master/appinfo/app.php#L124
> it's not exactly clear to me what that would entail.
>
>   * Does that require authentication via application-specific passwords?

According to the answers we can read on the Nextcloud bug report and
forums (the links I gave to you), it appears changing the settings
hasn't required changes in the way users were connecting.

But again their use case is not the one from TDF, this is why I was
thinking to have some sort of sandbox. Do you think this would be
possible to clone the current Nextcloud + saml config somewhere and try
to debug from there? I don't know if this is possible. I assume TDF has
enough resources and that 2 additional VMs (SAML+Nextcloud) won't cause
any burden to the infra. If that's the case I could offer
infra/computation/storage power.

>   * Does it mean that the Nextcloud server hijacks the SAML challenge
>     and performs authentication on behalf of the user?

I don't think there is some kind of hijacking here. I have the same
opinion as you here. But this needs to be confirmed. Do you want me to
post on the Nextcloud bug issue on Github and ask if some Nextcloud dev
veteran can confirm this assumption?

Regards,

--
William Gathoye
<[hidden email]>


