Error Message "OAuth: State not found in session" with Nextcloud 22 #2

Closed
knobhead opened this issue Jan 3, 2022 · 10 comments

@knobhead

knobhead commented Jan 3, 2022

Hi there,

thanks a lot for your recent work on dokuwiki-plugin-oauth and
dokuwiki-plugin-oauthgeneric 👍 Hope y'all got into the new year well!

I think I'm pretty close to getting DW OAuth2 integration with my Nextcloud 22 server up and running.
But right now I'm stuck with this error message when I try to log in to DW via OAuth:

OAuth: State not found in session, are you sure you stored it?

  • Nextcloud authentication / permission dialogue works fine. App tokens are created correctly in his Nextcloud profile.
  • DokuWiki does not create a new user in conf/users.auth.php
  • When I try again, a new app token for this user is requested from Nextcloud and generated.

DokuWiki Debug information

OAuth\Common\Storage\Exception\AuthorizationStateNotFoundException at /var/www/virtual/myusername/html/wiki/lib/plugins/oauth/vendor/lusitanian/oauth/src/OAuth/Common/Storage/Session.php:155
#0 /var/www/virtual/myusername/html/wiki/lib/plugins/oauth/vendor/lusitanian/oauth/src/OAuth/OAuth2/Service/AbstractService.php(273): OAuth\Common\Storage\Session->retrieveAuthorizationState('Generic')
#1 /var/www/virtual/myusername/html/wiki/lib/plugins/oauth/vendor/lusitanian/oauth/src/OAuth/OAuth2/Service/AbstractService.php(251): OAuth\OAuth2\Service\AbstractService->retrieveAuthorizationState()
#2 /var/www/virtual/myusername/html/wiki/lib/plugins/oauth/vendor/lusitanian/oauth/src/OAuth/OAuth2/Service/AbstractService.php(103): OAuth\OAuth2\Service\AbstractService->validateAuthorizationState('')
#3 /var/www/virtual/myusername/html/wiki/lib/plugins/oauth/Adapter.php(227): OAuth\OAuth2\Service\AbstractService->requestAccessToken('FJazeEzNVsFRAU6...', '')
#4 /var/www/virtual/myusername/html/wiki/lib/plugins/oauth/OAuthManager.php(66): dokuwiki\plugin\oauth\Adapter->checkToken()
#5 /var/www/virtual/myusername/html/wiki/lib/plugins/oauth/OAuthManager.php(37): dokuwiki\plugin\oauth\OAuthManager->loginByService()
#6 /var/www/virtual/myusername/html/wiki/lib/plugins/oauth/auth.php(45): dokuwiki\plugin\oauth\OAuthManager->continueFlow()
#7 /var/www/virtual/myusername/html/wiki/inc/auth.php(96): auth_plugin_oauth->trustExternal('', '', false)
#8 /var/www/virtual/myusername/html/wiki/inc/init.php(229): auth_setup()
#9 /var/www/virtual/myusername/html/wiki/index.php(18): require_once('/var/www/virtua...')
#10 {main}

DokuWiki OAuth/OAuthGeneric plugin config in conf\local.php:

$conf['plugin']['oauth']['register-on-auth'] = 1;
$conf['plugin']['oauthgeneric']['key'] = '<heregoesmykey>';
$conf['plugin']['oauthgeneric']['secret'] = '<heregoesmysecret>';
$conf['plugin']['oauthgeneric']['authurl'] = 'https://myfunnydomain.de/cloud/apps/oauth2/authorize';
$conf['plugin']['oauthgeneric']['tokenurl'] = 'https://myfunnydomain.de/cloud/apps/oauth2/token';
$conf['plugin']['oauthgeneric']['userurl'] = 'https://myfunnydomain.de/cloud/ocs/v2.php/cloud/user?format=json';
$conf['plugin']['oauthgeneric']['authmethod'] = '1';
$conf['plugin']['oauthgeneric']['scopes'] = array();
$conf['plugin']['oauthgeneric']['json-user'] = 'ocs.data.id';
$conf['plugin']['oauthgeneric']['json-name'] = 'ocs.data.display-name';
$conf['plugin']['oauthgeneric']['json-mail'] = 'ocs.data.email';
$conf['plugin']['oauthgeneric']['label'] = 'Einloggen über die Cloud';
$conf['plugin']['oauthgeneric']['color'] = '#1A9EE6';

Nextcloud OAuth client configuration

[screenshot]

Environment

  • DokuWiki Release 2020-07-29 "Hogfather"
  • DW Plugins are up to date (acl, authpdo, authplain, ckgedit, config, extension, gallery, info, move, oauth, oauthgeneric, popularity, prosemirror, revert, safefnrecode, styling, upgrade, usermanager, vshare, wrap)
    • oauth is from 2021-12-19
    • oauthgeneric is from 2021-12-05
  • Nextcloud is running v 22.2.0
  • running on a shared hosting at uberspace (CentOS IIRC)

Some other things I've checked:

References

Since I found it quite hard to piece together the necessary puzzle pieces, here's some references that pointed me in the (hopefully) right direction:

As soon as I have this up and running I'd happily contribute a little "How-to Nextcloud DokuWiki OAuth Integration" tutorial somewhere. With a little help I might try to build a nextcloud-specific connector plug-in for dokuwiki-oauth.

Thanks for any hints! If you need any more information for debugging or want me to try something out, please let me know.

@splitbrain
Member

Hmm, when you return from Nextcloud to DokuWiki after the login there, what's the URL you see? I seem to remember an issue on the old oauth plugin about Nextcloud passing an empty state parameter...

@knobhead
Author

knobhead commented Jan 5, 2022

@splitbrain uh, you're right, &state= is empty!

https://example.org/wiki/?state=&code=UHF...n0L

Where would I start digging to fix this?
I've also been pondering Cookie and CSRF policies, but I think they should be alright...

@knobhead
Author

knobhead commented Jan 8, 2022

I found the issue you mentioned, but the resolution would be to write a custom adapter/service plug-in instead of using oauthgeneric?

@splitbrain
Member

Well, since this is a non-standard behavior (an empty string state is not the same as a non-set state) I would argue indeed that it should be fixed in a NextCloud specific plugin and not in the generic class. The fix should be relatively simple by overriding checkToken() and removing an empty state from the $INPUT object before calling the parent.
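
The difference between an empty and an unset state described above, as an added stand-alone PHP example (not code from the plugin or from lusitanian/oauth). `normalizeState()` and `checkCallback()` are hypothetical names and the sample callbacks are constructed; the example maps an empty `state=` to "not set" but still requires a match whenever the client issued a state, since that comparison is what protects the callback against CSRF.

```php
<?php
// Added example: stand-alone model of the callback check, not the plugin's code.
// normalizeState() and checkCallback() are hypothetical names.

/** Treat an empty "state=" like a missing parameter. */
function normalizeState(array $query): ?string
{
    $state = $query['state'] ?? null;
    return (is_string($state) && $state !== '') ? $state : null;
}

/**
 * Decide whether a callback may proceed to the token request.
 * $issued is the state stored in the session when the flow started,
 * or null if the client never sent one.
 */
function checkCallback(array $query, ?string $issued): string
{
    if (!isset($query['code']) || $query['code'] === '') {
        return 'reject: no authorization code';
    }
    $returned = normalizeState($query);

    if ($issued === null) {
        // No state was sent, so there is nothing to compare against.
        // An empty or missing state is accepted; a non-empty one is unexpected.
        return $returned === null
            ? 'accept: no state issued'
            : 'reject: unexpected state';
    }
    // A state was issued: it must come back unchanged, otherwise the
    // CSRF protection that the parameter provides is lost.
    if ($returned === null || !hash_equals($issued, $returned)) {
        return 'reject: state mismatch';
    }
    return 'accept: state verified';
}

// Constructed sample callbacks (the code values are placeholders).
$cases = [
    [['state' => '', 'code' => 'CODE'], null],      // empty state, none issued
    [['code' => 'CODE'], null],                     // state parameter absent
    [['state' => '', 'code' => 'CODE'], 'a1b2c3'],  // issued, but came back empty
    [['state' => 'a1b2c3', 'code' => 'CODE'], 'a1b2c3'],
];
foreach ($cases as [$query, $issued]) {
    echo json_encode($query), ' issued=', var_export($issued, true),
         ' => ', checkCallback($query, $issued), PHP_EOL;
}
```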

@splitbrain
Member

see cosmocode/dokuwiki-plugin-oauth#113 if you need help

@ilicz
Contributor

ilicz commented Feb 13, 2022

@knobhead, @splitbrain I ran into the same problem and thus after studying available documentation I wrote the Nextcloud OAuth plugin based on this OAuthgeneric one.
Feel free to test and get back to me in case of any problems
https://github.com/ilicz/dokuwiki-plugin-oauthnextcloud

@fionera

fionera commented Aug 12, 2022

I have the same issue when using Authentik with OIDC. Why not implement the handling of an empty state in the generic plugin?

@sunjam

sunjam commented Nov 25, 2022

Any ideas for why access must be re-granted after logging out of Dokuwiki (when using nextcloud oauth)?

ilicz/dokuwiki-plugin-oauthnextcloud#1

@erebion

erebion commented Dec 22, 2022

Just came across this issue with Authentik.

@nightdread

@knobhead Were you able to set up Dokuwiki authorization through Nextcloud?
