[Nextcloud 15] Nextcloud clients cannot log in after upgrading from 15.0.0 to 15.0.2 #13591

Closed
phish108 opened this issue Jan 14, 2019 · 17 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug

Comments

@phish108

phish108 commented Jan 14, 2019

Confirmed clients to fail:

Official Desktop Client:

  • Nextcloud for MacOS 2.5.1
  • Nextcloud for Windows 2.5.1

Mobile Clients

  • Nextcloud for iOS 2.22..7.8 (On Grant Access reports Error: Access Forbidden, Invalid Request)
  • Nextcloud Android 3.4.1 (On Grant Access reports Error: Access Forbidden, Invalid Request)

Unaffected

  • Web-client

Steps to reproduce

  1. Install NC 15.0.0
  2. Install NC client 2.5.1
  3. authenticate and sync (works nice and smooth)
  4. upgrade to NC 15.0.2
  5. log client out (or reinstall client)
  6. login with client
  7. authenticate via password
  8. grant access (return to landing page, return to step 6 - on mobiles, stuck at error page).
  9. authenticate via token
  10. grant access (return to landing page/step 9 - on mobiles, stuck at error page).

only on mobile clients

  11. return to old method
  12. enter credentials
  13. return to landing screen for new accounts.

Web Login works as usual.

Expected behaviour

Client authenticates and synchronizes the user data

Actual behaviour

User is stuck on the client's authentication screen.

Server configuration

Operating system:

alpine linux (official docker container 15-fpm-alpine)

Web server:
NGINX

Database:
MariaDB

PHP version:
7.2.14

Nextcloud version: (see Nextcloud admin page)

15.0.2

Updated from an older Nextcloud/ownCloud or fresh install:

15.0.0 and fresh install

Where did you install Nextcloud from:

docker hub

Signing status:

No errors have been found.

List of activated apps:

App list
Enabled:
  - accessibility: 1.1.0
  - admin_audit: 1.5.0
  - bookmarks: 0.15.1
  - calendar: 1.6.4
  - cloud_federation_api: 0.1.0
  - comments: 1.5.0
  - contacts: 3.0.1
  - dav: 1.8.1
  - federatedfilesharing: 1.5.0
  - files: 1.10.0
  - files_pdfviewer: 1.4.0
  - files_sharing: 1.7.0
  - files_texteditor: 2.7.0
  - files_trashbin: 1.5.0
  - files_videoplayer: 1.4.0
  - firstrunwizard: 2.4.0
  - gallery: 18.2.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.3.0
  - nextcloud_announcements: 1.4.0
  - notifications: 2.3.0
  - oauth2: 1.3.0
  - password_policy: 1.5.0
  - provisioning_api: 1.5.0
  - serverinfo: 1.5.0
  - sharebymail: 1.5.0
  - support: 1.0.0
  - survey_client: 1.3.0
  - systemtags: 1.5.0
  - theming: 1.6.0
  - twofactor_backupcodes: 1.4.1
  - updatenotification: 1.5.0
  - user_ldap: 1.5.0
  - workflowengine: 1.5.0
Disabled:
  - activity
  - encryption
  - federation
  - files_external
  - files_versions

Nextcloud configuration:

Config report
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "version": "15.0.2.0",
        "installed": true,
        "forcessl": true,
        "loglevel": 0,
        "ldapIgnoreNamingRules": false,
        "maintenance": false,
        "theme": "",
        "maxZipInputSize": 943718400,
        "allowZipDownload": true,
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "secret": "***REMOVED SENSITIVE VALUE***",
        "share_folder": "\/Shared",
        "trashbin_retention_obligation": "auto",
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpmode": "smtp",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "stable",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "PLAIN",
        "mail_smtpauth": 1,
        "mail_smtpport": "587",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...
No (local)

Are you using encryption: yes/no
No (apart from HTTPS)

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
LDAP

LDAP configuration (delete this part if not used)

LDAP config
+-------------------------------+-------------------------------------------------------------------------------+
| Configuration                 | |
+-------------------------------+-------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | |
| homeFolderNamingRule          | |
| lastJpegPhotoLookup           | 0 |
| ldapAgentName                 | ***|
| ldapAgentPassword             | *** |
| ldapAttributesForGroupSearch  | |
| ldapAttributesForUserSearch   | |
| ldapBackupHost                | |
| ldapBackupPort                | |
| ldapBase                      | *** |
| ldapBaseGroups                | ***|
| ldapBaseUsers                 | *** |
| ldapCacheTTL                  | 600 |
| ldapConfigurationActive       | 1 |
| ldapDefaultPPolicyDN          | |
| ldapDynamicGroupMemberURL     | |
| ldapEmailAttribute            | mail |
| ldapExperiencedAdmin          | 0 |
| ldapExpertUUIDGroupAttr       | |
| ldapExpertUUIDUserAttr        | |
| ldapExpertUsernameAttr        | |
| ldapGidNumber                 | gidNumber |
| ldapGroupDisplayName          | cn |
| ldapGroupFilter               | |
| ldapGroupFilterGroups         | |
| ldapGroupFilterMode           | 0 |
| ldapGroupFilterObjectclass    | |
| ldapGroupMemberAssocAttr      | uniqueMember |
| ldapHost                      | ldapserver |
| ldapIgnoreNamingRules         | |
| ldapLoginFilter               | (&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson))(uid=%uid)) |
| ldapLoginFilterAttributes     | |
| ldapLoginFilterEmail          | 0 |
| ldapLoginFilterMode           | 1 |
| ldapLoginFilterUsername       | 1 |
| ldapNestedGroups              | 0 |
| ldapOverrideMainServer        | 0 |
| ldapPagingSize                | 500 |
| ldapPort                      | 389 |
| ldapQuotaAttribute            | |
| ldapQuotaDefault              | |
| ldapTLS                       | 0 |
| ldapUserAvatarRule            | default |
| ldapUserDisplayName           | cn |
| ldapUserDisplayName2          | |
| ldapUserFilter                | (|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)) |
| ldapUserFilterGroups          | |
| ldapUserFilterMode            | 1 |
| ldapUserFilterObjectclass     | organizationalPerson |
| ldapUuidGroupAttribute        | auto |
| ldapUuidUserAttribute         | auto |
| turnOffCertCheck              | 0 |
| turnOnPasswordChange          | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+-------------------------------------------------------------------------------+

Client configuration

Browser:
NC Client 2.5.1 (Mozilla/5.0 (Macintosh) mirall/2.5.1final (build 20181204) (Nextcloud)

Operating system:
Mac OS 10.14.2

Logs

Web server error log

Insert your webserver log here

Nextcloud log (data/nextcloud.log)


The nextcloud log keeps returning these blocks from the nextcloud client.

{"reqId":"hVhbFaW4umrmkIKpqr1S","level":0,"time":"2019-01-14T17:38:22+00:00","remoteAddr":"10.0.16.223","user":"61b6fb06-***","app":"user_ldap","method":"GET","url":"\/csrftoken","message":"initializing paged search for  Filter (|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)) base Array\n(\n   [0] => cn=***,dc=***,dc=***\n)\n attr Array\n(\n    [0] => \n)\n limit 500 offset 0","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.5.1final (build 20181204) (Nextcloud)","version":"15.0.2.0"}
{"reqId":"hVhbFaW4umrmkIKpqr1S","level":0,"time":"2019-01-14T17:38:22+00:00","remoteAddr":"10.0.16.223","user":"61b6fb06-***,"app":"user_ldap","method":"GET","url":"\/csrftoken","message":"Ready for a paged search","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.5.1final (build 20181204) (Nextcloud)","version":"15.0.2.0"}
{"reqId":"hVhbFaW4umrmkIKpqr1S","level":0,"time":"2019-01-14T17:38:22+00:00","remoteAddr":"10.0.16.223","user":"61b6fb06-***","app":"user_ldap","method":"GET","url":"\/csrftoken","message":"readAttribute: cn=***,dc=***,dc=*** found","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.5.1final (build 20181204) (Nextcloud)","version":"15.0.2.0"}
{"reqId":"hVhbFaW4umrmkIKpqr1S","level":0,"time":"2019-01-14T17:38:22+00:00","remoteAddr":"10.0.16.223","user":"61b6fb06-***","app":"user_ldap","method":"GET","url":"\/csrftoken","message":"initializing paged search for  Filter (&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson))(uid=***)) base Array\n(\n    [0] => dc=***,dc=***\n)\n attr Array\n(\n    [0] => entryuuid\n    [1] => nsuniqueid\n    [2] => objectguid\n    [3] => guid\n    [4] => ipauniqueid\n    [5] => dn\n    [6] => uid\n    [7] => samaccountname\n    [8] => memberof\n    [9] => mail\n    [10] => cn\n    [11] => jpegphoto\n    [12] => thumbnailphoto\n)\n limit 500 offset 0","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.5.1final (build 20181204) (Nextcloud)","version":"15.0.2.0"}
{"reqId":"hVhbFaW4umrmkIKpqr1S","level":0,"time":"2019-01-14T17:38:22+00:00","remoteAddr":"10.0.16.223","user":"61b6fb06-***","app":"user_ldap","method":"GET","url":"\/csrftoken","message":"Ready for a paged search","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.5.1final (build 20181204) (Nextcloud)","version":"15.0.2.0"}
{"reqId":"hVhbFaW4umrmkIKpqr1S","level":0,"time":"2019-01-14T17:38:22+00:00","remoteAddr":"10.0.16.223","user":"61b6fb06-***","app":"user_ldap","method":"GET","url":"\/csrftoken","message":"initializing paged search for  Filter (|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)) base Array\n(\n   [0] => cn=***,dc=***,dc=***\n)\n attr Array\n(\n    [0] => \n)\n limit 500 offset 0","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.5.1final (build 20181204) (Nextcloud)","version":"15.0.2.0"}
{"reqId":"hVhbFaW4umrmkIKpqr1S","level":0,"time":"2019-01-14T17:38:22+00:00","remoteAddr":"10.0.16.223","user":"61b6fb06-***","app":"user_ldap","method":"GET","url":"\/csrftoken","message":"Ready for a paged search","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.5.1final (build 20181204) (Nextcloud)","version":"15.0.2.0"}
{"reqId":"hVhbFaW4umrmkIKpqr1S","level":0,"time":"2019-01-14T17:38:22+00:00","remoteAddr":"10.0.16.223","user":"61b6fb06-***","app":"user_ldap","method":"GET","url":"\/csrftoken","message":"readAttribute: cn=***,dc=***,dc=*** found","userAgent":"Mozilla\/5.0 (Macintosh) mirall\/2.5.1final (build 20181204) (Nextcloud)","version":"15.0.2.0"}

Browser log


Under settings/logging I see this line repeating over and over.

Error | index | Doctrine\DBAL\Schema\SchemaException: There is no column with name 'object_id' on table 'oc_activity'.
@phish108 phish108 added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jan 14, 2019
@phish108
Author

Windows 2.5.1 clients appear to be also affected.

@victorbw

confirmed - also having the same issue with windows client.

as far as I remember there is already an issue somewhere mentioning this, but didn't have the time to look it up...

@victorbw

victorbw commented Jan 16, 2019

@phish108 what is the username? I may bet my liver it has a whitespace in it 🤔

@phish108 phish108 changed the title nextcloud macos clients cannot log in after upgrading from 15.0.0 to 15.0.2 [Nextcloud 15] Nextcloud clients cannot log in after upgrading from 15.0.0 to 15.0.2 Jan 16, 2019
@phish108
Author

@victorbw our usernames have no whitespaces.

I checked the backlog:
#13262 appears to be unrelated, because 15.0.0.10 worked without problems.
#13092 is related to webdav, we do not use webdav and the web-client works fine.
#13431 appears similar, but in our case it is not random.

@victorbw

@phish108 so I've probably lost a liver, the only one I had 🤣

well, still the nc-client has to connect to the nc-server first. and if it fails its authentication at the nc-server, how will it be possible to authenticate on ldap then?

can you please double-check if the actual username (not displayname) has no whitespaces?

@kesselb
Contributor

kesselb commented Jan 16, 2019

Error | index | Doctrine\DBAL\Schema\SchemaException: There is no column with name 'object_id' on table 'oc_activity'.

nextcloud/activity#309 (comment)

@phish108
Author

phish108 commented Jan 16, 2019

@danielkesselberg Thank you for the pointer. After fixing the database, the issue remains, only the errors disappear.

@victorbw The client connects to the server. The user authenticates successfully with LDAP. The issue is at the step of granting access to the client after login. I doubt that this is related to LDAP.

@victorbw

@victorbw The client connects to the server. The user authenticates successfully with LDAP. The issue is at the step of granting access to the client after login. I doubt that this is related to LDAP.

so do I - most probably it's on the side of nc's authentication procedure back to the client, but I'm pretty much unsure who's the one to blame.

maybe this should be copied to https://github.com/nextcloud/desktop?

@phish108
Author

@victorbw I don't think that it is a client or desktop related issue for 2 reasons:

  1. All clients worked before the upgrade from 15.0.0 to 15.0.2 but stopped working after upgrading.
  2. All recent clients (incl. Mobile) stopped authenticating with 15.0.2.

The mobile clients are slightly more informative and indicate a missing or broken API on the server (Access Forbidden, Invalid Request).

I have not tested 15.0.1

@phish108
Author

new errors appear

TypeError: Argument 1 passed to OC\Authentication\Token\Manager::getTokenById() must be of the type integer, null given, called in /var/www/html/apps/notifications/lib/Controller/PushController.php on line 159 at /var/www/html/lib/private/Authentication/Token/Manager.php#141

@phish108
Author

phish108 commented Jan 16, 2019

I dug further and found nothing in the logs. The access tokens are created correctly. However, it seems that the redirect URL points to the wrong location or passes the wrong data or passes it in a way that the clients cannot pick up.

The only related change that makes sense to me appears in core/routes.php that introduces a new app token route in line 57, which is related to this commit

@ChessSpider

very likely unrelated, however in case it isn't or just to raise awareness, v15.0.02 also breaks the user_saml plugin nextcloud/user_saml#296

@rullzer
Member

rullzer commented Jan 16, 2019

Can somebody provide me with test credentials to a system this happens. I tried it on 4 instances I have access to and all the clients work properly.

@victorbw

victorbw commented Jan 16, 2019

Can somebody provide me with test credentials to a system this happens. I tried it on 4 instances I have access to and all the clients work properly.

PN!

edit: just saw that github has removed private messaging for a while ... 👎
let me know where I can provide you with credentials because I very much dislike to have credentials out in the public.

@victorbw

@victorbw The client connects to the server. The user authenticates successfully with LDAP. The issue is at the step of granting access to the client after login. I doubt that this is related to LDAP.

never said it was ldap-related ;)

@KBlixt

KBlixt commented Jan 16, 2019

nextcloud/android#3430

TL;DR: try adding this to your config.php:

'overwriteprotocol' => 'https',

@phish108
Author

@KBlixt Thank you very much. This solves the issue.

However, the documentation was unclear to me, so I missed that point. Maybe also, because it worked with the initial version. I suggest to make it clearer that these settings are non-optional in reverse proxy (and maybe FPM) settings. A bulleted list just like it's presented in https://github.com/nextcloud/server/blob/master/config/config.sample.php#L456-L463, instead of a big chunk of text.

@rullzer - thank you again for your support earlier. I will revoke the credentials again.
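
A check for the setting that resolved this issue, as an added example that is not part of the thread or of Nextcloud's code: it reads a config report in the JSON shape posted above and flags a missing or inconsistent `overwriteprotocol`. The function name `audit_reverse_proxy`, the `behind_tls_proxy` flag and the sample host name are assumptions; `trusted_proxies` is a Nextcloud config key that does not appear in the thread.

```python
import json

# Constructed sample in the shape of the "Config report" in this issue.
# The host name is a placeholder; the redacted marker is copied from the report.
SAMPLE_REPORT = """
{
    "system": {
        "version": "15.0.2.0",
        "forcessl": true,
        "trusted_domains": ["cloud.example.org"],
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***"
    }
}
"""


def audit_reverse_proxy(report_json, behind_tls_proxy=True):
    """Return findings about reverse-proxy settings in a config report.

    behind_tls_proxy is an assumption supplied by the operator: True when a
    proxy (for example NGINX) terminates HTTPS in front of Nextcloud.
    """
    system = json.loads(report_json).get("system", {})
    proto = system.get("overwriteprotocol")
    proxies = system.get("trusted_proxies") or []
    cli_url = system.get("overwrite.cli.url", "")
    findings = []

    if proto is not None and proto not in ("http", "https"):
        findings.append(f"overwriteprotocol has unexpected value {proto!r}")
    if behind_tls_proxy and proto == "http":
        findings.append("overwriteprotocol is 'http' behind a TLS proxy")
    if behind_tls_proxy and proto is None and not proxies:
        findings.append(
            "overwriteprotocol is not set and trusted_proxies is empty: "
            "the server may build http:// URLs for clients that connected over https"
        )
    # Redacted values do not start with a scheme and are skipped here.
    if proto in ("http", "https") and cli_url.startswith(("http://", "https://")):
        if not cli_url.startswith(proto + "://"):
            findings.append("overwrite.cli.url scheme differs from overwriteprotocol")
    return findings


if __name__ == "__main__":
    for finding in audit_reverse_proxy(SAMPLE_REPORT):
        print("FINDING:", finding)
```
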
