SSO Callback closes connection (0 bytes sent by server); user logged out of impersonation previously

(Note, this was also reported here: Connection lost during callback · Issue #28 · soudis/discoursesso · GitHub)

Hello,

we are having a very weird issue with our Discourse SSO. Ever since one user logged out of impersonation, he is unable to log back in. This is what happens now if he tries to log in: (the user was logged into Nextcloud previously).

The Server just closes the connection. I am unable to find any error log. Not inside any of the nginx proxies, not inside Discourse, not inside Nextcloud.

Interestingly it has nothing to do with the network or device. It is just this user that fails to log in.

I also tried clearing out the SSO Data from Discourse, changed the Email Address to force creation of a new Discourse Account. The Problem still persists.

I suspect this is an issue with the Nextcloud plugin, however I don't see any error messages by Discourse, which surprises me. (I cleared the log and tried again, no record appeared.)

Did you enable Admin - Settings - Login - verbose_discourse_connect_logging ?

1 Like

I just did. The only record is:

Verbose SSO log: Started SSO process

add_groups: 
admin: 
moderator: 
avatar_force_update: 
avatar_url: 
bio: 
card_background_url: 
confirmed_2fa: 
email: 
external_id: 
groups: 
locale: 
locale_force_update: 
location: 
logout: 
name: 
no_2fa_methods: 
nonce: <removed>
profile_background_url: 
remove_groups: 
require_2fa: 
require_activation: 
return_sso_url: https://hub.diehumanisten.de/session/sso_login
suppress_welcome_message: 
title: 
username: 
website: 

Is this issue still ongoing @simon.michalke?

Yes, we just tested it again and it still persists.

1 Like

Okay, now we have a REAL issue. The problem seems to be spreading to other users. And the second one is not an admin and can therefore not use the workaround.

If I want to contact (paid) support, who should I talk to in my case?

Was this the right answer to your issue in the end? :crossed_fingers:

Yes. Nextcloud SSO only supports GET and not POST-based login. Our nginx proxy silently dropped the request since we had too many groups filling up the request header.

Our current workaround is manually patching the Plugin to not include groups:

We will switch to keycloak for authentication soon.

2 Likes
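
The failure mode from the final answer, as an added example that is not code from this thread or from the Nextcloud plugin: it builds a GET-based DiscourseConnect callback the way a provider would (base64 payload plus HMAC-SHA256 signature) and measures how many groups fit before the request line outgrows a proxy header buffer. The 8192-byte limit is an assumption (nginx's default `large_client_header_buffers` buffer size), and the secret, user values and group names are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Assumption: one 8k buffer, nginx's default large_client_header_buffers size.
# Replace with the value configured on the proxy in front of Discourse.
HEADER_BUFFER_BYTES = 8192
RETURN_PATH = "/session/sso_login"      # path of return_sso_url in the log above
SECRET = b"constructed-example-secret"  # constructed value, not a real secret


def build_callback(nonce, external_id, email, username, groups, secret=SECRET):
    """Return the request line the browser sends after the provider's redirect."""
    fields = {"nonce": nonce, "external_id": external_id,
              "email": email, "username": username}
    if groups:
        fields["add_groups"] = ",".join(groups)
    # DiscourseConnect: payload is a base64-encoded query string,
    # sig is the hex HMAC-SHA256 of that base64 text.
    payload = base64.b64encode(urlencode(fields).encode())
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    query = urlencode({"sso": payload.decode(), "sig": sig})
    return f"GET {RETURN_PATH}?{query} HTTP/1.1"


def fits(request_line, limit=HEADER_BUFFER_BYTES):
    """Approximate check: the whole request line must fit in one buffer."""
    return len(request_line.encode()) <= limit


def max_groups(groups, **user):
    """Largest number of leading groups whose callback still fits (binary search)."""
    lo, hi = 0, len(groups)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if fits(build_callback(groups=groups[:mid], **user)):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    user = dict(nonce="constructed-nonce", external_id="42",
                email="user@example.org", username="example_user")
    groups = [f"group-{i:04d}" for i in range(2000)]  # constructed group names
    print("groups that fit in one buffer:", max_groups(groups, **user))
```

Because the payload is URL-encoded, base64-encoded and URL-encoded again, each group costs noticeably more bytes on the wire than its name length, so a user's group count is worth checking against the proxy's header limit.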