OIDC "Login with Cloudron" into Nextcloud suddenly broken?
-
Since a few hours ago users are not able to login into Nextcloud via OIDC.
Nothing I tried worked so far.
- User is logged in on dashboard.
- User goes to Nextcloud URL
- "Login with Cloudron" is offered
- User clicks on "login with Cloudron"
- Internal Server error appears
Group provisioning is on, by the way.
Here is what I see in the logs:
A{"reqId":"1sHMHUYVvR0CKguCIsTd","level":3,"time":"2025-04-02T19:36:25+00:00","remoteAddr":"xx.xxx.xxx.xxx","user":"<***redactedforprivacy***>","app":"index","method":"GET","url":"/apps/user_oidc/code?code=<***redactedforprivacy***>&state=Z1XZJW6NB8D2DUNTYOIN63RXUF6KRXUP&iss=https%3A%2F%2F<***redactedforprivacy***>%2Fopenid","message":"array_diff(): Argument #2 must be of type array, stdClass given in file '/app/code/lib/private/Share20/ShareDisableChecker.php' line 59","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3.1 Safari/605.1.15","version":"31.0.2.1","exception":{"Exception":"Exception","Message":"array_diff(): Argument #2 must be of type array, stdClass given in file '/app/code/lib/private/Share20/ShareDisableChecker.php' line 59","Code":0,"Trace":[{"file":"/app/code/lib/private/AppFramework/App.php","line":161,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/app/code/lib/private/Route/Router.php","line":307,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/app/code/lib/base.php","line":1025,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/app/code/index.php","line":24,"function":"handleRequest","class":"OC","type":"::"}],"File":"/app/code/lib/private/AppFramework/Http/Dispatcher.php","Line":146,"Previous":{"Exception":"TypeError","Message":"array_diff(): Argument #2 must be of type array, stdClass 
given","Code":0,"Trace":[{"file":"/app/code/lib/private/Share20/ShareDisableChecker.php","line":59,"function":"array_diff"},{"file":"/app/code/lib/private/Share20/Manager.php","line":1976,"function":"sharingDisabledForUser","class":"OC\\Share20\\ShareDisableChecker","type":"->"},{"file":"/app/data/apps/files_sharing/lib/MountProvider.php","line":64,"function":"sharingDisabledForUser","class":"OC\\Share20\\Manager","type":"->"},{"file":"/app/code/lib/private/Files/Config/MountProviderCollection.php","line":72,"function":"getMountsForUser","class":"OCA\\Files_Sharing\\MountProvider","type":"->"},{"file":"/app/code/lib/private/Files/Config/MountProviderCollection.php","line":129,"function":"getMountsFromProvider","class":"OC\\Files\\Config\\MountProviderCollection","type":"->"},{"file":"/app/code/lib/private/Files/SetupManager.php","line":204,"function":"addMountForUser","class":"OC\\Files\\Config\\MountProviderCollection","type":"->"},{"file":"/app/code/lib/private/Files/SetupManager.php","line":311,"function":"OC\\Files\\{closure}","class":"OC\\Files\\SetupManager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/app/code/lib/private/Files/SetupManager.php","line":203,"function":"setupForUserWith","class":"OC\\Files\\SetupManager","type":"->"},{"file":"/app/code/lib/private/Files/Filesystem.php","line":332,"function":"setupForUser","class":"OC\\Files\\SetupManager","type":"->"},{"file":"/app/code/lib/private/Cache/File.php","line":37,"function":"initMountPoints","class":"OC\\Files\\Filesystem","type":"::"},{"file":"/app/code/lib/private/Cache/File.php","line":158,"function":"getStorage","class":"OC\\Cache\\File","type":"->"},{"file":"/app/code/lib/base.php","line":860,"function":"gc","class":"OC\\Cache\\File","type":"->"},{"function":"{closure}","class":"OC","type":"::","args":["*** sensitive parameters replaced 
***"]},{"file":"/app/code/lib/private/Hooks/EmitterTrait.php","line":88,"function":"call_user_func_array"},{"file":"/app/code/lib/private/Hooks/PublicEmitter.php","line":22,"function":"emit","class":"OC\\Hooks\\BasicEmitter","type":"->"},{"file":"/app/code/lib/private/User/Session.php","line":350,"function":"emit","class":"OC\\Hooks\\PublicEmitter","type":"->"},{"file":"/app/data/apps/user_oidc/lib/Controller/LoginController.php","line":526,"function":"completeLogin","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/app/code/lib/private/AppFramework/Http/Dispatcher.php","line":200,"function":"code","class":"OCA\\UserOIDC\\Controller\\LoginController","type":"->"},{"file":"/app/code/lib/private/AppFramework/Http/Dispatcher.php","line":114,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/app/code/lib/private/AppFramework/App.php","line":161,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/app/code/lib/private/Route/Router.php","line":307,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/app/code/lib/base.php","line":1025,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/app/code/index.php","line":24,"function":"handleRequest","class":"OC","type":"::"}],"File":"/app/code/lib/private/Share20/ShareDisableChecker.php","Line":59},"message":"array_diff(): Argument #2 must be of type array, stdClass given in file '/app/code/lib/private/Share20/ShareDisableChecker.php' line 59","exception":{},"CustomMessage":"array_diff(): Argument #2 must be of type array, stdClass given in file '/app/code/lib/private/Share20/ShareDisableChecker.php' line 59"}}
-
Still working for me. Which versions of Cloudron and the Nextcloud package are you on?
Have you recently updated any plugins? Mostly it's incompatible plugins that break Nextcloud.
-
Nextcloud:
Nextcloud 31.0.2
com.nextcloud.cloudronapp@5.4.1
Cloudron:
v8.3.1 (Ubuntu 22.04.2 LTS)
-
Please try a different browser. Every time I see Safari I have a gut feeling...
If that is not it.
Did you recently update the Nextcloud app? Did you try a restore if that solves your issue?
-
Same error log in Firefox.
The problem started before the update. I updated to the latest version in hope of a fix. To no avail.
This part of the error points to ShareDisableChecker.php. I don't know what to do with that.
/app/code/lib/private/Share20/ShareDisableChecker.php' line 59","userAgent":
Looking into Nextcloud's code I see this on line 59:
$remainingGroups = array_diff($usersGroups, $excludedGroups);
Source:
https://github.com/nextcloud/server/blob/master/lib/private/Share20/ShareDisableChecker.php#L59
I assume it has something to do with Users Groups then. But this is as far as I get.
Group provisioning on Nextcloud OIDC plugin is enabled.
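Added example, not part of the original post and not Nextcloud or Cloudron code: a small Python helper that reads one Nextcloud JSON log entry, follows the nested `Previous` exception down to the root cause, and lists the app frames that led there. The sample entry is constructed and shortened from the log above; treating `/app/data/apps/` as the location of installed apps is an assumption based on the paths in that trace.

```python
import json

# Constructed sample: a shortened entry in the shape of the log line in the thread.
SAMPLE = json.dumps({
    "reqId": "constructed-req-id", "level": 3, "app": "index",
    "url": "/apps/user_oidc/code?code=REDACTED",
    "exception": {
        "Exception": "Exception",
        "Message": "array_diff(): Argument #2 must be of type array, stdClass given",
        "Trace": [{"file": "/app/code/lib/private/AppFramework/App.php", "line": 161,
                   "function": "dispatch"}],
        "File": "/app/code/lib/private/AppFramework/Http/Dispatcher.php", "Line": 146,
        "Previous": {
            "Exception": "TypeError",
            "Message": "array_diff(): Argument #2 must be of type array, stdClass given",
            "Trace": [
                {"file": "/app/code/lib/private/Share20/ShareDisableChecker.php",
                 "line": 59, "function": "array_diff"},
                {"file": "/app/code/lib/private/Share20/Manager.php", "line": 1976,
                 "function": "sharingDisabledForUser"},
                {"file": "/app/data/apps/user_oidc/lib/Controller/LoginController.php",
                 "line": 526, "function": "completeLogin"},
            ],
            "File": "/app/code/lib/private/Share20/ShareDisableChecker.php", "Line": 59,
        },
    },
})

def root_cause(log_line):
    """Follow the 'Previous' chain to the innermost exception of one log entry."""
    entry = json.loads(log_line[log_line.index("{"):])  # tolerate a prefix before the JSON
    exc = entry["exception"]
    while isinstance(exc.get("Previous"), dict):
        exc = exc["Previous"]
    frames = [f for f in exc.get("Trace", []) if "file" in f]
    # Assumption: frames under /app/data/apps/ are installed apps, not Nextcloud core.
    app_frames = [f for f in frames if f["file"].startswith("/app/data/apps/")]
    return {
        "type": exc["Exception"],
        "message": exc["Message"],
        "raised_at": f'{exc["File"]}:{exc["Line"]}',
        "via_app": [f'{f["file"].split("/")[4]}:{f["function"]}' for f in app_frames],
    }

if __name__ == "__main__":
    print(root_cause("A" + SAMPLE))
```

The result separates where the error was raised (core sharing code) from which app's call path triggered it (the OIDC login completing), which is the distinction the trace above makes hard to see.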
-
@whitespace said in OIDC "Login with Cloudron" into Nextcloud suddenly broken?:
The problem started before the update.
If so, what were your latest changes to the Nextcloud? Maybe you did some setting change?
Maybe share the app log for further investigation.
-
I changed which groups can manage users within Nextcloud. That is all.
Some users had lost their admin rights which I regranted them. I made a post a few hours ago that shows how I did this.
One thing that I noticed is that users I put into a Nextcloud group within Nextcloud did not stay there after re-logins at first. Then all of a sudden no user was able to login as described.
-
Ah soo this issue is linked to https://forum.cloudron.io/topic/13593/oidc-regex-removed-nc-admin-group.
-
@whitespace said in OIDC "Login with Cloudron" into Nextcloud suddenly broken?:
One thing that I noticed is that users I put into a Nextcloud group within Nextcloud did not stay there after re-logins at first. Then all of a sudden no user was able to login as described.
Sounds like your fix broke it.
@whitespace said in OIDC "Login with Cloudron" into Nextcloud suddenly broken?:
One thing that I noticed is that users I put into a Nextcloud group within Nextcloud did not stay there after re-logins at first.
This was a bug with one version, but then the next version resolved it. But I think the broken version was also then recalled, so I'm surprised you hit it again. Unless you'd already updated to it before it was revoked, hadn't spotted the issue, then spotted it and tried to fix the issue yourself with the regex thing? Then updated again but it was still broken? If so, if I were you what I'd probably try is: make a clone from a backup of Cloudron package 4.23.4. Then update that until the latest version and see if it's all working fine. If so, do the same with your existing one, or just change the new updated clone to be the URL of the now broken one (after changing that to something else first, obviously).
-
Good Morning and thank you for supporting my thought process.
I restored from the last functioning backup and was able to login. Of course we are missing 24 hours of synced data but this is not a big issue. Backups are there and local folders are slowly getting synced up into nc.
Now, I was able to make a certain profile nc admin again via occ. This gave me the chance to get into the config of the Open ID Connect app inside nc.
Right now I suppose the problem occurs due to a conflict of group provisioning. We have OIDC users and their groups are being provisioned into nc. We also have legacy nc native groups. If the conflict really lies within the group provisioning, I am not sure what to do next.
Do you recommend to turn off group provisioning until it is clear?
On the weekend I will clone the working copy and update it to see if the issue is caused by the update or by something else. This is my strategy so far.
-
Just updated the last working version to the newest package. Everything is fine. I guess the cause was the strange group provisioning confusion I caused.
Smooth ride so far.