Failed to provision user

[dacrudg]

Hi,

I have an existing Nextcloud with users already created from LDAP. I'm using Authelia for SSO, and wanting to login through Authelia and it bring up the existing users Files, Mail, etc. (Not create a new user).

I'm using the mappings-id setting for user_oidc to match the same one LDAP uses, and I also have auto_provision = false in config.php (To let LDAP take user creation). It always gives me the error below.
I've tried every setting for mappings-id as well (preferred_username, uid, mail, etc).

"Access Forbidden"
Failed to provision the user

I can't see to find any log files or where to start debugging this. I have found another user that had the same issue (#869) and set the mappings-id for users to preferred_username but that doesn't do anything for me.
If I take auto_provision = false out of Nextcloud then it will work, but it creates a totally new user in Nextcloud and doesn't use the existing user from LDAP.
It seems if auto_provision = false is set in Nextcloud then nothing will work to even login, and always gives the "Failed to provision the user" error.

I have also unchecked "Use unique user ID" box and tried with it. It has no difference. This is on user_oidc: 6.0.0 and user_oidc: 5.0.3

Any help would be much appreciated. Thank you

[dacrudg]

I modified the LoginController.php where this "Failed to provision" error occurs to dump the userId to a file username.txt, and it returns "root" in the file.
I'm not sure where it is getting "root" from as $userId

           // get user ID attribute
            $uidAttribute = $this->providerService->getSetting($providerId, ProviderService::SETTING_MAPPING_UID, 'sub');
            $userId = $idTokenPayload->{$uidAttribute} ?? null;
            $fp = fopen("username.txt",'a+');
            $fwrite = fwrite($fp, "," . $userId);
            if ($userId === null) {
                    $message = $this->l10n->t('Failed to provision the user');
                    echo $uidAttribute;
                    return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => 'failed to provision user']);
            }

[dacrudg]

OK, now I've confirmed it is setting userId properly in LoginController.php until it gets here:
userId is correct at the beginning.

            $this->userManager->search($userId);
            $this->ldapService->syncUser($userId);
            $userFromOtherBackend = $this->userManager->get($userId);

userFromOtherBackend becomes null at the end here

[ToXinE]

same here. I add authentik but I want nextcloud to use the users already created in authentik and not create new ones.

Edit:
I managed to solve my problem following https://docs.goauthentik.io/integrations/services/nextcloud/ and especiallly the part that add an attribute to each user you want to map in authentik :

To connect to an already existing Nextcloud user, set the "nextcloud_user_id" property in the user's attributes. This must be set for each individual user.

The value of nextcloud_user_id must match the field username of the user on the Nextcloud instance. On Nextcloud, go to Users to see the username of the user you are trying to connect to (Under user's Display name). If set to a value, for example goauthentik, it will try to connect to the goauthentik user on the Nextcloud instance. Otherwise, the user's UUID will be used.

[edward-ly]

@dacrudg Did the above mapping work for you? If so, we'll consider this issue closed.

[kreutpet]

hi ,
i do face similar issues with authentik and nextcloud integration.
i do have existing user with equal username in nextcloud and in authentik

thanks for pointing to the mapping
i followed the the steps https://dae.me/blog/2705/authentik-custom-username-oauth-apache-guacamole-property-mapping/

In Authentik, go to Customisation -> Property Mappings -> Create -> Scope Mapping. Set:

Name: Nextcloud user
Scope name: nextcloud_user_id
Expression:
return {
"preferred_username": request.user.attributes.get("nextcloud_user_id", "")
}

In Authentik, go to Providers -> click the Edit button of your Nextcloud provider, then expand “Advanced protocol settings” and in Scopes:

deselect authentik default OAuth Mapping: OpenID ‘profile’
select nextcloud userid scope
do not deselect other two selected scopes

In Authentik, go to Users -> edit user
In Attribute add
settings:
locale: en
nextcloud_user_id: ### your username in nextcloud

after that the login pointed to the already existing user

[xyko0]

Hello,
I face the same issue with Authelia 😢
Any thoughts about how to do it with it ?