BaseURL problem with NC & Keycloak behind Nginx reverse proxy

[enigmaticsc]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

---

Steps to reproduce

1. Install Keycloak behind / via Nginx
2. Install NC (31+) behind / via Nginx
3. Attempt SAML authentication

Expected behaviour

User login should work

Actual behaviour

error message generated from php-saml: https://host/nc subdir/apps/user_saml/saml/apps/user_saml/saml/acs instead of https://host/nc subdir/apps/user_saml/saml/acs

Server configuration

Web server: Apache (Docker)

Database: PostgreSQL

PHP version: Per Docker image

Nextcloud version: exists from V30+

List of activated apps

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

Nextcloud configuration

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

Browser

Browser name: Firefox/Chrome/Safari/…

Browser version: 124/125/…

Operating system: Windows/Ubuntu/Mac/…

Browser log

Insert your browser log here, this could for example include:
a) The javascript console log
b) The network log
c) ...

I've traced this back through the PHP and the fundamental issue seems to be that SetBaseURL is never called in the constructor and somehow (yet to determine how), the $baseurl in php-saml starts as https://host/nc subdir/app/user_saml/saml as opposed to simply https://host/nc subdir. So when the acs part of the URL gets added in Utils.php getSelfRoutedURLNoQuery() function, it adds the extra bit on.

I've tried using the php-saml settings.php file to override the baseurl but this doesn't seem to have an impact in this scenario.

if I override $route in Utils.php getSelfRoutedURLNoQuery() just before the line " $selfRoutedURLNoQuery = $selfURLhost . $route;" then it works fine. Obviously this isn't sustainable. I obviously have all the relevant config.php entries for NC as a subdir and this all works fine with no issues.

This all worked fine around V29 of NC (I can't remember which version as I had it on autoupdate at the time. It seems to correlate to SAML-Toolkits/php-saml#249 if this helps.

[enigmaticsc]

After a little more investigation (and forgive my basic PHP/NC development experience, I tend to develop in other environments), I think the root cause may stem from SAMLSettings.php line 128 in v7.1.1 'baseurl' => $this->urlGenerator->linkToRouteAbsolute('user_saml.SAML.base'), ... if I understand this correctly, it is assuming the baseurl to be the url of the settings app hence the extra /app/user_saml/saml . I don't know enough about NC development to know if this can be overridden in config.php (which obviously has the correct base url in overwrite.cli.url already in it).

Hope this is helpful.