
[Bug]: Invalid LocalCache Token on a Load-Balanced System #46165

@dsisysteme

Description

Bug description

Since commit d1189f9, it is no longer possible to log in to the Nextcloud platform using the user_saml plugin in a load-balanced environment without sticky sessions. The issue seems to stem from the following block:

$this->cache = $cacheFactory->isLocalCacheAvailable()
    ? $cacheFactory->createLocal('authtoken_')
    : $cacheFactory->createInMemory();

Indeed, since the token is stored in the local cache, in a round-robin load-balancing scenario without sticky sessions the token is only accessible on the application server that generated it. The second request is sent to a node that does not recognize the token, prompting user_saml to re-authenticate, which causes a redirection loop.

Steps to reproduce

  1. load-balanced environment: 1 reverse proxy, 2 application servers, 1 MariaDB server + Redis
  2. configure the reverse proxy to load-balance requests in a round-robin fashion across the 2 application servers
  3. configure PHP to store sessions in Redis
  4. configure Nextcloud with local memcache on APCu and distributed memcache on Redis
  5. configure the user_saml plugin
  6. Log in with an account on the SSO => redirection loop

Expected behavior

We should be able to log in directly without a redirection loop

The token should not be stored in the local cache as this information needs to be known by all nodes in a cluster.

We tested the following modification by replacing the localCache with the distributedCache, and it fixes the issue:

$this->cache = $cacheFactory->isAvailable()
    ? $cacheFactory->createDistributed('authtoken_')
    : $cacheFactory->createInMemory();

We have submitted a pull request to propose the change: #46109. Since this is our first time, we are creating an issue to explain our approach.

Installation method

Community Manual installation with Archive

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.3

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "dbtype": "mysql",
        "version": "29.0.3.4",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "ldapUserCleanupInterval": 0,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "dbindex": 1
        },
        "filesystem_check_changes": 0,
        "enable_avatars": false,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "sendmail",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "share_folder": "\/Shared",
        "cron_log": true,
        "loglevel": "2",
        "maintenance": false,
        "trashbin_retention_obligation": 30,
        "trashbin_auto_expire": true,
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "knowledgebaseenabled": false,
        "sharing.maxAutocompleteResults": 20,
        "sharing.minSearchStringLength": 3,
        "default_phone_region": "FR",
        "maintenance_window_start": 3,
        "activity_expire_days": "180",
        "simpleSignUpLink.shown": false,
        "default_timezone": "Europe\/Paris",
        "logtimezone": "Europe\/Paris",
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\BMP",
            "OC\\Preview\\GIF",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\MP3",
            "OC\\Preview\\PNG",
            "OC\\Preview\\XBitmap"
        ]
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contactsinteraction: 1.10.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - files: 2.1.0
  - files_downloadlimit: 2.0.0
  - files_pdfviewer: 2.10.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - lookup_server_connector: 1.17.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - photos: 2.5.0
  - provisioning_api: 1.19.0
  - richdocuments: 8.4.3
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - user_ldap: 1.20.0
  - user_saml: 6.1.3
  - viewer: 2.3.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - bruteforcesettings: 2.9.0
  - circles: 29.0.0-dev (installed 25.0.0)
  - dashboard: 7.9.0 (installed 7.0.0)
  - encryption: 2.17.0
  - federation: 1.19.0 (installed 1.3.0)
  - files_external: 1.21.0
  - files_reminders: 1.2.0 (installed 1.0.0)
  - firstrunwizard: 2.18.0 (installed 2.14.0)
  - logreader: 2.14.0 (installed 2.10.0)
  - nextcloud_announcements: 1.18.0 (installed 1.14.0)
  - password_policy: 1.19.0 (installed 1.15.0)
  - privacy: 1.13.0 (installed 1.9.0)
  - recommendations: 2.1.0 (installed 1.4.0)
  - related_resources: 1.4.0 (installed 1.0.4)
  - support: 1.12.0 (installed 1.8.0)
  - survey_client: 1.17.0 (installed 1.13.0)
  - suspicious_login: 7.0.0
  - systemtags: 1.19.0 (installed 1.3.0)
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1 (installed 1.17.0)
  - user_status: 1.9.0 (installed 1.0.1)
  - weather_status: 1.9.0 (installed 1.7.0)

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response
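The failure mode the report describes, as an added simulation that is not part of the issue, of the pull request, or of Nextcloud's own code. It models two application nodes behind a round-robin proxy, each with a private local (APCu-style) cache and a shared distributed (Redis-style) cache, and walks the SAML callback-then-redirect sequence under the cache backend the report's two code blocks would select. Node names, the token format, the `sticky` switch and the hop budget are constructed for this example and are not Nextcloud parameters.

```python
"""Simulate the load-balanced login flow from the report.

The SAML callback lands on one node, which mints a token and writes it to
the cache selected by `cache_mode`. The browser is then redirected into the
app, and that request is served by the next node in the rotation. If that
node cannot see the token, user_saml sends the user back to the IdP and the
cycle repeats. We count hops and fresh logins until the flow settles or the
constructed `max_hops` budget is exhausted.
"""
from itertools import cycle
from typing import List, NamedTuple, Set


class Node:
    """One application server: a private local cache plus a handle to the
    cluster-wide distributed cache."""

    def __init__(self, name: str, shared: Set[str]) -> None:
        self.name = name
        self.local: Set[str] = set()  # visible only to this node (APCu)
        self.shared = shared          # visible to every node (Redis)

    def _backend(self, cache_mode: str) -> Set[str]:
        if cache_mode == "local":
            return self.local
        if cache_mode == "distributed":
            return self.shared
        raise ValueError(f"unknown cache_mode {cache_mode!r}")

    def store_token(self, token: str, cache_mode: str) -> None:
        self._backend(cache_mode).add(token)

    def knows_token(self, token: str, cache_mode: str) -> bool:
        return token in self._backend(cache_mode)


class Outcome(NamedTuple):
    logged_in: bool   # did a request after the callback validate the token?
    hops: int         # HTTP requests the browser had to make
    logins: int       # assertions the IdP had to issue


def simulate_login(cache_mode: str, nodes: int = 2, sticky: bool = False,
                   max_hops: int = 20) -> Outcome:
    shared: Set[str] = set()
    cluster: List[Node] = [Node(f"app{i + 1}", shared) for i in range(nodes)]
    rotation = cycle(cluster)  # the proxy's round-robin choice (constructed)
    hops = logins = 0
    while hops < max_hops:
        # 1. The IdP POSTs the assertion to the ACS endpoint on whichever
        #    node the proxy picks; that node mints a token and caches it.
        acs_node = next(rotation)
        hops += 1
        logins += 1
        token = f"tok-{logins}"
        acs_node.store_token(token, cache_mode)
        # 2. The browser follows the redirect into the app. With sticky
        #    sessions the proxy pins it to the same node; otherwise the
        #    next node in the rotation serves it.
        app_node = acs_node if sticky else next(rotation)
        hops += 1
        if app_node.knows_token(token, cache_mode):
            return Outcome(True, hops, logins)
        # 3. Token unknown on this node, so user_saml bounces the browser
        #    back to the IdP and the loop starts over with a fresh token.
    return Outcome(False, hops, logins)


if __name__ == "__main__":
    scenarios = [
        ("local cache, 2 nodes, no stickiness", dict(cache_mode="local")),
        ("local cache, 2 nodes, sticky sessions", dict(cache_mode="local", sticky=True)),
        ("local cache, single node", dict(cache_mode="local", nodes=1)),
        ("distributed cache, 2 nodes, no stickiness", dict(cache_mode="distributed")),
    ]
    for label, kwargs in scenarios:
        print(f"{label:45s} -> {simulate_login(**kwargs)}")
```

Running it shows the two ways out of the loop: the local-cache backend only works when every request after the callback reaches the node that minted the token (a single node or sticky sessions), while the distributed backend from the reporter's patch succeeds on the first redirect regardless of which node the proxy picks.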
