WWW-Authenticate response header issues when authenticating mobile apps with OAuth2 on Apache + php5.6-fpm

10
webserver_issue

#1

I know php fpm isn't recommended but for old app compatibility I'm running owncloud with apache and php fpm.

When accessing /remote.php/webdav with php-fpm and without it, I get distinct results for the WWW-Authenticate header, which fail to auth with mobile clients.

With php5.6-fpm:

    curl -i -X GET https://.../remote.php/webdav
    WWW-Authenticate: Basic realm="ownCloud", Bearer realm="ownCloud"

Without php5.6-fpm, with mod_php:

    curl -i -X GET https://.../remote.php/webdav
    WWW-Authenticate: Basic realm="ownCloud"
    WWW-Authenticate: Bearer realm="ownCloud"

The "only" difference is the presence or absence of php5.6-fpm. I've read many things about auth headers with fpm, but nothing about what I'm going through, and nothing about how headers are managed.

I've found that

    lib/composer/sabre/http/lib/Auth/Bearer.php:51
    lib/composer/sabre/http/lib/Auth/Basic.php:58

are responsible for calling the addHeader function, which is defined in

    lib/composer/sabre/http/lib/Message.php:235

Since the code is the same, something must be misconfigured or misbehaving with my web server.

Expected behaviour

Two WWW-Authenticate headers

Actual behaviour

One WWW-Authenticate header with the contents appended

Server configuration

Operating system:
Ubuntu 14.04.5 LTS

Web server:
Apache/2.4.33 (Ubuntu)

Database:
mysqld Ver 5.5.54-1trusty for debian-linux-gnu on x86_64 ((Ubuntu), wsrep_25.20)
galera-3 25.3.23+1trusty

PHP version:
PHP 5.6.34-1+ubuntu14.04.1+deb.sury.org+1 (fpm-fcgi)

ownCloud version: (see ownCloud admin page)
10.0.4

Updated from an older ownCloud or fresh install:
Updated from 7, then from 9

Where did you install ownCloud from:
tar.gz from owncloud.org

The content of config/config.php:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "allow_user_to_change_display_name": false,
        "appstoreenabled": false,
        "asset-pipeline.enabled": true,
        "custom_csp_policy": "default-src 'self'; script-src  'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src *; img-src 'self' blob: *; font-src *  'self' data:; media-src *",
        "datadirectory": "\/var\/www\/cncCloud\/data",
        "default_language": "pt_BR",
        "dbtype": "mysql",
        "dbname": "owncloud",
        "dbhost": "proxy-dev-01",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "enable_avatars": false,
        "forcessl": true,
        "has_internet_connection": false,
        "installed": true,
        "knowledgebaseenabled": false,
        "log_type": "syslog",
        "logfile": "",
        "loglevel": "0",
        "logtimezone": "America\/Recife",
        "lost_password_link": "disabled",
        "mail_from_address": "noreply",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "maintenance": false,
        "session_lifetime": "21600",
        "trashbin_retention_obligation": "30, auto",
        "memcached_servers": [
            [
                "web-dev-01",
                "11211"
            ],
            [
                "web-dev-02",
                "11211"
            ]
        ],
        "skeletondirectory": "",
        "updatechecker": false,
        "version": "10.0.4.4",
        "versions_retention_obligation": "auto"
    }
}

**List of activated apps:**

Enabled:
  - account_closure: 0.0.1
  - activity: 2.3.6
  - anolis_openstack: 0.0.1
  - comments: 0.3.0
  - configreport: 0.1.1
  - customgroups: 0.3.6
  - dav: 0.3.2
  - federatedfilesharing: 0.3.1
  - federation: 0.1.0
  - feedback: 1.1
  - files: 1.5.1
  - files_external: 0.7.1
  - files_pdfviewer: 0.8.2
  - files_restriction: 1.0.0
  - files_sharing: 0.10.1
  - files_texteditor: 2.2.1
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - folder_uploader: 0.0.1
  - gallery: 16.0.2
  - interactive_tutorial: 1.0
  - notifications: 0.3.2
  - oauth2: 0.2.1
  - provisioning_api: 0.5.0
  - richdocuments: 2.0.5
  - systemtags: 0.3.0
  - templateeditor: 0.1
  - theme-edudrive: 1.0.0
  - updatenotification: 0.2.1
  - user_shib: 0.1

Are you using external storage, if yes which one:
yes, openstack swift

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one:
Yes, Shibboleth


#2

Do desktop and the web work properly?

According to the Apache docs as well as some RFCs, comma-separated values can be used to provide multiple values for the same header, so the header should be considered valid and should be processed fine.
There might be a problem with the mobile clients.
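The following Python script is an added example, not code from ownCloud, sabre/http or the ownCloud Android client. It parses WWW-Authenticate field lines the way RFC 7235 section 4.1 defines a challenge list, so that the single combined line reported with php-fpm and the two separate lines reported with mod_php produce the same challenges (RFC 7230 section 3.2.2 is what allows a sender to fold repeated list-typed fields into one comma-joined line). The sample header lines are constructed from the curl output quoted in the report; the Digest line is an extra constructed case, and the function names (parse_www_authenticate, has_scheme, naive_schemes) are assumptions of this example.

```python
"""Parse WWW-Authenticate challenges the way RFC 7235 section 4.1 defines them.

Added example (not ownCloud, sabre/http or ownCloud-android code). The sample
header lines below are constructed to mirror the two outputs reported above:
one combined line (php-fpm) and two separate lines (mod_php).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# token (RFC 7230 section 3.2.6); '/' is added so token68 values scan with the
# same step, and the two are told apart below.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_WORD = re.compile(r"[!#$%&'*+\-.^_`|~/0-9A-Za-z]+")
# quoted-string with backslash escapes, so an embedded comma is data, not a separator
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM_VALUE = re.compile(r"[ \t]*=[ \t]*(" + _TOKEN + "|" + _QUOTED + ")")
# optional '=' padding of a token68, which must be followed by ',' or end of line
_TOKEN68_TAIL = re.compile(r"(=*)[ \t]*(?=,|$)")


@dataclass
class Challenge:
    scheme: str
    params: Dict[str, str] = field(default_factory=dict)
    token68: Optional[str] = None


def _unquote(value: str) -> str:
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_www_authenticate(header_lines: List[str]) -> List[Challenge]:
    """Return every challenge carried by the given WWW-Authenticate field lines.

    RFC 7230 section 3.2.2 lets a sender fold repeated list-typed fields into
    one comma-joined line, so N lines and one combined line must parse to the
    same list. Commas inside quoted auth-param values are data.
    """
    challenges: List[Challenge] = []
    for line in header_lines:
        current: Optional[Challenge] = None
        pos, end = 0, len(line)
        while pos < end:
            # Skip optional whitespace and empty list elements; remember whether
            # a comma was crossed, because a token68 never follows a comma.
            crossed_comma = False
            while pos < end and line[pos] in " \t,":
                crossed_comma = crossed_comma or line[pos] == ","
                pos += 1
            if pos >= end:
                break
            m = _WORD.match(line, pos)
            if m is None:
                raise ValueError(f"malformed WWW-Authenticate at offset {pos}: {line[pos:]!r}")
            word, pos = m.group(0), m.end()
            m_param = _PARAM_VALUE.match(line, pos)
            if current is not None and m_param is not None:
                # "name=value" belongs to the challenge we are inside
                current.params[word.lower()] = _unquote(m_param.group(1))
                pos = m_param.end()
                continue
            m_t68 = _TOKEN68_TAIL.match(line, pos)
            if (current is not None and not crossed_comma and not current.params
                    and current.token68 is None and m_t68 is not None):
                # bare credential blob, e.g. "Negotiate YWJj==", kept with its padding
                current.token68 = word + m_t68.group(1)
                pos = m_t68.end()
                continue
            # anything else starts a new challenge with this word as its scheme
            current = Challenge(scheme=word)
            challenges.append(current)
    return challenges


def has_scheme(challenges: List[Challenge], scheme: str) -> bool:
    """Scheme names are case-insensitive (RFC 7235 section 2.1)."""
    return any(c.scheme.lower() == scheme.lower() for c in challenges)


def naive_schemes(header_line: str) -> List[str]:
    """The shortcut a client might take: split on ',' and keep the first word.

    It happens to work for the two ownCloud challenges above, but breaks as
    soon as a quoted parameter (such as Digest's qop) contains a comma.
    """
    return [part.strip().split(" ", 1)[0] for part in header_line.split(",") if part.strip()]


# Constructed samples: what php-fpm and mod_php were reported to send.
COMBINED = ['Basic realm="ownCloud", Bearer realm="ownCloud"']
SPLIT = ['Basic realm="ownCloud"', 'Bearer realm="ownCloud"']
# Constructed extra case (not from the report): a comma inside a quoted value.
DIGEST = ['Digest realm="ownCloud", qop="auth,auth-int", nonce="abc123", Bearer realm="ownCloud"']


if __name__ == "__main__":
    for label, lines in (("combined", COMBINED), ("split", SPLIT), ("digest", DIGEST)):
        parsed = parse_www_authenticate(lines)
        print(f"{label}: bearer={has_scheme(parsed, 'bearer')} {parsed}")
    print("naive split of the Digest line:", naive_schemes(DIGEST[0]))
```

A client that wants to use OAuth2 should make the `has_scheme(parse_www_authenticate(lines), "bearer")` check over all challenges rather than looking only at the first header line or the first word of it; `naive_schemes` shows why splitting on commas alone is not enough once a quoted value contains one.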


#3

Maybe you could consider to update to the recent version 10.0.8 and try again? 10.0.4 looks quite outdated.


#4

Yes, desktop and web work properly.

I do think it is a problem with mobile. I'll investigate and maybe I can submit a bug fix.


#5

As @jvillafanez said, a header with comma-separated values is valid, so it is probably a problem with the mobile client. Anyway, I'll upgrade my server.


#6

Hey @guimaluf, thanks a bunch for your detailed report! I've just been able to reproduce with the Android app. Apparently it is the only one displaying this wrong behavior.

Will investigate further how the android-library handles this scenario and open an issue there. If you wanna take over from there, you're more than welcome to contribute with a fix!

Thanks again!


#7

Here we go: