The API does not match what Nextcloud expects
Problem
The API as currently defined does not match the requests Nextcloud makes:
curl https://lookup-server.apps.education.fr/users?search=daniel.dehennin
{"message": "The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required."}
Nextcloud never sends a key.
Protocol
Search
From a tcpdump capture, I get the following exchanges:
Nextcloud request:
GET /users?search=dan HTTP/1.1
Host: lab15.labs.eole.education
User-Agent: Nextcloud Server Crawler
Accept-Encoding: gzip
Response from the lookup-server:
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Thu, 19 Sep 2024 09:29:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
[{"federationId":"daniel@lab9.labs.eole.education","name":{"value":"daniel","verified":0},"email":{"value":"daniel.dehennin@ac-dijon.fr","verified":0},"userid":{"value":"daniel","verified":0}},{"federationId":"dad@lab7.labs.eole.education","name":{"value":"dad","verified":0},"email":{"value":"daniel.dehennin@region-academique-bourgogne-franche-comte.fr","verified":0},"userid":{"value":"dad","verified":0}}]
Note that the user search accepts parameters other than search=:
- exact=1 for an exact match, used by Nextcloud for its registration process
- keys=[…] to search only on certain parameters (userid, email, name)
- exactCloudId=1 to search for a federated identifier such as daniel@lab9.labs.eole.education
I think we can set the verified values to 1 so that Nextcloud considers the accounts to have good karma.
Registration
In GlobalScale mode, a Nextcloud instance registers its users in the LookupServer with a POST:
POST /gs/users HTTP/1.1
Host: lab15.labs.eole.education
User-Agent: Nextcloud Server Crawler
Accept-Encoding: gzip
Content-Length: 352
{"authKey":"patPulxMdobjZcDYvTTiyNqONL1XHLSApvS8DGWkuv70BnHiYgzygw3nptwk1qoB","users":{"daniel@lab9.labs.eole.education":{"userid":"daniel","name":"daniel","address":"","website":"","email":"daniel.dehennin@ac-dijon.fr","avatar":"","phone":"","twitter":"","fediverse":"","organisation":"","role":"","headline":"","biography":"","profile_enabled":"1"}}}
Response from the LookupServer:
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Thu, 19 Sep 2024 09:27:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
Either:
- we consider that this part can be ignored (200 response whatever happens)
- we take the opportunity to pre-register the account in laboite, for the case of a direct login to Nextcloud after creating the account in keycloak without going through laboite
To test
With 3 accounts:
- user1:
  - mail: user1@example.net
  - nclocator: nuage1
- user2:
  - mail: user2@example.org
  - nclocator: nuage2
- foo:
  - mail: foo@example.net
  - nclocator: nuage1
curl https://lookup-server/users?search=bidule
[]
curl https://lookup-server/users?search=user1
[
{
"federationId": "user1@nuage1",
"name": {
"value": "user1",
"verified": 1
},
"email": {
"value": "user1@example.net",
"verified": 1
},
"userid": {
"value": "user1",
"verified": 1
}
}
]
curl https://lookup-server/users?search=user
[
{
"federationId": "user1@nuage1",
"name": {
"value": "user1",
"verified": 1
},
"email": {
"value": "user1@example.net",
"verified": 1
},
"userid": {
"value": "user1",
"verified": 1
}
},
{
"federationId": "user2@nuage2",
"name": {
"value": "user2",
"verified": 1
},
"email": {
"value": "user2@example.org",
"verified": 1
},
"userid": {
"value": "user2",
"verified": 1
}
}
]
curl https://lookup-server/users?search=example
[
{
"federationId": "user1@nuage1",
"name": {
"value": "user1",
"verified": 1
},
"email": {
"value": "user1@example.net",
"verified": 1
},
"userid": {
"value": "user1",
"verified": 1
}
},
{
"federationId": "user2@nuage2",
"name": {
"value": "user2",
"verified": 1
},
"email": {
"value": "user2@example.org",
"verified": 1
},
"userid": {
"value": "user2",
"verified": 1
}
},
{
"federationId": "foo@nuage1",
"name": {
"value": "foo",
"verified": 1
},
"email": {
"value": "foo@example.net",
"verified": 1
},
"userid": {
"value": "foo",
"verified": 1
}
}
]
curl 'https://lookup-server/users?search=user&exact=1'
[]
curl 'https://lookup-server/users?search=user1@nuage1&exactCloudId=1'
{
"federationId": "user1@nuage1",
"name": {
"value": "user1",
"verified": 1
},
"email": {
"value": "user1@example.net",
"verified": 1
},
"userid": {
"value": "user1",
"verified": 1
}
}
curl https://lookup-server/users?search=user1@nuage1
[]
Edited by Daniel Dehennin
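The search semantics that the test cases above imply, written out as an added example (not part of the original issue and not the lookup-server's own code). The function names, building federationId as userid@nclocator (inferred from the expected results), and the behaviour for an empty search or an exactCloudId miss are assumptions.

```python
# Added example: ACCOUNTS mirrors the three test accounts from the issue.
ACCOUNTS = [
    {"userid": "user1", "name": "user1", "email": "user1@example.net", "nclocator": "nuage1"},
    {"userid": "user2", "name": "user2", "email": "user2@example.org", "nclocator": "nuage2"},
    {"userid": "foo", "name": "foo", "email": "foo@example.net", "nclocator": "nuage1"},
]
SEARCHABLE = ("userid", "email", "name")  # the values keys=[...] may select


def to_entry(account, verified=1):
    """Render one account in the shape of the captured /users response."""
    # Assumption: federationId is userid@nclocator, as in the expected results.
    entry = {"federationId": f"{account['userid']}@{account['nclocator']}"}
    for key in ("name", "email", "userid"):
        entry[key] = {"value": account[key], "verified": verified}
    return entry


def search_users(accounts, search, exact=False, keys=None, exact_cloud_id=False):
    """Hypothetical handler logic for GET /users?search=..."""
    if not search:
        # Assumption: an empty search returns nothing, because "" is a
        # substring of every value and would dump the whole directory.
        return []
    if exact_cloud_id:
        for account in accounts:
            entry = to_entry(account)
            if entry["federationId"] == search:
                return entry  # a single object, not a list
        return []  # assumption: the issue does not show the no-match case
    # Drop unknown keys so a request cannot search fields outside the allow-list.
    fields = [k for k in (keys or SEARCHABLE) if k in SEARCHABLE]

    def matches(value):
        return value == search if exact else search in value

    return [to_entry(a) for a in accounts if any(matches(a[f]) for f in fields)]
```
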