API Requests blocked by SSO

Adainish · January 29, 2024, 5:18pm

Hi,

We’ve got a dockerised instance of YunoHost running that has the Nextcloud application installed (With the sub application of Deck)

While attempting to access the API for deck, a reoccuring SSO loop occurs, where the URL will always redirect to YunoHost (And be blocked by the SSO) over actually getting to touch the api url needed.

Is there a way to tweak the SSO to allow the access of the desired API url without it being intercepted by the SSO?

The following return info is provided on first attempting to access the api:

taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.982796118Z Failed with status code 302: <html>
taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.982855665Z <head><title>302 Found</title><script type="text/javascript" src="/ynh_portal.js"></script><link type="text/css" rel="stylesheet" href="/ynh_overlay.css"><script type="text/javascript" src="/ynhtheme/custom_portal.js"></script><link type="text/css" rel="stylesheet" href="/ynhtheme/custom_overlay.css"></head>
taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.982862051Z <body>
taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.982865478Z <center><h1>302 Found</h1></center>
taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.982868910Z <hr><center>nginx</center>
taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.982872107Z </body>
taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.982875064Z </html>

followed by an infinite loop, even when following the URL and attempting to login. The original URL string provided is never accessible. Preventing API access.
This API is accessible when not running behind yunohost (As there seems to be no SSO preventing access)

taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.984247940Z   File "/usr/local/lib/python3.11/site-packages/httpx/_models.py", line 749, in raise_for_status
taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.987108529Z     raise HTTPStatusError(message, request=request, response=self)
taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.987136104Z httpx.HTTPStatusError: Redirect response '302 Moved Temporarily' for url 'https://xxx.xxx.nl/nextcloud/index.php/apps/deck/api/v1.1/boards'
taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.987139934Z Redirect location: 'https://xxx.xxx.nl/yunohost/sso/?r=aHR0cHM6Ly95bmguZWR3aC5ubC9uZXh0Y2xvdWQvaW5kZXgucGhwL2FwcHMvZGVjay9hcGkvdjEuMS9ib2FyZHM='
taigadeskbridge-taigadesksync-1  | 2024-01-29T15:54:00.987143515Z For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302

Kind Regards!

wbk · January 29, 2024, 5:31pm

Hi Adainish,

Welcome to the forums!

Does that only happen for Deck?

I’m not quite sure where to start looking, but I had trouble with redirections and SSO last month where it was solved by

Good luck!

jarod5001 · January 29, 2024, 10:06pm

Just to be sure, are nextcloud and nextcloud api listed in the visitors permissions? (users > manage groups and permissions > visitors)

Adainish · January 30, 2024, 12:54pm

Hiya,
Granting access does allow access for the standard API url I’m trying to access! However, any OCS access is still blocked.

Here is the curl utilised, as well as the response

curl -X POST 'https://xxx.xxx.nl/ocs/v2.php/apps/deck/api/v1.0/cards/7/comments' -H 'Accept: application/json' -H 'OCS-APIRequest: true'  -H 'Content-Type: application/json;charset=utf-8' -u secureusername:securepassword --data '{"message":"My message to dev","parentId":null}'
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

This does not occur behind an instance not ran using yunohost.

Kind Regards!

[Edit]
31/1/2024

After granting proper permissions and calling OCS related API calls through the dedicated domain path of /nextcloud no issues were leftover.

{api_url}/nextcloud/ocs/v2.php/apps/deck/api/v1.0/