Displayname not updated anymore

[quenenni]

Hello,

Since I upgraded the user_oidc app from v1.3.2 to v5.0.2, the displayname is not updated anymore in Nextcloud profil if it is modified in our Ldap.
The modification of the mail address or adding/removing a group in the LDAP are still working fine.

Our Nextcloud is still in v25.0.6 (we are planning to update it, but first we updated the applications and this problems needs to be resolved before going on)

In the nextcloud log, I can see it has the correct new display name:

{"reqId":"1Hm7AArzOPJtAhg78FDx","level":0,"time":"April 17, 2024 18:12:34","remoteAddr":"1.2.3.4","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?state=XXXXX&session_state=YYYYYY&code=ZZZZZZ","message":"Parsed the JWT payload: {\"at_hash\":\"CYT3eT7iWHG79mu0hvVYF5cYsDfxQOjUa4X5UeReV4w\",\"name\":\"<CORRECT NEW DISPLAYNAME>\",\"nonce\":\"EKWKQCZAR9C5GPX6TNY9O7NP00RO4Z1V\",\"adminN\":0,\"acr\":\"loa-2\",\"sub\":\"<MY ID>\",\"exp\":1713371794,\"adminN_bool\":true,\"aud\":[\"rp-nextcloud\"],\"azp\":\"rp-nextcloud\",\"email\":\"aa@bb.coop\",\"iss\":\"https:\\/\\/auth.mydomain.coop\",\"nextCloudQuota\":\"10737418240\",\"iat\":1713370354,\"auth_time\":1713370349,\"groupsNc\":[\"groupTest2\",\"groupTest\",\"admin\"]}","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","version":"25.0.6.1","data":{"app":"user_oidc"}}

{"reqId":"1Hm7AArzOPJtAhg78FDx","level":0,"time":"April 17, 2024 18:12:34","remoteAddr":"1.2.3.4","user":"<MY ID>","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?state=XXXX&session_state=YYYYY&code=ZZZZZ","message":"$user->canChangeAvatar() is true","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","version":"25.0.6.1","data":{"app":"user_oidc"}}

{"reqId":"1Hm7AArzOPJtAhg78FDx","level":0,"time":"April 17, 2024 18:12:34","remoteAddr":"1.2.3.4","user":"<MY ID>","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?state=XXXXX&session_state=YYYYY&code=ZZZZZ","message":"Redirecting user","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","version":"25.0.6.1","data":{"app":"user_oidc"}}

The ,\"name\":\"<CORRECT NEW DISPLAYNAME>\" shows the right new value and name is the correct mapped attribute name.

I checked in the DB and I found the old display name in 3 tables:

• oc_users
• oc_user_oidc
• oc_accounts

I modified manually the value in the tables oc_user and oc_user_oidc without any change in the cloud interface.
I modified the value in oc_accounts and it changed in the cloud interface.

But any of these values are updated when I modified a display name in the Ldap and logout / login in the cloud.

The user_oidc config in the Db :

user_oidc | allow_multiple_user_backends    | 0
| user_oidc | enabled                         | yes
| user_oidc | installed_version               | 5.0.2
| user_oidc | provider-3-bearerProvisioning   | 1
| user_oidc | provider-3-checkBearer          | 1
| user_oidc | provider-3-extraClaims          | n_nc 
| user_oidc | provider-3-groupProvisioning    | 1 
| user_oidc | provider-3-jwksCache            | {"keys":[{"e":"AQAB","kid":"UqD2O/EF7ZFhT4FcbLIJ8Q","kty":"RSA","use":"sig","n":"<long key>"}]} |
| user_oidc | provider-3-jwksCacheTimestamp   | 1713368828
| user_oidc | provider-3-mappingAddress       | 
| user_oidc | provider-3-mappingAvatar        | 
| user_oidc | provider-3-mappingBiography     | 
| user_oidc | provider-3-mappingCountry       | 
| user_oidc | provider-3-mappingDisplayName   | name
| user_oidc | provider-3-mappingEmail         | email
| user_oidc | provider-3-mappingFediverse     | 
| user_oidc | provider-3-mappingGender        | 
| user_oidc | provider-3-mappingGroups        | groupsNc 
| user_oidc | provider-3-mappingHeadline      | 
| user_oidc | provider-3-mappingLocality      |  
| user_oidc | provider-3-mappingOrganisation  |   
| user_oidc | provider-3-mappingPhonenumber   |  
| user_oidc | provider-3-mappingPostalcode    |   
| user_oidc | provider-3-mappingQuota         | nextCloudQuota 
| user_oidc | provider-3-mappingRegion        | 
| user_oidc | provider-3-mappingRole          | 
| user_oidc | provider-3-mappingStreetaddress |
| user_oidc | provider-3-mappingTwitter       |
| user_oidc | provider-3-mappingUid           | sub 
| user_oidc | provider-3-mappingWebsite       |
| user_oidc | provider-3-providerBasedId      | 0
| user_oidc | provider-3-sendIdTokenHint      | 1
| user_oidc | provider-3-uniqueUid            | 0 
| user_oidc | types                           | authentication

And I added today these 2 settings in nextcloud config.php file, but I don't think they are needed.
And nothing changed.

  'user_oidc' => [
    'auto_provision' => true,
    'userinfo_bearer_validation' => true,
  ]

Any idea where that could come from?

Thank you

[quenenni]

Bumpy bump.

Can someone point me to the right file/function where the test between the current name and the one received in the token are analyzed?

[yeoldegrove]

I have a similar issue but I am using keycloak directly (without LDAP behind it). In the log "reqId": ... also shows me the updated displayname, but it never gets changed (even after logging off/on).

Another thing that I noticed is when I use the OCS API to query the changed user, the following is displayed:

{
  "ocs": {
    "meta": {
      "status": "ok",
      "statuscode": 100,
      "message": "OK",
      "totalitems": "",
      "itemsperpage": ""
  },
  "data": {
    "enabled": true,
    "storageLocation": "/var/www/html/data/07c95427-25d2-41f5-951b-f327809836b4",
    "id": "07c95427-25d2-41f5-951b-f327809836b4",
    ...
    "backend": "user_oidc",
    "displayname": "New Name",
    "display-name": "New Name",
    ...
    "backendCapabilities": {
      "setDisplayName": false,
      "setPassword": false
    }
  }
}

Noticed the part about backendCapabilities->setDisplayName->false.

Yet another thing I noticed is that the code to change the displayname is indeed triggered:

{"reqId":"xxx","level":0,"time":"2024-07-01T21:37:07+00:00","remoteAddr":"xx.xx.xx.xx","user":"--","app":"user_oidc","method":"GET","url":"/apps/user_oidc/code?state=xxx&session_state=xxx&iss=https%3A%2F%2Fauth.xxx.com%2Fauth%2Frealms%2Fmyrealm&code=xxx","message":"Displayname mapping event dispatched","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0","version":"28.0.6.1","data":{"app":"user_oidc"}}

user_oidc/lib/Service/ProvisioningService.php

Line 156 in 1603f66

$this->logger->debug('Displayname mapping event dispatched');

[edward-ly]

Hi, are you still able to reproduce this on the latest Nextcloud and user_oidc versions? If so, we'll try to find time to reproduce and maybe fix this.

[yeoldegrove]

@edward-ly My last understanding was - and this is true also in the latest version - that "Displayname" is not changeable for users provisioned by user_oidc. This is why I now create the users "by hand" and use existing users with user_oidc.

[mothlyme]

Can confirm that the bug still exists. I am on Nextcloud 29,0.8 and display names are not updated from the OIDC provider.
The displayname does not get updated in both the tables oc_accounts and oc_user_oidc when changed in Authentik.
With the logging level set to debug I can also confirm the display name change being triggered, the message Displayname mapping event dispatched is written to the logs.

[uqtdev]

Still an issue. Newly provisioned users just use their username as their name, and already existing users are not updated. Running Authentik 2024.12.2 for SSO and Nextcloud is on 30.0.5

[julien-nc]

@uqtdev I think #1052 should fix this. Is there any way you could apply this PR's patch and check if it fixes your issue?
Otherwise it will be included in the next release.

[quenenni]

I updated the user_oidc app to v7.1.0 today and the names are updated in the cloud (after a change in the Ldap db).

As I didn't follow this problem these last couple months, and reading the laast notes didn't give me clues if it was supposed to be fixed or not, so I'm not sure if this was fixed in this version or a previous one.

But I wanted to let you know it's working for me today.

Thanks a lot.