Nextcloud: [user_oidc] Unencrypted Communications

Published: 2022-08-31 12:01:57
Reporter: lauritz
Source: hackerone.com

CVSS3: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 19.0%

The OpenID Connect User Backend allows users to login to Nextcloud using SSO and is - according to the policy - part of the main scope of this program. The implementation supports plain HTTP without TLS and transfers sensitive information such as OIDC client_secrets in an unencrypted manner.

According to the OpenID Connect specification, “to protect against information disclosure and tampering, confidentiality protection MUST be applied using TLS with a ciphersuite that provides confidentiality and integrity protection”.

I did not find anything related to this within your threat model (which is unavailable at the moment btw. - therefore I am referring to this snapshot: https://web.archive.org/web/20220320042405/https://nextcloud.com/security/threat-model).

Steps to reproduce

  1. Set up Nextcloud using the Docker image:
     docker run -p 8081:80 nextcloud:latest
  2. Enable the user_oidc app via http://localhost:8081/settings/apps/integration/user_oidc
  3. Configure the app via http://localhost:8081/settings/admin/user_oidc: add a provider with an arbitrary identifier, client_id and client_secret, and include a Burp Collaborator URL with the http:// scheme:
     {F1894137}
  4. In a private window, visit http://localhost:8081/login and click the login button “test”.
  5. Observe the incoming request arriving over plain HTTP:
     {F1894136}

In a working SSO setup, sensitive information such as the client_secret is sent in plain text by Nextcloud, as can be seen in the following screenshot (Token Request issued by Nextcloud):
{F1894138}

Fix

The user_oidc app should enforce HTTPS in its default configuration.
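
To show the kind of check the suggested fix implies, here is an added Python example (not code from the report or from the user_oidc app) that refuses a provider configuration whose discovery URL or advertised endpoints use a plain http:// scheme unless an admin explicitly opts in; the discovery document, the hostname idp.example.com and the allow_plain_http switch are constructed for illustration.

```python
from urllib.parse import urlparse

# Discovery-document keys whose URLs receive client credentials, tokens or key
# material from Nextcloud; none of them may be reached over plain HTTP.
SENSITIVE_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                  "userinfo_endpoint", "jwks_uri")


def is_https_url(url):
    """True only for an absolute URL with the https scheme and a host part."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def validate_provider(discovery_url, discovery_doc, allow_plain_http=False):
    """Check the configured discovery URL and every sensitive endpoint the
    provider advertises. Returns the (name, url) pairs that were rejected; an
    empty list means the provider may be saved. HTTPS is required unless the
    admin sets allow_plain_http, an explicit opt-in that is off by default."""
    candidates = [("discovery_endpoint", discovery_url)]
    candidates += [(key, discovery_doc.get(key)) for key in SENSITIVE_KEYS]
    rejected = []
    for name, url in candidates:
        if url is None:
            continue  # optional endpoint not advertised by this provider
        if is_https_url(url):
            continue
        if allow_plain_http and urlparse(url).scheme == "http":
            continue  # admin explicitly accepted the risk (e.g. a local test setup)
        rejected.append((name, url))  # http without opt-in, or no usable scheme
    return rejected


# Constructed discovery document for a provider that only offers plain HTTP,
# the situation the report reproduces with an http:// provider URL.
PLAIN_HTTP_URL = "http://idp.example.com/.well-known/openid-configuration"
PLAIN_HTTP_DOC = {
    "issuer": "http://idp.example.com",
    "authorization_endpoint": "http://idp.example.com/authorize",
    "token_endpoint": "http://idp.example.com/token",
    "jwks_uri": "http://idp.example.com/jwks",
}
# The same provider correctly served over TLS only (also constructed).
TLS_URL = PLAIN_HTTP_URL.replace("http://", "https://")
TLS_DOC = {k: v.replace("http://", "https://") for k, v in PLAIN_HTTP_DOC.items()}

# validate_provider(PLAIN_HTTP_URL, PLAIN_HTTP_DOC) rejects all five URLs;
# validate_provider(TLS_URL, TLS_DOC) returns [].
```

A URL with no scheme at all is rejected even with the opt-in, since the client library would otherwise have to guess how to reach it.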

Impact

Sensitive information such as the OIDC client credentials and tokens is sent in plain text over HTTP without TLS.
