Track upstream: Bearer token authentication failing for app-specific APIs (user_oidc#1221)

[cbcoutinho]

Upstream Issue

Upstream Repository: nextcloud/user_oidc
Status: 🟡 Open (Issue #1221)
Priority: High

Problem

Bearer token authentication fails for app-specific APIs (Notes, Calendar, Contacts, Deck, Tables) with 401 Unauthorized errors, even though OCS APIs work correctly.

Root Cause

The CORSMiddleware in Nextcloud logs out sessions created by Bearer token authentication when CSRF tokens are missing, which breaks API requests to endpoints with @CORS annotations.

Error Without Patch

When using Bearer token authentication:

401 Unauthorized

Error occurs on requests to:

• /apps/notes/api/* - Notes API
• /remote.php/dav/calendars/* - Calendar (CalDAV)
• /remote.php/dav/addressbooks/* - Contacts (CardDAV)
• /apps/deck/api/* - Deck API
• All other app-specific APIs

Note: OCS APIs (/ocs/v2.php/*) work correctly without the patch.

Current Workaround

We apply patch 0001-Fix-Bearer-token-authentication-causing-session-logo.patch which sets the app_api session flag during Bearer token authentication to bypass CSRF checks.

Patch Location: app-hooks/post-installation/0001-Fix-Bearer-token-authentication-causing-session-logo.patch

Applied to: lib/User/Backend.php in user_oidc app at lines ~243, ~310, ~315, and ~337

Resolution

This issue can be closed when:

• Upstream issue #1221 is resolved with a fix
• Fix is released in an official version of user_oidc app
• We verify the fix works with our integration tests
• We remove our patch from the codebase

References

• Upstream Issue: Fix Bearer token authentication for non-OCS endpoints nextcloud/user_oidc#1221
• Documentation: docs/oauth-upstream-status.md
• Patch File: app-hooks/post-installation/0001-Fix-Bearer-token-authentication-causing-session-logo.patch
• Integration Tests: tests/server/test_oauth*.py