twofactor_totp
2FA: Invalid QR code on any device/browser
Steps to reproduce
- enable 2FA
- try to log in with a user that has never logged in before
- the QR code is invalid and there is no TOTP secret
Server configuration
Operating system: Ubuntu 20.04
Web server: nextcloud docker with Nginx Proxy Manager in front
Database: mariadb 10.5
PHP version: 8.0.14
Version: Nextcloud Hub II (23.0.0)
Updated from an older version or fresh install: transferred from another server with the same version
List of activated apps: Enabled: accessibility: 1.9.0, activity: 2.15.0, admin_audit: 1.13.0, bruteforcesettings: 2.3.0, calendar: 3.0.4, circles: 23.0.0, cloud_federation_api: 1.6.0, comments: 1.13.0, contacts: 4.0.7, contactsinteraction: 1.4.0, dashboard: 7.3.0, dav: 1.21.0, federatedfilesharing: 1.13.0, federation: 1.13.0, files: 1.18.0, files_external: 1.15.0, files_pdfviewer: 2.4.0, files_retention: 1.12.0, files_rightclick: 1.2.0, files_sharing: 1.15.0, files_trashbin: 1.13.0, files_versions: 1.16.0, files_videoplayer: 1.12.0, firstrunwizard: 2.12.0, gpxpod: 4.3.0, logreader: 2.8.0, lookup_server_connector: 1.11.0, maps: 0.1.10, nextcloud_announcements: 1.12.0, notes: 4.2.0, notifications: 2.11.1, oauth2: 1.11.0, onlyoffice: 7.2.1, password_policy: 1.13.0, phonetrack: 0.6.9, photos: 1.5.0, privacy: 1.7.0, provisioning_api: 1.13.0, ransomware_protection: 1.12.0, recommendations: 1.2.0, serverinfo: 1.13.0, settings: 1.5.0, sharebymail: 1.13.0, support: 1.6.0, survey_client: 1.11.0, systemtags: 1.13.0, tasks: 0.14.2, text: 3.4.0, theming: 1.14.0, twofactor_backupcodes: 1.12.0, twofactor_totp: 6.2.0, updatenotification: 1.13.0, user_status: 1.3.1, viewer: 1.7.0, weather_status: 1.3.0, workflowengine: 2.5.0; Disabled: encryption, sharerenamer, spreed, user_ldap
The content of config/config.php:
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost",
"nc.pirlix.com",
"nc2.pirlix.com"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"overwrite.cli.url": "https:\/\/nc.pirlix.com",
"dbtype": "mysql",
"version": "23.0.0.10",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"theme": "",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_smtpauthtype": "LOGIN",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpauth": 1,
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "587",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"mail_smtpsecure": "tls",
"maintenance": false,
"loglevel": 0,
"app_install_overwrite": [
"gpxpod"
],
"encryption.legacy_format_support": false,
"encryption.key_storage_migrated": false,
"updater.release.channel": "stable",
"default_phone_region": "IT",
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"htaccess.RewriteBase": "\/",
"memcache.local": "\\OC\\Memcache\\APCu",
"overwriteprotocol": "https",
"mysql.utf8mb4": true,
"twofactor_enforced": "true",
"twofactor_enforced_groups": [],
"twofactor_enforced_excluded_groups": []
}
}
Client configuration
Browser: Firefox latest version, Chrome latest version, Nextcloud app on iOS latest version
Operating system: Windows 10, iOS
Logs
Web server error log
I don't know where the logs of the web server are inside the Nextcloud docker container
Server log (data/nextcloud.log)
{"reqId":"RiON3GWYBGqVl6fuNSxR","level":0,"time":"2022-01-03T09:23:37+00:00","remoteAddr":"111.222.333.444","user":"--","app":"maps","method":"POST","url":"/login","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","version":"23.0.0.10"}
{"reqId":"eSOhmUkbQhYFgw8z5iEV","level":0,"time":"2022-01-03T09:23:38+00:00","remoteAddr":"111.222.333.444","user":"Vale","app":"maps","method":"GET","url":"/login/setupchallenge","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","version":"23.0.0.10"}
{"reqId":"eSOhmUkbQhYFgw8z5iEV","level":3,"time":"2022-01-03T09:23:38+00:00","remoteAddr":"111.222.333.444","user":"Vale","app":"PHP","method":"GET","url":"/login/setupchallenge","message":"Undefined array key \"redirect_url\" at /var/www/html/core/templates/twofactorsetupselection.php#36","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","version":"23.0.0.10","exception":{"Exception":"Error","Message":"Undefined array key \"redirect_url\" at /var/www/html/core/templates/twofactorsetupselection.php#36","Code":0,"Trace":[{"file":"/var/www/html/core/templates/twofactorsetupselection.php","line":36,"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::","args":[2,"Undefined array key \"redirect_url\"","/var/www/html/core/templates/twofactorsetupselection.php",36]},{"file":"/var/www/html/lib/private/Template/Base.php","line":180,"args":["/var/www/html/core/templates/twofactorsetupselection.php"],"function":"include"},{"file":"/var/www/html/lib/private/Template/Base.php","line":150,"function":"load","class":"OC\\Template\\Base","type":"->","args":["/var/www/html/core/templates/twofactorsetupselection.php",{"providers":{"totp":{"__class__":"OCA\\TwoFactorTOTP\\Provider\\TotpProvider"}},"logout_url":"/logout?requesttoken=z1LhL%2FCOuRYu2QKFqfpruoTxLgcVRWcNjkCfQ7VsrBQ%3D%3AjDa5HcXnyW5D6GnT4p0Z6eGUYW90HV5lySbaN%2FFa4lk%3D"}]},{"file":"/var/www/html/lib/private/legacy/OC_Template.php","line":179,"function":"fetchPage","class":"OC\\Template\\Base","type":"->","args":[{"providers":{"totp":{"__class__":"OCA\\TwoFactorTOTP\\Provider\\TotpProvider"}},"logout_url":"/logout?requesttoken=z1LhL%2FCOuRYu2QKFqfpruoTxLgcVRWcNjkCfQ7VsrBQ%3D%3AjDa5HcXnyW5D6GnT4p0Z6eGUYW90HV5lySbaN%2FFa4lk%3D"}]},{"file":"/var/www/html/lib/public/AppFramework/Http/TemplateResponse.php","line":204,"function":"fetchPage","class":"OC_Template","type":"->","args":[{"providers":{"totp":{"__class__":"OCA\\TwoFactorTOTP\\Provid
er\\TotpProvider"}},"logout_url":"/logout?requesttoken=z1LhL%2FCOuRYu2QKFqfpruoTxLgcVRWcNjkCfQ7VsrBQ%3D%3AjDa5HcXnyW5D6GnT4p0Z6eGUYW90HV5lySbaN%2FFa4lk%3D"}]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":171,"function":"render","class":"OCP\\AppFramework\\Http\\TemplateResponse","type":"->","args":[]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\TwoFactorChallengeController"},"setupProviders"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\TwoFactorChallengeController","setupProviders",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.TwoFactorChallenge.setupProviders"}]},{"file":"/var/www/html/lib/base.php","line":1006,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/login/setupchallenge"]},{"file":"/var/www/html/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"}}
{"reqId":"xVKdLibkyLYX2b99vsnr","level":0,"time":"2022-01-03T09:23:39+00:00","remoteAddr":"111.222.333.444","user":"admin","app":"maps","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0","version":"23.0.0.10"}
Browser log
index.js:46 No OC found
Nr @ index.js:46
value @ gettext.js:45
(anonymous) @ l10n.js:3
(anonymous) @ main.js?v=99cc2523-0:160
n @ bootstrap:19
(anonymous) @ main.js?v=99cc2523-0:27
n @ bootstrap:19
(anonymous) @ main.js:1
(anonymous) @ main.js?v=99cc2523-0:891
n @ bootstrap:19
(anonymous) @ bootstrap:83
(anonymous) @ main.js?v=99cc2523-0:1
index.es.js:2337 Proxying an event bus of version 2.1.1 with 1.3.0
e @ index.es.js:2337
(anonymous) @ index.es.js:3314
(anonymous) @ main.js?v=99cc2523-0:285
n @ bootstrap:19
(anonymous) @ requesttoken.js:11
n @ bootstrap:19
(anonymous) @ index.js:25
n @ bootstrap:19
(anonymous) @ main.js?v=99cc2523-0:776
n @ bootstrap:19
(anonymous) @ main.js?v=99cc2523-0:1336
n @ bootstrap:19
(anonymous) @ main.js:1
(anonymous) @ main.js?v=99cc2523-0:891
n @ bootstrap:19
(anonymous) @ bootstrap:83
(anonymous) @ main.js?v=99cc2523-0:1
jquery-migrate.min.js:2 JQMIGRATE: Migrate is installed, version 3.3.2
globals.js:62 jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own.
ge @ globals.js:62
get @ globals.js:93
(anonymous) @ jquery.js:10336
(anonymous) @ jquery.js:28
0 @ jquery.js:14
n @ bootstrap:19
784 @ files_client.js?v=99cc2523-0:64
n @ bootstrap:19
(anonymous) @ bootstrap:83
(anonymous) @ files_client.js?v=99cc2523-0:1
globals.js:62 $ is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own.
ge @ globals.js:62
get @ globals.js:93
(anonymous) @ jquery.js:10339
(anonymous) @ jquery.js:28
0 @ jquery.js:14
n @ bootstrap:19
784 @ files_client.js?v=99cc2523-0:64
n @ bootstrap:19
(anonymous) @ bootstrap:83
(anonymous) @ files_client.js?v=99cc2523-0:1
globals.js:62 jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own.
ge @ globals.js:62
get @ globals.js:93
(anonymous) @ script.js?v=99cc2523-0:492
globals.js:62 jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own.
ge @ globals.js:62
get @ globals.js:93
(anonymous) @ files.js?v=99cc2523-0:122
session-heartbeat.js:101 session heartbeat polling started
I don't know how to save the browser network log, so... here it is:
I can confirm this bug on our local installation. Existing users can still log in, however when new Users (from the LDAP-Backend) are required to set up their TOTP-App, the resulting QR-Code will show as invalid in FreeOTP+
The log shows the following info:
{"reqId":"QTd5m8VvMXcUMHy5zpim","level":3,"time":"2022-01-18T12:47:48+00:00","remoteAddr":"192.168.89.98","user":"4BEF69CD-29F2-4C51-A670-D8DA0496FE3B","app":"PHP","method":"GET","url":"/login/setupchallenge","message":"Undefined array key "redirect_url" at /var/www/html/core/templates/twofactorsetupselection.php#36","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36","version":"23.0.0.10","exception":{"Exception":"Error","Message":"Undefined array key "redirect_url" at /var/www/html/core/templates/twofactorsetupselection.php#36","Code":0,"Trace":[{"file":"/var/www/html/core/templates/twofactorsetupselection.php","line":36,"function":"onError","class":"OC\Log\ErrorHandler","type":"::"},{"file":"/var/www/html/lib/private/Template/Base.php","line":180,"args":["/var/www/html/core/templates/twofactorsetupselection.php"],"function":"include"},{"file":"/var/www/html/lib/private/Template/Base.php","line":150,"function":"load","class":"OC\Template\Base","type":"->"},{"file":"/var/www/html/lib/private/legacy/OC_Template.php","line":179,"function":"fetchPage","class":"OC\Template\Base","type":"->"},{"file":"/var/www/html/lib/public/AppFramework/Http/TemplateResponse.php","line":204,"function":"fetchPage","class":"OC_Template","type":"->"},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":171,"function":"render","class":"OCP\AppFramework\Http\TemplateResponse","type":"->"},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\AppFramework\Http\Dispatcher","type":"->"},{"file":"/var/www/html/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\AppFramework\App","type":"::"},{"file":"/var/www/html/lib/base.php","line":1006,"function":"match","class":"OC\Route\Router","type":"->"},{"file":"/var/www/html/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/html/lib/private/Log
/ErrorHandler.php","Line":92,"CustomMessage":"--"},"id":"61e6bc95f1496"}
This installation has been around since NC19, and we have had TOTP activated ever since.
If you need additional information, I would be happy to help.
Thank you for your work!
I had the same issue but for me it was solved by fixing the server time and mounting /etc/localtime into the docker container as there was a time drift of 6 minutes.
As a long-term solution I installed and configured chrony as NTP synchronization daemon.
Hello Andrwe,
> I had the same issue but for me it was solved by fixing the server time and mounting /etc/localtime into the docker container as there was a time drift of 6 minutes. As a long-term solution I installed and configured chrony as NTP synchronization daemon.
I do not think that this is the same issue. I have installed Nextcloud on its own Ubuntu 21.10 VM, and have time-synchronization working. If the time on the server were wrong, the TOTP-codes generated for the other users would no longer be correct.
In this case, only the first-time-setup of the TOTP does not work, and there is information missing to generate a full token, as can be seen by the error thrown in the log.
Thank you though for your help in trying to solve our problem!
I have the same problems here. For local users it works. Not for LDAP users.
Hello! Totp2fa I scan the QR code with my phone, the numbers do not pass, I tried in different ways. Here is the log:
{"reqId":"eTqzi3YcssUoEodb7mVc","level":2,"time":"2024-01-11T14:31:21+00:00","remoteAddr":"95.71.84.233","user":"ncadmin","app":"suspicious_login","method":"POST","url":"/login","message":"Could not predict suspiciousness: No models found","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0","version":"28.0.1.1","data":{"app":"suspicious_login"}}
Hello,
I managed to solve it with the NTP server configured, using
- Google authenticator
- TOTP auth
- With FreeOTP I get a QR invalid error.
I also had that error notification.
This is my nextcloud version
TOTP enabled!
Thanks for the advice, it really helped, thank you so much, you helped out!
LMAO, hahaha it really worked for you? I can't believe it.
In the end my problem like yours was the time, which must be the same on both server and client and so on.
Thank you very much! Everything works fine. To be honest, I didn't even think about it, I thought that the problem was completely different, I wouldn't have figured it out myself.