twofactor_totp
Login with App-Password in Thunderbird/sabre-dav fails after activating TOTP
Hi *,
I use Thunderbird/Tbsync/sabre-dav with an app-password. That works as long as I do not activate two-factor-authentication TOTP.
As soon as I activate that, Thunderbird/Tbsync/sabre-dav cannot log in anymore. The log of Nextcloud says: 'OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden: '
As soon as I deactivate TOTP, login and sync with the same app-password work again perfectly.
Synchronization of the official Nextcloud clients also works while TOTP is active.
What do I do wrong? Is there help? Which additional information can I provide?
Best regards Axl
Are you sure Thunderbird does not use your login password somewhere? That exception should not be thrown with app passwords.
Hmm... I copied the app-password in the field that popped up in TbSync/sabre-dav when I signed in without TOTP. And it worked. Then I switched on TOTP and it continuously asked me for a password. I entered it but it kept on asking without letting me in.
Now I checked a similar setup on my Work-Laptop, Windows 10. This works now.
The other setup is Ubuntu and I don't have access to it right now. At least it seems not to be something fundamentally wrong. Maybe it's really an error similar to what you describe. I will check that over the weekend.
Thank you for now.
I have to renounce my statement of success above.
After an hour I get the same behavior here with the Windows 10 setup:
- TbSync/sabre-dav cannot synchronize any more. It asks for the password. After entering the right app-password it keeps asking for it and cannot log in. :-( Strange enough that it worked for a few minutes.
That is indeed strange. Is the app password still working? Could you check the web interface and see if it is still listed and/or try with another application?
TBH this is very unexpected and I have not seen any similar report although this 2FA/app password code is three years old and AFAIK we haven't changed any of the "password login forbidden" logic.
What kind of user back-end do you use on your Nextcloud?
The app-password is still working, because when I switch off 2FA the client (TB/sabre-dav) works normally without doing anything else. I see the client in the web interface. For example the Nextcloud clients in Ubuntu and Windows 10 work perfectly with the app-passwords even when 2FA is switched on.
Excuse me, what do you mean with backend? Nextcloud 14 runs on a Raspberry Pi with mysql 10.1.37.
Okay, I suspected that the app password might have gotten invalidated. This happens when either the password is changed externally (with a user back-end like LDAP) or when the user back-end is unavailable. But that does not seem to be the case on your system.
Yes. And it happens with two different app passwords. I have one for my personal laptop and one for my work laptop. And it happens with both. And only with Thunderbird/TbSync/sabre-dav. The sync of the Gnome-apps with the online accounts in Gnome and the nextcloud-client work perfectly with these app-passwords. What can I do, what information can I provide to support the debug?
Hey,
sorry for my late reply. Is this still an issue?
I seem to have a relevant case: my davs-based connection through a file explorer (nautilus) fails when TOTP is enabled. Adding an app password doesn't change anything; by disabling TOTP on my account, I can normally connect via the davs connection again.
Thank you for coming back. I switched TOTP off in my setup and have currently no time to test it otherwise. In theory it is still relevant and as soon as I find some time I can test it. But I think it does not make sense to just confirm the old status in case there is no change. I would prefer testing an improvement instead.
One way to debug this could be the use of an HTTP proxy that logs all traffic. Maybe there's something in there that gives insights. I still don't know why this is an issue on your instance. It just works for almost all other users.
I can also comment that using an app password does not appear to work using the NextCloud desktop sync app ( 2.5.3 ). From the user security page it shows the app password was used successfully but it will not complete the login.
I should also comment that when using the full login method via the Nextcloud desktop sync app it results in the same login prompt despite successfully logging in.
I have the same issue. Not sabre-DAV, but CalDAV and CardDAV. I am on Windows 10x64, TbSync v2.11.1 beta release, Thunderbird 68.5.0 x64. Sync worked fine without TOTP. When I turn on TOTP, I am prompted for a password in TbSync. When I enter a "backup code" (app password), sync fails.
When I enter a "backup code" (app password), sync fails.
Wait. That is not the same. Backup codes are one-time codes you can use in a browser session. For any client connections you have to generate app passwords from your personal security settings.
Thanks Christoph. As you can see, I am not an IT expert. I am using CalDAV and CardDAV on a Woekeli NextCloud server, connecting to Thunderbird Lightning CardBook running in Windows 10 x64. A quick web search does not show me how to generate app passwords. Do you have a pointer?
See https://docs.nextcloud.com/server/stable/user_manual/session_management.html#managing-devices :)
Hi there. I'm trying to sync with tbsync 2.11 provider for caldav 1.11 and thunderbird 68.6.0
If I try to use TOTP in Nextcloud I can log in to TbSync with the app password, but if I want to show the calendars in Thunderbird, all the calendars are deactivated. I cannot activate them. In TbSync all the calendars are synchronized and I get the message that all is OK.
If I deactivate TOTP in Nextcloud, all is OK and the function is OK.
I tried to delete all the passwords and the cache without changes. Who can help?
@georgehrke do you know of any limitations of app passwords and DAV?
What do you mean? I use the app-passwords in the security settings. I don't use the security codes like the other one here in this thread for login without the number code. I know this code can only be used one time, but the app-passwords should be for that problem. Isn't it?
Oh, it wasn't for me.
@ChristophWurst No, not aware of any other bug reports and I'm using app passwords with DAV on multiple instances.
@janste1978 In case you synced your calendars with Thunderbird before enabling App Passwords and Two Factor, please make sure to properly remove the old saved passwords in Thunderbird. It's settings -> Privacy & security -> Passwords -> Saved Passwords ...
I have deleted the passwords 3 times without help
I have the same issue on Thunderbird with tbsync and on Outlook with Caldav Synchronizer. With enabled TOTP and using an app password, I get the following error when trying to sync:
URL: https://[mydomain]/remote.php/dav (PROPFIND)
Request: <d:propfind xmlns:d="DAV:"><d:prop><d:current-user-principal /></d:prop></d:propfind>
Response:
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
  <s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
  <s:message/>
  <o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>
I tried to deactivate and activate TOTP and set a new app password afterwards, same result.
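As an added diagnostic (this is example code written for this thread, not code from Nextcloud, TbSync or any poster), the script below sends the same PROPFIND for d:current-user-principal with HTTP Basic auth and classifies the reply, so an operator can tell a plain 401 apart from the sabre/dav "password login forbidden" error body quoted above. The function names and the `<base>/remote.php/dav` URL layout are assumptions; SAMPLE_ERROR is a constructed copy of the response shown in this comment.

```python
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

DAV_NS = "DAV:"
SABRE_NS = "http://sabredav.org/ns"
PROPFIND_BODY = (b'<d:propfind xmlns:d="DAV:"><d:prop>'
                 b'<d:current-user-principal /></d:prop></d:propfind>')

# Constructed sample: the error body from the thread, as one line.
SAMPLE_ERROR = (rb'<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" '
                rb'xmlns:o="http://owncloud.org/ns"><s:exception>'
                rb'OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden'
                rb'</s:exception><s:message/><o:hint xmlns:o="o:">'
                rb'password login forbidden</o:hint></d:error>')

def parse_dav_error(body):
    """Return (exception class, hint) from a sabre/dav <d:error> body, else (None, None)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, None
    if root.tag != "{%s}error" % DAV_NS:
        return None, None
    exc = root.findtext("{%s}exception" % SABRE_NS)
    # <o:hint> redeclares its prefix as xmlns:o="o:", so match on the local name only.
    hint = next((e.text for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "hint"), None)
    return exc, hint

def classify(status, body):
    """Map HTTP status plus response body to a short diagnosis string."""
    exc, _hint = parse_dav_error(body)
    if exc and exc.endswith("PasswordLoginForbidden"):
        return "password-login-forbidden"  # server did not treat the secret as an app password
    if status == 401:
        return "unauthorized"              # credential rejected outright
    if status == 207:
        return "ok"                        # multistatus: PROPFIND succeeded
    return "unexpected-%d" % status

def propfind_current_user_principal(base_url, user, secret, timeout=15):
    """Send the PROPFIND with Basic auth (assumed URL layout <base>/remote.php/dav)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/remote.php/dav",
                                 data=PROPFIND_BODY, method="PROPFIND")
    token = base64.b64encode(("%s:%s" % (user, secret)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Depth", "0")
    req.add_header("Content-Type", "application/xml; charset=utf-8")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
```

Run `classify(*propfind_current_user_principal("https://cloud.example", "user", "<app password>"))` once with the app password and once with TOTP disabled; the two diagnoses show whether the server rejects the token or never recognises it as one.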
Well, that exception is thrown in exactly two places:
https://github.com/nextcloud/server/blob/fda71a99794da0abfe119cc6e45dff7f02e2e25e/lib/private/User/Session.php#L452
https://github.com/nextcloud/server/blob/fda71a99794da0abfe119cc6e45dff7f02e2e25e/lib/private/User/Session.php#L455
isTokenPassword seems to be returning false there. Maybe @ChristophWurst has some hints how to debug that.
What is the reason for the exception at https://github.com/nextcloud/server/blob/fda71a99794da0abfe119cc6e45dff7f02e2e25e/lib/private/User/Session.php#L534?
They are thrown in plenty of places in https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Token/DefaultTokenProvider.php
Mostly if the QBMapper threw a DoesNotExistException and if ICrypt::decrypt throws an exception: https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Token/DefaultTokenProvider.php#L333
To add: I am able to access the Nextcloud calendar via iOS (also using app passwords) and add appointments that show up on the Nextcloud web calendar.
@necrevistonnezr Did you delete all related passwords from the Thunderbird password store before moving to app-passwords? If not, Lightning is probably trying to connect with an old password. (See https://support.mozilla.org/en-US/questions/1005341 for how to find the password store.)
Mostly if the QBMapper threw a DoesNotExistException and if ICrypt::decrypt throws an exception: https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Token/DefaultTokenProvider.php#L333
See https://github.com/nextcloud/server/pull/21122. That should help a bit and I think the patch might apply on older releases as that code did not change much recently.