
App token gets randomly lost when 2FA enabled

Open nicolabressan opened this issue 3 years ago • 8 comments

Steps to reproduce

  1. Enable TOTP (plugin 2-Factor Authentication by Christoph Wurst - ver. 0.7.0)
  2. Create an App Password / Token for the ownCloud desktop client (using Mac OS desktop client ver. 2.6.3 build 13765, but this happens also with all other clients, e.g. Android/iOS/Windows ones)
  3. Wait some days using the app till the actual behaviour takes place

Expected behaviour

App-password should stay there until deleted manually and apps should not ask for a new password once setup.

Actual behaviour

After some time (1 day or more, it is random) the app doesn't authenticate anymore with the token provided and asks to fill in a new password. Checking in the OC web interface shows no app-password listed anymore and a new one has to be created.

Server configuration

Operating system Ubuntu 16.04.6 LTS 64bit

Web server: Apache/2.4.18 (Ubuntu)

Database: mysql Ver 14.14 Distrib 5.7.31, for Linux (x86_64)

PHP version: PHP 7.1.33-16+ubuntu16.04.1+deb.sury.org+1

ownCloud version: (see ownCloud admin page) 10.4.1.3

Updated from an older ownCloud or fresh install: updated

Where did you install ownCloud from: official repo

Signing status (ownCloud 9.0 and above): No errors found

The content of config/config.php:

{
    "system": {
        "updatechecker": false,
        "instanceid": "oc0ub6smfwnj",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "10.0.0.20",
            "REMOVED SENSITIVE VALUE"
        ],
        "datadirectory": "/var/www/owncloud/data",
        "overwrite.cli.url": "http://10.0.0.20/owncloud",
        "dbtype": "mysql",
        "version": "10.4.1.3",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "logtimezone": "Europe/Rome",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "loglevel": 1,
        "mail_from_address": "REMOVED SENSITIVE VALUE",
        "mail_smtpmode": "smtp",
        "mail_domain": "REMOVED SENSITIVE VALUE",
        "maintenance": false,
        "appstore.experimental.enabled": true,
        "mail_smtphost": "REMOVED SENSITIVE VALUE",
        "mail_smtpport": "25",
        "ldapUserCleanupInterval": "5",
        "singleuser": false,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "localhost",
            "port": 6379,
            "timeout": 0,
            "password": "REMOVED SENSITIVE VALUE"
        },
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis"
    }
}

List of activated apps:

Enabled:

  • activity: 2.5.3
  • comments: 0.3.0
  • configreport: 0.2.0
  • dav: 0.5.0
  • encryption: 1.4.0
  • federatedfilesharing: 0.5.0
  • federation: 0.1.0
  • files: 1.5.2
  • files_external: 0.7.1
  • files_mediaviewer: 1.0.2
  • files_pdfviewer: 0.11.1
  • files_sharing: 0.12.0
  • files_texteditor: 2.3.0
  • files_trashbin: 0.9.1
  • files_versions: 1.3.0
  • firstrunwizard: 1.2.0
  • gallery: 16.1.1
  • market: 0.5.0
  • notifications: 0.5.0
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • twofactor_totp: 0.7.0
  • updatenotification: 0.2.1
  • user_ldap: 0.15.2

Disabled:

  • external
  • ownbackup
  • passman
  • user_external

Are you using external storage, if yes which one: no

Are you using encryption: yes

Are you using an external user-backend, if yes which one: Active Directory

LDAP configuration (delete this part if not used)

+-------------------------------+-------+
| Configuration                 |       |
+-------------------------------+-------+
| hasMemberOfFilterSupport      | 1 |
| hasPagedResultSupport         |  |
| homeFolderNamingRule          |  |
| lastJpegPhotoLookup           | 0 |
| ldapAgentName                 | CN=ldapquery,REMOVED SENSITIVE VALUE,DC=locale |
| ldapAgentPassword             | *** |
| ldapAttributesForGroupSearch  |  |
| ldapAttributesForUserSearch   |  |
| ldapBackupHost                |  |
| ldapBackupPort                |  |
| ldapBase                      | OU=REMOVED SENSITIVE VALUE,DC=locale |
| ldapBaseGroups                | DC=REMOVED SENSITIVE VALUE,DC=locale |
| ldapBaseUsers                 | DC=REMOVED SENSITIVE VALUE,DC=locale |
| ldapCacheTTL                  | 600 |
| ldapConfigurationActive       | 1 |
| ldapDynamicGroupMemberURL     |  |
| ldapEmailAttribute            | mail |
| ldapExperiencedAdmin          | 0 |
| ldapExpertUUIDGroupAttr       |  |
| ldapExpertUUIDUserAttr        | objectguid |
| ldapExpertUsernameAttr        |  |
| ldapGroupDisplayName          | cn |
| ldapGroupFilter               | (&(|(objectclass=group))(|(cn=REMOVED SENSITIVE VALUE-Owncloud)(cn=REMOVED SENSITIVE VALUE)(cn=REMOVED SENSITIVE VALUE)(cn=REMOVED SENSITIVE VALUE)(cn=REMOVED SENSITIVE VALUE)(cn=REMOVED SENSITIVE VALUE)(cn=REMOVED SENSITIVE VALUE)(cn=REMOVED SENSITIVE VALUE)(cn=REMOVED SENSITIVE VALUE)(cn=REMOVED SENSITIVE VALUE)(cn=REMOVED SENSITIVE VALUE))) |
| ldapGroupFilterGroups         | REMOVED SENSITIVE VALUE-Owncloud;REMOVED SENSITIVE VALUE |
| ldapGroupFilterMode           | 0 |
| ldapGroupFilterObjectclass    | group |
| ldapGroupMemberAssocAttr      | member |
| ldapHost                      | ldap://REMOVED SENSITIVE VALUE |
| ldapIgnoreNamingRules         |  |
| ldapLoginFilter               | (&(&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=top)(objectclass=user))(|(|(memberof=CN=REMOVED SENSITIVE VALUE-Owncloud,OU=REMOVED SENSITIVE VALUE,DC=locale)(primaryGroupID=6669))(|(memberof=CN=REMOVED SENSITIVE VALUEDC=locale)(primaryGroupID=6645))(|(memberof=CN=REMOVED SENSITIVE VALUE,DC=locale)(primaryGroupID=6118))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid)(displayName=%uid)(distinguishedName=%uid)(givenName=%uid)(mail=%uid)(name=%uid)(sAMAccountName=%uid)))) |
| ldapLoginFilterAttributes     | cn;displayName;distinguishedName;givenName;mail;name;sAMAccountName |
| ldapLoginFilterEmail          | 1 |
| ldapLoginFilterMode           | 0 |
| ldapLoginFilterUsername       | 1 |
| ldapNestedGroups              | 0 |
| ldapNetworkTimeout            | 2 |
| ldapOverrideMainServer        |  |
| ldapPagingSize                | 500 |
| ldapPort                      | 389 |
| ldapQuotaAttribute            |  |
| ldapQuotaDefault              |  |
| ldapTLS                       | 0 |
| ldapUserDisplayName           | displayname |
| ldapUserDisplayName2          |  |
| ldapUserFilter                | (&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=top)(objectclass=user))(|(|(memberof=CN=REMOVED SENSITIVE VALUE-Owncloud,OU=REMOVED SENSITIVE VALUE,DC=locale)(primaryGroupID=6669))(|(memberof=CN=REMOVED SENSITIVE VALUE,DC=locale)(primaryGroupID=6645))(|(memberof=CN=REMOVED SENSITIVE VALUE,DC=locale)(primaryGroupID=6118)))) |
| ldapUserFilterGroups          | REMOVED SENSITIVE VALUE-Owncloud;REMOVED SENSITIVE VALUE |
| ldapUserFilterMode            | 0 |
| ldapUserFilterObjectclass     | organizationalPerson;person;top;user |
| ldapUserName                  | samaccountname |
| ldapUuidGroupAttribute        | auto |
| ldapUuidUserAttribute         | auto |
| turnOffCertCheck              | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+-------+

Client configuration

Browser: Firefox 78.0.2

Operating system: Mac OS X 10.15.5

Logs

Web server error log

no useful logs here.

ownCloud log (data/owncloud.log)

Once the app loses the password token, the only error in the log is:

{"reqId":"283e54a3-714a-4b9d-a36a-90224ce6bc05","level":2,"time":"2020-07-29T10:48:09+02:00","remoteAddr":"REMOVED SENSITIVE VALUE","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/4ECEF78B-E147-4C7D-9F1F-36A796F77C45/","message":"Login failed: 'REMOVED SENSITIVE VALUE' (Remote IP: 'REMOVED SENSITIVE VALUE')"}

nicolabressan, Jul 29 '20 08:07
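A defender-side check that fits the log line above, added here as an example and not part of ownCloud or of this report: it scans owncloud.log for repeated "Login failed" entries on DAV URLs from the same login and remote IP, which is what a sync client retrying a stored app password that no longer exists looks like. The sample lines, logins and IPs below are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the owncloud.log format quoted in the report (not real traffic).
SAMPLE_LOG = """\
{"reqId":"r1","level":2,"time":"2020-07-29T10:48:09+02:00","remoteAddr":"10.0.0.55","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/4ECEF78B-E147-4C7D-9F1F-36A796F77C45/","message":"Login failed: 'alice' (Remote IP: '10.0.0.55')"}
{"reqId":"r2","level":2,"time":"2020-07-29T10:48:39+02:00","remoteAddr":"10.0.0.55","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/4ECEF78B-E147-4C7D-9F1F-36A796F77C45/","message":"Login failed: 'alice' (Remote IP: '10.0.0.55')"}
{"reqId":"r3","level":2,"time":"2020-07-29T10:49:09+02:00","remoteAddr":"10.0.0.55","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/4ECEF78B-E147-4C7D-9F1F-36A796F77C45/","message":"Login failed: 'alice' (Remote IP: '10.0.0.55')"}
{"reqId":"r4","level":2,"time":"2020-07-29T11:02:00+02:00","remoteAddr":"10.0.0.77","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/bob/","message":"Login failed: 'bob' (Remote IP: '10.0.0.77')"}
{"reqId":"r5","level":1,"time":"2020-07-29T11:03:00+02:00","remoteAddr":"10.0.0.55","user":"alice","app":"files","method":"GET","url":"/index.php/apps/files/","message":"ok"}
"""

# Matches the message text ownCloud core writes on a failed login (see the log line in the report).
FAILED_RE = re.compile(r"^Login failed: '(?P<login>[^']*)' \(Remote IP: '(?P<ip>[^']*)'\)$")


def parse_failures(text):
    """Yield (timestamp, login, ip, url) for every core 'Login failed' entry on a DAV URL."""
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        m = FAILED_RE.match(entry.get("message", ""))
        if entry.get("app") != "core" or not m or not entry.get("url", "").startswith("/remote.php/dav/"):
            continue
        yield datetime.fromisoformat(entry["time"]), m["login"], m["ip"], entry["url"]


def find_repeated_failures(text, min_count=3, window=timedelta(minutes=10)):
    """Return {(login, ip): count} for clients with >= min_count failures inside `window`.
    Keying on both login and IP separates one client retrying a vanished token
    (many failures, one login, one IP) from many logins tried from one address."""
    by_client = defaultdict(list)
    for ts, login, ip, _url in parse_failures(text):
        by_client[(login, ip)].append(ts)
    flagged = {}
    for key, times in by_client.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted timestamps
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_count:
                flagged[key] = j - i
                break
    return flagged


if __name__ == "__main__":
    print(find_repeated_failures(SAMPLE_LOG))  # expected: {('alice', '10.0.0.55'): 3}
```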

Can confirm. In my case, when multiple tokens are instantiated, only the one used by the application is lost.

elbae, Aug 06 '20 07:08

Any update? Anyone working on this issue?

elbae, Sep 07 '20 17:09

The following images point out what I am facing. First, I create a new token 'name-1' for the ownCloud Windows client. Then, I create a new token 'name-2' (unused).

[image: before-oc-Annotazione 2020-09-09 094810]

After some time the token 'name-1' for the ownCloud Windows client gets lost.

[image: after-oc-Annotazione 2020-09-09 094950]

What can cause the first token to be invalidated without any action?

elbae, Sep 09 '20 08:09

Same here with DAVx5 on Android. It rarely happens, but it happens. Tokens just disappear.

On the other hand it never happens with CalDavSynchronizer for MS Outlook. We've got 15 employees equipped that way for over 2 years. No complaints whatsoever.

JoergGiencke, Sep 16 '20 16:09

I can confirm the case. I'm at the point where each app token is lost just after creation, only for one account; it works OK for other accounts. Version 10.0.10.

spinus, May 21 '22 04:05

I'm having this issue, in particular with DAVx5.

lividhen, Jul 10 '23 09:07

I have a similar problem. My tokens vanished after a day, repeatedly. 2FA is uninstalled and it is the same. This happened with users which existed with 2FA; new users created after uninstalling 2FA are OK. How is it possible to remove tokens with any 3rd-party app? I thought the only way to remove them is the trash button.

dvestezar, Jul 20 '23 06:07

I am encountering the same issue even without 2FA enabled. Is there any workaround?

JustMarkov, Mar 30 '24 15:03