
Fido2/Webauthn - Users are constantly logged out automatically after a short time #26806

Closed
osm-frasch opened this issue Apr 28, 2021 · 34 comments

Comments

@osm-frasch

osm-frasch commented Apr 28, 2021

After the update to Nextcloud 21 there is a problem with Webauthn/Fido2.

Login via the web interface works as usual with the security sticks, but:
==> Users are logged out of the system after a few minutes.
(Warning | core | Login failed:...)
==> Normal work in Nextcloud is no longer possible.

Our security keys are configured as Webauthn + U2F.
This has worked great for half a year.

Users with TOTP login as 2nd factor are not affected.
This is a big problem for us as we have a number of users with Fido2 access.

Test:
I have deleted the webauthn key on the stick and now only use U2F on the security stick.
This works perfectly. This means that it is really due to webauthn/Fido2.

PHP version:
PHP 7.3.27

Nextcloud version:
Nextcloud 21.0.1

Updated from an older Nextcloud/ownCloud or fresh install: older Version of Nextcloud

Nextcloud log:

```
Warning core Login failed: ''
Warning core Renewing session token failed
```

There is already a similar bugreport and discussion here: #26502
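The two log lines quoted above ("Renewing session token failed" followed by "Login failed: ''") are the trace an affected user leaves behind. An added example, not part of this issue and not Nextcloud's own code: a small triage script that reads nextcloud.log in its JSON-lines form and reports, per user, how many session-token renewal failures and login failures occurred, which user agents (browser, sync client) were involved, and whether a renewal failure was followed within a few minutes by a login failure. It assumes the log fields "time", "user", "app", "message" and "userAgent", that a failed login is recorded either under the affected user or under the placeholder user "--" with the attempted name inside the message; the sample lines, names, IPs and timestamps are constructed for the example.

```python
"""Triage Nextcloud log lines for the forced-logout pattern described above.

Added example, not part of this issue or of Nextcloud's own code. It assumes
nextcloud.log's JSON-lines layout (one object per line with "time", "level",
"user", "app", "message" and "userAgent" fields) and that failed logins are
logged either under the affected user or under the placeholder user "--"
with the attempted name inside the message. The sample lines below are
constructed, not taken from any real installation.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RENEWAL_FAILED = "Renewing session token failed"                # message quoted in the report
LOGIN_FAILED = re.compile(r"^Login failed: '(?P<name>[^']*)'")  # "Login failed: ''" in the report

# Constructed sample log (users, IPs, user agents and timestamps are made up).
SAMPLE_LOG = """\
{"reqId":"a1","level":2,"time":"2021-04-28T08:04:10+00:00","user":"alice","app":"core","message":"Renewing session token failed","userAgent":"Mozilla/5.0 Firefox/88.0"}
{"reqId":"a2","level":2,"time":"2021-04-28T08:04:11+00:00","user":"alice","app":"core","message":"Login failed: ''","userAgent":"Mozilla/5.0 Firefox/88.0"}
{"reqId":"a3","level":2,"time":"2021-04-28T08:04:30+00:00","user":"--","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')","userAgent":"Mozilla/5.0 (Nextcloud-Sync) mirall/3.1.3"}
{"reqId":"b1","level":2,"time":"2021-04-28T08:10:00+00:00","user":"bob","app":"core","message":"Renewing session token failed","userAgent":"Mozilla/5.0 Chrome/90.0"}
{"reqId":"c1","level":2,"time":"2021-04-28T08:15:00+00:00","user":"--","app":"core","message":"Login failed: 'carol' (Remote IP: '203.0.113.9')","userAgent":"Mozilla/5.0 Chrome/90.0"}
{"reqId":"b2","level":2,"time":"2021-04-28T09:30:00+00:00","user":"--","app":"core","message":"Login failed: 'bob' (Remote IP: '203.0.113.8')","userAgent":"Mozilla/5.0 Chrome/90.0"}
"""


def parse_log(text: str) -> List[dict]:
    """Parse JSON lines into dicts, converting "time" to a datetime; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
            obj["time"] = datetime.fromisoformat(obj["time"])
        except (ValueError, KeyError):
            continue
        entries.append(obj)
    return entries


def _subject(entry: dict) -> str:
    """The account an entry concerns: the "user" field, or the name inside a 'Login failed' message."""
    user = entry.get("user", "--")
    if user != "--":
        return user
    m = LOGIN_FAILED.match(entry.get("message", ""))
    return m.group("name") if m and m.group("name") else "--"


def triage(entries: List[dict], window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Per user: counts of renewal and login failures, user agents seen, and whether a
    session-token renewal failure was followed within `window` by a login failure
    (the sequence the report shows for WebAuthn users)."""
    renewals: Dict[str, List[datetime]] = defaultdict(list)
    failures: Dict[str, List[datetime]] = defaultdict(list)
    agents: Dict[str, set] = defaultdict(set)
    for e in sorted(entries, key=lambda x: x["time"]):
        msg = e.get("message", "")
        user = _subject(e)
        if user == "--":
            continue  # nothing to attribute
        if msg == RENEWAL_FAILED:
            renewals[user].append(e["time"])
        elif LOGIN_FAILED.match(msg):
            failures[user].append(e["time"])
        else:
            continue
        agents[user].add(e.get("userAgent", ""))
    report = {}
    for user in set(renewals) | set(failures):
        affected = any(0 <= (f - r).total_seconds() <= window.total_seconds()
                       for r in renewals[user] for f in failures[user])
        report[user] = {
            "renewal_failures": len(renewals[user]),
            "login_failures": len(failures[user]),
            "agents": sorted(agents[user]),
            "affected": affected,
        }
    return report


if __name__ == "__main__":
    for user, info in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(user, info)
```

On the constructed sample, alice is flagged (a renewal failure followed a second later by login failures from both the browser and the sync client), bob is not (his login failure comes 80 minutes after the renewal failure, outside the window), and carol shows a plain login failure with no session-token problem. Run it against a real nextcloud.log by feeding the file contents to `parse_log`; the window is a tunable assumption, not a Nextcloud setting.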

@osm-frasch osm-frasch added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Apr 28, 2021
@osm-frasch
Author

Sorry to ask, but has anything happened on this or is more info needed? Since Nextcloud has so explicitly advertised the Fido2 feature publicly and companies like ours now have over 200 Fido2 keys in use, it would be great if there was a solution to this problem.

@olivn

olivn commented May 10, 2021

@osm-frasch
No solution but at least the workaround described in #26502 (comment) is working for me.

@son1c

son1c commented May 20, 2021

Has anyone tried 21.0.2 already?

@osm-frasch
Author

> Has anyone tried 21.0.2 already?

not yet. I will update it tomorrow evening and give feedback then.

@osm-frasch
Author

So, I have updated to 21.0.2; everything went smoothly.
I had only set up my Yubikey sticks as U2F for the last few weeks, i.e. since the Fido2 bug appeared.
That works without any problems.

I now have set up the Yubikey as Webauthn/Fido2 again.

The following:

  1. Setting up the stick works without problems
  2. But logging in no longer works at all.
  3. If I click on "Log in with a device" on the login page, then enter my user name and tap the stick with a finger ... nothing happens.

Absolutely nothing. The same stick works wonderfully with U2F. I have tried this with current versions of Firefox and Chrome.

Unless I've missed something, this is more of a worsening of the old bug,
because before I could at least still log in with webauthn/fido2.
However, I was automatically logged out after a short time, which made it impossible to work with Nextcloud.

I ask Nextcloud to take care of this problem as a matter of urgency.
The Webauthn/Fido2 feature was heavily advertised in the 19's version. It worked fine for 2 NC releases.
Companies like our education centre have bought a lot of sticks to take advantage of the increased security and convenience of Fido2.

Please use "thumbs up" if you experience the same problem in NC 21.0.2 or provide additional information.

@son1c

son1c commented May 23, 2021

I have exactly the same behavior on my installation.
I additionally tried the Webauthn plugin, with the same result.

@osm-frasch
Author

Does this mean that Webauthn/Fido2 generally no longer works in Nextcloud? Is there any statement on this from the developers?

@son1c

son1c commented May 23, 2021

I think that it is "just" broken.
If there were no support for this any longer, there would be no possibility to add Webauthn/Fido2 keys.

@son1c

son1c commented May 23, 2021

I see an error message from the MariaDB I use when I try to log in:

```
Doctrine\DBAL\Exception\UniqueConstraintViolationException: An exception occurred while executing a query: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '9' for key 'PRIMARY'
```

but oc_webauthn has no duplicate id:

```
MariaDB [nextcloud]> SELECT id,name FROM oc_webauthn;

+----+---------------+
| id | name          |
+----+---------------+
|  9 | Yubikey 5 NFC |
+----+---------------+
```

@son1c

son1c commented May 23, 2021

I created a new issue #27079 (comment)

@szaimen
Contributor

szaimen commented Jul 6, 2021

Is this Issue still valid in NC21.0.3? If not, please close this issue. Thanks! :)

@osm-frasch
Author

osm-frasch commented Jul 6, 2021

I have just tried it under 21.0.3.
In our company webauthn ran wonderfully until NC21; since then, no more.
I have just completely deleted my two registered Fido2 sticks and created a new one (Yubikey 5). Afterwards I logged out.
Then I deleted the browser cookies for the Nextcloud account and cleared the browser cache.

I tested this with the latest versions of Firefox and Chrome. When I log in passwordless ("Log in with a device"), I can enter my user name, then the browser tells me to tap the Yubico stick (sensor field). After that... nothing happens. No further data is loaded in the browser. Nothing happens. So 21.0.3 can't do it either.

I remember that under NC 21.0.1 it was at least possible to log in, but then you were automatically logged out again if you triggered any action in Nextcloud. But since NC 21.0.2 I can't even log in with Webauthn anymore.

However...U2F works perfectly!

@zimmersi

zimmersi commented Jul 7, 2021

Hi @osm-frasch,
you can re-enable the webauthn login with the suggested changes in #27729
However, there is still the problem that the users (Browser + sync client) are logged out after a few minutes.

@zimmersi

zimmersi commented Jul 7, 2021

Hi @osm-frasch,
you can re-enable the webauthn login with the suggested changes in #27729
However, there is still the problem that the users (Browser + sync client) are logged out after a few minutes.

running NC 21.0.3

@osm-frasch
Author

osm-frasch commented Jul 7, 2021

> Hi @osm-frasch,
> you can re-enable the webauthn login with the suggested changes in #27729
> However, there is still the problem that the users (Browser + sync client) are logged out after a few minutes.
>
> running NC 21.0.3

Thank you for pointing this out.
I already knew that. But why should I apply this fix if the users are logged out again after a few minutes? We have a production environment with about 200 users.
The problem must be solved in general!
Until then we will use U2F again. That works.

Personal opinion, even if it doesn't belong here: I'm really starting to wonder how the problem is now dragging on throughout the entire 21 version. Webauthn had promoted Nextcloud really intensively in V19 and now it's broken and you can't get it to work. Is this not a higher priority? In our education centre it was rather embarrassing.

Another question in the round. Does the problem also exist in the new NC 22?

@zimmersi

zimmersi commented Jul 7, 2021

OK, I have the same issue with nearly 100 users, so I am also very interested in a solution.

@son1c

son1c commented Jul 7, 2021

> Another question in the round. Does the problem also exist in the new NC 22?

I tried it yesterday and the problem still exists in 22. You can log in with webauthn, but the client sync tool and connected calendar and contact tools are logged off.

@osm-frasch
Author

osm-frasch commented Jul 7, 2021

> > Another question in the round. Does the problem also exist in the new NC 22?
>
> I tried it yesterday and the problem still exists in 22. You can log in with webauthn, but the client sync tool and connected calendar and contact tools are logged off.

Looks like you can now publicly say that Nextcloud does not support Webauthn/Fido2. That would be the better communication for them.

@zimmersi

zimmersi commented Jul 8, 2021

OMG, I thought this was some kind of core functionality....

By the way, yesterday I reverted the changes from #25460. It is now working in 21.0.3 for me....

@ChristophWurst any plans when this is working again? seems to be still broken in NC 22 according to @son1c

@szaimen szaimen added 1. to develop Accepted and waiting to be taken care of feature: authentication and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap needs info labels Jul 14, 2021
@jlehtoranta
Contributor

Duplicate of #27886. The fix seems to be now in master, but not yet backported to stable22 and 21.

@szaimen szaimen added 2. developing Work in progress and removed 1. to develop Accepted and waiting to be taken care of labels Aug 8, 2021
@szaimen szaimen changed the title Fido2/Webauthn => Nextcloud 21 => Users are constantly logged out automatically after a short time Fido2/Webauthn - Users are constantly logged out automatically after a short time Aug 8, 2021
@zimmersi

Still the same issue in 21.0.4.

@JimTheCactus

For me there was an improvement. I no longer get the 500 error when attempting to log in using the Webauthn mechanism detailed in #27079, but now I experience the "Logged out automatically after a short time" problem.

@zimmersi

Yes, right, the login is working, but users are still logged out after a short period of time. Thus it is still unusable.

@zimmersi

Still the same on NC 22.1.1.
I have now manually applied this fix: #27886

@DrCarsonBeckett

Does that fix help with the mentioned issue for you?

@zimmersi

Yes, this solved the issue for me.

@DrCarsonBeckett

Thanks for the answer, I applied nextmcloud@937103c too and will report back later.

@DrCarsonBeckett

Works as intended for me too. I hope it will be implemented in the next version to be released.

@amiga23

amiga23 commented Nov 3, 2021

It's still an issue in 22.2.0 :-(

@amiga23

amiga23 commented Nov 3, 2021

I am using app passwords for the Nextcloud app on Linux, on iPhone and on iPad, and additionally for CardDAV and CalDAV on iPhone, iPad and PinePhone. On all these devices I get logged out if I log in with a Nitrokey Fido2 in the desktop browser.

@amiga23

amiga23 commented Nov 3, 2021

Of course this then causes the issue "We have detected multiple invalid login attempts from your IP. Therefore your next login is throttled up to 30 seconds." So I will also get logged (and locked) out from the desktop.

@zimmersi

This seems to be fixed with 22.2.1 👍

@derritter88

I can confirm this as well.

@szaimen
Contributor

szaimen commented Nov 12, 2021

Backports have been merged as well, so this should be fixed with the latest releases.

@szaimen szaimen closed this as completed Nov 12, 2021
10 participants