
Logging in with FIDO2 invalidates existing app passwords #28312

Closed
dr-br opened this issue Aug 4, 2021 · 2 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug

Comments

@dr-br

dr-br commented Aug 4, 2021


Steps to reproduce

  1. Create app password
  2. Log out and log in with FIDO2 (not U2F)
  3. App password has become invalid (eventually after a couple of minutes...<2 minutes)

I use the following script to access the server:

#!/bin/bash
# Fetch the calendar export over WebDAV, authenticating with an app password (HTTP Basic auth).
url="https://nextcloud.myserver.de/remote.php/dav/calendars/myName/kalender?export"
user="myName"
pwd="appPassword"   # the app password generated in Nextcloud, not the account password

# --auth-no-challenge sends the credentials up front instead of waiting for a 401 challenge.
wget \
   --output-document="kalender.ics" \
   --auth-no-challenge \
   --http-user="$user" --http-password="$pwd" \
   "$url"

Expected behaviour

App passwords should still be valid after logging in with FIDO2

Actual behaviour

After login with FIDO2 I can't access the server using app password anymore. Only regular password is accepted.

Server configuration

Operating system:

docker image nextcloud:latest (3d29187bda79)
PRETTY_NAME="Debian GNU/Linux 10 (buster)"

Web server:
apache2 2.4.38-3+deb10u5

Database:
docker image mariadb:10.5

PHP version:
PHP 7.4.22

Nextcloud version: (see Nextcloud admin page)
Nextcloud 22.0.0

Updated from an older Nextcloud/ownCloud or fresh install:
fresh docker install

Where did you install Nextcloud from:
image: nextcloud:latest

Signing status:


No errors have been found.

List of activated apps:


Enabled:
  - accessibility: 1.7.0
  - activity: 2.15.0
  - calendar: 2.3.1
  - circles: 22.0.0
  - cloud_federation_api: 1.4.0
  - comments: 1.11.0
  - contacts: 4.0.1
  - contactsinteraction: 1.2.0
  - dashboard: 7.1.0
  - dav: 1.18.0
  - federatedfilesharing: 1.11.0
  - federation: 1.11.0
  - files: 1.16.0
  - files_pdfviewer: 2.3.0
  - files_rightclick: 1.1.0
  - files_sharing: 1.13.2
  - files_trashbin: 1.11.0
  - files_versions: 1.14.0
  - files_videoplayer: 1.11.0
  - firstrunwizard: 2.11.0
  - logreader: 2.7.0
  - lookup_server_connector: 1.9.0
  - nextcloud_announcements: 1.11.0
  - notifications: 2.10.1
  - oauth2: 1.9.0
  - password_policy: 1.12.0
  - photos: 1.4.0
  - privacy: 1.6.0
  - provisioning_api: 1.11.0
  - serverinfo: 1.12.0
  - settings: 1.3.0
  - sharebymail: 1.11.0
  - spreed: 12.0.1
  - systemtags: 1.11.0
  - text: 3.3.0
  - theming: 1.12.0
  - twofactor_backupcodes: 1.10.1
  - updatenotification: 1.11.0
  - user_status: 1.1.1
  - viewer: 1.6.0
  - weather_status: 1.1.0
  - workflowengine: 2.3.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - recommendations
  - support
  - survey_client
  - user_ldap

Nextcloud configuration:


{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost:8080",
            "1": "nextcloud.myserver.de:443"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "22.0.0.11",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "log_rotate_size": 104857600,
        "data-fingerprint": "b7cb40d9a3957a8f9f0b691fa7144781",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "trashbin_retention_obligation": "auto, 1",
        "app_install_overwrite": [
            "contacts",
            "bruteforcesettings",
            "spreed",
            "whiteboard"
        ],
        "overwrite.cli.url": "https:\/\/nextcloud.myserver.de",
        "overwritehost": "nextcloud.myserver.de:443",
        "overwriteprotocol": "https",
        "forcessl": "true",
        "overwritewebroot": "\/",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "DE"
    }
}

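A small probe, added here as an example and not part of the original report, that mirrors the reporter's wget call (HTTP Basic auth sent up front against the DAV export URL) and classifies the outcome, so the same check can be run before and after a FIDO2 login to confirm whether the app password was invalidated. The URL, user name and app password are placeholders to be replaced.

```python
"""Probe whether a Nextcloud app password is still accepted by the DAV endpoint."""
import base64
import sys
import urllib.error
import urllib.request


def classify_status(code):
    """Map an HTTP status (or None when no HTTP reply arrived) to a verdict.

    'valid'        -> 2xx: the app password is still accepted
    'invalidated'  -> 401: the server rejected the credential (the symptom in this issue)
    'http_<code>'  -> any other status, e.g. 403 brute-force throttling or 404 wrong path
    'unreachable'  -> DNS failure, connection refused or timeout
    """
    if code is None:
        return "unreachable"
    if 200 <= code < 300:
        return "valid"
    if code == 401:
        return "invalidated"
    return f"http_{code}"


def probe_app_password(url, user, app_password, timeout=10.0):
    """Send one authenticated GET, like `wget --auth-no-challenge`, and classify it."""
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Basic {token}", "User-Agent": "app-password-probe/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as exc:
        return classify_status(exc.code)
    except (urllib.error.URLError, OSError):
        # Covers DNS errors, connection refused and socket timeouts.
        return classify_status(None)


if __name__ == "__main__":
    # Placeholder values (assumed, not from the report): replace with your own.
    target = "https://nextcloud.example.org/remote.php/dav/calendars/myName/kalender?export"
    verdict = probe_app_password(target, "myName", "APP_PASSWORD_PLACEHOLDER")
    print(f"app password check against {target}: {verdict}")
    sys.exit(0 if verdict == "valid" else 1)
```

Run it once before step 2 of the reproduction (expect `valid`) and again a few minutes after the FIDO2 login; a flip to `invalidated` is the bug, while `http_403` or `unreachable` points at throttling or network problems rather than the credential.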
@jlehtoranta
Contributor

Duplicate of #27886. The fix seems to be now in master, but not yet backported to stable22 and 21.

@szaimen
Contributor

szaimen commented Aug 8, 2021

Let's track this in #26806

@szaimen szaimen closed this as completed Aug 8, 2021