2FA: Invalid QR code on any device/browser #1172

Open
andreapx opened this issue Jan 3, 2022 · 10 comments
@andreapx

andreapx commented Jan 3, 2022

Steps to reproduce

  1. enable 2FA
  2. try to log in with a user that has never logged in before
  3. the QR code is invalid and there is no TOTP secret
    image

Server configuration

Operating system: Ubuntu 20.04

Web server: nextcloud docker with Nginx Proxy Manager in front

Database: mariadb 10.5

PHP version: 8.0.14

Version: Nextcloud Hub II (23.0.0)

Updated from an older version or fresh install: transferred from another server with the same version

List of activated apps:
Enabled: accessibility: 1.9.0, activity: 2.15.0, admin_audit: 1.13.0, bruteforcesettings: 2.3.0, calendar: 3.0.4, circles: 23.0.0, cloud_federation_api: 1.6.0, comments: 1.13.0, contacts: 4.0.7, contactsinteraction: 1.4.0, dashboard: 7.3.0, dav: 1.21.0, federatedfilesharing: 1.13.0, federation: 1.13.0, files: 1.18.0, files_external: 1.15.0, files_pdfviewer: 2.4.0, files_retention: 1.12.0, files_rightclick: 1.2.0, files_sharing: 1.15.0, files_trashbin: 1.13.0, files_versions: 1.16.0, files_videoplayer: 1.12.0, firstrunwizard: 2.12.0, gpxpod: 4.3.0, logreader: 2.8.0, lookup_server_connector: 1.11.0, maps: 0.1.10, nextcloud_announcements: 1.12.0, notes: 4.2.0, notifications: 2.11.1, oauth2: 1.11.0, onlyoffice: 7.2.1, password_policy: 1.13.0, phonetrack: 0.6.9, photos: 1.5.0, privacy: 1.7.0, provisioning_api: 1.13.0, ransomware_protection: 1.12.0, recommendations: 1.2.0, serverinfo: 1.13.0, settings: 1.5.0, sharebymail: 1.13.0, support: 1.6.0, survey_client: 1.11.0, systemtags: 1.13.0, tasks: 0.14.2, text: 3.4.0, theming: 1.14.0, twofactor_backupcodes: 1.12.0, twofactor_totp: 6.2.0, updatenotification: 1.13.0, user_status: 1.3.1, viewer: 1.7.0, weather_status: 1.3.0, workflowengine: 2.5.0;
Disabled: encryption, sharerenamer, spreed, user_ldap

The content of config/config.php:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "nc.pirlix.com",
            "nc2.pirlix.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/nc.pirlix.com",
        "dbtype": "mysql",
        "version": "23.0.0.10",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "theme": "",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "maintenance": false,
        "loglevel": 0,
        "app_install_overwrite": [
            "gpxpod"
        ],
        "encryption.legacy_format_support": false,
        "encryption.key_storage_migrated": false,
        "updater.release.channel": "stable",
        "default_phone_region": "IT",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "overwriteprotocol": "https",
        "mysql.utf8mb4": true,
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": []
    }
}

Client configuration

Browser: Firefox latest version, Chrome latest version, Nextcloud app on iOS latest version

Operating system: Windows 10, iOS

Logs

Web server error log

I don't know where the logs of the web server are inside the Nextcloud docker container

Server log (data/nextcloud.log)
{"reqId":"RiON3GWYBGqVl6fuNSxR","level":0,"time":"2022-01-03T09:23:37+00:00","remoteAddr":"111.222.333.444","user":"--","app":"maps","method":"POST","url":"/login","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","version":"23.0.0.10"}
{"reqId":"eSOhmUkbQhYFgw8z5iEV","level":0,"time":"2022-01-03T09:23:38+00:00","remoteAddr":"111.222.333.444","user":"Vale","app":"maps","method":"GET","url":"/login/setupchallenge","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","version":"23.0.0.10"}
{"reqId":"eSOhmUkbQhYFgw8z5iEV","level":3,"time":"2022-01-03T09:23:38+00:00","remoteAddr":"111.222.333.444","user":"Vale","app":"PHP","method":"GET","url":"/login/setupchallenge","message":"Undefined array key \"redirect_url\" at /var/www/html/core/templates/twofactorsetupselection.php#36","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","version":"23.0.0.10","exception":{"Exception":"Error","Message":"Undefined array key \"redirect_url\" at /var/www/html/core/templates/twofactorsetupselection.php#36","Code":0,"Trace":[{"file":"/var/www/html/core/templates/twofactorsetupselection.php","line":36,"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::","args":[2,"Undefined array key \"redirect_url\"","/var/www/html/core/templates/twofactorsetupselection.php",36]},{"file":"/var/www/html/lib/private/Template/Base.php","line":180,"args":["/var/www/html/core/templates/twofactorsetupselection.php"],"function":"include"},{"file":"/var/www/html/lib/private/Template/Base.php","line":150,"function":"load","class":"OC\\Template\\Base","type":"->","args":["/var/www/html/core/templates/twofactorsetupselection.php",{"providers":{"totp":{"__class__":"OCA\\TwoFactorTOTP\\Provider\\TotpProvider"}},"logout_url":"/logout?requesttoken=z1LhL%2FCOuRYu2QKFqfpruoTxLgcVRWcNjkCfQ7VsrBQ%3D%3AjDa5HcXnyW5D6GnT4p0Z6eGUYW90HV5lySbaN%2FFa4lk%3D"}]},{"file":"/var/www/html/lib/private/legacy/OC_Template.php","line":179,"function":"fetchPage","class":"OC\\Template\\Base","type":"->","args":[{"providers":{"totp":{"__class__":"OCA\\TwoFactorTOTP\\Provider\\TotpProvider"}},"logout_url":"/logout?requesttoken=z1LhL%2FCOuRYu2QKFqfpruoTxLgcVRWcNjkCfQ7VsrBQ%3D%3AjDa5HcXnyW5D6GnT4p0Z6eGUYW90HV5lySbaN%2FFa4lk%3D"}]},{"file":"/var/www/html/lib/public/AppFramework/Http/TemplateResponse.php","line":204,"function":"fetchPage","class":"OC_Template","type":"->","args":[{"providers":{"totp":{"__class__":"OCA\\TwoFactorTOTP\\Provid
er\\TotpProvider"}},"logout_url":"/logout?requesttoken=z1LhL%2FCOuRYu2QKFqfpruoTxLgcVRWcNjkCfQ7VsrBQ%3D%3AjDa5HcXnyW5D6GnT4p0Z6eGUYW90HV5lySbaN%2FFa4lk%3D"}]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":171,"function":"render","class":"OCP\\AppFramework\\Http\\TemplateResponse","type":"->","args":[]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\TwoFactorChallengeController"},"setupProviders"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\TwoFactorChallengeController","setupProviders",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.TwoFactorChallenge.setupProviders"}]},{"file":"/var/www/html/lib/base.php","line":1006,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/login/setupchallenge"]},{"file":"/var/www/html/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"}}
{"reqId":"xVKdLibkyLYX2b99vsnr","level":0,"time":"2022-01-03T09:23:39+00:00","remoteAddr":"111.222.333.444","user":"admin","app":"maps","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0","version":"23.0.0.10"}

Browser log
index.js:46 No OC found
Nr @ index.js:46
value @ gettext.js:45
(anonymous) @ l10n.js:3
(anonymous) @ main.js?v=99cc2523-0:160
n @ bootstrap:19
(anonymous) @ main.js?v=99cc2523-0:27
n @ bootstrap:19
(anonymous) @ main.js:1
(anonymous) @ main.js?v=99cc2523-0:891
n @ bootstrap:19
(anonymous) @ bootstrap:83
(anonymous) @ main.js?v=99cc2523-0:1
index.es.js:2337 Proxying an event bus of version 2.1.1 with 1.3.0
e @ index.es.js:2337
(anonymous) @ index.es.js:3314
(anonymous) @ main.js?v=99cc2523-0:285
n @ bootstrap:19
(anonymous) @ requesttoken.js:11
n @ bootstrap:19
(anonymous) @ index.js:25
n @ bootstrap:19
(anonymous) @ main.js?v=99cc2523-0:776
n @ bootstrap:19
(anonymous) @ main.js?v=99cc2523-0:1336
n @ bootstrap:19
(anonymous) @ main.js:1
(anonymous) @ main.js?v=99cc2523-0:891
n @ bootstrap:19
(anonymous) @ bootstrap:83
(anonymous) @ main.js?v=99cc2523-0:1
jquery-migrate.min.js:2 JQMIGRATE: Migrate is installed, version 3.3.2
globals.js:62 jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own.
ge @ globals.js:62
get @ globals.js:93
(anonymous) @ jquery.js:10336
(anonymous) @ jquery.js:28
0 @ jquery.js:14
n @ bootstrap:19
784 @ files_client.js?v=99cc2523-0:64
n @ bootstrap:19
(anonymous) @ bootstrap:83
(anonymous) @ files_client.js?v=99cc2523-0:1
globals.js:62 $ is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own.
ge @ globals.js:62
get @ globals.js:93
(anonymous) @ jquery.js:10339
(anonymous) @ jquery.js:28
0 @ jquery.js:14
n @ bootstrap:19
784 @ files_client.js?v=99cc2523-0:64
n @ bootstrap:19
(anonymous) @ bootstrap:83
(anonymous) @ files_client.js?v=99cc2523-0:1
globals.js:62 jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own.
ge @ globals.js:62
get @ globals.js:93
(anonymous) @ script.js?v=99cc2523-0:492
globals.js:62 jQuery is deprecated: The global jQuery is deprecated. It will be removed in a later versions without another warning. Please ship your own.
ge @ globals.js:62
get @ globals.js:93
(anonymous) @ files.js?v=99cc2523-0:122
session-heartbeat.js:101 session heartbeat polling started

I don't know how to save the browser network log, so... here it is:
image

@brotkastn

I can confirm this bug on our local installation. Existing users can still log in; however, when new users (from the LDAP backend) are required to set up their TOTP app, the resulting QR code will show as invalid in FreeOTP+.

The log shows the following info:

{"reqId":"QTd5m8VvMXcUMHy5zpim","level":3,"time":"2022-01-18T12:47:48+00:00","remoteAddr":"192.168.89.98","user":"4BEF69CD-29F2-4C51-A670-D8DA0496FE3B","app":"PHP","method":"GET","url":"/login/setupchallenge","message":"Undefined array key "redirect_url" at /var/www/html/core/templates/twofactorsetupselection.php#36","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36","version":"23.0.0.10","exception":{"Exception":"Error","Message":"Undefined array key "redirect_url" at /var/www/html/core/templates/twofactorsetupselection.php#36","Code":0,"Trace":[{"file":"/var/www/html/core/templates/twofactorsetupselection.php","line":36,"function":"onError","class":"OC\Log\ErrorHandler","type":"::"},{"file":"/var/www/html/lib/private/Template/Base.php","line":180,"args":["/var/www/html/core/templates/twofactorsetupselection.php"],"function":"include"},{"file":"/var/www/html/lib/private/Template/Base.php","line":150,"function":"load","class":"OC\Template\Base","type":"->"},{"file":"/var/www/html/lib/private/legacy/OC_Template.php","line":179,"function":"fetchPage","class":"OC\Template\Base","type":"->"},{"file":"/var/www/html/lib/public/AppFramework/Http/TemplateResponse.php","line":204,"function":"fetchPage","class":"OC_Template","type":"->"},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":171,"function":"render","class":"OCP\AppFramework\Http\TemplateResponse","type":"->"},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\AppFramework\Http\Dispatcher","type":"->"},{"file":"/var/www/html/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\AppFramework\App","type":"::"},{"file":"/var/www/html/lib/base.php","line":1006,"function":"match","class":"OC\Route\Router","type":"->"},{"file":"/var/www/html/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/html/lib/private/Log
/ErrorHandler.php","Line":92,"CustomMessage":"--"},"id":"61e6bc95f1496"}

This installation has been around since NC19, and we have had TOTP activated ever since.

If you need additional information, I would be happy to help.

Thank you for your work!

@Andrwe

Andrwe commented Jan 21, 2022

I had the same issue, but for me it was solved by fixing the server time and mounting /etc/localtime into the docker container, as there was a time drift of 6 minutes.
As a long-term solution I installed and configured chrony as the NTP synchronization daemon.
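
An added example, not part of the thread and not Nextcloud's code: it shows why a server clock that is 6 minutes off rejects otherwise correct TOTP codes, and why an `otpauth://` URI with no secret (the symptom in the first post) cannot be enrolled. The URI, account label and the one-step acceptance window are assumptions made for the illustration; the key is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

def parse_otpauth(uri):
    """Return the raw key bytes from an otpauth://totp URI or raise ValueError."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    secret = parse_qs(u.query).get("secret", [""])[0]
    if not secret:
        raise ValueError("no secret parameter: authenticator apps reject this")
    # Base32 input must be padded to a multiple of 8 characters.
    return base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))

def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP using HMAC-SHA1."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key, code, server_time, window=1, step=30):
    """Accept the current step and `window` steps either side (assumed policy)."""
    return any(hmac.compare_digest(totp(key, server_time + i * step, step), code)
               for i in range(-window, window + 1))

# Constructed samples: RFC 6238 test key, hypothetical issuer and account label.
GOOD_URI = ("otpauth://totp/Example:alice"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
EMPTY_URI = "otpauth://totp/Example:alice?secret=&issuer=Example"

def drift_check(uri, client_time, drift_seconds):
    """True if a code from the phone passes on a server whose clock is off."""
    key = parse_otpauth(uri)
    return verify(key, totp(key, client_time), client_time + drift_seconds)

if __name__ == "__main__":
    now = 1111111109  # fixed timestamp so the run is reproducible
    for drift in (0, 20, 360):
        ok = drift_check(GOOD_URI, now, drift)
        print(f"server drift {drift:>3}s -> code accepted: {ok}")
    try:
        parse_otpauth(EMPTY_URI)
    except ValueError as exc:
        print("empty-secret URI:", exc)
```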

@brotkastn

Hello Andrwe,

> I had the same issue but for me it was solved by fixing the servertime and mounting /etc/localtime into the docker container as there was a time drift of 6 minutes. For longtime solution I installed and configured chrony as NTP synchronization daemon.

I do not think that this is the same issue. I have installed Nextcloud on its own Ubuntu 21.10 VM, and have time synchronization working. If the time on the server were wrong, the TOTP codes generated for the other users would no longer be correct.

In this case, only the first-time setup of the TOTP does not work, and there is information missing to generate a full token, as can be seen by the error thrown in the log.

Thank you though for your help in trying to solve our problem!

@c-bruder

c-bruder commented Feb 7, 2022

I have the same problems here. For local users it works. Not for LDAP users.

@ChristophWurst ChristophWurst self-assigned this Mar 3, 2022
@ChristophWurst ChristophWurst added 1. to develop bug nextcloud-gmbh Tickets with importance for Nextcloud Gmbh labels Mar 3, 2022
@buhanovserg

Hello!
Totp2fa I scan the QR code with my phone, the numbers do not pass, I tried in different ways..
Here is the log:
{"reqId":"eTqzi3YcssUoEodb7mVc","level":2,"time":"2024-01-11T14:31:21+00:00","remoteAddr":"95.71.84.233","user":"ncadmin","app":"suspicious_login","method":"POST","url":"/login","message":"Could not predict suspiciousness: No models found","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0","version":"28.0.1.1","data":{"app":"suspicious_login"}}

@buhanovserg

Screenshot_22

@rucko24

rucko24 commented Jan 14, 2024

Screenshot_22

Hello,

I managed to solve with the NTP server configured, using

  • Google authenticator
  • TOTP auth
  • With FreeOTP I get a QR invalid error.

I also had that error notification.

This is my nextcloud version

image

TOTP enabled!

image

@buhanovserg

Thanks for the advice, it really helped, thank you so much, you helped out!

@rucko24

rucko24 commented Jan 14, 2024

> Thanks for the advice, it really helped, thank you so much, you helped out!

LMAO, hahaha it really worked for you? I can't believe it.

In the end my problem, like yours, was the time, which must be the same on both server and client and so on.

@buhanovserg

Thank you very much! Everything works fine. To be honest, I didn't even think about it, I thought that the problem was completely different, I wouldn't have figured it out myself.
