Login with App-Password in Thunderbird/sabre-dav fails after activating TOTP #404

Open
AxelMKlein opened this issue Jan 10, 2019 · 48 comments

Comments

@AxelMKlein commented Jan 10, 2019

Hi *,

I use Thunderbird/Tbsync/sabre-dav with an app-password. That works as long as I do not activate two-factor-authentication TOTP.

As soon as I activate that, Thunderbird/Tbsync/sabre-dav cannot login anymore. The log of Nextcloud says: 'OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden: '

As soon as I deactivate TOTP, login and sync with the same app-password work again perfectly.

Synchronization of the official Nextcloud-clients works also during TOTP.

What do I do wrong? Is there help? Which additional information can I provide?

Best regards
Axl

@ChristophWurst (Member)

Are you sure Thunderbird does not use your login password somewhere? That exception should not be thrown with app passwords.

@AxelMKlein (Author)

Hmm... I copied the app-password in the field that popped up in TbSync/sabre-dav when I signed in without TOTP. And it worked. Then I switched on TOTP and it continuously asked me for a password. I entered it but it kept on asking without letting me in.

Now I checked a similar setup on my Work-Laptop, Windows 10. This works now.

The other setup is Ubuntu and I don't have access to it right now. At least it seems not to be something fundamentally wrong. Maybe it's really an error similar to what you describe.
I will check that over the weekend.

Thank you for now.

@AxelMKlein (Author)

I have to renounce my statement of success above.

After an hour I get here with the Windows 10 setup the same behavior:

  • TbSync/sabre-dav cannot synchronize any more. Asks for the password. After getting the right app-password it keeps asking for it and cannot login. :-(
    Strangely enough, it worked for a few minutes.

@ChristophWurst (Member)

That is indeed strange. Is the app password still working? Could you check the web interface and see if it is still listed and/or try with another application?

TBH this is very unexpected and I have not seen any similar report although this 2FA/app password code is three years old and AFAIK we haven't changed any of the "password login forbidden" logic.

What kind of user back-end do you use on your Nextcloud?

@AxelMKlein (Author)

The app-password is still working. Because when I switch off 2FA the client (TB/sabre-dav) works normally without doing anything else.
I see the client in the web interface.
For example the Nextcloud clients in Ubuntu and Windows 10 work perfectly with the app-passwords even when 2FA is switched on.

Excuse me, what do you mean with backend? Nextcloud 14 runs on a Raspberry Pi with mysql 10.1.37.

@ChristophWurst (Member)

Okay, I suspected that the app password might have gotten invalidated. This happens when either the password is changed externally (with a user back-end like LDAP) or when the user back-end is unavailable. But that does not seem to be the case on your system.

@AxelMKlein (Author)

Yes. And it happens with two different app passwords. I have one for my personal laptop and one for my work laptop. And it happens with both. And only with Thunderbird/TbSync/sabre-dav.
The sync of the Gnome-apps with the online accounts in Gnome and the nextcloud-client work perfectly with these app-passwords.
What can I do, what information can I provide to support the debug?

@ChristophWurst (Member)

Hey,

sorry for my late reply. Is this still an issue?

@psukys commented Apr 6, 2019

I seem to have a relevant case: my davs based connection through a file explorer (nautilus) fails when there's TOTP enabled. Adding an app password doesn't change anything; by disabling TOTP on my account, I can normally connect via davs connection again.

@AxelMKlein (Author)

Thank you for coming back.
I switched TOTP off in my setup and have currently no time to test it otherwise. In theory it is still relevant and as soon as I find some time I can test it. But I think it does not make sense to just confirm the old status in case there is no change. I would prefer testing an improvement instead.

@ChristophWurst (Member)

One way to debug this could be the use of a http proxy that logs all traffic. Maybe there's something in there that gives insights. I still don't know why this is an issue on your instance. It just works for almost all other users.

@reidcanavan

I can also comment that using an app password does not appear to work using the NextCloud desktop sync app ( 2.5.3 ). From the user security page it shows the app password was used successfully but it will not complete the login.

@reidcanavan

I should also comment that when using the full login method via the Nextcloud desktop sync app it results in the same login prompt despite successfully logging in.

@Lab-doc commented Mar 1, 2020

I have the same issue. Not sabre-DAV, but CalDAV and CardDAV. I am on Windows 10x64, TbSync v2.11.1 beta release, Thunderbird 68.5.0 x64. Sync worked fine without TOTP. When I turn on TOTP, I am prompted for a password in TbSync. When I enter a "backup code" (app password), sync fails.

@ChristophWurst (Member)

When I enter a "backup code" (app password), sync fails.

Wait. That is not the same. Backup codes are one-time codes you can use in a browser session. For any client connections you have to generate app passwords from your personal security settings.

@Lab-doc commented Mar 2, 2020

Thanks Christoph. As you can see, I am not an IT expert. I am using CalDAV and CardDAV on a Woekeli NextCloud server, connecting to Thunderbird Lightning CardBook running in Windows 10 x64. A quick web search does not show me how to generate app passwords. Do you have a pointer?

@ChristophWurst (Member)

@janste1978

Hi there. I'm trying to sync with
tbsync 2.11
provider for caldav 1.11
and thunderbird 68.6.0

If I try to use TOTP in Nextcloud I can login into TbSync with the app password, but if I want to show the calendars in Thunderbird, all the calendars are deactivated. I can not activate them. In TbSync all the calendars are synchronized and I get the response that all is ok.

If I deactivate TOTP in Nextcloud, all is ok and the function is ok.

I tried to delete all the passwords and the cache without changes. Who can help?

@ChristophWurst (Member)

@georgehrke do you know of any limitations of app passwords and DAV?

@janste1978

What do you mean? I use the app-passwords in the security-settings. I don't use the security codes like the other one here in this thread for login without the number-code. I know this code can only be used one time, but the app-passwords should be for that problem. Isn't it?

@janste1978

Oh, it wasn't for me.

@georgehrke (Member)

@ChristophWurst No, not aware of any other bug reports and I'm using app passwords with DAV on multiple instances.

@janste1978 In case you synced your calendars with Thunderbird before enabling App Passwords and Two Factor, please make sure to properly remove the old saved passwords in Thunderbird. It's settings -> Privacy & security -> Passwords -> Saved Passwords ...

@janste1978

I have deleted the passwords 3 times without help.

@necrevistonnezr commented May 26, 2020

I have the same issue on Thunderbird with tbsync and on Outlook with Caldav Synchronizer. With enabled TOTP and using an app password, I get the following error when trying to sync:

URL:
https://[mydomain]/remote.php/dav (PROPFIND)
Request:
<d:propfind xmlns:d="DAV:"><d:prop><d:current-user-principal /></d:prop></d:propfind>
Response:

<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
<s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
<s:message/>
<o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>

I tried to deactivate and activate TOTP and set a new app password afterwards, same result.

@georgehrke (Member)

@ChristophWurst (Member)

@georgehrke (Member)

They are thrown in plenty places in https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Token/DefaultTokenProvider.php

Mostly if the QBMapper threw a DoesNotExistException and if ICrypt::decrypt throws an exception: https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Token/DefaultTokenProvider.php#L333

@necrevistonnezr

To add: I am able to access the Nextcloud calendar via iOS (also using app passwords) and add appointments that show up on the Nextcloud web calendar.

@georgehrke (Member)

@necrevistonnezr Did you delete all related passwords from the Thunderbird password store before moving to app-passwords? If not, Lightning is probably trying to connect with an old password. (see https://support.mozilla.org/en-US/questions/1005341 how to find the password store.)

@ChristophWurst (Member)

Mostly if the QBMapper threw a DoesNotExistException and if ICrypt::decrypt throws an exception: https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Token/DefaultTokenProvider.php#L333

See nextcloud/server#21122. That should help a bit and I think the patch might apply on older releases as that code did not change much recently.

@necrevistonnezr

@necrevistonnezr Did you delete all related passwords from the Thunderbird password store before moving to app-passwords? If not, Lightning is probably trying to connect with an old password. (see https://support.mozilla.org/en-US/questions/1005341 how to find the password store.)

Yes, still the same. It now asks me for a password every time I start up Thunderbird, even if I tick "User Password Manager to remember this password".

@jogrue commented Sep 30, 2020

Same here! Currently, I am running Nextcloud 19.0.3, but the issue was there for some time now. App passwords work for DAVDroid, but not very long with TBSync (currently 2.12) and the Provider for CalDAV & CardDAV addon (currently 1.12) in Thunderbird 68.12 (under Archlinux). This is my setup in Linux now, however, the same thing also happens under Windows.

I am pretty sure, I have also seen the errors reported above, in #404 (comment). I will get back to you, as soon as I see the error again.

Basically, what happens: With TOTP activated and a new app password created, everything works fine at first. At some point, often after (re-)booting things stop working—although, I think it might happen after a certain amount of time. TBSync/Thunderbird keeps asking about the password and cannot connect with the app password anymore. What helps (for some time), is creating a new app password. After reading this thread, I just checked, and the old app password indeed works again after disabling TOTP, and also after re-enabling TOTP (I guess only for some time, however). For now, it works again, I will report back if I am able to gather some more information.

@jogrue commented Oct 2, 2020

Okay, so I had never changed the app password under Windows and I am pretty sure the password didn't work a few days ago (when I had last booted to Windows). When I booted to Windows yesterday, I was asked for the password again and it worked. I guess, due to de-/re-activating TOTP previously (see above). Now, the same app password stopped working again. Generating a new app-password also works for Windows for a short period.

My setup under Windows: Nextcloud 19.0.3 and Windows 10 x64 on the client side, Thunderbird 78.3.1 (32-bit), TBSync 2.16, Provider for CalDAV & CardDAV 1.19.

TbSync Logging/Event Log showed the error message below, which is different from the one above (although, I am not too sure it was always the same). Besides this warning/error, I did not see anything in the logs.

URL:
https://cloud.mydomain.tld/remote.php/dav/principals/users/myusername/ (PROPFIND)

Request:
<d:propfind xmlns:d="DAV:" xmlns:cal="urn:ietf:params:xml:ns:caldav" xmlns:cs="http://calendarserver.org/ns/"><d:prop><cal:calendar-home-set /><d:group-membership /></d:prop></d:propfind>

Response:
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect</s:message>
</d:error>

@ChristophWurst (Member)

Please add \OC::$server->getLogger()->emergency('invalidating token ' . $token); to the beginning of this method: https://github.com/nextcloud/server/blob/caff1023ea72bb2ea94130e18a2a6e2ccf819e5f/lib/private/Authentication/Token/Manager.php#L210-L213. The line number may be different on your system.

If you use an app password but no 2FA, do the app passwords work forever? I'm still pretty sure this has nothing to do with 2FA as there is no such logic. Both 2FA and non-2FA auth take the same paths.

@jogrue commented Oct 2, 2020

I added the line, looks like this now:

        public function invalidateToken(string $token) {
                // Temporary debug line suggested above: records every token invalidation in the Nextcloud log
                \OC::$server->getLogger()->emergency('invalidating token ' . $token);
                $this->defaultTokenProvider->invalidateToken($token);
                $this->publicKeyTokenProvider->invalidateToken($token);
        }

Am I correct that this prints an entry to the Nextcloud log files if the app password is invalidated? I will keep 2FA on and see what turns up in the logs. Afterwards I will try what happens if 2FA is disabled.

And you are maybe right that it is not an 2FA/TOTP issue. To be honest, I did not know where to start with this issue (Nextcloud, TOTP/2FA, Thunderbird, Tbsync). This was just the only thread I found on the issue—and I somehow made a wrong connection between app passwords and 2FA.

@ChristophWurst (Member)

Am I correct that this prints an entry to the Nextcloud log files if the app password is invalidated? I will keep 2FA on and see what turns up in the logs. Afterwards I will try what happens if 2FA is disabled.

Exactly.

And you are maybe right that it is not an 2FA/TOTP issue. To be honest, I did not know where to start with this issue (Nextcloud, TOTP/2FA, Thunderbird, Tbsync). This was just the only thread I found on the issue—and I somehow made a wrong connection between app passwords and 2FA.

No worries. If it's that tokens are invalidated for some reason then the log will tell us.

@jogrue commented Oct 2, 2020

Actually, I just had another look at my Nextcloud log file, and some of it might be related (I don't know if these messages were not there at earlier times or if I did not spot them). So it could also be a problem with my setup. Errors look like this:

Fatal error:

Sabre\DAV\Exception\ServiceUnavailable: Doctrine\DBAL\Exception\DriverException: An exception occurred while executing 'UPDATE `oc_authtoken` SET `last_check` = ?, `last_activity` = ? WHERE `id` = ?' with params [1601580031, 1601580038, 1203]: SQLSTATE[HY000]: General error: 2006 MySQL server has gone away

Error:

Doctrine\DBAL\Exception\DriverException: An exception occurred while executing 'UPDATE `oc_authtoken` SET `last_check` = ?, `last_activity` = ? WHERE `id` = ?' with params [1601580031, 1601580038, 1203]: SQLSTATE[HY000]: General error: 2006 MySQL server has gone away

The full log file is here: https://pastebin.com/pd17QFqm

@ChristophWurst (Member)

General error: 2006 MySQL server has gone away

Yes, exactly that. Your database isn't configured properly.

@houdini69

Hi,
I've got the exact same issue with Thunderbird/TbSync/sabre-dav as soon as I activate 2FA in Nextcloud, with this error in TbSync:

URL:
https://xxxxxx.xxx.x/nextcloud/remote.php/dav/principals/users/xxxxxxx/ (PROPFIND)

Request:
<d:propfind xmlns:d="DAV:" xmlns:cal="urn:ietf:params:xml:ns:caldav" xmlns:cs="http://calendarserver.org/ns/"><d:prop><cal:calendar-home-set /><cs:calendar-proxy-write-for /><cs:calendar-proxy-read-for /><d:group-membership /></d:prop></d:propfind>

Response:

<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
<s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
<s:message/>
<o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>

Thunderbird macOS 91.7.0
TbSync 3.0.2
Nextcloud 23 on armbian

Laurent

@gituser789

Hi,
I run into the same problem:

  • Disabled TOTP: Thunderbird synchronisation (Calendar via standard Calendar and Contacts via CardBook) works fine
  • Enabled TOTP: No Access via Thunderbird

Is there any update available?
Or any workaround?

@tweinreich

Same issue here, slightly different scenario:
Sync with macOS calendar app works without TOTP but after activating the app, the password cannot be verified anymore.

@GitPullNow

Same issue here, I use a Security Key and get the same error.

Response:
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
  <s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
  <s:message/>
  <o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>

@ChristophWurst (Member)

That response should only be generated if a client sends a password, not a valid token that can be found in the DB.

@Gravydigger

I have also been getting errors when Thunderbird tries to connect to nextcloud using an app password.

I generate a new app password on nextcloud (screenshot: Capture).

I specify the username & the URL. I also then type in the app password when it asks for my password (screenshot: Capture1).

It authenticated me, and shows me the calendars I can pick from. I chose both (screenshot: Capture2).

When I try and enable the calendar (in this case my personal calendar) (screenshot: Capture3).

@ChristophWurst (Member)

Something is not right here. \OC\User\Session::logClientIn only throws PasswordLoginForbiddenException if the provided password is not an app password.

@Gravydigger

Would supplying any logs or files assist in diagnosis of the issue?

@Gravydigger

After logging onto my computer the next day, it worked for some reason?

Maybe a restart of the computer fixes the issue?

@cirk2 commented Aug 5, 2024

Ok, I got stuck on this as well. Gravydigger had the crucial hint.

Apparently Thunderbird holds on to the old password (or at least the basic auth string), even if it is deleted in the password manager, until it is restarted.
Because of this my Thunderbird tried to use the old password instead of the App-Token when switching to two factor auth. No matter how often I recreated the Calendar or App-Token. Only fully killing the Thunderbird process made it use the App Token instead of the old Password.
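A small triage helper for the failure modes worked out in this thread: it maps the two Sabre error responses quoted above (PasswordLoginForbidden, which the maintainers explain is only raised when the client sends a login password rather than an app password, and NotAuthenticated) to the diagnosis each one implies, and counts the 'invalidating token' debug line and the MySQL 'server has gone away' error on oc_authtoken updates in Nextcloud log lines. This is an added example, not Nextcloud, TbSync or Thunderbird code; the log line format and the placeholder token in the sample are constructed.

```python
"""Triage helper for the DAV auth failures in this thread: classifies the
Sabre <d:error> bodies quoted above and scans Nextcloud log lines for the
'invalidating token' debug line and the MySQL 'gone away' error."""
import re
import xml.etree.ElementTree as ET

NS = {"s": "http://sabredav.org/ns"}
# What each exception means, per the maintainers' explanation above.
DIAGNOSIS = {
    r"OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden":
        "client sent a login password, not an app password; with 2FA on, DAV "
        "refuses it. Clear the stored credential and restart the client.",
    r"Sabre\DAV\Exception\NotAuthenticated":
        "credentials rejected; the app token may have been invalidated "
        "server-side. Check nextcloud.log for invalidations or DB errors.",
}

def classify_dav_error(body: str) -> str:
    """Map a <d:error> response body to a diagnosis string."""
    body = re.sub(r"^<\?xml[^>]*\?>", "", body.strip())
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unparseable response body"
    exc = root.findtext("s:exception", namespaces=NS)
    if exc is None:
        return "no <s:exception> element in response"
    return DIAGNOSIS.get(exc, "unrecognised exception " + exc)

TOKEN_INVALIDATED = re.compile(r"invalidating token ")
DB_GONE = re.compile(r"UPDATE `oc_authtoken`.*MySQL server has gone away")

def scan_log(lines) -> tuple:
    """Count token invalidations and failed oc_authtoken updates. Only counts
    are returned: the debug line writes the raw token into the log, so never
    copy it out, and remove that line once debugging is done."""
    invalidated = sum(1 for line in lines if TOKEN_INVALIDATED.search(line))
    db_errors = sum(1 for line in lines if DB_GONE.search(line))
    return invalidated, db_errors

# Constructed samples: the two response bodies quoted in the thread and
# three made-up log lines in the shape of the ones posted above.
PASSWORD_LOGIN_FORBIDDEN = r"""<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
<s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
<s:message/>
<o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>"""
NOT_AUTHENTICATED = r"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>Username or password was incorrect</s:message>
</d:error>"""
SAMPLE_LOG = [
    "[emergency] invalidating token EXAMPLE-TOKEN-PLACEHOLDER",
    "[error] Doctrine\\DBAL\\Exception\\DriverException while executing "
    "'UPDATE `oc_authtoken` SET `last_check` = ? WHERE `id` = ?': "
    "SQLSTATE[HY000]: General error: 2006 MySQL server has gone away",
    "[info] Login successful",
]
```

Run classify_dav_error on the response body TbSync shows in its event log and scan_log over the lines of nextcloud.log to separate a client that is still sending the old password from a token that the server really invalidated.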
