After upgrading to Nextcloud Vers. 21, logged-in users are always logged out after a few minutes (==> Fido2/webauthn ! Users only)

frank.scheuer · April 14, 2021, 7:47am

After upgrading to Nextcloud Vers. 21, logged-in users are always logged out after a few minutes. Does anyone have a clue about this? Are there others with the same problem?

This problem did not exist before.

We have users who log in via the TOTP procedure and users who log in via U2F and Fido2.

Nextcloud Version 21.0.1
PhP Version: 7.3.16

j-ed · April 14, 2021, 7:52am

I personally cannot replicate that problem on my server. Are there any errors listed in the Nextcloud log file? Is the system clock synced via NTP?

frank.scheuer · April 14, 2021, 8:00am

This is what I found quickly

frank.scheuer · April 14, 2021, 11:25am

We were able to narrow it down. There seems to be a problem with users who use security keys for login.
We have a lot of Yubico Fido2 keys in use at our training centre.

Over half of our staff use the keys and now have a real problem. They are logged out of the system after a few minutes. We have been able to use the sticks for about 6 months without any problems.
Users with TOTP login as 2nd factor are not affected.

If this is a bug, then I really ask that it be solved quickly. Please

szaimen · April 14, 2021, 11:36am

See Logintoken are Invalidated 21.0.1 · Issue #26502 · nextcloud/server · GitHub

frank.scheuer · April 14, 2021, 11:47am

Thanks for the hint,…was already looking in Github

frank.scheuer · April 15, 2021, 12:37pm

This seems to be a really big problem! I wonder why no one seems to be working on the solution yet. This is not a common bug…so far there is no feedback at all

frank.scheuer · May 31, 2021, 11:26am

Login via Webauth device dosent work. The issue regarding Wewbauthn has worsened since the last update 21.0.2. Webauthn login generally no longer works.
user son1c opened a new bug report about this 2 weeks ago.
Please use the reaction to show that you are affected by the same issue.

github.com/nextcloud/server

Login via Webauth device dosent work

opened 03:02PM - 23 May 21 UTC

son1c

0. Needs triage bug

### How to use GitHub * Please use the 👍 [reaction](https://blog.gith…ub.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to show that you are affected by the same issue. * Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue. * Subscribe to receive notifications on status change and new comments. ### Steps to reproduce 1. Add a Webauth device to a user (a Yubikey) 2. Logout 3. Login with the Webauth device ### Expected behaviour After typing your username, push the button on yubikey when your browser asks for device and the login is complete ### Actual behaviour After typing your username, push the button on yubikey when your browser asks for device. Then nothing happens. ### Server configuration **Operating system:** Official Docker Image **Database:** Offical MariaDB Docker image **Nextcloud version:** (see Nextcloud admin page) 21.0.2 **Updated from an older Nextcloud/ownCloud or fresh install:** 21.0.1 ### Logs #### Browser log [index] Error: Doctrine\DBAL\Exception\UniqueConstraintViolationException: An exception occurred while executing a query: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '9' for key 'PRIMARY' at <<closure>> 0. /var/www/html/3rdparty/doctrine/dbal/src/Connection.php line 1728 Doctrine\DBAL\Driver\API\MySQL\ExceptionConverter->convert(Doctrine\DBAL\Driver\PDO\Exception {}, Doctrine\DBAL\Query {}) 1. /var/www/html/3rdparty/doctrine/dbal/src/Connection.php line 1667 Doctrine\DBAL\Connection->handleDriverException(Doctrine\DBAL\Driver\PDO\Exception {}, Doctrine\DBAL\Query {}) 2. /var/www/html/3rdparty/doctrine/dbal/src/Connection.php line 1146 Doctrine\DBAL\Connection->convertExceptionDuringQuery(Doctrine\DBAL\Driver\PDO\Exception {}, "INSERT INTO `oc ... )", ["Yubikey 5 NFC" ... 9], [2,2,2,2,1]) 3. /var/www/html/lib/private/DB/Connection.php line 257 Doctrine\DBAL\Connection->executeStatement("INSERT INTO `oc ... )", ["Yubikey 5 NFC" ... 9], [2,2,2,2,1]) 4. /var/www/html/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php line 213 OC\DB\Connection->executeStatement("INSERT INTO `oc ... )", {dcValue1: "Yubi ... 9}, {dcValue1: 2,dcV ... 1}) 5. /var/www/html/lib/private/DB/QueryBuilder/QueryBuilder.php line 287 Doctrine\DBAL\Query\QueryBuilder->execute() 6. /var/www/html/lib/public/AppFramework/Db/QBMapper.php line 135 OC\DB\QueryBuilder\QueryBuilder->execute() 7. /var/www/html/lib/public/AppFramework/Db/QBMapper.php line 159 OCP\AppFramework\Db\QBMapper->insert(OC\Authenticatio ... 9}) 8. /var/www/html/lib/private/Authentication/WebAuthn/CredentialRepository.php line 89 OCP\AppFramework\Db\QBMapper->insertOrUpdate(OC\Authenticatio ... 9}) 9. /var/www/html/lib/private/Authentication/WebAuthn/CredentialRepository.php line 93 OC\Authentication\WebAuthn\CredentialRepository->saveAndReturnCredentialSource(Webauthn\PublicKeyCredentialSource {}, "default") 10. /var/www/html/3rdparty/web-auth/webauthn-lib/src/AuthenticatorAssertionResponseValidator.php line 206 OC\Authentication\WebAuthn\CredentialRepository->saveCredentialSource(Webauthn\PublicKeyCredentialSource {}) 11. /var/www/html/lib/private/Authentication/WebAuthn/Manager.php line 235 Webauthn\AuthenticatorAssertionResponseValidator->check(null, Webauthn\Authent ... {}, Webauthn\PublicK ... {}, GuzzleHttp\Psr7\ServerRequest {}, "son1c") 12. /var/www/html/core/Controller/WebAuthnController.php line 107 OC\Authentication\WebAuthn\Manager->finishAuthentication(Webauthn\PublicK ... {}, "{\"id\":\"gdDVR ... }", "son1c") 13. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 218 OC\Core\Controller\WebAuthnController->finishAuthentication("{\"id\":\"gdDVR ... }") 14. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 127 OC\AppFramework\Http\Dispatcher->executeController(OC\Core\Controller\WebAuthnController {}, "finishAuthentication") 15. /var/www/html/lib/private/AppFramework/App.php line 157 OC\AppFramework\Http\Dispatcher->dispatch(OC\Core\Controller\WebAuthnController {}, "finishAuthentication") 16. /var/www/html/lib/private/Route/Router.php line 302 OC\AppFramework\App::main("OC\\Core\\Contr ... r", "finishAuthentication", OC\AppFramework\ ... {}, {_route: "core.W ... "}) 17. /var/www/html/lib/base.php line 993 OC\Route\Router->match("/login/webauthn/finish") 18. /var/www/html/index.php line 37 OC::handleRequest() POST /login/webauthn/finish from <ip> at 2021-05-23T14:38:34+00:00 The DB doesn't show me a duplicate entry in oc_webauth. ``` +----+---------------+ | id | name | +----+---------------+ | 9 | Yubikey 5 NFC | +----+---------------+ ```

Add a Webauth device to a user (a Yubikey)
Logout
Login with the Webauth device

wwe · May 31, 2021, 11:50am

it looks number of problems are related to webauthn login

frank.scheuer · May 31, 2021, 12:40pm

I am really increasingly very surprised about the actions of Nextcloud. In my opinion, this is a major problem and should be solved as quickly as possible. Instead, we now have NC 21.0.2 and the issue has even gotten worse. I don’t even know if the developers are addressing the issue. That alone would be reassuring to know. In Nextcloud 19, this feature was very strongly advertised! It doesn’t seem to be a high priority. I’m very curious to see if NC 21.0.3 solves the problem.