Android client can't login to nextcloud 27 except by webauthn

Nextcloud version 27.0.2
Operating system and version Debian 12
Nginx: 1.22.1-9
PHP version 8.2

Plain password login works on desktop only - whether in Firefox, Nextcloud Desktop Client, even Thunderbird’s Addressbook (CardDAV) and RSS download of bookmarks.

Android client (additionally Firefox and Google Chrome) can’t login to nextcloud 27 except by webauthn. Also doesn’t work: in Settings → Security → Devices & sessions, under “web, desktop and mobile clients currently logged in to your account”, I can create an “App name”, and “Create a New App Password”. But then it’s unusable and doesn’t work.

It’s just webauthn (with Yubico USB FIDO2) that will work for me in Android! And it’s irrespective of Nextcloud user. Creating a new Nextcloud user has the exact same problem.

The output of your Nextcloud log in Admin > Logging:

{"reqId":"vLCVNb2tu7s8zaFhzobN","level":2,"time":"2023-09-15T10:53:39+00:00","remoteAddr":"11.21.1.15","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: username (Remote IP: 111.22.33.44)","userAgent":"Google Pixel 6 (Android)","version":"27.0.2.1","data":[],"id":"65043e4ff2fa7"}

I’m sorry, I don’t get your point. Once the user enables 2FA there should be no way to log in without a second factor (WebAuthn, TOTP etc.)… and this should be the same. An admin could enforce 2FA as well. But in my eyes it should never happen that a user can still log in using a plain password once 2FA is enabled, neither on desktop nor on any other client. Please double check that desktop login really works without a second factor on desktop - or maybe it just remains logged in. If basic auth works while 2FA is active you should report this as a bug.

The enablement of 2fa in Android was in response to having zero working methods of login in any way or place on the Android platform - all the while desktop-originating login working fine in every way and place. It is as though my Android phone is a “pariah” (for some reason I can’t determine), to my Nextcloud server.

By adding 2fa, my working login methods increased from zero to one, in Android.

My linux Desktop is accepted and welcomed in my Nextcloud server, and never had any problem. Which Nextcloud user I log in as, is immaterial - they all work in this way in Desktop.

Both my Android phone and my linux desktop are coming from the exact same IP address (behind the same firewall).

It’s true that I never need my FIDO2 dongle in desktop - plain password login works and is sufficient in all places - Firefox, Thunderbird, and the Nextcloud Desktop client.

One more time - if your account has active 2FA I know of no way to log in using a plain password (by default existing sessions remain active forever). If WebAuthn is required then 2FA must be active.

If you need further support please provide details about your account, personal security settings and log files.

It turns out to be a false alarm.

It’s not Nextcloud’s fault, but rather the fault of the app I was using to share a password across from my laptop to my smartphone. The app I chose to do this with, Binary Eye (reading a QR code on my laptop), was introducing imperceptible-to-the-eye corruptions of some sort. When I shared the password across with another method, then they worked.

It wasn’t Nextcloud’s fault after all.

My Bad!

PS:
Either the password, with no Yubikey, or the Yubikey, providing no password - both methods work for login with the Android app (these two things are not “anded” together for a successful login in Android, for me). Then in turn, the Nextcloud Notes app, and the Nextcloud Bookmarks App - from F-Droid, look to the successful login achieved by the Nextcloud Android app, asking for neither the Yubikey, nor the password.
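
A way to check a transferred password for the kind of invisible corruption described in the last post, as an added example that is not part of the thread and not code from Nextcloud or Binary Eye. The thread does not say what the corruption was, so the checks below (zero-width and control characters, non-ASCII or stray leading/trailing spaces, non-NFC text) are assumptions about common causes, and the sample strings are constructed.

```python
import unicodedata

# Unicode categories that render as nothing or as blank space:
# Cf = format (zero-width space, BOM), Cc = control (newline, tab),
# Zs/Zl/Zp = space, line and paragraph separators.
INVISIBLE = {"Cf", "Cc", "Zs", "Zl", "Zp"}


def suspicious_chars(secret):
    """List (index, codepoint, name) for characters a reader cannot see.

    Only the suspect characters are reported, never the secret itself.
    """
    findings = []
    last = len(secret) - 1
    for i, ch in enumerate(secret):
        cat = unicodedata.category(ch)
        # An ASCII space inside a password is legitimate; at either end it
        # is usually a copy/paste or scanner artifact.
        if ch == " " and 0 < i < last:
            continue
        if cat in INVISIBLE:
            name = unicodedata.name(ch, "<unnamed, category %s>" % cat)
            findings.append((i, "U+%04X" % ord(ch), name))
    return findings


def first_difference(expected, received):
    """Index of the first differing character, or None if identical."""
    for i, (a, b) in enumerate(zip(expected, received)):
        if a != b:
            return i
    if len(expected) != len(received):
        return min(len(expected), len(received))
    return None


def nfc_stable(secret):
    """False if the string changes under NFC, e.g. decomposed accents."""
    return unicodedata.normalize("NFC", secret) == secret


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    typed = "Tr0ub4dor&3"
    scanned = "Tr0ub4dor\u200b&3\n"
    print(first_difference(typed, scanned), suspicious_chars(scanned))
```

Running this on the receiving device against the string as it arrived shows where the two copies diverge without echoing the password into a terminal log or a support post.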