Log in by Webauth device (Yubikey) fails 21.0.1+Webauthn 0.2.9

Hi all!

After upgrading to NC21, device login and registration are not possible any more. My Yubikeys are fine on tests with Webauthn.io.

Nextcloud version (eg, 20.0.5): 21.0.2 RC1 - 21.0.2.0
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04, Linux 5.4.0-73-generic
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.41 (Ubuntu) (fpm-fcgi)
PHP version (eg, 7.4): r7.4.3
Database: mysql 10.3.29 (mariadb)

After upgrading to NC21 nothing happens when tapping the Yubikey button. I noticed some database errors.

Is this the first time you’ve seen this error? (Y/N): yes, on NC21, worked on NC20

Steps to replicate it (sorry for mistakes, it's manually translated from the German UI):

  1. Personal > Security > Passwordless authentication: delete all devices
  2. Add webAuthn device
  3. launch a different browser, e.g. chrome (error seen on FF&Chrome)
  4. click on Log in with a device
  5. enter username
  6. click on log in
  7. insert the yubikey
  8. tap the key button on the yubikey
  9. every time I tap the button the same error occurs in the log.
  10. if I add another key or delete all keys again, the number in the duplicate entry error increases by one

The output of your Nextcloud log in Admin > Logging (hope you are fine with that; if someone likes it, I'll copy and paste the other formats):

Doctrine\DBAL\Exception\UniqueConstraintViolationException: An exception occurred while executing a query: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '3' for key 'PRIMARY'

    /var/www/nextcloud/3rdparty/doctrine/dbal/src/Connection.php - line 1728:

    Doctrine\DBAL\Driver\API\MySQL\ExceptionConverter->convert()

    /var/www/nextcloud/3rdparty/doctrine/dbal/src/Connection.php - line 1667:

    Doctrine\DBAL\Connection->handleDriverException()

    /var/www/nextcloud/3rdparty/doctrine/dbal/src/Connection.php - line 1146:

    Doctrine\DBAL\Connection->convertExceptionDuringQuery()

    /var/www/nextcloud/lib/private/DB/Connection.php - line 257:

    Doctrine\DBAL\Connection->executeStatement()

    /var/www/nextcloud/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php - line 213:

    OC\DB\Connection->executeStatement()

    /var/www/nextcloud/lib/private/DB/QueryBuilder/QueryBuilder.php - line 287:

    Doctrine\DBAL\Query\QueryBuilder->execute()

    /var/www/nextcloud/lib/public/AppFramework/Db/QBMapper.php - line 135:

    OC\DB\QueryBuilder\QueryBuilder->execute()

    /var/www/nextcloud/lib/public/AppFramework/Db/QBMapper.php - line 159:

    OCP\AppFramework\Db\QBMapper->insert()

    /var/www/nextcloud/lib/private/Authentication/WebAuthn/CredentialRepository.php - line 89:

    OCP\AppFramework\Db\QBMapper->insertOrUpdate()

    /var/www/nextcloud/lib/private/Authentication/WebAuthn/CredentialRepository.php - line 93:

    OC\Authentication\WebAuthn\CredentialRepository->saveAndReturnCredentialSource()

    /var/www/nextcloud/3rdparty/web-auth/webauthn-lib/src/AuthenticatorAssertionResponseValidator.php - line 206:

    OC\Authentication\WebAuthn\CredentialRepository->saveCredentialSource()

    /var/www/nextcloud/lib/private/Authentication/WebAuthn/Manager.php - line 235:

    Webauthn\AuthenticatorAssertionResponseValidator->check()

    /var/www/nextcloud/core/Controller/WebAuthnController.php - line 107:

    OC\Authentication\WebAuthn\Manager->finishAuthentication()

    /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 218:

    OC\Core\Controller\WebAuthnController->finishAuthentication()

    /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 127:

    OC\AppFramework\Http\Dispatcher->executeController()

    /var/www/nextcloud/lib/private/AppFramework/App.php - line 157:

    OC\AppFramework\Http\Dispatcher->dispatch()

    /var/www/nextcloud/lib/private/Route/Router.php - line 302:

    OC\AppFramework\App::main()

    /var/www/nextcloud/lib/base.php - line 993:

    OC\Route\Router->match()

    /var/www/nextcloud/index.php - line 37:

    OC::handleRequest()

Verursacht durchDoctrine\DBAL\Driver\PDO\Exception: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '3' for key 'PRIMARY'

    /var/www/nextcloud/3rdparty/doctrine/dbal/src/Driver/PDO/Statement.php - line 84:

    Doctrine\DBAL\Driver\PDO\Exception::new()

    /var/www/nextcloud/3rdparty/doctrine/dbal/src/Connection.php - line 1136:

    Doctrine\DBAL\Driver\PDO\Statement->execute()

    /var/www/nextcloud/lib/private/DB/Connection.php - line 257:

    Doctrine\DBAL\Connection->executeStatement()

    /var/www/nextcloud/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php - line 213:

    OC\DB\Connection->executeStatement()

    /var/www/nextcloud/lib/private/DB/QueryBuilder/QueryBuilder.php - line 287:

    Doctrine\DBAL\Query\QueryBuilder->execute()

    /var/www/nextcloud/lib/public/AppFramework/Db/QBMapper.php - line 135:

    OC\DB\QueryBuilder\QueryBuilder->execute()

    /var/www/nextcloud/lib/public/AppFramework/Db/QBMapper.php - line 159:

    OCP\AppFramework\Db\QBMapper->insert()

    /var/www/nextcloud/lib/private/Authentication/WebAuthn/CredentialRepository.php - line 89:

    OCP\AppFramework\Db\QBMapper->insertOrUpdate()

    /var/www/nextcloud/lib/private/Authentication/WebAuthn/CredentialRepository.php - line 93:

    OC\Authentication\WebAuthn\CredentialRepository->saveAndReturnCredentialSource()

    /var/www/nextcloud/3rdparty/web-auth/webauthn-lib/src/AuthenticatorAssertionResponseValidator.php - line 206:

    OC\Authentication\WebAuthn\CredentialRepository->saveCredentialSource()

    /var/www/nextcloud/lib/private/Authentication/WebAuthn/Manager.php - line 235:

    Webauthn\AuthenticatorAssertionResponseValidator->check()

    /var/www/nextcloud/core/Controller/WebAuthnController.php - line 107:

    OC\Authentication\WebAuthn\Manager->finishAuthentication()

    /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 218:

    OC\Core\Controller\WebAuthnController->finishAuthentication()

    /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 127:

    OC\AppFramework\Http\Dispatcher->executeController()

    /var/www/nextcloud/lib/private/AppFramework/App.php - line 157:

    OC\AppFramework\Http\Dispatcher->dispatch()

    /var/www/nextcloud/lib/private/Route/Router.php - line 302:

    OC\AppFramework\App::main()

    /var/www/nextcloud/lib/base.php - line 993:

    OC\Route\Router->match()

    /var/www/nextcloud/index.php - line 37:

    OC::handleRequest()

Verursacht durchPDOException: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '3' for key 'PRIMARY'

    /var/www/nextcloud/3rdparty/doctrine/dbal/src/Driver/PDO/Statement.php - line 82:

    PDOStatement->execute()

    /var/www/nextcloud/3rdparty/doctrine/dbal/src/Connection.php - line 1136:

    Doctrine\DBAL\Driver\PDO\Statement->execute()

    /var/www/nextcloud/lib/private/DB/Connection.php - line 257:

    Doctrine\DBAL\Connection->executeStatement()

    /var/www/nextcloud/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php - line 213:

    OC\DB\Connection->executeStatement()

    /var/www/nextcloud/lib/private/DB/QueryBuilder/QueryBuilder.php - line 287:

    Doctrine\DBAL\Query\QueryBuilder->execute()

    /var/www/nextcloud/lib/public/AppFramework/Db/QBMapper.php - line 135:

    OC\DB\QueryBuilder\QueryBuilder->execute()

    /var/www/nextcloud/lib/public/AppFramework/Db/QBMapper.php - line 159:

    OCP\AppFramework\Db\QBMapper->insert()

    /var/www/nextcloud/lib/private/Authentication/WebAuthn/CredentialRepository.php - line 89:

    OCP\AppFramework\Db\QBMapper->insertOrUpdate()

    /var/www/nextcloud/lib/private/Authentication/WebAuthn/CredentialRepository.php - line 93:

    OC\Authentication\WebAuthn\CredentialRepository->saveAndReturnCredentialSource()

    /var/www/nextcloud/3rdparty/web-auth/webauthn-lib/src/AuthenticatorAssertionResponseValidator.php - line 206:

    OC\Authentication\WebAuthn\CredentialRepository->saveCredentialSource()

    /var/www/nextcloud/lib/private/Authentication/WebAuthn/Manager.php - line 235:

    Webauthn\AuthenticatorAssertionResponseValidator->check()

    /var/www/nextcloud/core/Controller/WebAuthnController.php - line 107:

    OC\Authentication\WebAuthn\Manager->finishAuthentication()

    /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 218:

    OC\Core\Controller\WebAuthnController->finishAuthentication()

    /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 127:

    OC\AppFramework\Http\Dispatcher->executeController()

    /var/www/nextcloud/lib/private/AppFramework/App.php - line 157:

    OC\AppFramework\Http\Dispatcher->dispatch()

    /var/www/nextcloud/lib/private/Route/Router.php - line 302:

    OC\AppFramework\App::main()

    /var/www/nextcloud/lib/base.php - line 993:

    OC\Route\Router->match()

    /var/www/nextcloud/index.php - line 37:
	
    OC::handleRequest()

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'xx',
  'passwordsalt' => 'xx',
  'secret' => 'xx',
  'trusted_domains' => 
  array (
    0 => 'cloud.xx.de',
  ),
  'datadirectory' => '/var/oc-data',
  'dbtype' => 'mysql',
  'version' => '21.0.2.0',
  'overwrite.cli.url' => 'https://cloud.xx.de',
  'htaccess.RewriteBase' => '/',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'owncloud',
  'dbpassword' => 'xx',
  'installed' => true,
  'maintenance' => false,
  'filelocking.enabled' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'mail_from_address' => 'bb',
  'mail_domain' => 'xx.de',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'xxx.xxx.net',
  'mail_smtpname' => 'xx.de',
  'mail_smtppassword' => 'xx',
  'mail_smtpsecure' => 'tls',
  'mail_smtpport' => '25',
  'theme' => '',
  'loglevel' => 1,
  'updater.release.channel' => 'beta',
  'updater.secret' => 'xxx',
  'versions_retention_obligation' => 'auto, 14',
  'encryption.legacy_format_support' => false,
  'encryption.key_storage_migrated' => false,
  'default_phone_region' => 'DE',
  'force_locale' => 'de_DE',
);

The output of your Apache/nginx/system log in /var/log/____:

Nothing interesting here

Regards, Benjamin

Seems to be a problem with your database, duplicate entries. Doesn’t show the table name. Perhaps there is more detail about the related table in a database log.
I’d check the database structure with the occ command:
https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/occ_command.html#maintenance-commands
and perhaps the indices:
https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/occ_command.html#add-missing-indices

1 Like

@tflidd thanks for the reply. I tried this:

  • I executed the missing-indices command, without any result: after deleting, creating and trying to log in with the key I still get the same error. I'm used to executing that command after some major updates anyway.
  • show global variables like 'log_error'; says the database logs here: /var/log/mysql/error.log. The file is empty. So the database is fine.
  • @tflidd: How can I check the database structure with an occ command? I read the maintenance article twice, but I could not find any hint about database, occ and structure check. What did I overlook?

Any ideas? Are there other users with hardware tokens facing the same problems? Or not?

Quite strange: I think the keys are stored in the oc_webauthn table. But there is only one entry if I add a new token key:

select id,name from oc_webauthn;
+----+------+
| id | name |
+----+------+
|  5 | yub1 |
+----+------+

But it is just a guess, that this table is relevant to that problem.

Do you use U2F or (T-)OTP with this key?

@tflidd It’s a bit difficult for me to answer the question. I have been dealing with keys for only half a year. I am not a security expert and I must say that I find both abbreviations and concepts very confusing. I’ll try my best to answer your questions:

  • For Nextcloud, I've been using FIDO2 (for me: passwordless login) since Nextcloud version 19. Unfortunately, I don't know enough to say whether U2F or OTP are also part of the process. Someone who knows this better than I do would have to comment on that. But I can say with certainty that I have not installed any additional apps for authorizations.

  • If the question is about how I use the Yubikey, I can say that I use OTP, challenge response, two-factor authorization, smartcard, etc. for various services. But nothing has changed there before and after the Nextcloud update. Other FIDO2 services are still working. Also, if Nextcloud allows key registration (see my procedure), authorization should work too.

I hope this helps with clarification and we find some further steps for troubleshooting.

1 Like

That’s because they are…:slight_smile:
So, for example FIDO2 is not a standard (see red square above).
WebAuthn is a standard. FIDO is the protocol. Combined they are FIDO2

But in practical terms the latest upgrade to RC1 does not screw up the 2FA functionality.
At least for me… Old Yubikeys work (blue and black), new can be enrolled…

@henry Thanks for your test! So it seems there is not a bug in general. In other cases I’d write a bug report, but if the error occurs only in some “special” circumstances, I’m afraid this will not solve my problem.

Btw. occ maintenance:repair and occ db:add-missing-indices didn't help.

Any ideas how to troubleshoot that error?

The U2F stuff is working for me but it is a different table and just 2FA not passwordless. On the repository of this app, I didn’t see anything related on a first glance: https://github.com/michib/nextcloud_twofactor_webauthn/#readme

With the key violation in your error message, it doesn't say in which table there was this conflict. You could try to log all the db-queries to get the problematic one. From the logs you cited, they seem to be generated within the authentication process, so the developers related to WebAuthn should know best at which step this might fail.

1 Like

@tflidd Thank you that you're still part of this! After reading your reply, I wanted to change the tag to `webhauth`, but someone did it already, I guess it was you. Thanks!

Can you please give me any hint how I could log the related db queries? If I put the Nextcloud log into "debug" I cannot find anything related there. So, I need to do that on the database. Unfortunately, I'm not an expert at that either. My setup is Ubuntu with a mariadb/mysql database.

No it is on the database level, there are some options in the config file I think. For Nextcloud itself, you would have to edit one of the files and add a line to log, but I can’t help you with that either ;-(

I’ve got the same issue. Fresh install of NC 21.0.2.
What works:

  • Adding my YubiKey 5 NFC with Edge
  • Logging in using the YubiKey with Edge

What doesn’t work:

  • Adding the YubiKey with Firefox 89.0b15 (64-Bit)
  • Logging in using the YubiKey (when added previously with Edge, because I can’t add it with Firefox)

Webauthn.io on the other hand works with Firefox+YubiKey with no problems whatsoever.

So why would it be a database issue if the same key works with Edge (and Chrome) and not with Firefox? And it isn’t a problem with Firefox+Yubikey either, because it works with Webauthn.io.

Wild guess: It’s a frontend issue in NC. Somehow the API is used incorrectly or in a Chrome specific way (without proper testing on Firefox) which manifests itself in a “database issue” later on.

If I find the time I will try to investigate further.

Edit: Logging in doesn’t work after all.

1 Like

Ok, I’ve got an update:

There are two unrelated problems with the webauthn login:

The first problem is that Firefox seems to ignore the request for the attestation type “none”. It always returns an attestation of type “packed” (at least with my YubiKey). Chrome and Edge correctly answer with attestation type “none”. The webauthn-lib that Nextcloud uses can handle the “packed” attestation, but Nextcloud is missing the correct initialization to do so. The effect is that you can’t add new YubiKeys to Nextcloud using Firefox.

The second problem is a bug in (at least) NC 21 in the QBMapper function "insertOrUpdate". The function first tries to insert a new value, and when an exception of type "unique constraint violation" is caught, it tries to update. The problem is that it tries to catch the wrong exception class. It catches OCP\DB\Exception when the actual exception is Doctrine\DBAL\Exception\UniqueConstraintViolationException.
This bug stops you from logging in with the YubiKey, no matter which browser. But the good news is: This bug is already fixed in the master branch: server/QBMapper.php at d78449c01cf1cc608eca7a4d6ae675f1bc3e8aeb · nextcloud/server · GitHub

2 Likes
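To make the second problem concrete, here is an added illustration (not Nextcloud's or Doctrine's code): stub exception classes carrying the two class names from the post above, and a hypothetical CredentialMapper whose insert() throws the Doctrine exception on a duplicate primary key, as the "Duplicate entry '3' for key 'PRIMARY'" trace in this thread shows. The buggy and corrected insertOrUpdate variants are side by side.

```php
<?php
// Stub namespaces so the snippet runs stand-alone (constructed for this example).
namespace Doctrine\DBAL\Exception { class UniqueConstraintViolationException extends \Exception {} }
namespace OCP\DB { class Exception extends \Exception {} }
namespace Demo {
    use Doctrine\DBAL\Exception\UniqueConstraintViolationException;

    // Hypothetical mapper standing in for the WebAuthn credential repository.
    class CredentialMapper {
        private array $rows = [];   // id => name, stands in for oc_webauthn

        public function insert(int $id, string $name): string {
            if (isset($this->rows[$id])) {
                // What the MySQL driver surfaces through Doctrine on a duplicate key.
                throw new UniqueConstraintViolationException("Duplicate entry '$id' for key 'PRIMARY'");
            }
            $this->rows[$id] = $name;
            return 'inserted';
        }

        public function update(int $id, string $name): string {
            $this->rows[$id] = $name;
            return 'updated';
        }

        // Buggy variant: the catch names a class the driver never throws here,
        // so the duplicate-key error escapes and finishAuthentication() fails.
        public function insertOrUpdateBuggy(int $id, string $name): string {
            try {
                return $this->insert($id, $name);
            } catch (\OCP\DB\Exception $e) {
                return $this->update($id, $name);
            }
        }

        // Corrected variant: catch the class that is actually thrown.
        public function insertOrUpdateFixed(int $id, string $name): string {
            try {
                return $this->insert($id, $name);
            } catch (UniqueConstraintViolationException $e) {
                return $this->update($id, $name);
            }
        }
    }

    $m = new CredentialMapper();
    echo $m->insertOrUpdateFixed(3, 'yub1'), "\n";   // inserted (registration)
    echo $m->insertOrUpdateFixed(3, 'yub1'), "\n";   // updated (later login re-saves the credential)
    try {
        $m->insertOrUpdateBuggy(3, 'yub1');
    } catch (UniqueConstraintViolationException $e) {
        echo 'buggy variant leaked: ', $e->getMessage(), "\n";
    }
}
```

The same pattern is worth checking in any upsert wrapper after a database-layer upgrade: if the thrown exception class changes, a catch on the old class silently turns "update" into "fail".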

@BaertigerMann thank you for that investigation!

I didn't use webauthn login for some time and performed an upgrade from NC19 to NC21 (in between my IT dept forced the upgrade from Win10 18?? to 1909). As a result of this thread I decided to test: I can confirm webauthn second factor fails with Nitrokey against NC21.0.2 and FF 88.0.1 and Edge 99.0.818.66 on Windows 10 1909

In the log the only related message looks like

[no app in context] Info: Deprecated event type for OCP\Authentication\TwoFactorAuth\IProvider::failed: Symfony\Component\EventDispatcher\GenericEvent is used

POST /login/challenge/twofactor_webauthn
from 192.168.11.202 by $user at 2021-05-27T21:27:10+00:00

Tested again…

I can enroll Yubikeys (blue and black) on the latest NC.
I can use successfully either of them as 2FA login.
I can’t use any of them for passwordless login…

And this fix does not work

It’s also 6 weeks old…

When I said (above) it was working with RC1 of the v.21 I don’t think I tested it with passwordless login (just 2FA)…

  • I tested one instance where I had Nitrokey setup before - 2nd factor with Nitrokey fails (after Windows dialog shows up and disappears).
  • On the other instance where Webauthn is not enabled even registering the Webauthn fails (looks successful but device is never added - keeps spinning forever at “adding device”)
  • error in NC log is the same as mentioned before


UPDATE: registering new Webauthn device

  • fingerprint reader worked
  • Nitrokey FIDO2 never completes (touch device, enter PIN successful, last step assign device name never completes)


Just tested successfully using latest docker NC 21.0.2 (version from 04.06.2021) and Two-Factor Webauthn 0.2.10