Log in by Webauth device (Yubikey) fails 21.0.1+Webauthn 0.2.9

Seems to be a problem with your database, duplicate entries. Doesn’t show the table name. Perhaps there is more detail about the related table in a database log.
I’d check the database structure with the occ command:
and perhaps the indices:

1 Like

@tflidd thanks for the replay. I tied this:

  • I executed the missing-indices command, without any result: after deleting, creating and trying to log in with the key I still get the same error. I’m used to execute that command after some major updates anyway.
  • show global variables like 'log_error'; says the database logs here: /var/log/mysql/error.log. The file is empty. So the databes is fine.
  • @tflidd: How can I check the database strucktere by an occ command? I read the maintenance article twice, but I could not find any hint about database, occ and structure check. What did I oversee?

Any ideas? Are there other users with hardware tokens facing the same problems? Or not?

Quite strange: I think the keys are stored in the oc_webauthntable. But there is only one enty if I add new token key:

select id,name from oc_webauthn;
| id | name |
|  5 | yub1 |

But it is just a guess, that this table is relevant to that problem.

Do you use U2F or (T-)OTP with this key?

@tflidd It’s a bit difficult for me to answer the question. I have been dealing with keys for only half a year. I am not a security expert and I must say that I find both abbreviations and concepts very confusing. I’ll try my best to answer your questions:

  • For Nextcloud, I’ve been using FIDO2 (for me: passwordless login) since Nextcloud version 19. Unfortunately, I don’t know well enough to say whether U2F or OTP are also part of the process. Someone who knows this better than I do would have to comment on that. But I can say with certainty that I have not installed any additional apps for authorizations.

  • If the question is about how I use the Yubikey, I can tell that I use OTP, challange response, two-factor authorization, smartcard, etc… for various services. But nothing has changed there before and after the Nextcloud update. Other FIDO2 services are still working. Also, if Nextcloud allows key registration (see my procedure), authorization should work too.

I hope this helps with clarification and we find some further steps for trouble shooting.

1 Like

That’s because they are…:slight_smile:
So, for example FIDO2 is not a standard (see red square above).
WebAuthn is a standard. FIDO is the protocol. Combined they are FIDO2

But in practical terms the latest upgrade to RC1 does not screw up the 2FA functionality.
At least for me… Old Yubikeys work (blue and black), new can be enrolled…

@anon71540698 Thanks for your test! So it seems there is not a bug in general. In other cases I’d write a bug report, but if the error occurs only in some “special” circumstances, I’m afraid this will not solve my problem.

Btw. occ maintenance:repairand occ db:add-missing-indices didn’t help.

Any ideas how to trouble shot that error?

The U2F stuff is working for me but it is a different table and just 2FA not passwordless. On the repository of this app, I didn’t see anything related on a first glance: https://github.com/michib/nextcloud_twofactor_webauthn/#readme

With the key violation in your error message, it doesn’t say in which table there was this conflict. You could try to log all the db-queries to get the problematic one. From the logs you cited, they seem to be generated within the authentication process, so the developers related to ```
WebAuthn should know best at which step this might fail.

1 Like

@tflidd Thank you that you’re still part of this! After reading you replay, I wanted to change the tag to `webhauth´, but some did it already I guess it was you. Thanks!

Can you please give me any hint, how I could log the related db-querries? If I put the Nextcloud log into “debug” I cannot find there anything related. So, I need to do that on the database. Unfortunately, I’m not an expert for that too. My setup is Ubuntu with mariadb/mysql database.

No it is on the database level, there are some options in the config file I think. For Nextcloud itself, you would have to edit one of the files and add a line to log, but I can’t help you with that either ;-(

I’ve got the same issue. Fresh install of NC 21.0.2.
What works:

  • Adding my YubiKey 5 NFC with Edge
  • Logging in using the YubiKey with Edge

What doesn’t work:

  • Adding the YubiKey with Firefox 89.0b15 (64-Bit)
  • Logging in using the YubiKey (when added previously with Edge, because I can’t add it with Firefox)

Webauthn.io on the other hand works with Firefox+YubiKey with no problems whatsoever.

So why would it be a database issue if the same key works with Edge (and Chrome) and not with Firefox? And it isn’t a problem with Firefox+Yubikey either, because it works with Webauthn.io.

Wild guess: It’s a frontend issue in NC. Somehow the API is used incorrectly or in a Chrome specific way (without proper testing on Firefox) which manifests itself in a “database issue” later on.

If I find the time I will try to investigate further.

Edit: Logging in doesn’t work after all.

1 Like

Ok, I’ve got an update:

There are two unrelated problems with the webauthn login:

The first problem is that Firefox seems to ignore the request for the attestation type “none”. It always returns an attestation of type “packed” (at least with my YubiKey). Chrome and Edge correctly answer with attestation type “none”. The webauthn-lib that Nextcloud uses can handle the “packed” attestation, but Nextcloud is missing the correct initialization to do so. The effect is that you can’t add new YubiKeys to Nextcloud using Firefox.

The second problem is a bug in (at least) NC 21 in the QBMapper function “insertOrUpdate”. The function first tries to insert a new value, and when an exception of type “unique contraint violation” is caught, it tries to update. The problem is that it tries to catch the wrong exception class. It catches OCP\DB\Exception when the actual exception is Doctrine\DBAL\Exception\UniqueConstraintViolationException.
This bug stops you from logging in with the YubiKey, no matter which browser. But the good news is: This bug is already fixed in the master branch: server/QBMapper.php at d78449c01cf1cc608eca7a4d6ae675f1bc3e8aeb · nextcloud/server · GitHub


@BaertigerMann thank you for that investigation!

I didn’t use webauthn login for some time and perform upgrade from NC19 to NC21 and (in between my IT dept forced the upgrade from win10 18?? to 1909) as result of this thread I decided to test - can confirm webauthn second factor fails with Nitrokey against NC21.0.2 and FF88.0.1 and Edge 99.0.818.66 on Windows 10 1909

in the log the only related message looks like

[no app in context] Info: Deprecated event type for OCP\Authentication\TwoFactorAuth\IProvider::failed: Symfony\Component\EventDispatcher\GenericEvent is used

POST /login/challenge/twofactor_webauthn
from by $user at 2021-05-27T21:27:10+00:00

Tested again…

I can enroll Yubikeys (blue and black) on the latest NC.
I can use successfully either of them as 2FA login.
I can’t use any of them for passwordless login…

And this fix does not work

It’s also 6 weeks old…

When I said (above) it was working with RC1 of the v.21 I don’t think I tested it with passwordless login (just 2FA)…

  • I tested one instance where I had Nitrokey setup before - 2nd factor with Nitrokey fails (after Windows dialog shows up and disappears).
  • On the other instance where Webauthn is not enabled even registering the Webauthn fails (looks successful but device is never added - keeps spinning forever at “adding device”)
  • error in NC log is the same as mentioned before


UPDATE: registering new Webauthn device

  • fingerprint reader worked
  • Ntrokey FIDO2 never completes (touch device, enter pin successful, last step assign device name never completes)


Just tested successfully using latest docker NC 21.0.2 (version from 04.06.2021) and Two-Factor Webauthn 0.2.10

Mhm, I am also running the latest version of nextcloud but still having this issue since i upgraded to 21.

I have the same issue with NC 21.03 on Safari 14.1.1, Big Sur, Apple M1 and Safari Technology Preview Release 127 (for Safari 15.0).
Firefox and Chrome work fine.

Since the upgrade of NC from 20.x to 21.0.3 the passwordless authentication does not work anymore. I am trying a yubikey with Firefox 78.11.0esr and Chromium 90.0.4430.212.
There is the following error in the NC log:

[index] Error: Doctrine\DBAL\Exception\UniqueConstraintViolationException: An exception occurred while executing a query: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry ‘2’ for key ‘PRIMARY’ at <>

  1. /var/www/html/nextcloud/3rdparty/doctrine/dbal/src/Connection.php line 1728
    Doctrine\DBAL\Driver\API\MySQL\ExceptionConverter->convert(Doctrine\DBAL\Driver\PDO\Exception {}, Doctrine\DBAL\Query {})
  2. /var/www/html/nextcloud/3rdparty/doctrine/dbal/src/Connection.php line 1667
    Doctrine\DBAL\Connection->handleDriverException(Doctrine\DBAL\Driver\PDO\Exception {}, Doctrine\DBAL\Query {})
  3. /var/www/html/nextcloud/3rdparty/doctrine/dbal/src/Connection.php line 1146
    Doctrine\DBAL\Connection->convertExceptionDuringQuery(Doctrine\DBAL\Driver\PDO\Exception {}, “INSERT INTO `oc … )”, ["Yubico Securit … 2], [2,2,2,2,1])
  4. /var/www/html/nextcloud/lib/private/DB/Connection.php line 257
    Doctrine\DBAL\Connection->executeStatement(“INSERT INTO `oc … )”, ["Yubico Securit … 2], [2,2,2,2,1])
  5. /var/www/html/nextcloud/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php line 213
    OC\DB\Connection->executeStatement(“INSERT INTO `oc … )”, {dcValue1: "Yubi … 2}, {dcValue1: 2,dcV … 1})
  6. /var/www/html/nextcloud/lib/private/DB/QueryBuilder/QueryBuilder.php line 287
  7. /var/www/html/nextcloud/lib/public/AppFramework/Db/QBMapper.php line 139
  8. /var/www/html/nextcloud/lib/public/AppFramework/Db/QBMapper.php line 164
    OCP\AppFramework\Db\QBMapper->insert(OC\Authenticatio … 2})
  9. /var/www/html/nextcloud/lib/private/Authentication/WebAuthn/CredentialRepository.php line 89
    OCP\AppFramework\Db\QBMapper->insertOrUpdate(OC\Authenticatio … 2})
  10. /var/www/html/nextcloud/lib/private/Authentication/WebAuthn/CredentialRepository.php line 93
    OC\Authentication\WebAuthn\CredentialRepository->saveAndReturnCredentialSource(Webauthn\PublicKeyCredentialSource {}, “default”)
  11. /var/www/html/nextcloud/3rdparty/web-auth/webauthn-lib/src/AuthenticatorAssertionResponseValidator.php line 206
    OC\Authentication\WebAuthn\CredentialRepository->saveCredentialSource(Webauthn\PublicKeyCredentialSource {})
  12. /var/www/html/nextcloud/lib/private/Authentication/WebAuthn/Manager.php line 235
    Webauthn\AuthenticatorAssertionResponseValidator->check(null, Webauthn\Authent … {}, Webauthn\PublicK … {}, GuzzleHttp\Psr7\ServerRequest {}, “nextcloud”)
  13. /var/www/html/nextcloud/core/Controller/WebAuthnController.php line 107
    OC\Authentication\WebAuthn\Manager->finishAuthentication(Webauthn\PublicK … {}, “{“id”:”-V0gM … }", “nextcloud”)
  14. /var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 218
    OC\Core\Controller\WebAuthnController->finishAuthentication("{“id”:"-V0gM … }")
  15. /var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 127
    OC\AppFramework\Http\Dispatcher->executeController(OC\Core\Controller\WebAuthnController {}, “finishAuthentication”)
  16. /var/www/html/nextcloud/lib/private/AppFramework/App.php line 157
    OC\AppFramework\Http\Dispatcher->dispatch(OC\Core\Controller\WebAuthnController {}, “finishAuthentication”)
  17. /var/www/html/nextcloud/lib/private/Route/Router.php line 302
    OC\AppFramework\App::main(“OC\Core\Contr … r”, “finishAuthentication”, OC\AppFramework\ … {}, {_route: "core.W … "})
  18. /var/www/html/nextcloud/lib/base.php line 993
  19. /var/www/html/nextcloud/index.php line 37

POST /login/webauthn/finish
from at 2021-07-26T14:53:31+00:00