I am trying to generate an app password and I am following the instructions given in the documentation here: Login Flow — Nextcloud latest Developer Manual latest documentation
So at the last step of the Login flow v2 when I run this curl post request:
curl -sLX POST https://192.168.1.56/nextcloud/login/v2/poll -d "token=cDvdG1ZHA30FAyanF1zVzgotDiaU3vrHoRSg8UyMKXWq0RpjBTlIPr5Dl2UAFQoeEydM5TukNvcUI0x5G0rv152Uo3Q5HuPBRmfTpFQfFxdQ2AVgHrKgo1wcApN7DZ"
The URL seems to run fine, but I do not get the output shown in the documentation.
it works in my NC24.0.5 exactly as described.
dumb question - did you complete the login using your browser?
Well, yes, it is probably dumb, sorry, but I did try the steps in the browser and separately with a new token in the shell as well. Thanks
Can you share the steps you run to achieve your claim it works?
1. run a request against
2. extract login URL from JSON object returned in step 1
3. visit login URL from step 2 with your browser (no login required, just grant access)
4. /login/v2/poll and send the token → receive expected response - returns the object only once!!

optional: verify new session created “User > Security” - in my case the UA was "PowerShell…" - which I use for the initial request to

surprisingly step 4 didn’t work with PowerShell invoke-webRequest for some reason, but Linux curl was just fine…
This looks plain simple, why are things getting out of hand?
Just 2 days back I was able to perform step 1 in the browser.
Tried in the REST client.
Thank you @wwe for staying here with me. I have made progress and understood the login flow v2 better. Now when I try to open the login URL to authenticate, the webview opens, I enter my credentials, and then we reach the grant page; on clicking the Grant button nothing happens.
I tested the same URL on other devices as well and got the same result. I am not able to navigate beyond that point. Googling a bit I found this: App "stuck" in webview after login? · Issue #7075 · nextcloud/android · GitHub
which is more like what I just faced. However, they discussed upgrading and the problem went away; I already have Nextcloud and all apps up to date.
I checked the browser console when I click on the Grant button and I spotted this:
The error says "The page setting blocked loading of resource form-action". What page setting might it be, and where did it come from? I am confused here.
I checked haproxy config I definitely have
Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self' sis.redsys.es; frame-ancestors 'self'" set in apache2 config
http-response set-header Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self';" in haproxy .
restarted apache2 and haproxy server … still cannot go beyond Grant page.
Went further to dig into the NC PHP code base and am just wondering why
header("Content-Security-Policy: default-src 'self'");
is not set at the LoginFlowV2 ?
you are accessing the original website with https:// but the URL /login/v2/grant is redirecting to plain http:// which is not allowed by the browser. Most likely something is wrong with your reverse proxy config
'overwriteprotocol' => 'https', in my config.php file and all of the problems solved.
Not sure how I missed it over 2 years and never had issue before like this.
Thank you again.
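Added example, not part of the thread or of Nextcloud's code: a check that the URLs a server returns from the initial /login/v2 request stay on the HTTPS origin the client used, which catches the https-to-http downgrade diagnosed above before the Grant form is blocked by form-action 'self'. The host name, token and sample responses are constructed; the JSON fields (login, poll.endpoint, poll.token) follow the documented Login Flow v2 response.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))

def check_flow_urls(base_url, init_response):
    """List (field, problem, url) for flow URLs that leave base_url's origin."""
    data = json.loads(init_response)
    candidates = {"login": data["login"],
                  "poll.endpoint": data["poll"]["endpoint"]}
    want = origin(base_url)
    findings = []
    for field, url in candidates.items():
        got = origin(url)
        if got == want:
            continue
        # Same host but plain http: the server does not know it sits behind
        # a TLS-terminating proxy (the case fixed by 'overwriteprotocol').
        if got[1] == want[1] and want[0] == "https" and got[0] == "http":
            findings.append((field, "downgrade", url))
        else:
            findings.append((field, "origin-mismatch", url))
    return findings

# Constructed sample data: what the client requested and what came back.
BASE = "https://cloud.example.com/nextcloud"
BROKEN = json.dumps({
    "poll": {"token": "CONSTRUCTED-TOKEN",
             "endpoint": "http://cloud.example.com/nextcloud/login/v2/poll"},
    "login": "http://cloud.example.com/nextcloud/login/v2/flow/CONSTRUCTED",
})
FIXED = BROKEN.replace("http://", "https://")

if __name__ == "__main__":
    for label, body in (("before fix", BROKEN), ("after fix", FIXED)):
        print(label, check_flow_urls(BASE, body) or "ok")
```

Running the same check against the real response from step 1 shows whether the reverse proxy and config.php agree on the protocol.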