Need help getting flow login to work to get app passowrd

I am trying to generate app password and I am following the instructons given in the documentation here: Login Flow — Nextcloud latest Developer Manual latest documentation

So at the last step of the Login flow v2 when I run this curl post request:

curl -sLX POST https://192.168.1.56/nextcloud/login/v2/poll -d "token=cDvdG1ZHA30FAyanF1zVzgotDiaU3vrHoRSg8UyMKXWq0RpjBTlIPr5Dl2UAFQoeEydM5TukNvcUI0x5G0rv152Uo3Q5HuPBRmfTpFQfFxdQ2AVgHrKgo1wcApN7DZ"

the url gets run seem to be fine but I do not get the output as shown in the documentation
i.e:

{
    "server":"https:\/\/cloud.example.com",
    "loginName":"username",
    "appPassword":"yKTVA4zgxjfivy52WqD8kW3M2pKGQr6srmUXMipRdunxjPFripJn0GMfmtNOqOolYSuJ6sCN"
}

it works in my NC24.0.5 exactly as described.
dumb question - did you complete the login using your browser?

well, yes it is probably dumb, Sorry but I did tried the steps in browser and separately with new token in shell as well. Thanks

Can you share the steps you run to achieve your claim it works?

nothing special,

  1. run a request against /index.php/login/v2
  2. extract login URL from JSON object returned in step 1
  3. visit login URL from step 2 with your browser (no login required, just grant access)
  4. visit /login/v2/poll and send the token → receive expected response - returns the object only once!!
  5. optional: verify new session created “User > Security” - in my case the UA was "PowerShell…* - which I use for the initial request to /index.php/login/v2

surprisingly step 4 didn’t work with PowerShell invoke-webRequest for some reason, but Linux curl was just fine…

This looks plain simple, why is it things getting out of hand
getting_405_error
just 2 days back I was able to perform step 1 in browser.


tried in the rest ciient.

the docs state

This will return a 404 until authentication is done

Thank you @wwe for staying here with me, I have made progress and understood the login flow v2 better, Now when I try to open the login URL to authenticate the webview opens , I put my credentials and then we reach on grant clicking the grant button nothing happens.

I tested the same URL on other devices as well and got the same result. I am not able to navigate beyond that point. Googling a bit I found this: App "stuck" in webview after login? · Issue #7075 · nextcloud/android · GitHub
which is more like what I just faced. However they discussed to upgrade and the problem went away, I already have Nextcloud and all apps up to date.

I checked the browser console when I click on the Grant button and I spotted this:


The error saying "The page setting blocked loading of resource form-action " what page setting it might be where it came from ? I am confused here.

I checked haproxy config I definitely have Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self' sis.redsys.es; frame-ancestors 'self'" set in apache2 config

and http-response set-header Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self';" in haproxy .

restarted apache2 and haproxy server … still cannot go beyond Grant page.

went futther to dig in the nc php code base and just wondering why

header("Content-Security-Policy: default-src 'self'");

is not set at the LoginFlowV2 ?

you are accessing the original website with https:// but the URL /login/v2/grant redirecting to plain http:// which is not allowed by the browser. Most likely something is wrong with you reverse proxy config

1 Like

I added 'overwriteprotocol' => 'https', in my config.php file and all of the problems solved.

Not sure how I missed it over 2 years and never had issue before like this.

Thank you again.

1 Like