Password Expiration Causes Silent Authentication Failures (Desktop Client Shows Generic 503 Error)

After being logged out of my Nextcloud desktop client, I encountered a 503 Service Unavailable error when trying to reconnect, despite the server being accessible via browser and mobile apps. After extensive troubleshooting, I discovered the root cause was an expired password–but this was never clearly communicated in the desktop client or error messages. Here are the steps I took to investigate this problem.

Steps I took (and hidden errors)

  1. Initial error in Desktop Client

    • Popup: “Secure connection to https://nextcloud-remote-server.com failed” with options to retry or use HTTP.
    • No mention of password issues.
  2. Debugging Attempts

    • Verified the server:
      • Web interface worked fine (no password warnings)
      • Certificate valid (DigiCert, not expired)
    • Checked logs:
      • Desktop client logs showed 503 Service Unavailable for WebDAV (/remote.php/dav/files)
      • No explicit “password expired” message–just generic auth failures.
    • Manual WebDAV test:
       curl -X PROPFIND -u "user:app_password" https://nextcloud-remote-server.com/remote.php/dav/files/user/
      
      • Finally revealed the cause:
         <d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
           <s:exception>Sabre\DAV\Exception\ServiceUnavailable</s:exception>
           <s:message>OC/User/LoginException: Password is expired, please use forgot password method to reset</s:message>
         </d:error>
        
  3. Root Cause

    • My password had expired due to an admin policy, but:
      • No notification in the web UI, and I was still able to log out and back in in the web client
      • Desktop client masked this behind a “Secure connection to server failed” error, suggesting a server issue.

Suggested Improvements

  1. Desktop Client
  • Detect and display password expiration errors explicitly (e.g., “Your password has expired—reset it in the web interface”).
  • Stop hiding auth failures behind 503/401 codes.
  2. Web Interface
  • Show visible warnings to users with expired passwords (e.g., banner, email notification).

Question for Discussion:

  1. Is there a technical reason password expiration can’t trigger clear client-side warnings?

  2. Could we add:

    • A “days until expiry” counter in web UI?
    • Desktop client notifications before revocation?
  3. Should app passwords be exempt from expiration (with admin option)?

1 Like
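
The manual WebDAV check from the post above, turned into a small classifier (an added example, not part of the original post and not Nextcloud's code): it parses the SabreDAV error body returned for the PROPFIND request and separates an expired-password rejection from a real outage. The function names and category labels are hypothetical, and the string matching is an assumption based only on the single response body quoted in the post.

```python
import xml.etree.ElementTree as ET

SABRE_NS = {"d": "DAV:", "s": "http://sabredav.org/ns"}

# Response body as quoted in the post above.
SAMPLE_BODY = r"""<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\ServiceUnavailable</s:exception>
  <s:message>OC/User/LoginException: Password is expired, please use forgot password method to reset</s:message>
</d:error>"""


def parse_sabre_error(body):
    """Return (exception, message) from a <d:error> body, or (None, None)."""
    # Refuse DTDs and entity declarations: a DAV error body needs neither,
    # and this also rejects HTML error pages served by a proxy.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return None, None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, None
    if root.tag != "{DAV:}error":
        return None, None
    exc = root.findtext("s:exception", default="", namespaces=SABRE_NS).strip()
    msg = root.findtext("s:message", default="", namespaces=SABRE_NS).strip()
    return exc or None, msg or None


def classify(status, body):
    """Map an HTTP status plus response body to a category a client could show."""
    _exc, msg = parse_sabre_error(body)
    text = (msg or "").lower()
    # Assumption: these substrings come from the one message shown in the post.
    if "password is expired" in text:
        return "password_expired"
    if "loginexception" in text:
        return "login_rejected"
    # No login-related detail in the body: trust the status code.
    if status == 503:
        return "server_unavailable"
    if status == 401:
        return "unauthorized"
    return "other"


if __name__ == "__main__":
    print(classify(503, SAMPLE_BODY))
```

The point of the check is that the status code alone is not enough here: the same 503 covers both a login rejection and a server that is actually down, and only the `s:message` element tells them apart.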

Yeah, should probably be better. There’s an open enhancement Issue in the Desktop client for this. It hasn’t gotten a lot of interest so probably low priority. Password expiration isn’t recommended much these days, so that may be at least part of the reason for the lack of interest. I don’t think anyone would be against it being implemented however.

I was still able to log out and back in in the web client

Any chance you’re logging in using your email? If so, this is cleared up in upcoming v32.

A “days until expiry” counter in web UI?

Consider voting on this related enhancement Issue.
