Remove client app token every 4 hours (we're using 2fa with yubikeys as well)

Nextcloud version: 22
Operating system and version: RHEL 8.5
Apache or nginx version: Apache 2.4
PHP version: 7.4
User backend: LDAP
2FA: YubiKeys

Is it possible to somehow log off user sessions every 4 hours? Edit: that includes the client app tokens, as we realized how to achieve that on the web client via config.php settings.

We can script something that uses the API, but we haven't looked into this yet; we're just checking in with the community beforehand, especially because we're using 2FA with YubiKeys. The end goal is to require the users to touch their keys every 4 hours in order to continue using the app.

We are looking into Nextcloud Enterprise, but we haven't been contacted yet by the sales team :man_shrugging:

For me that would be extremely annoying. Especially if you work on Nextcloud as a platform, use different apps and usually have different tabs open with your work. If you then got logged out and risked losing your work, I would get angry.

That is a requirement for this installation, though.
Users will basically only ever use the Windows client.
You do not risk losing your work, because the client app (at least the Windows one) holds the file locally and just stops syncing; we also have file locking enabled.

Replying to my own post because we found a way to achieve this.
We scripted a procedure in the DB that sets the field "invalid password" to 1 every 4 hours; this causes all the clients to be disconnected and requires them to be granted access again.
We're probably going to develop our own app that does this in a more elaborate fashion and uses the last activity time to do that.
The field is in the table oc_authtokens.

The sales dept hasn't contacted us back yet... We were open to buying this for 500+ users, but the fact that sales cannot contact us back within more than a week (first contact was at least 10 days ago) doesn't bode well.

Ok, I still don't get the requirement for this. Sometimes people ask for strange things and try to implement a solution in a very strange way when there is a better and cleaner way. Sometimes it shows a feature that could be interesting for many other users as well, and it would be interesting to implement it (in case there is no other way to do that).

It's the community forum here, but it might be interesting for @jospoortvliet and the guys and girls from Nextcloud GmbH.

It's considered a security requirement in that environment: they implemented 2FA with YubiKeys, and the IT managers don't consider a client that never requires the token again to be in line with the 2FA philosophy.
We don't know if people actually left their PC on and if somebody else is at their desk.
There's an option in the config.php file for web sessions, and that requires logging in again.
The way the login flow works on NC22, for the desktop client (and I suppose the mobile app as well) a password is generated that is valid forever.
That table also holds the auth tokens for WebDAV clients, and those are invalidated after some time, so I suppose there must be something in the PHP code that looks at the table and invalidates the session for WebDAV clients.

What we want to achieve is that people who use the desktop client on Windows should be able to use the app only if and when they have the 2FA token in the PC.
The way YubiKeys (5C) work, they can only do challenge-response during login; we consider it acceptable to require login again after inactivity or every 4 hours.
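The two posts above describe the same mechanism from two sides: a scheduled job flips the "invalid password" flag on the app-password rows so every desktop client has to re-authenticate (and therefore touch the YubiKey again), and the planned refinement only does this for tokens that have been idle longer than the 4-hour window. The following is an added example written for this thread, not the poster's DB procedure and not Nextcloud's own code. It models the auth-token table in an in-memory SQLite database so it runs offline; the column names `password_invalid`, `last_activity` and `type` (1 = permanent app password, 0 = temporary browser session) are assumptions chosen to match what the posts describe, and a real install names the table with the configured `dbtableprefix` (`oc_` by default; the poster writes it as `oc_authtokens`). The sample rows are constructed.

```python
import sqlite3
import time

FOUR_HOURS = 4 * 60 * 60

# Constructed stand-in for the Nextcloud auth-token table (assumed columns;
# the real table has more).  type 1 = permanent app password used by the
# desktop/mobile clients, type 0 = temporary browser session.
SCHEMA = """
CREATE TABLE oc_authtoken (
    id               INTEGER PRIMARY KEY,
    uid              TEXT    NOT NULL,
    name             TEXT    NOT NULL,            -- client description
    type             INTEGER NOT NULL,            -- 0 temporary, 1 permanent
    last_activity    INTEGER NOT NULL,            -- unix timestamp
    password_invalid INTEGER NOT NULL DEFAULT 0   -- 1 forces re-login
);
"""


def build_db(now: int) -> sqlite3.Connection:
    """Create the constructed table and seed it with four sample tokens."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        # uid,     client,                   type, last_activity,    invalid
        ("alice", "Windows desktop client", 1,    now - 5 * 3600,   0),  # idle > 4h
        ("alice", "Windows desktop client", 1,    now - 10 * 60,    0),  # active
        ("bob",   "Firefox",                0,    now - 6 * 3600,   0),  # web session
        ("carol", "Android app",            1,    now - 9 * 3600,   1),  # already done
    ]
    conn.executemany(
        "INSERT INTO oc_authtoken (uid, name, type, last_activity, password_invalid) "
        "VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def invalidate_idle_app_passwords(conn: sqlite3.Connection, now: int,
                                  max_idle: int = FOUR_HOURS) -> int:
    """Flag permanent app passwords idle for longer than max_idle seconds.

    Returns the number of rows newly flagged.  max_idle=0 reproduces the
    blunt "everyone every 4 hours" variant from the thread when the job is
    scheduled every 4 hours; the default only hits clients that were idle,
    which is the refinement the poster plans.  Browser sessions (type 0)
    are left alone: their lifetime is governed by config.php.
    """
    cur = conn.execute(
        "UPDATE oc_authtoken SET password_invalid = 1 "
        "WHERE type = 1 AND password_invalid = 0 AND last_activity < ?",
        (now - max_idle,),
    )
    conn.commit()
    return cur.rowcount


def invalidated_ids(conn: sqlite3.Connection) -> list:
    """Ids of all tokens currently forced to re-authenticate, ascending."""
    cur = conn.execute(
        "SELECT id FROM oc_authtoken WHERE password_invalid = 1 ORDER BY id"
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    now = int(time.time())
    conn = build_db(now)
    flagged = invalidate_idle_app_passwords(conn, now)
    print(f"flagged {flagged} idle app password(s); invalid ids: {invalidated_ids(conn)}")
```

The query deliberately excludes `type = 0` rows, because the web-session counterpart the poster refers to is the `session_lifetime` key in config.php and does not need a database job. Writing the flag straight into the table, as the thread does, bypasses the application layer, which is one reason the poster's plan to move this into a proper Nextcloud app (using the same last-activity criterion) is the more maintainable end state.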

> It's the community forum here, but it might be interesting for @jospoortvliet and the guys and girls from Nextcloud GmbH.

That would be swell, thanks!
