Webdav doesn't work with TOTP authentication (even with App password)

Hi,

I recently enabled TOTP and everything worked fine, until I tried to access my files using webdav.
I properly reconfigured my webdav client, using an app password, but it won’t access my files. The client displays: “HTTP Error: Unauthorised”. The server shows a few errors in the logs. You can find both screenshots linked to this message.

I tried to disable TOTP authentication to see if it was really the cause of the problem, and I could now access my files.

Has anyone got an idea?

Thanks,

Best regards,
Miocastoor

Nextcloud version : Nextcloud 11.0.1 (stable)
Operating system and version :

  • Client: Fedora 25, nautilus (webdav client) and the Online Accounts functionality.
  • Server: Debian 8.7
    nginx version : 1.6.2-5+deb8u4
    PHP version : 5.6.30+dfsg-0+deb8u1

You need to use the app-password function for WebDAV clients.

Thanks for your answer, but as I said, I’ve already tried to use an app password, unsuccessfully.

If you disable TOTP, does the app password then work too?

I just tried and it seems to work.

So there is no way to make it work with webdav?

Can you explain how you use the app password? For me it works very well with every client.

I open the menu, then Personal -> App passwords, I create a new app password (which I called “Fedora Online Accounts”), and I use the generated password when authenticating in Online Accounts in the settings panel of gnome.

Curious. I can’t try it with Linux desktop, I use Windows. Has the Server any error log?

I have Linux too, and used cadaver (a command-line WebDAV tool) and Thunar (in XFCE); both worked with TOTP and an app password.

Only the logs provided in my first message, which appear when TOTP is enabled.

I have the same problem too.

I’m having the same problem. Can’t get webdav to connect from Thunar / Gigolo when TOTP is enabled even though I’ve generated an app pw. Simply says “Login failed…” in the logs

Which version of NC are you using?

Is your username correct? I use IMAP for authentication with the domain set in the configuration. Depending on how I log in, the username that the app passwords are created as changes.

Hi, it did not work for the normal mount command; however, after putting the credentials under /etc/davfs/secrets I was able to mount the folders :)

Same Problem. My theory: I connected to the same account before without totp.

I tried with another account where I used TOTP at first connection and everything went fine.

…facing same issue, I can confirm

New users with TOTP active before first connect -> works.
Existing users who previously connected and activated TOTP later -> fails.

Both users have a device/session token (not using their nc password).

Does it work for an existing user but on a different client system (so perhaps the client system somehow tries to use the old password).

TL;DR: It does work for an existing user on a different client system, however the different client I used was also a different platform (iOS NextCloud app), so it’s always possible that it works on iOS and not on Ubuntu, or that the app password works in a NextCloud app, but not with WebDAV.

Here’s how I tested:

  • Set up a NextCloud account (running NextCloud snap version 20 on Ubuntu Core on a Raspberry Pi).
  • Created my user account, not using TOTP.
  • In GNOME Settings, added my NextCloud account.
  • In “Files” app, mounted my NextCloud instance. Mounted as expected.
  • Logged into NextCloud in my browser, installed and turned on TOTP. Confirmed I can log out and back in using one-time password in Firefox (tested on Ubuntu laptop and a few other devices).
  • In GNOME Settings, removed my NextCloud account (clicked the big red “Remove” button).
  • In NextCloud > Settings > Security, created an app password.
  • In GNOME Settings, clicked NextCloud, entered my URL, username, and the app password and clicked “Connect”. Ubuntu accepted the credentials. (Note: I don’t know what happens if I deliberately enter bad credentials).
  • Navigated to the Files app, right-clicked my URL in the sidebar, and selected “mount”.

Expected result:

  • My NextCloud files appear in the Files app

Actual result:

  • Dialog appears stating “Unable to access user@mydomain.com HTTP Error: Unauthorized”

Then, I tested another client:

  • Downloaded the NextCloud app from the App Store onto my iPad Pro
  • In NextCloud (in a browser), created an app password for the iPad
  • Ran the NextCloud app on the iPad, selecting the option to use an app token
  • Entered my username and app password

Login succeeded as expected.

Notes:

  • In NextCloud > Settings > Security > Devices & sessions, I revoked the previous sessions from my Ubuntu device - I suspected that maybe either Ubuntu had a session token or NextCloud was expecting a session token from the device; that is, one side or the other wasn’t expecting the app password. This didn’t resolve the issue.
  • I’m unable to mount a WebDAV drive in GNOME. I haven’t tried accessing contacts or calendars.
  • I’m able to mount the WebDAV URL if I use davfs from the command line. This would seem to support the theory that GNOME is caching the old password:
# This works
sudo apt install davfs2 # Select Yes when prompted to let users mount drives
mkdir -p "$HOME/nc"
echo "https://NEXTCLOUD_DOMAIN/remote.php/dav/files/NEXTCLOUD_USERNAME/ $HOME/nc davfs user 0 0" | sudo tee -a /etc/fstab
sudo usermod -a -G davfs2 "$LOGNAME" # Needs root; log out and back in for the new group to apply
mount "$HOME/nc" # Will prompt for nextcloud username and password
# Store secrets so you're not prompted
mkdir -p ~/.davfs2
# Create the file with owner-only permissions before the app password is written to it
touch ~/.davfs2/secrets
chmod 600 ~/.davfs2/secrets
echo "$HOME/nc NEXTCLOUD_USERNAME NEXTCLOUD_APP_PASSWORD" >> ~/.davfs2/secrets
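
An added example, not part of the original posts: a direct probe of the WebDAV endpoint with the app password, to separate a server-side rejection from a client that is sending a stale credential (the GNOME caching theory above). It assumes curl is installed; the function names, the status labels and the script name are made up for this example, and the username is assumed to need no URL-encoding.

```shell
#!/bin/sh
# Added example. Usage (script name is hypothetical):
#   sh dav_probe.sh https://NEXTCLOUD_DOMAIN NEXTCLOUD_USERNAME

# Build the per-user WebDAV URL in the same form as the fstab line above.
dav_url() {  # $1 = base URL, $2 = username
  printf '%s/remote.php/dav/files/%s/' "${1%/}" "$2"
}

# Send a Depth: 0 PROPFIND and print only the HTTP status code.
# Credentials reach curl on stdin (-K -), so they never show up in argv or ps.
# Assumes the app password contains no double quote or backslash.
probe_status() {  # $1 = URL, $2 = username, $3 = app password
  printf 'user = "%s:%s"\n' "$2" "$3" |
    curl -K - -s -o /dev/null -w '%{http_code}' \
         -X PROPFIND -H 'Depth: 0' "$1"
}

# Map the status code to what it says about server versus client.
interpret_status() {  # $1 = HTTP status code as printed by curl
  case "$1" in
    207) echo "server-accepts-credentials" ;;  # WebDAV Multi-Status
    401) echo "server-rejects-credentials" ;;
    000) echo "no-http-response" ;;            # curl got no HTTP reply at all
    *)   echo "unexpected-status-$1" ;;
  esac
}

# Run the probe only when called with a base URL and a username.
if [ "$#" -eq 2 ]; then
  printf 'App password: ' >&2
  stty -echo; read -r app_pw; stty echo; echo >&2
  url=$(dav_url "$1" "$2")
  code=$(probe_status "$url" "$2" "$app_pw")
  echo "$url -> HTTP $code ($(interpret_status "$code"))"
fi
```

A 207 here while the desktop client still reports "Unauthorized" means the server accepts the app password and the client is sending something else; a 401 means the server itself is refusing it.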