TL;DR: It does work for an existing user on a different client system, however the different client I used was also a different platform (iOS NextCloud app), so it’s always possible that it works on iOS and not on Ubuntu, or that the app password works in a NextCloud app, but not with WebDAV.
Here’s how I tested:
- Set up a NextCloud account (running NextCloud snap version 20 on Ubuntu Core on a Raspberry Pi).
- Created my user account, not using TOTP.
- In GNOME Settings, added my NextCloud account.
- In “Files” app, mounted my NextCloud instance. Mounted as expected.
- Logged into NextCloud in my browser, installed and turned on TOTP. Confirmed I can log out and back in using one-time password in Firefox (tested on Ubuntu laptop and a few other devices).
- In GNOME Settings, removed my NextCloud account (clicked the big red “Remove” button).
- In NextCloud > Settings > Security, created an app password.
- In GNOME Settings, clicked NextCloud, entered my URL, username, and the app password and clicked “Connect”. Ubuntu accepted the credentials. (Note: I don’t know what happens if I deliberately enter bad credentials).
- Navigated to File app, right-click my URL in the sidebar, select “mount”.
- My NextCloud files appear in the Files app
Then, I tested another client:
- Downloaded the NextCloud app from the App Store onto my iPad Pro
- In NextCloud (in a browser), created an app password for the iPad
- Ran the NextCloud app on the iPad, selecting the option to use an app token
- Entered my username and app password
Login succeeded as expected.
- In NextCloud > Settings > Security > Devices & sessions, I revoked the previous sessions from my Ubuntu device - I suspected that maybe either Ubuntu had a session token or NextCloud was expecting a session token from the device; that is, one side or the other wasn’t expecting the app password. This didn’t resolve the issue.
- I’m unable to mount a WebDAV drive in GNOME. I haven’t tried accessing contacts or calendars.
- I’m able to mount the WebDAV URL if I use davfs from the command line. This would seem to support the theory that GNOME is caching the old password:
# This works
sudo apt install davfs2 # Select Yes when prompted to let users mount drives
echo "https://NEXTCLOUD_DOMAIN/remote.php/dav/files/NEXTCLOUD_USERNAME/ $HOME/nc davfs user 0 0" | sudo tee -a /etc/fstab
usermod -a -G davfs2 $LOGNAME
mount $HOME/nc # Will prompt for nextcloud username and password
#Store secrets so you're not prompted
echo "$HOME/nc NEXTCLOUD_USERNAME NEXTCLOUD_APP_PASSWORD" >> ~/.davfs2/secrets
chmod 600 ~/.davfs2/secrets