Server: Retrieving user profile over OCS-API with OAuth2 bearer token fails when using 2FA

Created on 16 Nov 2018 · 3 Comments · Source: nextcloud/server

Steps to reproduce

  1. Enable Two-Factor Authentication.
  2. Configure an OAuth2-Account (in this case for CodiMD).
  3. Authenticate over OAuth2.
  4. Try to call /ocs/v2.php/cloud/user?format=json using the OAuth2 bearer token as authentication, see here

Expected behaviour

The user info should be returned as JSON.

Actual behaviour

One gets redirected to /login/selectchallenge?redirect_url=/ocs/v2.php/cloud/user%3Fformat%3Djson, which shouldn't happen when using the OAuth2 bearer token.

Server configuration

Operating system: Linux

Web server: nginx

Database: PostgreSQL

PHP version: 7.2.12

Nextcloud version: 14.0.3

Updated from an older Nextcloud/ownCloud or fresh install: Updated.

Where did you install Nextcloud from: Arch Linux repositories

(This is my data, but the problem occurs for @SISheogorath too; I don't know his setup.)


This problem was discovered in an issue over at CodiMD. When using Nextcloud as OAuth2 provider, signing in fails if 2FA is enabled; as it turned out, this is because Nextcloud redirects the profile request to the selectchallenge page.

Labels: bug, authentication
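The reproduction in step 4 as a scripted regression check, added here and not part of the issue or the Nextcloud project. It assumes `NEXTCLOUD_URL` and `OAUTH_TOKEN` point at a reachable instance and a valid OAuth2 bearer token for a 2FA-enabled account, and that the `OCS-APIRequest: true` header is wanted on OCS calls; the response is classified without following redirects so the selectchallenge redirect is reported instead of being silently turned into a login page.

```shell
#!/bin/sh
# Added regression check for this issue (not Nextcloud project code).
# Assumptions: NEXTCLOUD_URL and OAUTH_TOKEN hold a reachable instance and a
# valid OAuth2 bearer token for a 2FA-enabled account; curl is installed.

# Classify one response by HTTP status and the Location target curl reports.
# Prints "ok" for a 200 (JSON body expected), "2fa-redirect" for the bug
# described in this issue, and "other" for anything else.
classify_ocs_response() {
    code=$1
    redirect=$2
    case "$code" in
        200) echo ok ;;
        30[1278])
            case "$redirect" in
                */login/selectchallenge*) echo 2fa-redirect ;;
                *) echo other ;;
            esac ;;
        *) echo other ;;
    esac
}

# Issue the request from step 4 with the bearer token and do NOT follow
# redirects (-L is deliberately absent), then classify status + Location.
check_ocs_user() {
    base=${1%/}
    token=$2
    result=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' \
        -H "Authorization: Bearer $token" \
        -H 'OCS-APIRequest: true' \
        "$base/ocs/v2.php/cloud/user?format=json") || return 2
    code=${result%% *}
    redirect=${result#* }
    classify_ocs_response "$code" "$redirect"
}

# Run only when a live instance is configured; exit non-zero on regression.
if [ -n "${NEXTCLOUD_URL:-}" ] && [ -n "${OAUTH_TOKEN:-}" ]; then
    verdict=$(check_ocs_user "$NEXTCLOUD_URL" "$OAUTH_TOKEN")
    echo "$verdict"
    [ "$verdict" = ok ]
fi
```

An exit status of 0 with `ok` means the profile was served to the token; `2fa-redirect` reproduces the behaviour reported above.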

All 3 comments

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/8288 (getUsername() fails with user_ldap (using OCS API)), https://github.com/nextcloud/server/issues/7744 (Ability to update user profile picture with OCS API), https://github.com/nextcloud/server/issues/6026 (User Provisioning API request fails with "Bad request"), https://github.com/nextcloud/server/issues/9532 (OCS API user info returns incomplete data), and https://github.com/nextcloud/server/issues/2753 ("CSRF check failed" when using nextcloud/ocs/v1.php/cloud/users API).

I'm seeing this issue as well. None of the issues referenced above is related. Will try to come up with a PR.

I guess this TODO would already be a hint: // TODO: dont check/enforce 2FA if a auth token is used
