Steps to reproduce
Expected behaviour
Starting with Nextcloud 15
For password changes in external user backends the device-specific passwords are marked as invalid and once a login of the user account with the main password happens all device-specific passwords are updated and work again.
Actual behaviour
After logging in to Nextcloud using a web browser, all app tokens (WebDAV and Nextcloud sync client) don't work.
Server configuration
Operating system: Ubuntu 18.04
Web server: nginx-1.16.1
Database: MariaDB 10.4.11
PHP version: 7.3.13
Nextcloud version: 17.0.2
Updated from an older Nextcloud/ownCloud or fresh install: Fresh install
Could you help me with this please?
cc @ChristophWurst as you're the authentication / app password expert
Thank you
I've just tested and changing password works as expected when user is local. Issue seems to be only when user is in Active Directory.
Hi,
I just wonder - is there any chance it will be looked at? I've also tested on Nextcloud 15 and this doesn't work there either.
This should be fixed since https://github.com/nextcloud/server/pull/11390. cc @rullzer
Hi Christoph,
Many thanks for your reply.
I've just enabled debug level of logs and done some additional tests - it looks like the behaviour is more complex than just working or not. I have a WebDAV mapped drive using RaiDrive (with a manually created token) and Nextcloud client 2.6.2 on the same Windows 10 machine. I've repeated the test twice again - results below.
Surprisingly, WebDAV started working after a while of waiting (and after I had logged in to the web). Nextcloud client prompted me to log in but it didn't prompt about the password - just to grant access.
WebDAV stopped working completely and even putting in the same app password didn't help. I tried to use WebDAV on another computer with the Windows client, but the password doesn't work there either. However the client is just working and didn't prompt me about anything, so it looks like this particular app token is working fine.
Will you be able to shed some light on it? Is there anything I missed in my test?
Below log from server related to WebDav authentication.
[webdav] Debug: Sabre\DAV\Exception\NotAuthenticated: Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured at <
PROPFIND /remote.php/webdav/
from 192.168.2.44 at 2020-01-27T15:15:52+01:00
Hi,
I believe I've just narrowed this down. Basically, if I change the password and then log in to the Nextcloud website in 5 minutes, the app tokens are working fine. However, if I wait longer (tested around 1 hour) and then log in to the web browser, all app tokens are revoked.
If you need me to do any other test - please let me know - I can do it.
Can you try on a more recent Nextcloud version? 15 is EOL.
I'm using Nextcloud version: 17.0.2 so I guess this is latest production version?
Is there any chance somebody will look at it? I've just tested it again and even if I change the password and log in to the browser straight away, it sometimes works and sometimes doesn't. I can't even find a pattern for this.
Sadly nobody helps me with this :-( Is there anybody else who has this issue? I don't believe nobody is using WebDAV with 2FA and password change policy from Active Directory? It would be great if Virtual Drive would be released but for now I need to use WebDAV....
You could check help.nextcloud.com for similar reports from the community.
Hi Christoph,
Thank you for your reply.
I've tried to find a similar issue on help.nextcloud.com and also a few other websites and wasn't able to. I've tested the behaviour on Nextcloud 17 and another server with version 15 (with the same result). Basically, sometimes when I log in to Nextcloud quickly, the app token is not revoked. But if I wait an hour, it is pretty much always revoked.
I realise you are very busy but is there any chance this will be fixed? I can do tests, send logs and help as much as required from my side.
@ChristophWurst I have certainly encountered this issue since the fix was implemented in PR #11390.
However, since that PR... it worked for maybe a point version or two, but the results are not reliable. Much like @PiotrIr has reported, it works sometimes but doesn't work other times... and there's no pattern.
(I don't know if it's the 5-min wait time thing. I've never really thought about the fact that I should change and login right away, but anecdotally, I think I recall if I did something like that it works more of the time.)
I change my LDAP password every month or so ... and every single time, I have to go into all my clients and change the app tokens. Let me know if there's debug logs or something to help fixing this rather serious annoyance.
Edit: I am on the latest NC 18.0.3. I just did a change about an hour ago and it invalidated all my tokens so I have to start all over again. Log into every single client with LDAP username/password for those which support the auto-token feature thing. And copy this long password for those that don't... :/
Thanks!
Thank you sylikc!
I'm glad somebody else reported this issue. From my side I can also offer any necessary help to resolve this problem.
@rullzer @ChristophWurst I experienced this again today. I waited for the LDAP password to expire, then did the change and logged into Nextcloud.
Tokens were all still invalid.
I can probably set up a mini virtual lab to test this, but is there anything that would help you to debug this, or how I would debug this in order to help gather the information for a fix?
Are the tokens being invalidated after a use when the password is invalid (LDAP password not changed yet)?
Thanks