Server: App Login credentials not working

Created on 15 Jul 2020  ·  9Comments  ·  Source: nextcloud/server

I am using nextcloud 18.0.6 and recently upgraded from 18.0.3.

The additional app passwords from security -> devices & sessions are not working. Passwords are generated over the "Create new app password" button.

I created a new app password, the android nextcloud app responds with incorrect credentials, same by using a browser and the app login.

The log says:

Info core Bruteforce attempt from “****” detected for action “login”.
Warning no app in context Login failed: **** (Remote IP: ****)

I cleared the database bruteforce attempt entry with my IP address, but at the first login attempt with the correct (generated) _app login_ credentials, a new bruteforce attempt entry is created in the database and the login is rejected with "Wrong username or password. "

Update:
_Just tested on a nextcloud hoster with 18.0.6 (updated from 18.0.3), with the same problem!_

Steps to reproduce

  1. maybe upgrade from18.0.3. to 18.0.6
  2. "Create new app password"
  3. Login with the generated password inside browser or android nextcloud app

Expected behaviour

Login successful.

Actual behaviour

Error Message "Wrong username or password. "

Server configuration

Debian buster

Web server:
Apache 2.4.38-3+deb10u3

Database:
MariaDB

PHP version:
php 7.3

**Nextcloud version: 18.0.6

Updated from an older Nextcloud/ownCloud or fresh install:
18.0.3.

Where did you install Nextcloud from:
https://nextcloud.com/install/
Signing status:


Signing status

Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

No errors have been found.

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

```
Enabled:

  • accessibility: 1.4.0
  • activity: 2.11.0
  • admin_audit: 1.8.0
  • calendar: 2.0.3
  • cloud_federation_api: 1.1.0
  • comments: 1.8.0
  • contacts: 3.3.0
  • dav: 1.14.0
  • federatedfilesharing: 1.8.0
  • files: 1.13.1
  • files_pdfviewer: 1.7.0
  • files_rightclick: 0.15.2
  • files_trashbin: 1.8.0
  • files_versions: 1.11.0
  • files_videoplayer: 1.7.0
  • firstrunwizard: 2.7.0
  • logreader: 2.3.0
  • lookup_server_connector: 1.6.0
  • nextcloud_announcements: 1.7.0
  • notes: 3.6.0
  • notifications: 2.6.0
  • oauth2: 1.6.0
  • password_policy: 1.8.0
  • photos: 1.0.0
  • privacy: 1.2.0
  • provisioning_api: 1.8.0
  • recommendations: 0.6.0
  • serverinfo: 1.8.0
  • settings: 1.0.0
  • sharebymail: 1.8.0
  • support: 1.1.1
  • survey_client: 1.6.0
  • systemtags: 1.8.0
  • text: 2.0.0
  • theming: 1.9.0
  • twofactor_backupcodes: 1.7.0
  • updatenotification: 1.8.0
  • viewer: 1.2.0
  • workflowengine: 2.0.0
    Disabled:
  • encryption
  • federation
  • files_external
  • files_sharing
  • user_ldap


**Nextcloud configuration:**
<details>
<summary>Config report</summary>

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "192.168.***.**",
            "*****.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/192.168.***.**\/nextcloud",
        "dbtype": "mysql",
        "version": "18.0.6.0",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "forcessl": true,
        "forceSSLforSubdomains": true,
        "loglevel": 0,
        "theme": "",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "maintenance": false,
        "updatechecker": false,
        "appstoreenabled": true,
        "trashbin_retention_obligation": "auto",
        "htaccess.RewriteBase": "\/nextcloud",
        "mysql.utf8mb4": true,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}
0. Needs triage bug
Source
picture ka223
👍4

Most helpful comment

@nielsenb-jf Sadly the workaround is not working here.

This should be higher priority as it's currently no longer possible to add new apps to the nextcloud account without revealing the main password.

picture MaxXor on 23 Aug 2020
👍3

All 9 comments

Same problem on 19.0.1, newly generated app passwords are no longer working.

MaxXor picture MaxXor on 2 Aug 2020
👍3

Same problem on 18.0.7, debian buster with Apache 2.4 and PHP 7.3

Palulukas picture Palulukas on 11 Aug 2020
👍1

I see the same thing here, errors in the log that I think are related look like this:

[no app in context] Warning: Login failed: nielsenb (Remote IP: 172.19.0.2)

POST /login
from 172.19.0.2 at 2020-08-18T21:23:35+00:00

I am running Nextcloud behind a reverse proxy with nginx to handle SSL. I managed to get things working by setting 'overwriteprotocol' => 'https' in config.php.

nielsenb-jf picture nielsenb-jf on 19 Aug 2020

I see the same thing here, errors in the log that I think are related look like this:

[no app in context] Warning: Login failed: nielsenb (Remote IP: 172.19.0.2)

POST /login
from 172.19.0.2 at 2020-08-18T21:23:35+00:00

I am running Nextcloud behind a reverse proxy with nginx to handle SSL. I managed to get things working by setting 'overwriteprotocol' => 'https' in config.php.

Thanks for your effort, I'll try your fix very soon!

Palulukas picture Palulukas on 19 Aug 2020

I see the same thing here, errors in the log that I think are related look like this:

[no app in context] Warning: Login failed: nielsenb (Remote IP: 172.19.0.2)

POST /login
from 172.19.0.2 at 2020-08-18T21:23:35+00:00

I am running Nextcloud behind a reverse proxy with nginx to handle SSL. I managed to get things working by setting 'overwriteprotocol' => 'https' in config.php.

Still login failed "Wrong username or password. " with app login. :/

ka223 picture ka223 on 19 Aug 2020

@nielsenb-jf Sadly the workaround is not working here.

This should be higher priority as it's currently no longer possible to add new apps to the nextcloud account without revealing the main password.

MaxXor picture MaxXor on 23 Aug 2020
👍3

I see the same thing here, errors in the log that I think are related look like this:

[no app in context] Warning: Login failed: nielsenb (Remote IP: 172.19.0.2)

POST /login
from 172.19.0.2 at 2020-08-18T21:23:35+00:00

I am running Nextcloud behind a reverse proxy with nginx to handle SSL. I managed to get things working by setting 'overwriteprotocol' => 'https' in config.php.

Still login failed "Wrong username or password. " with app login. :/

Same here. :/

Palulukas picture Palulukas on 25 Aug 2020

Also fails for me, Nextcloud 19.0.2

https://<myDomain>.com/index.php/settings/integrity/failed
returns

No errors have been found.

PhilLab picture PhilLab on 27 Aug 2020

Issue persists on Nextcloud 19.0.5.

MaxXor picture MaxXor on 20 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

blackcrack picture blackcrack  ·  3Comments
Django-BOfH picture Django-BOfH  ·  3Comments
georgehrke picture georgehrke  ·  3Comments
georgehrke picture georgehrke  ·  3Comments
dl5rcw picture dl5rcw  ·  3Comments