freeotp / freeotp-android

Apache License 2.0

FreeOTP Android 2.0 no longer works with Nextcloud (https://nextcloud.com/) #295

Open devo001 opened 1 year ago

devo001 commented 1 year ago

We've successfully used FreeOTP Android (<2.0) to scan TOTP QR codes generated by Nextcloud before. All new users downloading FreeOTP Android 2.0 now receive a "Token is invalid" error message and are unable to use the Nextcloud system.

FreeOTP IOS 2.3.2 scans the same codes successfully, as do other Android TOTP authenticator apps.

Any guidance you could provide would be greatly appreciated.

justin-stephenson commented 1 year ago

Hi,

Could you post the OTP URI which NextCloud provides as a QR code image, such as:

otpauth://hotp/?secret=62tsfhk2k2gjybsk2idba3i4one2yzcj5dhwftsxk6xdwve4lram2gyq&algorithm=SHA256&digits=6&period=30&lock=false&counter=0

Please use a test account which does not contain actual sensitive OTP data in the secret value.

devo001 commented 1 year ago

Hi Justin,

Apologies for the delay.

I’ve changed the original values to equivalents. Trust I’ve captured the URI correctly.

otpauth://totp/ABC%20Nextcloud%3Aguest%40nextcloud.com%3A12345?secret=ABCD1E23FGH4I5J6&issuer=ABC%20Nextcloud

Thank you.


justin-stephenson commented 1 year ago

Hi,

The issue is with the Label field which NextCloud creates. The colon : (or %3A) is used as a delimiter between the issuer and the account name. It is expected there will be only one colon (or %3A) delimiter, per the link above:

The issuer prefix and account name should be separated by a literal or url-encoded colon, and optional spaces may precede the account name. Neither issuer nor account name may themselves contain a colon.

Inserting the otpauth URI into the 2FA QR Code Generator, you can quickly see that it sets this label: ABC Nextcloud:guest@nextcloud.com:12345.

For now, you can fix this issue by adding this URI into the 2FA QR Code Generator linked above and removing one of the %3A values from the string, then scan the resulting image.

In the example you provided I also had to change the secret value to a valid base32 encoded value.

justin-stephenson commented 1 year ago

@devo001 It could be helpful to create a ticket with nextCloud re-stating the above information, I would do so myself but I'm not sure where is the correct place to file such a ticket.

devo001 commented 1 year ago

Thank you for your evaluation and guidance Justin,

I’m happy to log the issue with Nextcloud.


ploxiln commented 1 year ago

Even if the Nextcloud otpauth uri is somewhat invalid, it may be pragmatic to restore support for this kind of invalid label in FreeOTP. Not everyone will upgrade Nextcloud right away, and there are likely some other applications similarly affected, since other OTP apps seem to tolerate it.

justin-stephenson commented 1 year ago

> Even if the Nextcloud otpauth uri is somewhat invalid, it may be pragmatic to restore support for this kind of invalid label in FreeOTP. Not everyone will upgrade Nextcloud right away, and there are likely some other applications similarly affected, since other OTP apps seem to tolerate it.

That's fair, we could add an exception for NextCloud. The add was failing here [1] if I remember correctly. PRs are welcome.

[1] https://github.com/freeotp/freeotp-android/blob/ab6ab2b565195ee919fbb552d58e31924b09a968/mobile/src/main/java/org/fedorahosted/freeotp/Token.java#L228
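The following is an added example, written for this page and not code from FreeOTP or Nextcloud. It shows the two failure modes Justin diagnosed above (a label with a second colon, and a secret that is not valid base32) and the lenient behaviour ploxiln asks for: a strict mode that rejects any label with more than one colon, and a tolerant mode that splits on the first colon only and keeps the rest as the account name. The sample URIs are constructed from the ones posted in this thread; the secrets are dummies (the tolerant-mode sample uses a well-known test vector), and the "split on the first colon" policy is an assumption about how other authenticator apps tolerate such labels, not something the thread confirms.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample URIs (assumptions for this example, dummy secrets).
# Nextcloud-style label with two colons and a valid base32 secret:
NEXTCLOUD_LABEL_URI = (
    "otpauth://totp/ABC%20Nextcloud%3Aguest%40nextcloud.com%3A12345"
    "?secret=JBSWY3DPEHPK3PXP&issuer=ABC%20Nextcloud"
)
# The URI as posted in the thread: two colons AND a secret containing '1',
# which is outside the base32 alphabet (A-Z, 2-7).
ISSUE_SAMPLE_URI = (
    "otpauth://totp/ABC%20Nextcloud%3Aguest%40nextcloud.com%3A12345"
    "?secret=ABCD1E23FGH4I5J6&issuer=ABC%20Nextcloud"
)
# Spec-conforming label: exactly one colon between issuer and account.
SPEC_STYLE_URI = (
    "otpauth://totp/ABC%20Nextcloud%3Aguest%40nextcloud.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=ABC%20Nextcloud"
)


class TokenUriError(ValueError):
    """Raised when an otpauth URI cannot be turned into a token."""


def split_label(label, strict=True):
    """Split the decoded label into (issuer_prefix, account_name).

    strict=True follows the Key URI format: issuer and account are separated
    by one colon and neither may itself contain a colon.
    strict=False is the tolerant policy assumed here: split on the first
    colon only, so 'A:b:c' becomes issuer 'A', account 'b:c'.
    """
    if ":" not in label:
        return None, label.strip()
    if strict and label.count(":") > 1:
        raise TokenUriError("label has more than one colon: %r" % label)
    issuer, account = label.split(":", 1)
    return issuer, account.lstrip(" ")  # optional spaces may precede the account


def decode_base32_secret(secret):
    """Decode the secret, accepting lower case and missing '=' padding."""
    normalized = secret.strip().replace(" ", "")
    padded = normalized + "=" * (-len(normalized) % 8)
    try:
        return base64.b32decode(padded, casefold=True)
    except binascii.Error as exc:
        raise TokenUriError("secret is not valid base32: %s" % exc) from None


def parse_otpauth(uri, strict=True):
    """Parse an otpauth:// URI into a token dict, or raise TokenUriError."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise TokenUriError("not an otpauth URI")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise TokenUriError("unknown OTP type %r" % otp_type)
    label = unquote(parts.path.lstrip("/"))
    issuer_prefix, account = split_label(label, strict=strict)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise TokenUriError("missing secret parameter")
    secret = decode_base32_secret(params["secret"])
    issuer_param = params.get("issuer")
    # The Key URI format says a label prefix and an issuer parameter, when
    # both present, should agree; only enforce that in strict mode.
    if strict and issuer_prefix and issuer_param and issuer_prefix != issuer_param:
        raise TokenUriError("issuer prefix and issuer parameter disagree")
    token = {
        "type": otp_type,
        "issuer": issuer_param or issuer_prefix,
        "account": account,
        "secret": secret,
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }
    if otp_type == "hotp":
        token["counter"] = int(params.get("counter", "0"))
    return token


def try_parse(uri, strict=True):
    """Return (token, None) on success or (None, error message) on failure."""
    try:
        return parse_otpauth(uri, strict=strict), None
    except TokenUriError as exc:
        return None, str(exc)


if __name__ == "__main__":
    for name, uri in [("nextcloud label", NEXTCLOUD_LABEL_URI),
                      ("thread sample", ISSUE_SAMPLE_URI),
                      ("spec style", SPEC_STYLE_URI)]:
        for strict in (True, False):
            token, err = try_parse(uri, strict=strict)
            print(name, "strict" if strict else "tolerant",
                  "->", err or (token["issuer"], token["account"]))
```

In strict mode the Nextcloud-style label is rejected on the colon count before the secret is even looked at, which matches the "Token is invalid" symptom; in tolerant mode it parses with the account name keeping its trailing ":12345". The URI exactly as posted in the thread fails in both modes, but for a different reason in tolerant mode: its secret is not base32, which is the second correction Justin had to make.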