
Wrong security key is used

Open rajil opened this issue 1 year ago • 14 comments

⚠️ Before posting ⚠️

  • [X] This is a bug, not a question or an enhancement.
  • [X] I've searched for similar issues and didn't find a duplicate.
  • [X] I've written a clear and descriptive title for this issue, not just "Bug" or "Crash".
  • [X] I agree to follow Nextcloud's Code of Conduct.

Steps to reproduce

  1. Set up 'Two-Factor Authentication' and 'Passwordless Authentication' and add Yubikey as the device.
  2. Log in on Android using 'Log in with a device'.
  3. Two-factor authentication pops up, and says 'Use WebAuthn for second factor authentication'.

Expected behaviour

Android should login

Actual behaviour

Android mobile says 'Wrong Security Key is used' and does not login

Android version

10

Device brand and model

Samsung SM-N960F

Stock or custom OS?

Stock

Nextcloud android app version

3.23.0

Nextcloud server version

25.0.2.3

Using a reverse proxy?

Yes

Android logs

No response

Server error logs

{
  "reqId": "redacted",
  "level": 0,
  "time": "2022-12-17T11:20:24+05:30",
  "remoteAddr": "192.168.1.2",
  "user": "redacted",
  "app": "PHP",
  "method": "GET",
  "url": "/login/challenge/webauthn?redirect_url=/apps/files/",
  "message": "Return type of Webauthn\\AuthenticationExtensions\\AuthenticationExtension::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice at /var/lib/nextcloud/apps/twofactor_webauthn/vendor/web-auth/webauthn-lib/src/AuthenticationExtensions/AuthenticationExtension.php#55",
  "userAgent": "Samsung SM-N960F (Android)",
  "version": "25.0.2.3",
  "exception": {
    "Exception": "Error",
    "Message": "Return type of Webauthn\\AuthenticationExtensions\\AuthenticationExtension::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice at /var/lib/nextcloud/apps/twofactor_webauthn/vendor/web-auth/webauthn-lib/src/AuthenticationExtensions/AuthenticationExtension.php#55",
    "Code": 0,
    "Trace": [
      {
        "file": "/var/lib/nextcloud/apps/twofactor_webauthn/vendor/web-auth/webauthn-lib/src/AuthenticationExtensions/AuthenticationExtension.php",
        "line": 18,
        "function": "onError",
        "class": "OC\\Log\\ErrorHandler",
        "type": "::",
        "args": [
          8192,
          "Return type of Webauthn\\AuthenticationExtensions\\AuthenticationExtension::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice",
          "/var/lib/nextcloud/apps/twofactor_webauthn/vendor/web-auth/webauthn-lib/src/AuthenticationExtensions/AuthenticationExtension.php",
          55
        ]
      },
      {
        "file": "/usr/share/webapps/nextcloud/lib/composer/composer/ClassLoader.php",
        "line": 571,
        "args": [
          "/var/lib/nextcloud/apps/twofactor_webauthn/vendor/web-auth/webauthn-lib/src/AuthenticationExtensions/AuthenticationExtension.php"
        ],
        "function": "include"
      },
      {
        "file": "/usr/share/webapps/nextcloud/lib/composer/composer/ClassLoader.php",
        "line": 428,
        "function": "Composer\\Autoload\\includeFile",
        "args": [
          "/var/lib/nextcloud/apps/twofactor_webauthn/vendor/composer/../web-auth/webauthn-lib/src/AuthenticationExtensions/AuthenticationExtension.php"
        ]
      },
      {
        "file": "/var/lib/nextcloud/apps/twofactor_webauthn/lib/Service/WebAuthnManager.php",
        "line": 264,
        "function": "loadClass",
        "class": "Composer\\Autoload\\ClassLoader",
        "type": "->",
        "args": [
          "Webauthn\\AuthenticationExtensions\\AuthenticationExtension"
        ]
      },
      {
        "file": "/var/lib/nextcloud/apps/twofactor_webauthn/lib/Provider/WebAuthnProvider.php",
        "line": 109,
        "function": "startAuthenticate",
        "class": "OCA\\TwoFactorWebauthn\\Service\\WebAuthnManager",
        "type": "->",
        "args": [
          {
            "__class__": "OC\\User\\User"
          },
          "cloud.redacted.com"
        ]
      },
      {
        "file": "/usr/share/webapps/nextcloud/core/Controller/TwoFactorChallengeController.php",
        "line": 143,
        "function": "getTemplate",
        "class": "OCA\\TwoFactorWebauthn\\Provider\\WebAuthnProvider",
        "type": "->",
        "args": [
          {
            "__class__": "OC\\User\\User"
          }
        ]
      },
      {
        "file": "/usr/share/webapps/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 225,
        "function": "showChallenge",
        "class": "OC\\Core\\Controller\\TwoFactorChallengeController",
        "type": "->",
        "args": [
          "webauthn",
          "/apps/files/"
        ]
      },
      {
        "file": "/usr/share/webapps/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 133,
        "function": "executeController",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->",
        "args": [
          {
            "__class__": "OC\\Core\\Controller\\TwoFactorChallengeController"
          },
          "showChallenge"
        ]
      },
      {
        "file": "/usr/share/webapps/nextcloud/lib/private/AppFramework/App.php",
        "line": 172,
        "function": "dispatch",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->",
        "args": [
          {
            "__class__": "OC\\Core\\Controller\\TwoFactorChallengeController"
          },
          "showChallenge"
        ]
      },
      {
        "file": "/usr/share/webapps/nextcloud/lib/private/Route/Router.php",
        "line": 298,
        "function": "main",
        "class": "OC\\AppFramework\\App",
        "type": "::",
        "args": [
          "OC\\Core\\Controller\\TwoFactorChallengeController",
          "showChallenge",
          {
            "__class__": "OC\\AppFramework\\DependencyInjection\\DIContainer"
          },
          [
            "webauthn",
            "core.TwoFactorChallenge.showChallenge"
          ]
        ]
      },
      {
        "file": "/usr/share/webapps/nextcloud/lib/base.php",
        "line": 1047,
        "function": "match",
        "class": "OC\\Route\\Router",
        "type": "->",
        "args": [
          "/login/challenge/webauthn"
        ]
      },
      {
        "file": "/usr/share/webapps/nextcloud/index.php",
        "line": 36,
        "function": "handleRequest",
        "class": "OC",
        "type": "::",
        "args": []
      }
    ],
    "File": "/usr/share/webapps/nextcloud/lib/private/Log/ErrorHandler.php",
    "Line": 92,
    "CustomMessage": "--"
  }
}

Additional information

Default browser on mobile is Firefox version 108.1.0

rajil avatar Dec 17 '22 05:12 rajil

This looks like a server error. Can you login successfully on the same server, with the same hardware key, but on a desktop browser?

AlvaroBrey avatar Dec 20 '22 10:12 AlvaroBrey

Yes, the key works fine on the desktop with Firefox. Also, I tried with Chrome on mobile and that worked too.


rajil avatar Dec 20 '22 10:12 rajil

Hm, can you see if you have any updates for your system webview? Though I wouldn't think this would fix it, but just in case.

@tobiasKaminsky yet another +1 for #1723

AlvaroBrey avatar Dec 20 '22 10:12 AlvaroBrey

"login with a device" is passwordless authentication. If you want to use real 2fa, then during login you first need to enter username/password (first factor) and then confirm via yubikey (second factor).

Can you remove "passwordless auth" and test it again?

tobiasKaminsky avatar Dec 20 '22 12:12 tobiasKaminsky

I disabled 'Passwordless Authentication' on the server and tried the mobile app again. I still got the same error of wrong security key.

rajil avatar Dec 20 '22 15:12 rajil

@ChristophWurst as you are master of 2fa. Can you shed some light on this, what and how causes this error message?

tobiasKaminsky avatar Dec 21 '22 07:12 tobiasKaminsky

I have never seen that error. Can someone try to figure out where it's coming from?

ChristophWurst avatar Dec 21 '22 08:12 ChristophWurst

@rajil one or more screenshots would be great.

tobiasKaminsky avatar Dec 21 '22 08:12 tobiasKaminsky

Ahh. It is from: https://github.com/nextcloud-deps/hwsecurity/blob/master/hwsecurity/ui/src/main/res/values/strings.xml#L38

So it is entirely on Android.

Still the question remains, how this can happen…

tobiasKaminsky avatar Dec 21 '22 08:12 tobiasKaminsky

> @tobiasKaminsky yet another +1 for #1723

Yes, switching to login flow v2, where auth is done in the browser, is the best way.

tobiasKaminsky avatar Dec 21 '22 08:12 tobiasKaminsky

> So it is entirely on Android.

Looks like it's caused by either a wrong request or a server error, see the server log in the first post.

AlvaroBrey avatar Dec 21 '22 08:12 AlvaroBrey

> Return type of Webauthn\\AuthenticationExtensions\\AuthenticationExtension::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice at /var/lib/nextcloud/apps/twofactor_webauthn/vendor/web-auth/webauthn-lib/src/AuthenticationExtensions/AuthenticationExtension.php#55"

That is a deprecation warning, not an error. You can safely ignore it.

ChristophWurst avatar Dec 21 '22 09:12 ChristophWurst
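
The log entry in the report carries two severity signals that back up the reading above: the Nextcloud `level` field is 0 (debug), and the first argument of the `OC\Log\ErrorHandler::onError` frame is 8192, PHP's `E_DEPRECATED`. The following triage helper is an added example, not part of the thread or of Nextcloud's code; the function names and both sample entries are constructed for illustration, and the "actionable" rule is an assumption about how an operator might filter such logs.

```python
import json

# PHP error constants (values from the PHP manual) and Nextcloud "level" values.
PHP_LEVELS = {1: "E_ERROR", 2: "E_WARNING", 8: "E_NOTICE", 256: "E_USER_ERROR",
              512: "E_USER_WARNING", 1024: "E_USER_NOTICE",
              8192: "E_DEPRECATED", 16384: "E_USER_DEPRECATED"}
NC_LEVELS = {0: "DEBUG", 1: "INFO", 2: "WARN", 3: "ERROR", 4: "FATAL"}
NOISE = {"E_NOTICE", "E_USER_NOTICE", "E_DEPRECATED", "E_USER_DEPRECATED"}

def php_errno(entry):
    """Return the errno handed to OC\\Log\\ErrorHandler::onError, or None."""
    exc = entry.get("exception")
    if not isinstance(exc, dict):
        return None
    for frame in exc.get("Trace") or []:
        if (frame.get("class"), frame.get("function")) == ("OC\\Log\\ErrorHandler", "onError"):
            args = frame.get("args") or []
            if args and isinstance(args[0], int):
                return args[0]
    return None

def triage(line):
    """Classify one nextcloud.log line (one JSON object per line)."""
    entry = json.loads(line)
    errno = php_errno(entry)
    php = None if errno is None else PHP_LEVELS.get(errno, "E_UNKNOWN(%d)" % errno)
    level = entry.get("level")
    if php is not None:
        actionable = php not in NOISE          # PHP diagnostic: judge by errno
    else:
        actionable = isinstance(level, int) and level >= 3  # exception: judge by log level
    return {"url": entry.get("url"), "nextcloud_level": NC_LEVELS.get(level, "UNKNOWN"),
            "php_level": php, "actionable": actionable}

# Constructed samples: the first is trimmed to the shape of the entry in the
# report above; the second is invented to show the contrasting case.
SAMPLE_DEPRECATION = json.dumps({
    "level": 0, "app": "PHP", "url": "/login/challenge/webauthn?redirect_url=/apps/files/",
    "exception": {"Exception": "Error", "Trace": [
        {"function": "onError", "class": "OC\\Log\\ErrorHandler", "type": "::",
         "args": [8192, "Return type of ... jsonSerialize() ...", "AuthenticationExtension.php", 55]}]}})
SAMPLE_ERROR = json.dumps({
    "level": 3, "app": "index", "url": "/login/challenge/webauthn",
    "exception": {"Exception": "RuntimeException", "Trace": []}})

if __name__ == "__main__":
    for sample in (SAMPLE_DEPRECATION, SAMPLE_ERROR):
        print(triage(sample))
```
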

This bug report did not receive an update in the last 4 weeks. Please take a look again and update the issue with new details, otherwise the issue will be automatically closed in 2 weeks. Thank you!

github-actions[bot] avatar Jan 19 '23 00:01 github-actions[bot]

I faced this issue myself recently, and was able to resolve it by logging into the web interface and re-adding the YubiKey I was using. Strange that I was able to login to the browser's end fine with the previous one though.

richwalm avatar Aug 07 '23 23:08 richwalm