nextcloud / documentation

📘 Nextcloud documentation
https://docs.nextcloud.com

Active Directory password change revokes APP tokens #9727

Open PiotrIr opened 4 years ago

PiotrIr commented 4 years ago

Steps to reproduce

  1. Create app token for WebDAV connection and login to sync client 2.6.2
  2. Change password in Active Directory

Expected behaviour

Starting with Nextcloud 15, for password changes in external user backends the device-specific passwords are marked as invalid, and once a login of the user account with the main password happens all device-specific passwords are updated and work again.

Actual behaviour

After login to Nextcloud using a web browser, all app tokens (WebDAV and Nextcloud sync client) don't work.

Server configuration

Operating system: Ubuntu 18.04

Web server: nginx-1.16.1

Database: MariaDB 10.4.11

PHP version: 7.3.13

Nextcloud version: 17.0.2

Updated from an older Nextcloud/ownCloud or fresh install: Fresh install

Could you help me with this please?

violoncelloCH commented 4 years ago

cc @ChristophWurst as you're the authentication / app password expert

PiotrIr commented 4 years ago

Thank you

PiotrIr commented 4 years ago

I've just tested, and changing the password works as expected when the user is local. The issue seems to occur only when the user is in Active Directory.

PiotrIr commented 4 years ago

Hi, I just wonder - is there any chance it will be looked at? I've also tested on Nextcloud 15 and it doesn't work there either.

ChristophWurst commented 4 years ago

This should be fixed since https://github.com/nextcloud/server/pull/11390. cc @rullzer

PiotrIr commented 4 years ago

Hi Christoph,

Many thanks for your reply.

I've just enabled the debug log level and done some additional tests - it looks like the behaviour is more complex than just working or not. I have a WebDav mapped drive using RaiDrive (with a manually created token) and Nextcloud client 2.6.2 on the same Windows 10 machine. I've repeated the test twice again - results below.

  1. Surprisingly, WebDav after a while of waiting (and after I've logged in to the web) started working. The Nextcloud client prompted me to log in, but it didn't prompt for the password - just to grant access.

  2. WebDav stopped working completely, and even entering the same app password didn't help. I tried to use WebDav on another computer with the Windows client, but the password doesn't work there either. However, the client is just working and didn't prompt me about anything, so it looks like this particular app token is working fine.

Will you be able to shed some light on it? Is there anything I missed in my test?

Below is the log from the server related to WebDav authentication.

[webdav] Debug: Sabre\DAV\Exception\NotAuthenticated: Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured at <>

  1. <> Sabre\DAV\Auth\Plugin->beforeMethod(Sabre\HTTP\Reque ... "}, Sabre\HTTP\Response {})
  2. /var/www/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php line 105 call_user_func_array([Sabre\DAV\Auth\ ... "], [Sabre\HTTP\Requ ... }])
  3. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 466 Sabre\Event\EventEmitter->emit("beforeMethod", [Sabre\HTTP\Requ ... }])
  4. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 254 Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Reque ... "}, Sabre\HTTP\Response {})
  5. /var/www/nextcloud/apps/dav/appinfo/v1/webdav.php line 80 Sabre\DAV\Server->exec()
  6. /var/www/nextcloud/remote.php line 163 require_once("/var/www/nextcl ... p")

PROPFIND /remote.php/webdav/ from 192.168.2.44 at 2020-01-27T15:15:52+01:00

PiotrIr commented 4 years ago

Hi, I believe I've just narrowed this down. Basically, if I change the password and then log in to the Nextcloud website within 5 minutes, the app tokens are working fine. However, if I wait longer (tested around 1 hour) and then log in via the web browser, all APP tokens are revoked. If you need me to do any other test - please let me know - I can do it.

rullzer commented 4 years ago

Can you try on a more recent nextcloud version? 15 is eol.

PiotrIr commented 4 years ago

I'm using Nextcloud version: 17.0.2 so I guess this is latest production version?

PiotrIr commented 4 years ago

Is there any chance somebody will look at it? I've just tested it again, and even if I change the password and log in to the browser straight away, it sometimes works and sometimes doesn't. I can't even find a pattern for this.

PiotrIr commented 4 years ago

Sadly nobody helps me with this :-( Is there anybody else who has this issue? I don't believe nobody is using WebDAV with 2FA and a password change policy from Active Directory? It would be great if Virtual Drive were released, but for now I need to use WebDAV....

ChristophWurst commented 4 years ago

You could check help.nextcloud.com for similar reports from the community.

PiotrIr commented 4 years ago

Hi Christoph, thank you for your reply. I've tried to find a similar issue on help.nextcloud.com and also a few other websites and wasn't able to. I've tested the behaviour on Nextcloud 17 and another server with version 15 (with the same result). Basically, sometimes when I log in to Nextcloud quickly, the app token is not revoked. But if I wait an hour it is pretty much always revoked. I realise you are very busy, but is there any chance this will be fixed? I can do tests, send logs and help as much as required from my side.

sylikc commented 4 years ago

@ChristophWurst I have certainly encountered this issue since the fix was implemented in PR nextcloud/server#11390 .

However, since that PR... it worked for maybe a point version or two, but the results are not reliable. Much like @PiotrIr has reported, it works sometimes but doesn't work other times... and there's no pattern.

(I don't know if it's the 5-min wait time thing. I've never really thought about the fact that I should change and login right away, but anecdotally, I think I recall if I did something like that it works more of the time.)

I change my LDAP password every month or so ... and every single time, I have to go into all my clients and change the app tokens. Let me know if there's debug logs or something to help fixing this rather serious annoyance.

Edit: I am on the latest NC 18.0.3. I just did a change about an hour ago and it invalidated all my tokens, so I have to start all over again: log into every single client with the LDAP username/password for those which support the auto-token feature thing, and copy this long password for those that don't... :/

Thanks!

PiotrIr commented 4 years ago

Thank you sylikc! I'm glad somebody else reported this issue. From my side I can also offer any necessary help to resolve this problem.

sylikc commented 4 years ago

@rullzer @ChristophWurst I experienced this again today. I waited for the LDAP password to expire, then did the change and logged into Nextcloud.

Tokens were all still invalid.

I can probably set up a mini virtual lab to test this, but is there anything that would help you to debug this, or how I would debug this in order to help gather the information for a fix?

Are the tokens being invalidated after a use when the password is invalid (ldap password not changed yet)?

Thanks

kesselb commented 4 years ago

Might be related: https://github.com/nextcloud/server/issues/21285 / https://github.com/nextcloud/server/pull/21288

szaimen commented 3 years ago

Is this Issue still valid? If not, please close this issue. Thanks! :)

sylikc commented 3 years ago

@szaimen from what I notice nowadays, the tokens generated remain valid across LDAP changes, but the Nextcloud client does not if it detected a password change.

It might become a nextcloud client bug though.

Symptoms... On password expiration on nextcloud, the desktop client stops syncing.

I change ldap password and then log in once to the Nextcloud web interface so all tokens should be valid again

I close (windows) nextcloud client. On next start it pops up the browser asking me to log in again, even though the token should now be valid

Edit: this actually sounds exactly like the issue referenced above that was closed

xGDI commented 3 years ago

Same issue here with the latest desktop client and NC server (21.0.2). After the user changes the password, the Nextcloud client stops syncing after some minutes (shows disconnected). After a reboot / restart of the client, the user gets prompted to sign in via web browser to grant access for the client. Temporarily the client is authenticated, but after a restart it can't authenticate again.

ChristophWurst commented 3 years ago

This sounds like something about the stored password in each app token. They have the password. That password is validated every 5min.

xGDI commented 3 years ago

> this sounds like something about the stored password in each app token. they have the password. that password is validated every 5min.

So basically all app tokens of a user become invalid after they change their password? Is it possible to avoid this or at least after the user relogins all tokens get updated?

ChristophWurst commented 3 years ago

No, actually there is some public-private key magic going on that allows one session to update the new password in all other tokens. In very old Nextcloud installations, or tokens that are really really old, that public-private key logic isn't there yet. You could check oc_authtoken for the affected user to find out the version of those tokens.

xGDI commented 3 years ago

I'll take a look into it - but we are using the latest NextCloud version (actually a fresh install with LDAP plugin - no saml), so I guess all tokens have the latest version too. Thanks for your help.

cm-schl commented 3 years ago

Hi @ChristophWurst ,

I'm facing the same problem with the Android client of Nextcloud. Some users only use this client to access Nextcloud and never use the web interface. So when the user changes his password, the tokens seem to become invalid. Could you maybe give us some additional information on how the "public-private key logic" is working? Then maybe I could try to make some tests on when exactly this problem starts.

In my special case, after changing the LDAP password the user gets asked for the new password in the Nextcloud client (I assume this is how it should work, right?) but then ends in some kind of loop: the user never gets into the client and also can't retry entering the new password.

I'm also asking for details regarding the invalidation of tokens because we would also like to use the app tokens for authentication to Nextcloud calendars in Thunderbird. Reading your comments, I've got the idea that Nextcloud intentionally invalidates the tokens after a user changes his LDAP password. In such a case, when you use the Thunderbird calendar with app tokens, they would be invalidated until the user connects to Nextcloud - or am I wrong?

ChristophWurst commented 2 years ago

> Could you maybe give us some additional information how the "public-private key logic" is working? So maybe I could try to make some tests when exactly this problem starts.

When you open a web session the public key of each individual app token is used to encrypt the login password and store it with each entry. Only those processes that provide the app password will be able to decrypt the private key and moreover the login password.

I think the clients alone can't update the password, but it always needs one login into the web (or a web view in a client) to update all app tokens with the password.

> Reading your comments I've got the idea that Nextcloud intentionally invalidates the tokens after a user changes his LDAP password. In such a case when you use Thunderbird Calendar with app-tokens they would get invalidated until the users connects to Nextcloud - or am I wrong?

Yes, you can put it that way. The login password is required for features like external storage. I think that is why we try to get everything into a consistent state with the latest password.

HorstBort commented 2 years ago

Hi,

I believe I'm experiencing the same problem. Our Nextcloud (22) server authenticates against our AD via LDAP. Security policies require a password change every 90 days. When a user changes their password, the Nextcloud client disconnects and the user has to go through the whole Webflow authentication again.

Is there any way to circumvent this? As far as I'm concerned, once the app token is created, it should stay valid regardless of a password change in the auth backend, at least for my use case. It should be revoked, however, if the password or the account itself expires, which is tracked in specific fields in our AD.

On a related note: a 5 minute interval to check the password seems a little excessive to me - is there a place where this can be configured?

cm-schl commented 2 years ago

Hi @rullzer and @ChristophWurst, thanks for all the work on this subject and the information on how app tokens work. I've read what was written in https://github.com/nextcloud/server/issues/2581 and I understand the reason why the app tokens don't work after a password change until the user logs in to Nextcloud.

So maybe the question should be another one, as we can't tell Nextcloud not to revoke the AppTokens (because of the fact that it's not the token but the password of the user that has changed): Is there a way to tell Nextcloud that a specific user has multiple passwords - the Active Directory / LDAP password AND some kind of password that never expires (just like the AppToken, but without the logic of encrypting the user password)?

I'm really not sure if I'm missing something from the security point of view (?), but if we think of some kind of "simple app token" that is simply a second, non-expiring (but complex) password for a Nextcloud user that could be created and revoked by the user (just like the actual app tokens) - wouldn't this work like many users expect the app tokens to work?

The actual problem that affects me (and I think also the others) is that some users only use Nextcloud as a kind of CalDAV & CardDAV server. They never log in to Nextcloud using the web interface - all the work of creating calendars & address books is done by the administrators... In this scenario the AppTokens can't be used to configure smartphone apps or desktop software like Thunderbird.

szaimen commented 1 year ago

Hi, please update to 24.0.8 or better 25.0.2 and report back if it fixes the issue. Thank you!

sylikc commented 1 year ago

I'll take a test this month and let my password expire. Currently the only app that gets kicked off is the Desktop App (for me it's Windows). When the password expires and the desktop app can't authenticate, it believes it needs to log in again.

It would be better to have it wait, and when I use my new password in the server, the token is valid again and it uses that, instead of making me log into the NC server again once it thinks it's invalid.

szaimen commented 1 year ago

So isn't this rather a Desktop client issue then now?

sylikc commented 1 year ago

> So isnt this rather a Desktop client issue then now?

For me it is. I'll let other people talk about app tokens. For a while I also had the problem where it did invalidate them all. I myself haven't seen it recently. I'm on v25.0.3 right now.

olewales commented 1 year ago

Try making the config change suggested in another issue: https://github.com/nextcloud/server/issues/11113#issuecomment-1364550194 'auth.storeCryptedPassword' => false

This fixed both webUI and desktop client for me

juresaht2 commented 1 year ago

Confirmed issue on Nextcloud 25.0.4.

If the password is changed to the original one, then app tokens once again function.

juresaht2 commented 1 year ago

This ticket belongs in Server, not in Documentation. That could explain why it gets no attention. I will open another ticket in the correct spot.

sylikc commented 1 year ago

> If the password is changed to the original one, then app tokens once again function.

After changing your password, you have to log into NC at least once with the new password for the tokens to function again. This was referenced somewhere. Try that.

juresaht2 commented 11 months ago

Perhaps the documentation should be clarified that the device access tokens will not function again once the external LDAP password is changed, unless https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#auth-storecryptedpassword is set to false.