Open schiessle opened 5 years ago
I had to whitelist the 2FA-app (twofactor_totp in my case) for guests to get it working.
This still is an issue for multiple twofactor apps. As guest, in https://cloud.nextcloud.com/settings/user/security one cannot create Backup-Codes, enable TOTP or add webauthn-Tokens. "Nextcloud notification" can be switched on but it is not used. So it seems that 2FA isn't available for Guest accounts at all, at least in NC25.
If I enale 2FA for Guest accounts on first logon they get a message that 2FA is enabled for them but not configured and to get in contact with the admin user. For internal accounts this works fine as at this same point you are forced to setup 2FA for your account.
Environment: Nextcloud 27.1.2, PostgreSQL, PHP 8.1, Apache2 (running on Ubuntu)
Result: guest account is not able to setup 2FA
Expected result: guest account should be able to setup 2FA at this point. For NC local admin account I've setup it this way and new local accounts are forces to setup 2FA at first logon. I would expect this to work the same wat for guest accounts.
Steps to duplicate:
Screenshot:
Now if you for NC> Administration> Security, remove "guest_app" from "Two-factor authentication is enforced for all members of the following groups." again and the logon as teh guest user Settings> Security also does not list the 2FA option which sloud be enabled by "Limit guest access to an app's allowlist" adding "twofactor_totp" and "twofactor_backupcodes" in the admin settings.
To add some context on the use case: We use the Sendent for Outlook plugin and would like to leverage sharing with guest accounts. For protecting shared data this requires 2FA for guest accounts.
If I try to enable 2FA (U2F) for a guest user I get a 500, the response body contains following message:
Also generating backup codes throws the same error.