nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Admin password timeout compares client and server clocks instead of server and server #2961

Open wshanks opened 7 years ago

wshanks commented 7 years ago

When checking the timeout for certain admin actions like creating a user or adding an app, it seems that NextCloud compares the last authentication time on the server against the client's current time. If the server and client clocks are not synchronized and are off by more than the timeout, it is impossible to authenticate because the server always sees the new authentication as happening too long ago already. Of course, it is good practice to keep clocks synchronized anyway, but NextCloud should compare two times on the server, not one on the server and one on the client. Otherwise, the timeout could be bypassed by someone setting the client's clock back.

If you need more information, see #2734 which I created for this problem. It was opened with a generic title about password authentication and then closed with a fix for an LDAP problem that was identified, but this is a separate password authentication problem from that.
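The two failure modes described in this report (lockout when the client clock runs ahead, bypass when it is set back) as an added illustration. This is not Nextcloud's code: the function names, the 30 minute window and the sample timestamps are assumptions made for the example. The only difference between the two checks is which clock supplies "now".

```javascript
// Assumed confirmation window for the example (not Nextcloud's actual value).
const PASSWORD_CONFIRM_TIMEOUT_SECONDS = 30 * 60;

// Flawed variant: the last confirmation time was recorded with the server's
// clock, but freshness is judged against a "now" supplied by the client, so
// two unrelated clocks are subtracted from each other. The client-side value
// is attacker-controlled.
function confirmationIsFreshMixedClocks(lastConfirmedOnServer, nowOnClient) {
  return nowOnClient - lastConfirmedOnServer < PASSWORD_CONFIRM_TIMEOUT_SECONDS;
}

// Corrected variant: both timestamps come from the server's clock, so client
// skew (or a client that lies about its time) cannot influence the result.
function confirmationIsFreshServerOnly(lastConfirmedOnServer, nowOnServer) {
  return nowOnServer - lastConfirmedOnServer < PASSWORD_CONFIRM_TIMEOUT_SECONDS;
}

// Simulate one confirmation followed by an admin action `elapsedSeconds`
// later. The server clock is the reference; the client clock differs from it
// by `skewSeconds` (positive = client ahead). A timezone offset that is
// applied on one side only behaves exactly like a skew of that many seconds.
function simulate(skewSeconds, elapsedSeconds) {
  const serverConfirmedAt = 1700000000; // constructed epoch seconds
  const serverNow = serverConfirmedAt + elapsedSeconds;
  const clientNow = serverNow + skewSeconds;
  return {
    mixedClocks: confirmationIsFreshMixedClocks(serverConfirmedAt, clientNow),
    serverOnly: confirmationIsFreshServerOnly(serverConfirmedAt, serverNow),
  };
}

// Scenarios from the thread:
//  - clocks in sync, action right after confirming: both checks pass
//  - client one hour ahead, action right after confirming: the mixed-clock
//    check already reports the confirmation as expired (the lockout)
//  - client set back one day, action two hours later: the mixed-clock check
//    still passes although the window is long gone (the bypass), while the
//    server-only check correctly fails
const scenarios = [
  { label: "clocks in sync", skew: 0, elapsed: 0 },
  { label: "client 1h ahead", skew: 3600, elapsed: 0 },
  { label: "client set back 1 day, 2h later", skew: -86400, elapsed: 7200 },
];

for (const s of scenarios) {
  const r = simulate(s.skew, s.elapsed);
  console.log(`${s.label}: mixedClocks=${r.mixedClocks} serverOnly=${r.serverOnly}`);
}
```

The practical consequence is that any freshness decision has to be made where the reference timestamp was taken. If the client needs to know whether to show the confirmation dialog, the server should tell it how many seconds remain (computed from its own clock) rather than handing over an absolute timestamp for the client to compare against its local time.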

MorrisJobke commented 7 years ago

cc @nickvergessen @LukasReschke

MorrisJobke commented 7 years ago

cc @ChristophWurst

nickvergessen commented 7 years ago

I see the problem, but I don't really have an idea how this could be done.

vojtabiberle commented 7 years ago

Just another point of view: I have a server in a different timezone from the one I'm sitting in. Times are correct (UTC is the same) but Nextcloud refuses to log me in with the confirm dialog.

szaimen commented 1 year ago

Hi, please update to at least 23.0.12 and report back if it fixes the issue. Thank you!

nickvergessen commented 1 year ago

Still an issue.

szaimen commented 1 year ago

on 25?

nickvergessen commented 1 year ago

Yes, 25.0.1 and also master; the parts were never touched as we also don't know how.