nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: WebAuthn passwordless login not working although set-up #38859

Open Henne1191 opened 1 year ago

Henne1191 commented 1 year ago


Bug description

I have set up a Nitrokey 3C security key for my user in a managed Nextcloud instance for passwordless login in my user settings in the "security" section. The setup worked and the key is shown with the name I have given it. (Screenshot attached: Bildschirmfoto vom 2023-06-16 16-41-17)

However, when I try to login without a password by selecting "login with a device" on the login screen after entering my account mail address, Nextcloud is telling me "Your account is not set up for passwordless login". (Please note: the Nextcloud instance is in German and I cannot change it, so the wording might be slightly different.)

Also, I didn't find any information about this particular error message or passwordless login in general in the official documentation so I don't know if I might have to set up anything else to make it work.

Steps to reproduce

  1. Set up a Nitrokey 3C as security key for passwordless login
  2. Logout and go to the login page
  3. Select "login with a device"
  4. Enter account mail address
  5. Confirm

Expected behavior

Nextcloud should start passwordless authentication and make Firefox ask me to touch my key to login.

Installation method

None

Nextcloud Server version

25

Operating system

None

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

Since this is a Managed instance where I only have a regular user account I cannot get additional information besides Nextcloud version which is 25.0.7.1

joshtrichards commented 1 year ago

> "Your account is not set up for passwordless login"

The above is just a generic message shown whenever authentication fails.

> Since this is a Managed instance where I only have a regular user account I cannot get additional information besides Nextcloud version which is 25.0.7.1

This is going to make it nearly impossible to debug anything with you from this end. I was going to suggest (temporarily) setting your log_level to 0 (debug). A lot of information about the passwordless login process will then appear in your Nextcloud logs. It's also possible something else is wrong and there are already indications (clues) in your Nextcloud logs.

This sounds like an issue you may need to take to your NC administrator.

But I do have one other suggestion since each browser has quirks with webauthn sometimes: try to login with an entirely different browser.

nextcloud-command commented 12 months ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

FredericLespez commented 10 months ago

I have the same exact problem on my Nextcloud instance (27.1.3) on Debian 12.2 (PHP 8.2) I also use a Nitrokey device (Nitrokey 3A NFC). The same Nitrokey works flawlessly as 2FA.

I tried to register the Nitrokey then login with 2 different browsers (Firefox and Brave latest version): same behavior.

Here are the Nextcloud log messages (normal level) when I register the Nitrokey as a Webauthn device and when I try to login passwordlessly.

Device registration

```json
{"reqId":"kU3XkS11XLskxNwwnoVP","level":0,"time":"2023-11-05T19:04:25+00:00","remoteAddr":"MY_REMOTE_IP","user":"myemail_used_for_login","app":"settings","method":"GET","url":"/settings/api/personal/webauthn/registration","message":"Starting WebAuthn registration","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":{"app":"settings"}}
{"reqId":"IGKgLtSS8RrrEMJbsvJr","level":0,"time":"2023-11-05T19:04:47+00:00","remoteAddr":"MY_REMOTE_IP","user":"myemail_used_for_login","app":"settings","method":"POST","url":"/settings/api/personal/webauthn/registration","message":"Finishing WebAuthn registration","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":{"app":"settings"}}
{"reqId":"IGKgLtSS8RrrEMJbsvJr","level":1,"time":"2023-11-05T19:04:47+00:00","remoteAddr":"MY_REMOTE_IP","user":"myemail_used_for_login","app":"no app in context","method":"POST","url":"/settings/api/personal/webauthn/registration","message":"Checking the authenticator attestation response","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":{"authenticatorAttestationResponse":"","publicKeyCredentialCreationOptions":"","host":"MY_INSTANCE_HOSTNAME"}}
{"reqId":"IGKgLtSS8RrrEMJbsvJr","level":0,"time":"2023-11-05T19:04:47+00:00","remoteAddr":"MY_REMOTE_IP","user":"myemail_used_for_login","app":"no app in context","method":"POST","url":"/settings/api/personal/webauthn/registration","message":"No attestation is asked.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":[]}
{"reqId":"IGKgLtSS8RrrEMJbsvJr","level":0,"time":"2023-11-05T19:04:47+00:00","remoteAddr":"MY_REMOTE_IP","user":"myemail_used_for_login","app":"no app in context","method":"POST","url":"/settings/api/personal/webauthn/registration","message":"The Attestation Statement is anonymous.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":[]}
{"reqId":"IGKgLtSS8RrrEMJbsvJr","level":1,"time":"2023-11-05T19:04:47+00:00","remoteAddr":"MY_REMOTE_IP","user":"myemail_used_for_login","app":"no app in context","method":"POST","url":"/settings/api/personal/webauthn/registration","message":"The attestation is valid","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":[]}
{"reqId":"IGKgLtSS8RrrEMJbsvJr","level":0,"time":"2023-11-05T19:04:47+00:00","remoteAddr":"MY_REMOTE_IP","user":"myemail_used_for_login","app":"no app in context","method":"POST","url":"/settings/api/personal/webauthn/registration","message":"Public Key Credential Source","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":{"publicKeyCredentialSource":""}}
```

Login passwordlessly

```json
{"reqId":"rannrkyFDFv6efCAg7RD","level":0,"time":"2023-11-05T19:06:20+00:00","remoteAddr":"MY_REMOTE_IP","user":"--","app":"core","method":"POST","url":"/login/webauthn/start","message":"Starting WebAuthn login","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":{"app":"core"}}
{"reqId":"rannrkyFDFv6efCAg7RD","level":0,"time":"2023-11-05T19:06:20+00:00","remoteAddr":"MY_REMOTE_IP","user":"--","app":"core","method":"POST","url":"/login/webauthn/start","message":"Converting login name to UID","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":{"app":"core"}}
{"reqId":"rannrkyFDFv6efCAg7RD","level":0,"time":"2023-11-05T19:06:20+00:00","remoteAddr":"MY_REMOTE_IP","user":"--","app":"core","method":"POST","url":"/login/webauthn/start","message":"Got UID: myemail_used_for_login@mydomain.xx","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0","version":"27.1.3.2","data":{"app":"core"}}
```

I use an email to login into my instance (myemail_used_for_login@mydomain.xx). I can see in the log that during the registration, the 'user' is my email (without the domain): myemail_used_for_login. But during the login phase, the 'user' (UID?) is my full email (with the domain): myemail_used_for_login@mydomain.xx. Maybe that is why an error says "Your account is not set up for passwordless login"?

If you need more detailed logs (debug log level), I can provide them.
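The comparison the commenter made by eye (the `user` field on the registration requests against the `Got UID:` value on the login request) is mechanical enough to script. The helper below is an added example and not part of the thread or of Nextcloud; it parses JSON log lines of the shape posted above, collects the identifiers seen at registration and at `/login/webauthn/start`, and reports any login UID that has no matching registration. The sample lines are constructed, with `alice` / `alice@example.com` standing in for the poster's real values, and the field names are taken from the posted lines; whether a mismatch here is the cause of the error is the thread's hypothesis, so treat the output as a triage hint for the administrator rather than a diagnosis.

```python
"""Triage helper: do the identifiers seen at WebAuthn registration match the UID
resolved at passwordless login?  Added example; not Nextcloud's code."""
import json
import re

# Constructed log lines modelled on the thread's posted entries (placeholder values).
SAMPLE_LOG = [
    json.dumps({"reqId": "reg0001", "level": 0, "user": "alice", "app": "settings",
                "method": "POST", "url": "/settings/api/personal/webauthn/registration",
                "message": "Finishing WebAuthn registration"}),
    json.dumps({"reqId": "login001", "level": 0, "user": "--", "app": "core",
                "method": "POST", "url": "/login/webauthn/start",
                "message": "Starting WebAuthn login"}),
    json.dumps({"reqId": "login001", "level": 0, "user": "--", "app": "core",
                "method": "POST", "url": "/login/webauthn/start",
                "message": "Converting login name to UID"}),
    json.dumps({"reqId": "login001", "level": 0, "user": "--", "app": "core",
                "method": "POST", "url": "/login/webauthn/start",
                "message": "Got UID: alice@example.com"}),
    "not json at all",  # noise the parser must tolerate
]

GOT_UID = re.compile(r"^Got UID: (?P<uid>\S+)$")


def parse_log(lines):
    """Parse one JSON object per line; silently skip blank or non-JSON lines."""
    entries = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return entries


def registration_users(entries):
    """Identifiers under which a WebAuthn registration completed."""
    return {
        e.get("user")
        for e in entries
        if e.get("url", "").endswith("/webauthn/registration")
        and e.get("message") == "Finishing WebAuthn registration"
    }


def login_uids(entries):
    """UIDs the server resolved the typed login name to at /login/webauthn/start."""
    uids = set()
    for e in entries:
        if e.get("url") != "/login/webauthn/start":
            continue
        m = GOT_UID.match(e.get("message", ""))
        if m:
            uids.add(m.group("uid"))
    return uids


def identifier_mismatch(lines):
    """Return the registration identifiers, the login-time UIDs, and the UIDs
    that never appear as a registration identifier (the suspicious ones)."""
    entries = parse_log(lines)
    registered = registration_users(entries)
    resolved = login_uids(entries)
    return {
        "registered_as": sorted(registered),
        "login_resolved_to": sorted(resolved),
        "unmatched_login_uids": sorted(resolved - registered),
    }


if __name__ == "__main__":
    print(json.dumps(identifier_mismatch(SAMPLE_LOG), indent=2))
```

Point it at a real `nextcloud.log` with `identifier_mismatch(open(path))`; an empty `unmatched_login_uids` means the two phases agree on the identifier and the cause lies elsewhere.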

goebbe commented 10 months ago

Just to add a small "me too": Same behaviour as described above, using a solo2 key on a managed Nextcloud instance on hosting.de. No 2FA involved. I registered the key using Firefox 119 on Linux Mint 21.2 for passwordless login. Trying to log in passwordless using my e-mail address fails with the described error message. I tried login from Firefox and from Chrome; both failed. Since it is a managed machine, I cannot provide logs.

FredericLespez commented 10 months ago

I followed my intuition: I registered my Nitrokey as a Webauthn device for my Nextcloud admin account (where the 'user' part of the login is not an email). And I have successfully logged in without entering a password into this account.

So the problem seems to concern only user accounts with an email to identify a user.

Hope it helps!

goebbe commented 10 months ago

@FredericLespez Thank you for your last comment! Now, I also tried to use the "user" instead of my e-mail when logging in with the solo2 key. Result: Now I do not get the error message "Your account is not set up for passwordless login". Instead, a Firefox message pops up and asks me to touch the solo2 key. However, in my case, touching the key does not result in the expected login. When I touch the key, the message disappears; however, there is no login.

@FredericLespez Did you install any plugins for this? Do you use 2FA?

Since I can successfully register and login with Fido 2, e.g. on https://www.token2.com/tools/fido2-demo, I guess this is either an issue with Nextcloud or with the config of Nextcloud on hosting.de.

This is using Firefox 119.0.1 on Linux Mint 21.2 using a managed Nextcloud 26.0.6 on hosting.de. This is not 2FA but instead using solo2 instead of a password. There are no Fido or token related plugins installed. Edit: I also tried with Chrome Version 119.0.6045.159, and have the same issue.

Note: It was not obvious to find my "user" name for my Nextcloud account. One way to see the current "user" name is to generate a device-specific password token via Settings / Security. When doing this, the "user" name is shown.

FredericLespez commented 10 months ago

@goebbe You're welcome :-)

The only Nextcloud apps I have related to this are: Two-factor Provider and Two-Factor Webauthn. But I think these two are installed by default.

I use 2FA (TOTP tokens and my Nitrokey). And when I log in passwordlessly, the 2FA is still needed to log in (see #21215).

FredericLespez commented 10 months ago

If I sum up our experiments, here is what we have established: You can log into your account by using either your email or your username. After registering a security key to log in passwordlessly, you can only use your username to log in, even if Nextcloud asks for your username or email to log in with a device. If you try to use your email, Nextcloud sends an error "Your account is not set up for passwordless login".

Note that if you use an email to log in, you can get your username by:

Hope it helps!
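The rule the two commenters worked out above (username works, e-mail does not) is what you would expect when passwordless credentials are stored under the canonical user ID but the login step looks them up under whatever the user typed. The model below is an added example written for this thread; it is not Nextcloud's code, and the `UserBackend`, `PasswordlessStore`, `start_login` names and the sample users are hypothetical stand-ins. It shows the defensive rule in code: resolve the typed login name (UID or e-mail, compared case-insensitively) to the canonical UID before touching the credential store, and return the generic "not set up" error only when that canonical UID has no credential. The `canonicalise=False` path reproduces the symptom described in the thread so the difference is visible in the return values.

```python
"""Identifier canonicalisation in front of a passwordless-credential lookup.
Added example; not Nextcloud's code.  All names and sample data are hypothetical."""

NOT_SET_UP = "Your account is not set up for passwordless login"


class UserBackend:
    """Maps canonical user IDs to e-mail addresses (constructed sample data)."""

    def __init__(self, users):
        # Store e-mails lower-cased so lookups are case-insensitive.
        self._email_by_uid = {uid: email.strip().lower() for uid, email in users.items()}

    def resolve_login_name(self, login_name):
        """Return the canonical uid for a login name that is either the uid itself
        or the user's e-mail address; None when nothing matches."""
        if login_name in self._email_by_uid:
            return login_name
        wanted = login_name.strip().lower()
        for uid, email in self._email_by_uid.items():
            if email == wanted:
                return uid
        return None


class PasswordlessStore:
    """Credential IDs are keyed by the canonical uid only, never by e-mail."""

    def __init__(self):
        self._creds = {}

    def register(self, uid, credential_id):
        self._creds.setdefault(uid, []).append(credential_id)

    def credentials_for(self, uid):
        return list(self._creds.get(uid, []))


def start_login(backend, store, login_name, canonicalise=True):
    """Begin a passwordless login.  With canonicalise=True the typed name is
    resolved to the stored uid first; with canonicalise=False the raw input is
    used as the key, which is the failure mode the thread describes."""
    key = backend.resolve_login_name(login_name) if canonicalise else login_name
    creds = store.credentials_for(key) if key is not None else []
    if not creds:
        # Generic message on purpose: it must not reveal whether the account exists.
        raise LookupError(NOT_SET_UP)
    return creds


def demo():
    """Exercise the three cases and return which ones succeeded."""
    backend = UserBackend({"alice": "Alice@Example.com"})
    store = PasswordlessStore()
    store.register("alice", "cred-1")  # registered under the canonical uid
    outcomes = {}
    for label, name, canon in (
        ("username", "alice", True),
        ("email-canonicalised", "alice@example.com", True),
        ("email-raw", "alice@example.com", False),
    ):
        try:
            outcomes[label] = start_login(backend, store, name, canonicalise=canon)
        except LookupError as exc:
            outcomes[label] = str(exc)
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:22s} -> {outcome}")
```

Running `demo()` gives the credential list for the first two cases and the generic error string for the third, which matches the thread's observation that only the bare username currently works.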