nextcloud / twofactor_totp

🔑 Second factor TOTP (RFC 6238) provider for Nextcloud
https://apps.nextcloud.com/apps/twofactor_totp
GNU Affero General Public License v3.0

No application passwords needed for external apps? #1548

Closed marwenius closed 1 month ago

marwenius commented 1 month ago

Steps to reproduce

  1. Two-Factor TOTP Provider is activated
  2. User has secured their account using TOTP
  3. User can authenticate with external apps via their browser (tested with: Desktop and Android app)

Expected behaviour

According to the section Login with external apps, I would assume that authentication via the browser is not possible under all circumstances for any external app.

Actual behaviour

Users can authenticate themselves without application passwords via the browser using their username, password and TOTP.

Server configuration

Operating system: Linux 6.1.66 #1 SMP PREEMPT_DYNAMIC Fri Dec 8 20:52:09 CET 2023 x86_64

Web server: Apache (fpm-fcgi)

Database: mysql 10.11.6

PHP version: 8.1.28

Version: 29.0.4 - 29.0.4.1

Updated from an older version or fresh install: 29.0.2

List of activated apps:

Enabled:

Disabled:

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0

Operating system: Windows 10 Pro

ChristophWurst commented 1 month ago

Did you go through Screenshot from 2024-07-22 12-10-04 and Screenshot from 2024-07-22 12-10-10?

marwenius commented 1 month ago

Yes, they went through this process. Is this to be expected?

ChristophWurst commented 1 month ago

Yes, that is expected. This means the user's active session was used to verify the login on another device.

If the users are logged out, they first have to log in and pass the 2FA page before they can grant access.

marwenius commented 1 month ago

Maybe I'm on the wrong track here, but then I find the statement in the readme confusing that application passwords are necessary when they are not?

Thanks for the quick response, by the way.

ChristophWurst commented 1 month ago

Right, some of this is outdated. The login flow that uses the browser session is only implemented in "official" Nextcloud apps. Other apps, e.g. Gnome Online Accounts, don't know this mechanism and they ask for a username and password. In those prompts you cannot use the login password when 2FA is enabled. You will have to generate and use an app password.

Does this explain it better? I can update the readme.
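The two credential paths described in the comment above, as an added example that is not part of this issue, of the twofactor_totp app, or of Nextcloud's server code: an in-memory model of the browser-session login flow that the official clients use (the message shapes follow Nextcloud's documented Login Flow v2: `POST /index.php/login/v2`, a login URL opened in the browser, and a poll endpoint that answers 404 until the user grants access) next to the plain username/password check that third-party apps fall back to. The server logic, the `MockNextcloud`, `BrowserSession` and `official_client_login` names, the host `cloud.example.com`, and the user accounts are all constructed for this example; a real server hashes passwords with a slow hash and enforces the 2FA challenge in the browser session itself.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

BASE = "https://cloud.example.com"  # hypothetical server, constructed for this example


def _h(secret: str) -> bytes:
    # Stand-in for the model only; a real server uses a slow password hash.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class User:
    name: str
    pw_hash: bytes
    totp_enabled: bool
    app_passwords: dict = field(default_factory=dict)  # device name -> hash


@dataclass
class BrowserSession:
    """The user's existing browser session: who it belongs to and whether 2FA was passed."""
    user: str
    two_factor_passed: bool


class MockNextcloud:
    """Simplified model of a Nextcloud server's two credential paths (not the real code)."""

    def __init__(self):
        self.users: dict[str, User] = {}
        self.flows: dict[str, dict] = {}  # login token -> {"poll": poll token, "result": ...}

    def add_user(self, name: str, password: str, totp_enabled: bool) -> None:
        self.users[name] = User(name, _h(password), totp_enabled)

    # --- Login Flow v2: what the official desktop/mobile clients use ---
    def start_login_flow(self) -> dict:
        """Client does POST /index.php/login/v2 and gets a poll token plus a browser URL."""
        login_token = secrets.token_urlsafe(32)
        poll_token = secrets.token_urlsafe(32)
        self.flows[login_token] = {"poll": poll_token, "result": None}
        return {
            "poll": {"token": poll_token, "endpoint": f"{BASE}/login/v2/poll"},
            "login": f"{BASE}/login/v2/flow/{login_token}",
        }

    def browser_grant(self, login_url: str, session: BrowserSession, device: str) -> bool:
        """User opens the login URL in the browser and clicks 'Grant access'.
        Succeeds only from a session that has already passed the 2FA page."""
        login_token = login_url.rsplit("/", 1)[1]
        flow = self.flows.get(login_token)
        user = self.users[session.user]
        if flow is None or flow["result"] is not None:
            return False
        if user.totp_enabled and not session.two_factor_passed:
            return False  # the real server sends the session to the 2FA challenge first
        app_password = secrets.token_urlsafe(48)  # fresh device credential, not the login password
        user.app_passwords[device] = _h(app_password)
        flow["result"] = {"server": BASE, "loginName": user.name, "appPassword": app_password}
        return True

    def poll(self, poll_token: str):
        """Client does POST /login/v2/poll with token=...: 404 until granted, then 200 once."""
        for login_token, flow in list(self.flows.items()):
            if hmac.compare_digest(flow["poll"], poll_token) and flow["result"]:
                del self.flows[login_token]  # result is handed out exactly once
                return 200, flow["result"]
        return 404, None

    # --- Plain username/password prompt: what non-official apps do ---
    def basic_auth(self, name: str, secret: str) -> bool:
        user = self.users.get(name)
        if user is None:
            return False
        given = _h(secret)
        if any(hmac.compare_digest(given, h) for h in user.app_passwords.values()):
            return True
        # The login password alone is accepted only for accounts without 2FA.
        return not user.totp_enabled and hmac.compare_digest(given, user.pw_hash)


def official_client_login(server: MockNextcloud, session: BrowserSession, device: str):
    """Client side: start the flow, hand the URL to the browser, poll until granted."""
    flow = server.start_login_flow()
    if server.poll(flow["poll"]["token"])[0] != 404:
        return None  # nothing may be granted before the browser step
    if not server.browser_grant(flow["login"], session, device):
        return None
    status, body = server.poll(flow["poll"]["token"])
    return body["appPassword"] if status == 200 else None


if __name__ == "__main__":
    srv = MockNextcloud()
    srv.add_user("alice", "correct horse", totp_enabled=True)
    print("login password via basic auth:", srv.basic_auth("alice", "correct horse"))
    pw = official_client_login(srv, BrowserSession("alice", two_factor_passed=True), "laptop")
    print("flow-issued app password via basic auth:", srv.basic_auth("alice", pw))
```

The model shows why the observation in this issue is expected: the official client never learns the login password or the TOTP code; the browser session, which already passed the 2FA page, mints a per-device app password and the client only ever presents that. A third-party app that talks plain username/password has no such session to lean on, so for a TOTP-protected account only an app password passes `basic_auth`.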

marwenius commented 1 month ago

Yes, that explains it for me at least. And an update would certainly not be amiss if that were possible. Thank you very much!