nextcloud / twofactor_totp

🔑 Second factor TOTP (RFC 6238) provider for Nextcloud
https://apps.nextcloud.com/apps/twofactor_totp
GNU Affero General Public License v3.0

Login with App-Password in Thunderbird/sabre-dav fails after activating TOTP #404

Open AxelMKlein opened 5 years ago

AxelMKlein commented 5 years ago

Hi *,

I use Thunderbird/Tbsync/sabre-dav with an app-password. That works as long as I do not activate two-factor-authentication TOTP.

As soon as I activate that, Thunderbird/Tbsync/sabre-dav cannot log in anymore. The log of Nextcloud says: 'OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden: '

As soon as I deactivate TOTP, login and sync with the same app-password work again perfectly.

Synchronization of the official Nextcloud-clients works also during TOTP.

What do I do wrong? Is there help? Which additional information can I provide?

Best regards Axl

ChristophWurst commented 5 years ago

Are you sure Thunderbird does not use your login password somewhere? That exception should not be thrown with app passwords.

AxelMKlein commented 5 years ago

Hmm... I copied the app-password in the field that popped up in TbSync/sabre-dav when I signed in without TOTP. And it worked. Then I switched on TOTP and it continuously asked me for a password. I entered it but it kept on asking without letting me in.

Now I checked a similar setup on my Work-Laptop, Windows 10. This works now.

The other setup is Ubuntu and I don't have access to it right now. At least it seems not to be something fundamentally wrong. Maybe it's really an error similar to what you describe. I will check that over the weekend.

Thank you for now.

AxelMKlein commented 5 years ago

I have to renounce my statement of success above.

After an hour I get the same behavior here with the Windows 10 setup:

ChristophWurst commented 5 years ago

That is indeed strange. Is the app password still working? Could you check the web interface and see if it is still listed and/or try with another application?

TBH this is very unexpected and I have not seen any similar report although this 2FA/app password code is three years old and AFAIK we haven't changed any of the "password login forbidden" logic.

What kind of user back-end do you use on your Nextcloud?

AxelMKlein commented 5 years ago

The app-password is still working, because when I switch off 2FA the client (TB/sabre-dav) works normally without doing anything else. I see the client in the web interface. For example the Nextcloud clients in Ubuntu and Windows 10 work perfectly with the app-passwords even when 2FA is switched on.

Excuse me, what do you mean with backend? Nextcloud 14 runs on a Raspberry Pi with mysql 10.1.37.

ChristophWurst commented 5 years ago

Okay, I suspected that the app password might have gotten invalidated. This happens when either the password is changed externally (with a user back-end like LDAP) or when the user back-end is unavailable. But that does not seem to be the case on your system.

AxelMKlein commented 5 years ago

Yes. And it happens with two different app passwords. I have one for my personal laptop and one for my work laptop. And it happens with both. And only with Thunderbird/TbSync/sabre-dav. The sync of the Gnome-apps with the online accounts in Gnome and the nextcloud-client work perfectly with these app-passwords. What can I do, what information can I provide to support the debug?

ChristophWurst commented 5 years ago

Hey,

sorry for my late reply. Is this still an issue?

psukys commented 5 years ago

I seem to have a relevant case: my davs based connection through a file explorer (nautilus) fails when there's TOTP enabled. Adding an app password doesn't change anything; by disabling TOTP on my account, I can normally connect via davs connection again.

AxelMKlein commented 5 years ago

Thank you for coming back. I switched TOTP off in my setup and have currently no time to test it otherwise. In theory it is still relevant and as soon as I find some time I can test it. But I think it does not make sense to just confirm the old status in case there is no change. I would prefer testing an improvement instead.

ChristophWurst commented 5 years ago

One way to debug this could be the use of a http proxy that logs all traffic. Maybe there's something in there that gives insights. I still don't know why this is an issue on your instance. It just works for almost all other users.

reidcanavan commented 4 years ago

I can also comment that using an app password does not appear to work using the NextCloud desktop sync app (2.5.3). From the user security page it shows the app password was used successfully but it will not complete the login.

reidcanavan commented 4 years ago

I should also comment that when using the full login method via the Nextcloud desktop sync app it results in the same login prompt despite successfully logging in.

Lab-doc commented 4 years ago

I have the same issue. Not sabre-DAV, but CalDAV and CardDAV. I am on Windows 10x64, TbSync v2.11.1 beta release, Thunderbird 68.5.0 x64. Sync worked fine without TOTP. When I turn on TOTP, I am prompted for a password in TbSync. When I enter a "backup code" (app password), sync fails.

ChristophWurst commented 4 years ago

When I enter a "backup code" (app password), sync fails.

Wait. That is not the same. Backup codes are one-time codes you can use in a browser session. For any client connections you have to generate app passwords from your personal security settings.

Lab-doc commented 4 years ago

Thanks Christoph. As you can see, I am not an IT expert. I am using CalDAV and CardDAV on a Woekeli NextCloud server, connecting to Thunderbird Lightning CardBook running in Windows 10 x64. A quick web search does not show me how to generate app passwords. Do you have a pointer?

ChristophWurst commented 4 years ago

See https://docs.nextcloud.com/server/stable/user_manual/session_management.html#managing-devices :)

janste1978 commented 4 years ago

Hi there. I'm trying to sync with tbsync 2.11 provider for caldav 1.11 and thunderbird 68.6.0

If I try to use totp in nextcloud I can login into tbsync with the app password, but if I want to show the calendars in thunderbird, all the calendars are deactivated. I can not activate them. In tbsync all the calendars are synchronized and I get the message that all is ok.

If I deactivate totp in nextcloud, all is ok and the function is ok.

I tried to delete all the passwords and the cache without changes. Who can help?

ChristophWurst commented 4 years ago

@georgehrke do you know of any limitations of app passwords and DAV?

janste1978 commented 4 years ago

What do you mean? I use the app-passwords in the security-settings. I don't use the security codes like the other one here in this thread for login without the number-code. I know, this code can only be used one time, but the app-passwords should be for that problem. Isn't it?

janste1978 commented 4 years ago

oh, it wasn't for me

georgehrke commented 4 years ago

@ChristophWurst No, not aware of any other bug reports and I'm using app passwords with DAV on multiple instances.

@janste1978 In case you synced your calendars with Thunderbird before enabling App Passwords and Two Factor, please make sure to properly remove the old saved passwords in Thunderbird. It's settings -> Privacy & security -> Passwords -> Saved Passwords ...

janste1978 commented 4 years ago

I have deleted the passwords 3 times without help

necrevistonnezr commented 4 years ago

I have the same issue on Thunderbird with tbsync and on Outlook with Caldav Synchronizer. With enabled TOTP and using an app password, I get the following error when trying to sync:

URL: https://[mydomain]/remote.php/dav (PROPFIND) Request:

Response: OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden password login forbidden

I tried to de-activate and active TOTP and set a new app password afterwards, same result.

georgehrke commented 4 years ago

Well, that exception is thrown in exactly two places:

https://github.com/nextcloud/server/blob/fda71a99794da0abfe119cc6e45dff7f02e2e25e/lib/private/User/Session.php#L452 https://github.com/nextcloud/server/blob/fda71a99794da0abfe119cc6e45dff7f02e2e25e/lib/private/User/Session.php#L455

isTokenPassword seems to be returning false there. Maybe @ChristophWurst has some hints how to debug that.

ChristophWurst commented 4 years ago

What is the reason for the exception at https://github.com/nextcloud/server/blob/fda71a99794da0abfe119cc6e45dff7f02e2e25e/lib/private/User/Session.php#L534?

georgehrke commented 4 years ago

They are thrown in plenty places in https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Token/DefaultTokenProvider.php

Mostly if the QBMapper threw a DoesNotExistException and if ICrypt::decrypt throws an exception: https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Token/DefaultTokenProvider.php#L333

necrevistonnezr commented 4 years ago

To add: I am able to access the Nextcloud calendar via iOS (also using app passwords) and add appointments that show up on the Nextcloud web calendar.

georgehrke commented 4 years ago

@necrevistonnezr Did you delete all related passwords from the Thunderbird password store before moving to app-passwords? If not, Lightning is probably trying to connect with an old password. (see https://support.mozilla.org/en-US/questions/1005341 how to find the password store.)

ChristophWurst commented 4 years ago

Mostly if the QBMapper threw a DoesNotExistException and if ICrypt::decrypt throws an exception: https://github.com/nextcloud/server/blob/master/lib/private/Authentication/Token/DefaultTokenProvider.php#L333

See https://github.com/nextcloud/server/pull/21122. That should help a bit and I think the patch might apply on older releases as that code did not change much recently.

necrevistonnezr commented 4 years ago

@necrevistonnezr Did you delete all related passwords from the Thunderbird password store before moving to app-passwords? If not, Lightning is probably trying to connect with an old password. (see https://support.mozilla.org/en-US/questions/1005341 how to find the password store.)

Yes, still the same. It now asks me for a password every time I start up Thunderbird, even if I tick "Use Password Manager to remember this password".

jogrue commented 3 years ago

Same here! Currently, I am running Nextcloud 19.0.3, but the issue was there for some time now. App passwords work for DAVDroid, but not very long with TBSync (currently 2.12) and the Provider for CalDAV & CardDAV addon (currently 1.12) in Thunderbird 68.12 (under Archlinux). This is my setup in Linux now, however, the same thing also happens under Windows.

I am pretty sure I have also seen the errors reported above, in https://github.com/nextcloud/twofactor_totp/issues/404#issuecomment-633868409. I will get back to you, as soon as I see the error again.

Basically, what happens: With TOTP activated and a new app password created, everything works fine at first. At some point, often after (re-)booting things stop working—although, I think it might happen after a certain amount of time. TBSync/Thunderbird keeps asking about the password and cannot connect with the app password anymore. What helps (for some time), is creating a new app password. After reading this thread, I just checked, and the old app password indeed works again after disabling TOTP, and also after re-enabling TOTP (I guess only for some time, however). For now, it works again, I will report back if I am able to gather some more information.

jogrue commented 3 years ago

Okay, so I had never changed the app password under Windows and I am pretty sure the password didn't work a few days ago (when I had last booted to Windows). When I booted to Windows yesterday, I was asked for the password again and it worked. I guess, due to de-/re-activating TOTP previously (see above). Now, the same app password stopped working again. Generating a new app-password also works for Windows for a short period.

My setup under Windows: Nextcloud 19.0.3 and Windows 10 x64 on the client side, Thunderbird 78.3.1 (32-bit), TBSync 2.16, Provider for CalDAV & CardDAV 1.19.

TbSync Logging/Event Log showed the error message below, which is different from the one above (although, I am not too sure it was always the same). Besides this warning/error, I did not see anything in the logs.

URL:
https://cloud.mydomain.tld/remote.php/dav/principals/users/myusername/ (PROPFIND)

Request:
<d:propfind xmlns:d="DAV:" xmlns:cal="urn:ietf:params:xml:ns:caldav" xmlns:cs="http://calendarserver.org/ns/"><d:prop><cal:calendar-home-set /><d:group-membership /></d:prop></d:propfind>

Response:
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect</s:message>
</d:error>

ChristophWurst commented 3 years ago

Please add \OC::$server->getLogger()->emergency('invalidating token ' . $token); to the beginning of this method: https://github.com/nextcloud/server/blob/caff1023ea72bb2ea94130e18a2a6e2ccf819e5f/lib/private/Authentication/Token/Manager.php#L210-L213. The line number may be different on your system.

If you use an app password but no 2FA, do the app passwords work forever? I'm still pretty sure this has nothing to do with 2FA as there is no such logic. Both 2FA and non-2FA auth take the same paths.

jogrue commented 3 years ago

I added the line, looks like this now:

    public function invalidateToken(string $token) {
        \OC::$server->getLogger()->emergency('invalidating token ' . $token);
        $this->defaultTokenProvider->invalidateToken($token);
        $this->publicKeyTokenProvider->invalidateToken($token);
    }

Am I correct that this prints an entry to the Nextcloud log files if the app password is invalidated? I will keep 2FA on and see what turns up in the logs. Afterwards I will try what happens if 2FA is disabled.

And you are maybe right that it is not an 2FA/TOTP issue. To be honest, I did not know where to start with this issue (Nextcloud, TOTP/2FA, Thunderbird, Tbsync). This was just the only thread I found on the issue—and I somehow made a wrong connection between app passwords and 2FA.

ChristophWurst commented 3 years ago

Am I correct that this prints an entry to the Nextcloud log files if the app password is invalidated? I will keep 2FA on and see what turns up in the logs. Afterwards I will try what happens if 2FA is disabled.

Exactly.

And you are maybe right that it is not an 2FA/TOTP issue. To be honest, I did not know where to start with this issue (Nextcloud, TOTP/2FA, Thunderbird, Tbsync). This was just the only thread I found on the issue—and I somehow made a wrong connection between app passwords and 2FA.

No worries. If it's that tokens are invalidated for some reason then the log will tell us.

jogrue commented 3 years ago

Actually, I just had another look at my Nextcloud log file, and some of it might be related (I don't know if these messages were not there at earlier times or if I did not spot them). So it could also be a problem with my setup. Errors look like this:

Fatal error:

Sabre\DAV\Exception\ServiceUnavailable: Doctrine\DBAL\Exception\DriverException: An exception occurred while executing 'UPDATE `oc_authtoken` SET `last_check` = ?, `last_activity` = ? WHERE `id` = ?' with params [1601580031, 1601580038, 1203]: SQLSTATE[HY000]: General error: 2006 MySQL server has gone away

Error:

Doctrine\DBAL\Exception\DriverException: An exception occurred while executing 'UPDATE `oc_authtoken` SET `last_check` = ?, `last_activity` = ? WHERE `id` = ?' with params [1601580031, 1601580038, 1203]: SQLSTATE[HY000]: General error: 2006 MySQL server has gone away

The full log file is here: https://pastebin.com/pd17QFqm

ChristophWurst commented 3 years ago

General error: 2006 MySQL server has gone away

Yes, exactly that. Your database isn't configured properly.

houdini69 commented 2 years ago

Hi, I've got the exact same issue with Thunderbird/TbSync/sabre-dav as soon as I activate 2FA in Nextcloud, with this error in TbSync:

URL: https://xxxxxx.xxx.x/nextcloud/remote.php/dav/principals/users/xxxxxxx/ (PROPFIND)

Request:

Response: OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden password login forbidden

Thunderbird macOS 91.7.0, TbSync 3.0.2, Nextcloud 23 on armbian

Laurent

gituser789 commented 2 years ago

Hi, I run into the same problem:

Is there any update available? Or any workaround?

tweinreich commented 2 years ago

Same issue here, slightly different scenario: Sync with macOS calendar app works without TOTP but after activating the app, the password cannot be verified anymore.

GitPullNow commented 1 year ago

Same issue here, I use a Security Key and get the same error.

Response:
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
  <s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
  <s:message/>
  <o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>

ChristophWurst commented 1 year ago

That response should only be generated if a client sends a password, not a valid token that can be found in the DB.
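The two response bodies quoted in this thread say different things about what the client did: the Sabre NotAuthenticated XML in jogrue's TbSync log means the credential was not accepted, while the PasswordLoginForbidden XML above means the server saw something that was not an app password at all, which is the point made in this comment. The following Python script is an added example for this thread, not Nextcloud, sabre/dav or TbSync code: it parses a sabre/dav error body (the XML form, or the one-line plain-text form TbSync logs) and maps the exception class to the likely client-side cause. The sample bodies are constructed from the ones posted above. The app-password format check assumes the five-groups-of-five form that Nextcloud's security settings page generates; that format is not stated anywhere in this thread.

```python
"""Classify a failed Nextcloud DAV login from the sabre/dav error body.

Added example for this issue thread; not Nextcloud or TbSync code.
"""
import re
import xml.etree.ElementTree as ET

SABRE_NS = "{http://sabredav.org/ns}"

# Constructed sample bodies, modelled on the responses quoted in the thread.
SAMPLE_FORBIDDEN = r"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
  <s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
  <s:message/>
  <o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>"""

SAMPLE_NOT_AUTHENTICATED = r"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect</s:message>
</d:error>"""

# TbSync's event log flattens the body to one line; handle that shape too.
SAMPLE_PLAIN = r"OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden password login forbidden"

# Assumption (not from the thread): app passwords generated in Nextcloud's
# security settings look like xxxxx-xxxxx-xxxxx-xxxxx-xxxxx.
APP_PASSWORD_RE = re.compile(r"^(?:[A-Za-z0-9]{5}-){4}[A-Za-z0-9]{5}$")
# PHP-style fully qualified class name, e.g. OCA\DAV\...\PasswordLoginForbidden
CLASS_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\\[A-Za-z_][A-Za-z0-9_]*)+")


def parse_dav_error(body: str) -> dict:
    """Extract the sabre exception class and message from an error body.

    XML bodies are parsed properly; anything else is scanned for a
    backslash-qualified class name."""
    body = body.strip()
    if body.startswith("<"):
        root = ET.fromstring(body.encode("utf-8"))
        exc = root.findtext(SABRE_NS + "exception") or ""
        msg = root.findtext(SABRE_NS + "message") or ""
        return {"exception": exc.strip(), "message": msg.strip()}
    m = CLASS_NAME_RE.search(body)
    return {"exception": m.group(0) if m else "", "message": body}


def diagnose(body: str) -> str:
    """Map the server-side exception to the likely client-side cause."""
    exc = parse_dav_error(body)["exception"]
    if exc.endswith("PasswordLoginForbidden"):
        # Raised only when the credential is not an app password: the client
        # sent the account password, typically a stale one from its store.
        return "client sent account password, not an app password"
    if exc.endswith("NotAuthenticated"):
        # The credential was not accepted at all: wrong or invalidated app
        # password, or the server could not look the token up.
        return "credentials rejected: app password wrong, invalidated, or token lookup failed"
    return "unknown exception: " + (exc or "<none>")


def looks_like_app_password(secret: str) -> bool:
    """Cheap client-side sanity check before storing a credential."""
    return APP_PASSWORD_RE.fullmatch(secret) is not None


if __name__ == "__main__":
    for name, body in [("xml forbidden", SAMPLE_FORBIDDEN),
                       ("xml not authenticated", SAMPLE_NOT_AUTHENTICATED),
                       ("plain text", SAMPLE_PLAIN)]:
        print(f"{name:22s} -> {diagnose(body)}")
    print("hunter2 looks like app password:", looks_like_app_password("hunter2"))
```

Feed it the body a client logs for a failed PROPFIND. A PasswordLoginForbidden result means the credential that reached the server was the account password (for example a stale entry in the client's password store), so regenerating the app password will not help until the client actually sends it; a NotAuthenticated result points at the app password itself or at the server's token lookup.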

Gravydigger commented 6 months ago

I have also been getting errors when Thunderbird tries to connect to nextcloud using an app password.

I generate a new app password on nextcloud:

I specify the username & the URL. I also then type in the app password when it asks for my password.

It authenticated me, and shows me the calendars I can pick from. I chose both:

When I try and enable the calendar (in this case my personal calendar):

ChristophWurst commented 6 months ago

Something is not right here. \OC\User\Session::logClientIn only throws PasswordLoginForbiddenException if the provided password is not an app password.

Gravydigger commented 6 months ago

Would supplying any logs or files assist in diagnosis of the issue?

Gravydigger commented 6 months ago

After logging onto my computer the next day, it worked for some reason?

Maybe a restart of the computer fixes the issue?

cirk2 commented 3 weeks ago

Ok, I got stuck on this as well. Gravydigger had the crucial hint.

Apparently Thunderbird holds on to the old password (or at least the basic auth string), even if it is deleted in the password manager, until it is restarted. Because of this my Thunderbird tried to use the old password instead of the App-Token when switching to two factor auth, no matter how often I recreated the Calendar or App-Token. Only fully killing the Thunderbird process made it use the App Token instead of the old Password.