nextcloud / twofactor_u2f

🔑 U2F second factor provider for Nextcloud
https://apps.nextcloud.com/apps/twofactor_u2f
GNU Affero General Public License v3.0

Doesn't trigger on Firefox mobile but works on other sites #554

Open vwbusguy opened 5 years ago

vwbusguy commented 5 years ago

Steps to reproduce

  1. Login to nextcloud
  2. Select U2F device
  3. Doesn't open dialog for USB/NFC, but immediately fails

Note that this same Firefox browser/key/phone works with GitHub. I'm able to get the dialog and NFC auth via Chrome Browser, but not Firefox, specifically on NextCloud 17.

Expected behaviour

User logs in, selects U2F device, prompt opens to select USB/NFC, key is presented, user is authenticated.

Actual behaviour

User logs in, selects U2F device, no dialog is presented and the key check immediately fails. User must cancel login or present backup code to proceed.

Server configuration

Operating system: Fedora 30

Web server: Apache/2.4.41

Database: Mariadb 10.3.17

PHP version: 7.3.9

Version: (see admin page) 17.0.0

Updated from an older version or fresh install: Updated from latest 16.x

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your server installation folder

The content of config/config.php:

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or

Insert your config.php content here
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)

```json
{
  "trusted_domains": [],
  "datadirectory": "***REMOVED SENSITIVE VALUE***",
  "dbtype": "mysql",
  "dbhost": "***REMOVED SENSITIVE VALUE***",
  "dbname": "***REMOVED SENSITIVE VALUE***",
  "dbuser": "***REMOVED SENSITIVE VALUE***",
  "dbpassword": "***REMOVED SENSITIVE VALUE***",
  "installed": true,
  "dbtableprefix": "oc_",
  "instanceid": "***REMOVED SENSITIVE VALUE***",
  "log_type": "syslog",
  "check_for_working_htaccess": false,
  "asset-pipeline.enabled": false,
  "assetdirectory": "\/srv\/nextcloud",
  "preview_libreoffice_path": "\/usr\/bin\/libreoffice",
  "apps_paths": [
    { "path": "\/srv\/nextcloud\/apps", "url": "\/apps", "writable": false },
    { "path": "\/var\/lib\/nextcloud\/apps", "url": "\/apps-appstore", "writable": true }
  ],
  "memcache.local": "\\OC\\Memcache\\Redis",
  "filelocking.enabled": true,
  "memcache.locking": "\\OC\\Memcache\\Redis",
  "redis": { "host": "***REMOVED SENSITIVE VALUE***", "port": 0, "timeout": 0 },
  "theme": "",
  "loglevel": 0,
  "maintenance": false,
  "version": "17.0.0.9",
  "mail_smtpmode": "smtp",
  "mail_from_address": "***REMOVED SENSITIVE VALUE***",
  "mail_domain": "***REMOVED SENSITIVE VALUE***",
  "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
  "mail_smtpport": "25",
  "mail_smtpauth": 1,
  "updater.release.channel": "stable",
  "overwrite.cli.url": "https:\/\/\/nextcloud",
  "mail_smtpauthtype": "LOGIN",
  "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
  "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
  "app_install_overwrite": [
    "calendar", "passman", "ocsms", "radio",
    "socialsharing_twitter", "socialsharing_facebook", "socialsharing_email"
  ],
  "mysql.utf8mb4": true,
  "updater.secret": "***REMOVED SENSITIVE VALUE***",
  "twofactor_enforced": "false",
  "twofactor_enforced_groups": [ "admin" ],
  "twofactor_enforced_excluded_groups": []
}
```

Client configuration

Browser: Firefox 68.1.1

Operating system: Android 9 (Samsung Galaxy S9+)

ChristophWurst commented 5 years ago

Please enable ADB, connect the device to your desktop machine and check the browser console via FF desktop's developer tools. Then please share the console logs with us. I'm sure there is one or another error logged.

overwrite.cli.url": "https:///nextcloud"

is this your actual value? This is not a valid URL. With this value, u2f won't work.

vwbusguy commented 5 years ago

@ChristophWurst - I put REDACTED in >/< and github filtered it out. It's a self-hosted nextcloud instance.

I'll report back once I can get setup with adb and figure out how to connect desktop Firefox to it. It's odd that other websites, like Github work with Firefox on my phone. It's not even opening the Android U2F dialog.

ChristophWurst commented 5 years ago

I'll report back once I can get setup with adb and figure out how to connect desktop Firefox to it.

It's relatively easy: https://developer.mozilla.org/en-US/docs/Tools/Remote_Debugging/Debugging_Firefox_for_Android_with_WebIDE_clone

ChristophWurst commented 5 years ago

Ah … do you use a subfolder for Nextcloud?

vwbusguy commented 5 years ago

Yes, I do.

vwbusguy commented 5 years ago

Here's what I see in the console debugging. It looks like it's failing to load a script.

(Screenshot from 2019-10-24 14-56-20: browser console output)

vwbusguy commented 5 years ago

The u2f listed there appears to just be some JSON: {"message":"Current user is not logged in"}

ChristophWurst commented 5 years ago

You get an error 1: https://developers.yubico.com/U2F/Libraries/Client_error_codes.html

I do not yet know when these pop up and how to fix. It also showed at https://github.com/nextcloud/twofactor_u2f/issues/555.

Thanks for the debug info!

ChristophWurst commented 5 years ago

The u2f listed there appears to just be some JSON: {"message":"Current user is not logged in"}

Where exactly is that json from?

vwbusguy commented 5 years ago

You can see the first line of the console in my screenshot references "u2f" which appears to be some kind of json response. I don't know more than that.

vwbusguy commented 5 years ago

It's also weird that it's so specific. Desktop Firefox works fine. Chrome on Android works fine. Firefox on Android is where it is broken. It also seems specific to Nextcloud, since the same key/browser/device works for GitHub logins. It never actually opens the dialog where I present my key, but immediately fails instead.

ChristophWurst commented 4 years ago

Hi,

I do not have the time to dig into this any deeper at the moment. If you do, please let me know if there are any insights. Could you get it running in the meantime?

vwbusguy commented 4 years ago

I'm not sure I have anything more to offer about it other than the same behavior persists on Fedora 31, with NextCloud 17.0.1, with Firefox (Android) 68.2.1.

Brianetta commented 4 years ago

Just chiming in that I'm also experiencing this issue, as described. I've updated to version 5.0.0.

strugee commented 4 years ago

Firefox does not support U2F, only its standardized successor Webauthn/FIDO2. Chrome supports both of these APIs which is why it's working, and GitHub has upgraded to FIDO2 which is why GitHub works.

This issue is a duplicate of #342.

strugee commented 4 years ago

Closing since this is a duplicate. @ChristophWurst hope I'm not stepping on your toes since I have write access from a different team :-)

ChristophWurst commented 4 years ago

Firefox does not support U2F

Actually FF works fine. I'm using it for u2f. And to my knowledge fido2 is backwards-compatible with u2f.

vwbusguy commented 4 years ago

@ChristophWurst is right. The same browser works with my u2f mfa for my github account.

strugee commented 4 years ago

Ack, I lost track of this ticket. Turns out that U2F is enabled on desktop Firefox for compatibility reasons but not on mobile Firefox, which is why this works on the desktop but not on mobile.

You're right that FIDO2 is backwards-compatible with U2F in some cases, but I'm pretty sure that's limited to security keys. If a website uses FIDO2, a U2F security key will work with it. But FIDO2/Webauthn still uses different JS APIs. (At least AFAIK, obviously I've been wrong once already... but I'm pretty sure.)

ChristophWurst commented 4 years ago

Yeah, and this app focuses on security keys exclusively right now. There is https://github.com/michib/nextcloud_twofactor_webauthn for webauthn if you want to try that.

vwbusguy commented 4 years ago

To be clear, I'm not using the key for passwordless authentication (which is what I assume webauthn would pertain to) but as a second factor after password.

Brianetta commented 4 years ago

To be clear, I'm not using the key for passwordless authentication (which is what I assume webauthn would pertain to) but as a second factor after password.

This assumption is incorrect. Webauthn is the new browser API for interfacing with the user's FIDO tokens, and as well as offering passwordless authentication it is the direct successor to U2F, offering the same second factor authentication (even with the same FIDO1 hardware) but with more consistency across browsers.
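The two comments above (strugee's point that U2F and WebAuthn are different JavaScript APIs, and Brianetta's point that WebAuthn can still do plain second-factor authentication with the same FIDO1 hardware) can be shown in client-side code. The following is an added example, not code from the twofactor_u2f app or from anyone in this thread. It detects which API the browser exposes (the legacy `window.u2f` object the app relies on, or `navigator.credentials` for WebAuthn), builds the sign request for each, and for WebAuthn reuses a U2F-registered key handle via the standard `appid` extension. The function names, the stand-in `window` objects and the sample values are all constructed for the example; the U2F client error codes are the ones from the U2F JavaScript API that ChristophWurst linked to.

```javascript
// Added example (not the twofactor_u2f app's code). Demonstrates the two browser APIs a
// second-factor login with a FIDO security key can go through, and how a key registered
// under legacy U2F can still be used through WebAuthn.

// Client error codes of the legacy U2F JavaScript API ("error 1" in the console screenshot).
const U2F_ERROR_CODES = {
  0: "OK",
  1: "OTHER_ERROR",
  2: "BAD_REQUEST",
  3: "CONFIGURATION_UNSUPPORTED",
  4: "DEVICE_INELIGIBLE",
  5: "TIMEOUT",
};

function describeU2fError(code) {
  return U2F_ERROR_CODES[code] || `UNKNOWN(${code})`;
}

// `g` stands in for `window` so the detection can be exercised outside a browser.
// WebAuthn is preferred when present; the legacy API is only a fallback. A browser
// such as Firefox for Android exposes neither `u2f` nor a working fallback, so a
// U2F-only page fails before any key dialog is shown.
function detectFidoApi(g) {
  const creds = g.navigator && g.navigator.credentials;
  if (g.PublicKeyCredential && creds && typeof creds.get === "function") {
    return "webauthn";
  }
  if (g.u2f && typeof g.u2f.sign === "function") {
    return "u2f";
  }
  return "none";
}

// U2F key handles and challenges are transported as unpadded base64url strings.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  const bin = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Legacy API request: u2f.sign(appId, challenge, registeredKeys, callback).
function buildU2fRequest(challengeB64, keyHandleB64, appId) {
  return {
    appId,
    challenge: challengeB64,
    registeredKeys: [{ version: "U2F_V2", keyHandle: keyHandleB64 }],
  };
}

// navigator.credentials.get() request that reuses the U2F-registered key: the key handle
// becomes the credential id and the "appid" extension makes the authenticator derive the
// key from the original U2F AppID instead of the rpId. If the AppID does not match the
// one used at registration, the authenticator treats the key as ineligible.
function buildWebAuthnRequest(challengeB64, keyHandleB64, appId, rpId) {
  return {
    publicKey: {
      challenge: base64urlToBytes(challengeB64),
      rpId,
      allowCredentials: [
        { type: "public-key", id: base64urlToBytes(keyHandleB64), transports: ["usb", "nfc"] },
      ],
      userVerification: "discouraged", // second factor only: user presence, no PIN
      timeout: 60000,
      extensions: { appid: appId },
    },
  };
}

// Sign with whichever API is available. Resolves to that API's raw response and rejects
// with a descriptive error (including the decoded U2F error code) otherwise.
function signWithSecurityKey(g, challengeB64, keyHandleB64, appId, rpId) {
  switch (detectFidoApi(g)) {
    case "webauthn":
      return g.navigator.credentials.get(buildWebAuthnRequest(challengeB64, keyHandleB64, appId, rpId));
    case "u2f":
      return new Promise((resolve, reject) => {
        const req = buildU2fRequest(challengeB64, keyHandleB64, appId);
        g.u2f.sign(req.appId, req.challenge, req.registeredKeys, (resp) => {
          if (resp.errorCode) {
            reject(new Error(`U2F sign failed: ${describeU2fError(resp.errorCode)}`));
          } else {
            resolve(resp);
          }
        });
      });
    default:
      return Promise.reject(new Error("No FIDO API available in this browser"));
  }
}
```

The `appid` value must be exactly the AppID the key was registered under (an https origin, or a facet list under it); with a Nextcloud instance in a subfolder this is why a malformed `overwrite.cli.url` or a changed base URL shows up as a sign failure rather than a prompt.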

tigernero79 commented 4 years ago

To be clear, I'm not using the key for passwordless authentication (which is what I assume webauthn would pertain to) but as a second factor after password.

Try installing Google Authenticator and test whether U2F works in FF.

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

vwbusguy commented 4 years ago

Yes, I have Google Authenticator installed (which is actually for TOTP). Like I said in my original post, this works in Firefox for other sites on the same device. I can use my key with github in Firefox on Android. I can use my key with nextcloud on Chrome with the same device. It's specific to Nextcloud with Firefox on Android.