on a UbiKey, enforce user verification to always be required for FIDO2 actions like signin: ykman fido config toggle-always-uv (note: this requires yubikey-manager >= 5.3.0 and can be done before or after enrolling via this plugin - it doesn't matter)
attempt to sign-in to nextcloud using that ubikey (which won't work, see below)
to validate that the key is in fact working, toggle user verification enforcement again (same command) so that it's off and re-attempt step 2 (which will now succeed)
Expected behaviour
Login should work with enforced user verification. Note: During enrollment, this is already working correctly - just not during login
Actual behaviour
The browser raises a notification to touch the ubikey. However, no popup is presented to request user verification and the LED of the key also does not indicate that any action is required. Touching it also does nothing, as the ubikey expects verification to be done but that's not possible as no popup for user valdiation is presented. Eventually the login fails (I presume a timeout?) and so login with enforced verification doesn't work. I assume this to be because this extension marks user verification to be discouraged, but I'm not certain about that.
I'd note that as the key is only used as second factor, someone who obtains the key would not directly gain access to nextcloud. From that perspective, it can be argued that enforced verification is unnecessary or overkill. However, this setting of ubikey is only available for the entire device. So as soon as other credentials are on it that would give instant access it makes sense to enforce user verification (as those other services may choose to not enforce it on their end). But if done, the user is no longer able to use it for this integration. A workaround is to always toggle validation on and off before / after login, but that's quite cumbersome and dangerous, as users may forget to toggle it back on after login.
Server configuration
Operating system:
hosted environment (I presume debian)
Web server:
Apache (hosted, so I'm not sure)
Database:
MySQL 28.0.5.1
PHP version:
8.1
Version: (see admin page)
1.4.0
Updated from an older version or fresh install:
Fresh install of the extension
(pretty huge, let me know if you really need it and I'll try to create a minimal log of the event)
Server log (data/nextcloud.log)
(pretty huge, let me know if you really need it and I'll try to create a minimal log of the event)
Browser log
JS console log below:
The resource from “REMOVED SENSITIVE VALUE/index.php/login/selectchallenge?redirect_url=/index.php/js/core/merged-template-prepend.js?v%3D93c3f87b-5” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff). webauthn
Loading failed for the Githubissues.
Githubissues is a development platform for aggregating issues.
Steps to reproduce
ykman fido config toggle-always-uv(note: this requires yubikey-manager >= 5.3.0 and can be done before or after enrolling via this plugin - it doesn't matter)Expected behaviour
Login should work with enforced user verification. Note: During enrollment, this is already working correctly - just not during login
Actual behaviour
The browser raises a notification to touch the ubikey. However, no popup is presented to request user verification and the LED of the key also does not indicate that any action is required. Touching it also does nothing, as the ubikey expects verification to be done but that's not possible as no popup for user valdiation is presented. Eventually the login fails (I presume a timeout?) and so login with enforced verification doesn't work. I assume this to be because this extension marks user verification to be discouraged, but I'm not certain about that.
I'd note that as the key is only used as second factor, someone who obtains the key would not directly gain access to nextcloud. From that perspective, it can be argued that enforced verification is unnecessary or overkill. However, this setting of ubikey is only available for the entire device. So as soon as other credentials are on it that would give instant access it makes sense to enforce user verification (as those other services may choose to not enforce it on their end). But if done, the user is no longer able to use it for this integration. A workaround is to always toggle validation on and off before / after login, but that's quite cumbersome and dangerous, as users may forget to toggle it back on after login.
Server configuration
Operating system: hosted environment (I presume debian)
Web server: Apache (hosted, so I'm not sure)
Database: MySQL 28.0.5.1
PHP version: 8.1
Version: (see admin page) 1.4.0
Updated from an older version or fresh install: Fresh install of the extension
List of activated apps:
The content of config/config.php: "instanceid": "REMOVED SENSITIVE VALUE", "passwordsalt": "REMOVED SENSITIVE VALUE", "secret": "REMOVED SENSITIVE VALUE", "trusteddomains": [ "REMOVED SENSITIVE VALUE" ], "datadirectory": "REMOVED SENSITIVE VALUE", "dbtype": "mysql", "version": "28.0.5.1", "overwrite.cli.url": "REMOVED SENSITIVE VALUE", "dbname": "REMOVED SENSITIVE VALUE", "dbhost": "REMOVED SENSITIVE VALUE", "dbport": "", "dbtableprefix": "oc", "mysql.utf8mb4": true, "dbuser": "REMOVED SENSITIVE VALUE", "dbpassword": "REMOVED SENSITIVE VALUE", "installed": true, "maintenance": false, "theme": "", "loglevel": 0, "updater.release.channel": "stable", "encryption.legacy_format_support": true, "encryption.key_storage_migrated": false, "default_phone_region": "REMOVED SENSITIVE VALUE", "updater.secret": "REMOVED SENSITIVE VALUE"
Client configuration
Browser: 115.12.0esr
Operating system: OpenSuse Leap 15.6
Logs
Web server error log
(pretty huge, let me know if you really need it and I'll try to create a minimal log of the event)
Server log (data/nextcloud.log)
(pretty huge, let me know if you really need it and I'll try to create a minimal log of the event)
Browser log
JS console log below:
The resource from “REMOVED SENSITIVE VALUE/index.php/login/selectchallenge?redirect_url=/index.php/js/core/merged-template-prepend.js?v%3D93c3f87b-5” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff). webauthn
Loading failed for the Githubissues.