
[Bug]: Can't authenticate when Nextcloud wants to confirm password #51637

Open
5 of 8 tasks
Bevito opened this issue Mar 21, 2025 · 26 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 31-feedback bug

Comments

@Bevito

Bevito commented Mar 21, 2025


Bug description

Hi,
The present issue is similar to #49829 (which is solved).
A lot of people still have issues with the input box that wants to confirm your password.
On our Nextcloud instance, the issue is still present.

I'm very sorry if I broke some rules about creating a new issue for issues already reported.

If I can help to resolve the issue, please, let me know.

Best regards.

Steps to reproduce

  1. Log in to Nextcloud with LDAP account
  2. Go to personal parameters
  3. Input a new password in Global Credentials area
  4. Save
  5. Input your password to confirm

Expected behavior

When Nextcloud asks for password confirmation, the password seems to be wrong.
Nextcloud fails to check the password even if it is correctly input.
Nextcloud sends an XHR POST to apps/files_external/globalcredentials and reports an HTTP error 403.

Nextcloud Server version

31

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated from a MINOR version (ex. 32.0.1 to 32.0.2)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.2.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "maxZipInputSize": 1073741824,
        "allowZipDownload": true,
        "theme": "",
        "overwrite.cli.url": "https:\/\/cloud.iut-orsay.fr",
        "htaccess.RewriteBase": "\/",
        "maintenance": false,
        "maintenance_window_start": 2,
        "default_language": "fr",
        "default_phone_region": "FR",
        "defaultapp": "files,dashboard",
        "log_type": "owncloud",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 0,
        "enable_previews": false,
        "trusted_domains": [
            "cloud.iut-orsay.fr"
        ],
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "PLAIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trashbin_retention_obligation": "auto",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "dbindex": 0,
            "timeout": 0
        },
        "onlyoffice": {
            "jwt_secret": "***REMOVED SENSITIVE VALUE***",
            "jwt_header": "AuthorizationJwt"
        },
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "ldapUserCleanupInterval": "60",
        "updater.release.channel": "stable",
        "mysql.utf8mb4": true,
        "mail_sendmailmode": "smtp",
        "app_install_overwrite": [
            "printer"
        ]
    }
}

List of activated Apps

Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - announcementcenter: 7.1.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_external: 1.23.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - groupfolders: 19.0.4
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - onlyoffice: 9.7.0
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - suspicious_login: 9.0.1
  - systemtags: 1.21.1
  - tasks: 0.16.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - twofactor_totp: 13.0.0-dev.0
  - updatenotification: 1.21.0
  - user_ldap: 1.22.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - drawio: 3.0.3 (installed 3.0.3)
  - encryption: 2.19.0
  - logreader: 4.0.0 (installed 2.14.0)
  - twofactor_nextcloud_notification: 5.0.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No specific logs found in nextcloud.log

Additional info

I checked and double checked the password before confirming it:

Image

The Firefox console when submitting the password. The error seems to be normal.
For some reason, Nextcloud can't verify the password.
I can log in with my account, but I can't authenticate when changing global credentials password.

Image

@Bevito Bevito added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Mar 21, 2025
@skjnldsv
Member

Hey, thanks for the additional report :)
Can you describe your setup?
Do you have a reverse proxy? Are you using nginx or Apache?

@Bevito
Author

Bevito commented Mar 25, 2025

Hi @skjnldsv, Thanks for your answer.

Nextcloud is installed on a DELL PowerEdge physical server, with Debian Bookworm (12.10 at the moment).
We have Apache2 as a web server and php8.2-fpm for PHP.
There is no reverse proxy.
Nextcloud is configured with MariaDB for the database and LDAP (OpenLDAP) for user authentication.
Redis is installed and configured for distributed memcache and locking; local memcache is configured with APCu.

I don't know what Nextcloud is trying to do when the input box wants to confirm the password.
I guess it does not do a connection like the login page?
There is a lot of LDAP traffic, so it's kind of difficult to check what is going on.

If you need any other information, please let me know.

@v3DJG6GL

I have the same problem with OpenID Connect (https://github.com/pulsejet/nextcloud-oidc-login):
Previously, until about 30.0.4, the password popup also appeared from time to time when changing some admin settings. I could then log out and log in again, which made the password popup disappear for a while.
At the moment, when changing some External Storage settings, the password popup always appears, even if I have just logged in again.
Entering the password obviously fails because my OpenID Connect provider manages my passwords.

  • Nextcloud: v31.0.2
  • Nextcloud OIDC Login: v3.2.2
  • Reverse Proxy: Traefik: v3.3.4
  • OpenID Connect Provider: Authelia: v4.39.1

@skjnldsv
Member

skjnldsv commented Mar 25, 2025

Thanks for both of your answers.

@Bevito can you confirm you have Apache's mod_env enabled?
@v3DJG6GL do you also use Apache?

@Bevito
Author

Bevito commented Mar 25, 2025

Yes, mod_env is enabled.
The command sudo a2enmod env reports: Module env already enabled

@cmdrscotty

I am also experiencing this issue (30.0.8). I can no longer add or modify external storage because it keeps requiring me to re-authenticate for any admin changes (despite already being logged in as admin).

(Minor note, upgrade path to next cloud 31 only shows up as a nightly release and not a stable release via update manager)

@gregecslo

I have nginx, reverse proxy and LDAP auth with MFA plugin.
Also not working.
Nextcloud 31.0.2

@drewzoo02

drewzoo02 commented Mar 27, 2025

Bug also present on 31.0.2 non-Docker setup with Apache, no proxy, and Active Directory for LDAP authentication.

Nextcloud version: 31.0.2 non-Docker
Web server: apache2
PHP version: 8.3.6
PHP extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, random, Reflection, SPL, session, standard, sodium, apache2handler, bz2, ldap, curl, fileinfo, gd, gmp, intl, mbstring, exif, zip, apcu, mysqlnd, PDO, xml, bcmath, calendar, ctype, dom, FFI, ftp, gettext, iconv, igbinary, imagick, msgpack, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, smbclient, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, memcached, libsmbclient, Zend OPcache
Database: mysql 10.11.8
Apps: Activity, Antivirus for files, AppAPI, Collaborative tags, Comments, Contacts Interaction, Dashboard, External storage support, Federation, File reminders, File sharing, Files download limit, First run wizard, LDAP user and group backend, Log Reader, Memories, Monitoring, Nextcloud announcements, Nextcloud webhook support, Notifications, Password policy, PDF viewer, Photos, Preview Generator, Privacy, Recommendations, Related Resources, Share by mail, Support, Teams, Text, Two-Factor TOTP Provider, Update notification, Usage survey, User status, Weather status

@v3DJG6GL

> @v3DJG6GL do you also use Apache?

No, I use NGINX.

@skjnldsv
Member

Seems like everyone here is using ldap though, no?

@cmdrscotty

> Seems like everyone here is using ldap though, no?

I'm not, just nextcloud's builtin user authentication system

@v3DJG6GL

> Seems like everyone here is using ldap though, no?

No, I'm using OIDC (https://github.com/pulsejet/nextcloud-oidc-login) for authentication.

@skjnldsv
Member

Dammit 😅
I'll keep diving further 👍

@skjnldsv
Member

skjnldsv commented Mar 28, 2025

Okay, as I cannot reproduce, I'll have to ask you to do some debugging:
Here is a patch to apply to your server. You can directly edit the lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php file, around line 82.

+++ b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
@@ -82,7 +82,7 @@ class PasswordConfirmationMiddleware extends Middleware {
                        [, $password] = explode(':', base64_decode(substr($authHeader, 6)), 2);
                        $loginResult = $this->userManager->checkPassword($user->getUid(), $password);
                        if ($loginResult === false) {
-                               throw new NotConfirmedException();
+                               throw new \Exception('Password confirmation failed: ' . $authHeader . ' ' . $password);
                        }
 
                        $this->session->set('last-password-confirm', $this->timeFactory->getTime());
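Review bot: the `+` line in this hunk writes the full Authorization header and the decoded plaintext password into nextcloud.log, and replacing NotConfirmedException with a bare \Exception changes the client-visible error from the 403 this thread is about to a generic 500, so the symptom shifts while the debug patch is in place. If the edit has to stay on a server for more than a single request, log only whether the header was present and the password's length, and keep the original throw, e.g. `error_log('Password confirmation failed; header present: ' . var_export($authHeader !== '', true) . ', password length: ' . strlen($password));` followed by the unchanged `throw new NotConfirmedException();`.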

It will display in your logs the auth header, which should look something like YWRtaW46YWRtaW4=, followed by your password. Do NOT copy/paste it here, but please do check that it's properly retrieved and that your password is indeed correct.

Again: DO NOT POST THE LOG HERE, only check the content yourself and revert the changes 👍

Explanations

The only similar issue I have come across was one where mod_env was disabled and the authorization header was not forwarded to the backend. So the controller was always receiving an empty password and could not check whether it was the right one.

So I need to check again if this is a similar case on your setups.

Details

The error in your nextcloud.log will show as the following:

{
  "Exception": "Exception",
  "Message": "Password confirmation failed: Basic YWRtaW46YWRtaW4= admin",
  "Code": 0,
  "Trace": [
    {
      "file": "/home/admin/git/server/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php",
      "line": 73,
      "function": "beforeController",
      "class": "OC\\AppFramework\\Middleware\\Security\\PasswordConfirmationMiddleware",
      "type": "->"
    },
    {
      "file": "/home/admin/git/server/lib/private/AppFramework/Http/Dispatcher.php",
      "line": 106,
      "function": "beforeController",
      "class": "OC\\AppFramework\\Middleware\\MiddlewareDispatcher",
      "type": "->"
    },
    {
      "file": "/home/admin/git/server/lib/private/AppFramework/App.php",
      "line": 161,
      "function": "dispatch",
      "class": "OC\\AppFramework\\Http\\Dispatcher",
      "type": "->"
    },
    {
      "file": "/home/admin/git/server/lib/private/Route/Router.php",
      "line": 307,
      "function": "main",
      "class": "OC\\AppFramework\\App",
      "type": "::"
    },
    {
      "file": "/home/admin/git/server/lib/base.php",
      "line": 1025,
      "function": "match",
      "class": "OC\\Route\\Router",
      "type": "->"
    },
    {
      "file": "/home/admin/git/server/index.php",
      "line": 24,
      "function": "handleRequest",
      "class": "OC",
      "type": "::"
    }
  ],
  "File": "/home/admin/git/server/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php",
  "Line": 85,
  "message": "Password confirmation failed: Basic YWRtaW46dmNkZmQ= vcdfd",
  "exception": {},
  "CustomMessage": "Password confirmation failed: Basic YWRtaW46dmNkZmQ= vcdfd"
}
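The explanation above hinges on whether the Basic Authorization header the prompt sends actually reaches PHP, and the debug patch answers that by logging the secret itself. The following is an added diagnostic written for this thread, not Nextcloud code: it mirrors the middleware's parsing from the hunk (substr of the header, base64_decode, explode on ':') but reports only whether a non-empty password was recovered and from which server variable. The function names are hypothetical, and the variable names HTTP_AUTHORIZATION and REDIRECT_HTTP_AUTHORIZATION are assumptions about where Apache or nginx with php-fpm exposes the header; the sample environments at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Added diagnostic, not Nextcloud code. Mirrors the Basic-auth parsing in
// PasswordConfirmationMiddleware (substr($authHeader, 6) -> base64_decode ->
// explode(':', ..., 2)) without ever outputting the header or the password.
// Assumed server variable names: HTTP_AUTHORIZATION (usual CGI name) and
// REDIRECT_HTTP_AUTHORIZATION (name after a mod_rewrite internal redirect).

/**
 * Extract the password from a "Basic <base64(user:password)>" header the way
 * the middleware does. Returns null for a missing, non-Basic or malformed header.
 */
function passwordFromBasicHeader(?string $authHeader): ?string
{
    if ($authHeader === null || stripos($authHeader, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($authHeader, 6), true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    [, $password] = explode(':', $decoded, 2);
    return $password;
}

/**
 * Build a secret-free report from a CGI/FPM-style server array ($_SERVER).
 * header_present=false while the browser is sending the prompt's value is the
 * header-forwarding failure described in the thread; password_present=true
 * together with a 403 points at the password check itself instead.
 */
function confirmationDiagnostic(array $server): array
{
    $source = null;
    $header = null;
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $name) {
        if (isset($server[$name]) && $server[$name] !== '') {
            $source = $name;
            $header = (string) $server[$name];
            break;
        }
    }
    $password = passwordFromBasicHeader($header);

    return [
        'header_present'   => $header !== null,
        'header_source'    => $source,
        'scheme_is_basic'  => $header !== null && stripos($header, 'Basic ') === 0,
        'password_present' => $password !== null && $password !== '',
        // Length is enough for the operator to recognise their own input
        // without the value reaching a log or a screenshot.
        'password_length'  => $password === null ? 0 : strlen($password),
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample environments for a stand-alone run. "YWRtaW46YWRtaW4="
    // is base64("admin:admin"), the same placeholder the thread uses.
    $samples = [
        'header forwarded'     => ['HTTP_AUTHORIZATION' => 'Basic YWRtaW46YWRtaW4='],
        'header after rewrite' => ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic YWRtaW46YWRtaW4='],
        'header stripped'      => [],
        'non-Basic scheme'     => ['HTTP_AUTHORIZATION' => 'Bearer not-a-basic-header'],
        'malformed base64'     => ['HTTP_AUTHORIZATION' => 'Basic %%%'],
    ];
    foreach ($samples as $label => $server) {
        printf("%-22s %s\n", $label, json_encode(confirmationDiagnostic($server)));
    }
} else {
    // Placed temporarily under the web root and requested with a Basic header,
    // it reports what PHP actually received from the web server.
    header('Content-Type: application/json');
    echo json_encode(confirmationDiagnostic($_SERVER));
}
```

Run it with php on the command line to see the five constructed cases, or drop it temporarily into the web root and request it with a throwaway credential such as `curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' https://<your-host>/authcheck.php` (placeholder host and file name); a response with header_present false is the forwarding problem, and the file should be removed again afterwards.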

@Bevito
Author

Bevito commented Mar 28, 2025

Hi @skjnldsv, I will test this this morning.
If you need, I can create a local, or an LDAP account.

Thanks a lot for your time, and all the help.

@Bevito
Author

Bevito commented Mar 28, 2025

I applied the patch, thanks.

When I try to change my global credentials password:

Image

The password on the "auth: Object" line is correct.
The password on the "data" line is correct too (it is just a test to see if I can save it to global credentials)

I get an HTTP error 500 this time:

Image

Here is the log:

I can confirm that my password is indeed correct in the log.

@v3DJG6GL

> Okay, as I cannot reproduce, I'll have to ask you to do some debugging:
> Here is a patch to apply to your server. You can directly edit the lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php file, around line 82.

Should I also try this patch with my OIDC setup?
Because in my situation, ideally no password prompt should appear at all, since - AFAIK - Nextcloud cannot know my OIDC login-based password anyway?
Earlier, until approx. v30.0.4, the password prompt appeared only if the admin user had been logged in for a longer time without re-authenticating. I then had to log out and log in again, which seemed to reset this counter. Although this was still a workaround, I at least could overcome the password prompt.
But currently, I cannot bypass the password prompt in any way...

@skjnldsv
Member

> Because in my situation, ideally no password prompt should appear at all, since - AFAIK - Nextcloud cannot know my OIDC login-based password anyway?

Nextcloud can still check if the password you entered is valid.
As a security measure we ask you to confirm sensitive actions. That's why I provided the patch to ensure the password you entered in the prompt is properly understood by Nextcloud security middleware.

Feel free to apply the patch too, but only to check the logs on your side and see if you do recognise your password.
⚠ Do not paste the log here 🙏

@skjnldsv
Member

@artonge something is weird here from the PasswordConfirmationMiddleware.
The password is properly retrieved from the backend, so it's not a header issue.

@v3DJG6GL

> Nextcloud can still check if the password you entered is valid.

How should that be possible? I don't think that is how OIDC works:
All that is managed by my OIDC provider (Authelia): Nextcloud should only receive an authentication token from my OIDC provider if login/authentication is successful.
It wasn't possible back then (v30.0.4) when I was able to bypass the password by logging out and in again: if I entered my OIDC password into that password prompt, it was (as expected) always wrong.

@skjnldsv
Member

@v3DJG6GL I'm lacking the knowledge then :)

@skjnldsv
Member

@v3DJG6GL OIDC cannot validate, you're 100% correct; I asked the engineers in charge to enlighten me 💡
We're investigating, your issue might slightly differ from this thread :)

@skjnldsv
Member

@v3DJG6GL can you also confirm you're facing a 403 when confirming your password?
If not, what error are you experiencing?

@v3DJG6GL

> @v3DJG6GL OIDC cannot validate, you're 100% correct; I asked the engineers in charge to enlighten me 💡 We're investigating, your issue might slightly differ from this thread :)

@skjnldsv alright, thanks for the confirmation! :)

> @v3DJG6GL can you also confirm you're facing a 403 when confirming your password? If not, what error are you experiencing?

Yes, I get a 403 when trying to authenticate.

@skjnldsv
Member

@v3DJG6GL thanks!
Can you type window.backendAllowsPasswordConfirmation in your browser console and give me the value?

@v3DJG6GL

@skjnldsv

window.backendAllowsPasswordConfirmation
true 
