Authentication error (from OCS) with Android

core
android

#1

Actual behaviour

  • Authentication not possible (message: Wrong user or password)

Expected behaviour

  • Login should work

Steps to reproduce

1) Use the ownCloud Android app (2.5.0, 2.6.0 or 2.7.0beta)
2) Enter server https://owncloud.somedomain.com
3) Message: secure connection established
4) Enter username / password (working fine when connecting using the browser, the Ubuntu desktop client or the cadaver DAV CLI client)
5) Message: wrong username or password

Environment data

Mobile client configuration:

Android 4.4.4 or 6.01 (both)
ownCloud Android client: 2.5.0, 2.6.0 or 2.7.0beta

Server configuration

Apache with PHP CGI/FastCGI
ownCloud 8.2.9 (fresh install)

Logs

Web server error log

no entry

ownCloud log (data/owncloud.log)

Exception: {"Message":"HTTP\/1.1 401 No basic authentication headers were found","Exception":"Sabre\DAV\Exception\NotAuthenticated","Code":0,"Trace":

Trace on Android client:


PROPFIND /remote.php/webdav/ HTTP/1.1
Depth: 0
Authorization: Basic XXXXXXXX=
User-Agent: Mozilla/5.0 (Android) ownCloud-android/2.7.0-beta.1
Host: owncloud.somedomain.com
Content-Length: 428
Content-Type: text/xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>

HTTP/1.1 207 Multi-Status
Date: Sun, 01 Apr 2018 07:27:32 GMT
Server: Apache
X-Powered-By: PHP/5.6.19
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
Vary: Brief,Prefer,Accept-Encoding,User-Agent
DAV: 1, 3, extended-mkcol
Set-Cookie: oc_sessionPassphrase=XXXXXXXX; path=/; secure; httponly
Set-Cookie: XXXXXXXX; path=/; secure; HttpOnly
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml; charset=utf-8

340
<?xml version="1.0" encoding="utf-8"?>
/remote.php/webdav/4380635RDNVCK4380635"5abf776734381"Sat, 31 Mar 2018 11:56:23 GMT00000018ocx1h5dyi9en852491423744HTTP/1.1 200 OKHTTP/1.1 404 Not Found

--------then-----------

GET /ocs/v1.php/cloud/user?format=json HTTP/1.1
OCS-APIREQUEST: true
Authorization: Basic XXXXXXXX=
User-Agent: Mozilla/5.0 (Android) ownCloud-android/2.7.0-beta.1
Host: owncloud.somedomain.com

HTTP/1.1 401 Unauthorized
Date: Sun, 01 Apr 2018 07:27:32 GMT
Server: Apache
X-Powered-By: PHP/5.6.19
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
WWW-Authenticate: Basic realm="Authorisation Required"
Set-Cookie: ocx1h5dyi9en=XXXXXXXX; path=/; HttpOnly
Set-Cookie: oc_sessionPassphrase=XXXXXXXX; path=/; secure; httponly
Vary: Accept-Encoding,User-Agent
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8

59
{"ocs":{"meta":{"status":"failure","statuscode":997,"message":"Unauthorised"},"data":[]}}
0
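
Added example, not part of the original post: the trace above shows the same `Authorization: Basic` header answered with 207 on `/remote.php/webdav/` and with 401 on `/ocs/v1.php/cloud/user`, which points away from a wrong password. The sketch below pairs requests with responses in such a capture and flags that pattern; the trace text, host name and function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the two exchanges in the trace above
# (header subset only; host and credentials are placeholders).
TRACE = """\
PROPFIND /remote.php/webdav/ HTTP/1.1
Depth: 0
Authorization: Basic PLACEHOLDER=
Host: owncloud.example.test

HTTP/1.1 207 Multi-Status
DAV: 1, 3, extended-mkcol

GET /ocs/v1.php/cloud/user?format=json HTTP/1.1
OCS-APIREQUEST: true
Authorization: Basic PLACEHOLDER=
Host: owncloud.example.test

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Authorisation Required"
"""

REQ = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
RESP = re.compile(r"^HTTP/1\.[01] (\d{3})\b")

def pair_exchanges(trace):
    """Return one dict per request: method, path, auth scheme sent, response status."""
    out, cur = [], None
    for line in trace.splitlines():
        if (m := REQ.match(line)):
            cur = {"method": m[1], "path": m[2], "auth": None, "status": None}
            out.append(cur)
        elif (m := RESP.match(line)) and cur and cur["status"] is None:
            cur["status"] = int(m[1])
        elif cur and cur["status"] is None and line.lower().startswith("authorization:"):
            cur["auth"] = (line.split(":", 1)[1].split() or ["?"])[0]  # scheme only
    return out

def auth_rejected_despite_header(exchanges):
    """Paths answered 401 although the client did send an Authorization header."""
    return [e["path"] for e in exchanges if e["auth"] and e["status"] == 401]

def inconsistent_entry_points(exchanges):
    """True when credentials are accepted by one entry point and refused by another."""
    sent = [e for e in exchanges if e["auth"] and e["status"]]
    return any(e["status"] == 401 for e in sent) and any(e["status"] < 400 for e in sent)
```

When `inconsistent_entry_points` returns True, the next place to look is how each entry point receives the header on the server, not the password stored in the client.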


#2

I'm interested in the reason why you have chosen to install such an outdated version of ownCloud? If you browse on:

you can see that ownCloud 10.0.7 is the latest available version. I think it doesn't make any sense to install anything else than this version on a fresh setup.

I did the following search:

https://central.owncloud.org/search?q=%22No%20basic%20authentication%20headers%20were%20found%22

and found:

https://central.owncloud.org/t/no-basic-authentication-headers-were-found-message/819

It seems to be that this is caused by some insufficient server configuration.


#3

> I'm interested in the reason why you have chosen to install such an outdated version of ownCloud?

Because the hosting provider refuses to upgrade libxml2 from 2.6.30 to at least 2.7.0 right now.
It is also the version of ownCloud provided by the hosting provider as quick install.
PHP would be available in latest versions.

> No basic authentication headers were found
> and found:
> https://central.owncloud.org/t/no-basic-authentication-headers-were-found-message/819
> It seems to be that this is caused by some insufficient server configuration.

I will check that with the hosting provider.

I've tried https://owncloud.somedomain.com/remote.php/webdav which shows the HTTP basic-auth popup, accepts the credentials entered and responds with "200/OK" and "This is the WebDAV interface. It can only be accessed by WebDAV clients such as the ownCloud desktop sync client.". Also, WebDAV from a CLI client or a WebDAV browser on the computer works fine.

Accessing OCS https://owncloud.somedomain.com/ocs/v1.php/cloud/user?format=json directly in the browser keeps sending the HTTP basic-auth popup (I did not add the "OCS-APIREQUEST: true" header manually). This is the URL used by the Android client.


#4

Mhhh, ok. Understand the reason. 🙂

But I don't think that it is a good idea to run ownCloud 8.2 on a public facing hosting provider. Besides the requirement for the libxml2 (which is probably there for a reason), 8.2 reached its end-of-life nearly one year ago according to https://github.com/owncloud/core/wiki/Maintenance-and-Release-Schedule

From what I know this means you won't get any bugfixes, security updates or support for this version.

Addition:

I did a short research on the issue tracker about that and found:

If I'm understanding this correctly the requirement indeed was already there for older versions of ownCloud. Only the newer versions had added a check for it.