Client refuses to log in

A month or two back I tried to run the new Web interface and was required to load oauth2. The experiment was a failure, oauth2 won’t work with http, only https.¹ I’ve tried removing the Web interface and oauth2 to revert to the previous behaviour. Unfortunately oauth2 seems to have triggered something deeper inside the system and every time it starts up I get the message “Oauth2 authentication requires a secured connection” in a pop-up. Other applications such as calendar, GPXpod or Gallery work fine from the web interface, it’s just the desktop client that seems to be affected.

If I create a file in files it doesn’t appear to synchronise to my directory on the server, likewise files don’t synchronise from directory to cloud.

¹This is a private cloud behind a firewall. There’s no need to increase security to https before that’s suggested!

Expected behaviour

Synchronisation client logs in.

Actual behaviour

“Oauth2 Error” pop-up with the message “Oauth2 authentication requires a secured connection.” and login fails.

Steps to reproduce

  1. Log in as user, OR
  2. Click on ownCloud icon

Server configuration

Operating system: AlmaLinux 8.6 (Sky Tiger)

Web server: Apache/2.4.37 (AlmaLinux)

Database: sqlite3 3.26.0

PHP version: 7.4.19

ownCloud version: 10.9.0.3

Storage backend (external storage): Local

Client configuration

Client version: 2.9.2

Operating system: AlmaLinux 8.6 (Sky Tiger)

OS language: English

Qt version used by client package (Linux only, see also Settings dialog):

Client package (From ownCloud or distro) (Linux only):

Installation path of client:

OAuth 2.0 really disabled on the ownCloud 10 server? What does occ app:list say?


Short answer:

$ ./occ app:list | grep auth
$

Do you want the full listing? It’s 139 lines long.


No, anybody on the network can sniff passwords in clear text if HTTP is used, TLS is always recommended.

Are there still remnants of oauth configuration in the config.php (or an additional.config.php) file?

If no, then there must be some configuration in the DB, however I’m unsure how to run queries on a SQLite DB…

I did a quick test and after the uninstall of the oauth2 app there are still the following tables in the DB:

| oc_oauth2_access_tokens     |
| oc_oauth2_auth_codes        |
| oc_oauth2_clients           |
| oc_oauth2_refresh_tokens    |

I deleted them in MySQL with the drop table statement.

There is no additional.config.php. The main config.php is pretty simple:

<?php
$CONFIG = array (
  'updatechecker' => false,
  'instanceid' => 'XXXXX',
  'passwordsalt' => 'XXXXX',
  'secret' => 'XXXXX',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => '<the server by name>',
    2 => '<the server by IP>',
    3 => '<a CNAME for the server (historic)>',
  ),
  'datadirectory' => '<path to the cloud directory>',
  'overwrite.cli.url' => 'http://localhost/owncloud',
  'dbtype' => 'sqlite3',
  'version' => '10.9.0.3',
  'logtimezone' => 'UTC',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/owncloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/owncloud/apps-external',
      'url' => '/apps-external',
      'writable' => true,
    ),
  ),
  'installed' => true,
  'mail_domain' => '<server FQDN>',
  'mail_from_address' => 'owncloud',
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => '<server FQDN>',
  'mail_smtpport' => '25',
  'theme' => '',
  'loglevel' => 2,
  'maintenance' => false,
  'allow_user_to_change_mail_address' => '',
  'files_external_allow_create_new_local' => 'true',
);

As for the DB:

$ sqlite3 <path>/owncloud.db
SQLite version 3.26.0 2018-12-01 12:34:55
Enter ".help" for usage hints.
sqlite> .tables
oc_account_terms             oc_gpxpod_tile_servers     
oc_accounts                  oc_gpxpod_tracks           
oc_activity                  oc_group_admin             
oc_activity_mq               oc_group_user              
oc_addressbookchanges        oc_groups                  
oc_addressbooks              oc_jobs                    
oc_appconfig                 oc_migrations              
oc_authtoken                 oc_mimetypes               
oc_calendarchanges           oc_mounts                  
oc_calendarobjects           oc_notifications           
oc_calendars                 oc_oauth2_access_tokens    
oc_calendarsubscriptions     oc_oauth2_auth_codes       
oc_cards                     oc_oauth2_clients          
oc_cards_properties          oc_oauth2_refresh_tokens   
oc_comments                  oc_persistent_locks        
oc_comments_read_markers     oc_preferences             
oc_credentials               oc_privatedata             
oc_dav_job_status            oc_properties              
oc_dav_properties            oc_schedulingobjects       
oc_dav_shares                oc_share                   
oc_external_applicable       oc_share_external          
oc_external_config           oc_storages                
oc_external_mounts           oc_systemtag               
oc_external_options          oc_systemtag_group         
oc_federated_reshares        oc_systemtag_object_mapping
oc_file_locks                oc_trusted_servers         
oc_filecache                 oc_users                   
oc_files_trash               oc_vcategory               
oc_gpxpod_options_values     oc_vcategory_to_object     
sqlite> drop table oc_oauth2_access_tokens;
sqlite> drop table oc_oauth2_auth_codes;
sqlite> drop table oc_oauth2_clients;
sqlite> drop table oc_oauth2_refresh_tokens;
sqlite> .quit

But it still asks for Oauth2 authentication requires a secured connection. I’m just in the middle of L0 dumps, so I’ll try a reboot in an hour or so and see if that clears it.


Can you output the oc_appconfig where appid is oauth2. If there is anything, I’d guess these entries could be removed as well, but make sure to NOT remove the whole table!

EDIT: missing NOT :scream:

sqlite> select * from oc_appconfig where appid = 'oauth2';
oauth2|signed|true
oauth2|installed_version|0.5.2
oauth2|enabled|yes
oauth2|types|authentication
sqlite> delete from oc_appconfig where appid = 'oauth2';
sqlite> select * from oc_appconfig where appid = 'oauth2';
sqlite>

Still hasn’t cleared it, I’ll report back after the reboot.


There must be some more configuration somewhere else in the DB, not sure where though…
I don’t think a reboot will change anything.

I need to take a reboot anyhow, after the dumps I’ve run the updates and want a clean system.


Perhaps try to find your owncloud.cfg. On my Kubuntu system it is in ./.config/ownCloud/owncloud.cfg
Looking into it I can see the following line:

0\http_CredentialVersion=1
0\http_oauth=true

Perhaps switch that to false? @michaelstingl

I’ve just done that, and the pop-up is still there! :frowning_face: Is it possible that config info is just read at startup? I note that the client seems to hide rather than go away. Should the credential version be changed in any way, I’m assuming that 1 is the most basic?

I would only edit this file after closing the client and reopening once the config file was correctly saved.

Would be interesting, yes.

Don’t forget to delete the related background job as well.
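The server-side cleanup discussed in the replies above (leftover `oc_oauth2_*` tables, `oc_appconfig` rows and a background job), as an added example that is not part of the thread or of ownCloud's own code. It runs against a constructed in-memory database; the `class` column of `oc_jobs`, the job class name and the column layouts are assumptions.

```python
import sqlite3

def build_sample_db():
    """Constructed in-memory stand-in for owncloud.db after the oauth2 app was removed."""
    db = sqlite3.connect(":memory:")
    db.executescript(r"""
        CREATE TABLE oc_appconfig (appid TEXT, configkey TEXT, configvalue TEXT);
        CREATE TABLE oc_jobs (id INTEGER PRIMARY KEY, class TEXT);  -- assumed layout
        CREATE TABLE oc_oauth2_clients (id INTEGER PRIMARY KEY);
        CREATE TABLE oc_oauth2_access_tokens (id INTEGER PRIMARY KEY);
        INSERT INTO oc_appconfig VALUES ('oauth2','enabled','yes'),
                                        ('oauth2','types','authentication'),
                                        ('files','enabled','yes');
        INSERT INTO oc_jobs (class) VALUES ('OCA\Example\OAuth2CleanupJob'),  -- hypothetical
                                           ('OCA\Files\BackgroundJob\ScanFiles');
    """)
    return db

def find_remnants(db, app="oauth2"):
    """Report leftover tables, oc_appconfig rows and oc_jobs rows for a removed app."""
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE ? ESCAPE '!' ORDER BY name",
        (f"oc!_{app}!_%",))]
    config = db.execute(
        "SELECT configkey, configvalue FROM oc_appconfig WHERE appid = ? ORDER BY configkey",
        (app,)).fetchall()
    jobs = db.execute(  # SQLite LIKE is case-insensitive for ASCII, so 'OAuth2' matches
        "SELECT id, class FROM oc_jobs WHERE class LIKE ? ORDER BY id", (f"%{app}%",)).fetchall()
    return {"tables": tables, "appconfig": config, "jobs": jobs}

def purge_remnants(db, app="oauth2"):
    """Remove only what find_remnants() reported; oc_appconfig and oc_jobs themselves stay."""
    found = find_remnants(db, app)
    with db:  # one transaction: commit on success, roll back on error
        for table in found["tables"]:
            db.execute(f'DROP TABLE "{table}"')
        db.execute("DELETE FROM oc_appconfig WHERE appid = ?", (app,))
        db.executemany("DELETE FROM oc_jobs WHERE id = ?", [(j[0],) for j in found["jobs"]])
    return found
```

Running `find_remnants()` first gives a dry-run report; on a real instance, point `sqlite3.connect()` at a copy of `owncloud.db` before purging.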

$ ./occ app:list
Enabled:
  - activity:
    - Version: 2.7.0
    - Path: /var/www/html/owncloud/apps-external/activity
  - calendar:
    - Version: 1.6.4
    - Path: /var/www/html/owncloud/apps-external/calendar
  - comments:
    - Version: 0.3.0
    - Path: /var/www/html/owncloud/apps/comments
  - configreport:
    - Version: 0.2.0
    - Path: /var/www/html/owncloud/apps/configreport
  - dav:
    - Version: 0.7.0
    - Path: /var/www/html/owncloud/apps/dav
  - federatedfilesharing:
    - Version: 0.5.0
    - Path: /var/www/html/owncloud/apps/federatedfilesharing
  - federation:
    - Version: 0.1.0
    - Path: /var/www/html/owncloud/apps/federation
  - files:
    - Version: 1.5.2
    - Path: /var/www/html/owncloud/apps/files
  - files_external:
    - Version: 0.8.0
    - Path: /var/www/html/owncloud/apps/files_external
  - files_mediaviewer:
    - Version: 1.0.5
    - Path: /var/www/html/owncloud/apps/files_mediaviewer
  - files_pdfviewer:
    - Version: 1.0.1
    - Path: /var/www/html/owncloud/apps/files_pdfviewer
  - files_sharing:
    - Version: 0.14.0
    - Path: /var/www/html/owncloud/apps/files_sharing
  - files_texteditor:
    - Version: 2.4.1
    - Path: /var/www/html/owncloud/apps/files_texteditor
  - files_trashbin:
    - Version: 0.9.1
    - Path: /var/www/html/owncloud/apps/files_trashbin
  - files_versions:
    - Version: 1.3.0
    - Path: /var/www/html/owncloud/apps/files_versions
  - firstrunwizard:
    - Version: 1.2.0
    - Path: /var/www/html/owncloud/apps/firstrunwizard
  - gallery:
    - Version: 16.1.2
    - Path: /var/www/html/owncloud/apps-external/gallery
  - gpxpod:
    - Version: 2.2.2
    - Path: /var/www/html/owncloud/apps-external/gpxpod
  - impersonate:
    - Version: 0.5.1
    - Path: /var/www/html/owncloud/apps-external/impersonate
  - market:
    - Version: 0.6.3
    - Path: /var/www/html/owncloud/apps-external/market
  - metadata:
    - Version: 0.10.0
    - Path: /var/www/html/owncloud/apps-external/metadata
  - notifications:
    - Version: 0.5.4
    - Path: /var/www/html/owncloud/apps/notifications
  - provisioning_api:
    - Version: 0.5.0
    - Path: /var/www/html/owncloud/apps/provisioning_api
  - systemtags:
    - Version: 0.3.0
    - Path: /var/www/html/owncloud/apps/systemtags
  - tasks:
    - Version: 0.9.7
    - Path: /var/www/html/owncloud/apps-external/tasks
  - templateeditor:
    - Version: 0.4.0
    - Path: /var/www/html/owncloud/apps/templateeditor
  - updatenotification:
    - Version: 0.2.1
    - Path: /var/www/html/owncloud/apps/updatenotification
Disabled:
  - admin_audit:
    - Path: /var/www/html/owncloud/apps/admin_audit
  - announcementcenter:
    - Path: /var/www/html/owncloud/apps/announcementcenter
  - customgroups:
    - Path: /var/www/html/owncloud/apps/customgroups
  - encryption:
    - Path: /var/www/html/owncloud/apps/encryption
  - enterprise_key:
    - Path: /var/www/html/owncloud/apps/enterprise_key
  - external:
    - Path: /var/www/html/owncloud/apps/external
  - files_antivirus:
    - Path: /var/www/html/owncloud/apps/files_antivirus
  - files_classifier:
    - Path: /var/www/html/owncloud/apps/files_classifier
  - files_external_dropbox:
    - Path: /var/www/html/owncloud/apps/files_external_dropbox
  - files_external_ftp:
    - Path: /var/www/html/owncloud/apps/files_external_ftp
  - files_ldap_home:
    - Path: /var/www/html/owncloud/apps/files_ldap_home
  - files_lifecycle:
    - Path: /var/www/html/owncloud/apps/files_lifecycle
  - firewall:
    - Path: /var/www/html/owncloud/apps/firewall
  - graphapi:
    - Path: /var/www/html/owncloud/apps/graphapi
  - guests:
    - Path: /var/www/html/owncloud/apps/guests
  - metrics:
    - Path: /var/www/html/owncloud/apps/metrics
  - openidconnect:
    - Path: /var/www/html/owncloud/apps/openidconnect
  - password_policy:
    - Path: /var/www/html/owncloud/apps/password_policy
  - ransomware_protection:
    - Path: /var/www/html/owncloud/apps/ransomware_protection
  - sharepoint:
    - Path: /var/www/html/owncloud/apps/sharepoint
  - systemtags_management:
    - Path: /var/www/html/owncloud/apps/systemtags_management
  - theme-enterprise:
    - Path: /var/www/html/owncloud/apps/theme-enterprise
  - user_external:
    - Path: /var/www/html/owncloud/apps/user_external
  - user_ldap:
    - Path: /var/www/html/owncloud/apps/user_ldap
  - user_shibboleth:
    - Path: /var/www/html/owncloud/apps/user_shibboleth
  - windows_network_drive:
    - Path: /var/www/html/owncloud/apps/windows_network_drive
  - wopi:
    - Path: /var/www/html/owncloud/apps/wopi
  - workflow:
    - Path: /var/www/html/owncloud/apps/workflow

After the reboot the oauth2 message was still appearing. I tried adding a new user with the identical username and password and it worked! However:

  1. It has created a new directory tree for me.
  2. My largest set of files were not marked for synchronisation and it warned me that unsynchronised directories would be removed from the cloud. I therefore ticked it and clicked on manual to ensure that 137 GiB of photos weren’t deleted! This has triggered a copy from the cloud on the server to my home directory (also on the server). There are also 171 files that didn’t sync with the message:
The downloaded file does not match the checksum, it will be resumed. '<a long hex string>' != '<a different hex string>',Photos/XXX/XXX/IMG_XXXX.JPG  ,ownCloud2  ,6.8 MB,jmr@tamar.home      ,2022-08-11T14:17:48.000,Error ,

(excess spaces removed)

Thanks all for your help, I’ve finally nailed it. In ~/.config/owncloud.cfg, adding the second connection meant that under [Accounts] there were two sets of parameters prefixed by 0 and 1 respectively. Examination of the two http_oauth values showed one as true and the other as false. I recalled @eneubauer's comment about “I would only edit this file after closing the client” (which arrived after I did the original edit), so closed down the desktop client first this time. I made the edit and both accounts now worked. :grinning: Thanks.

I removed the temporary account, and have deleted the ~/ownCloud2 tree, logged out and back in again and all starts up as expected.

Once again, thanks for your patience and expertise.
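The client-side check that resolved this thread, as an added example that is not part of the thread or of the ownCloud client's code: it parses the numbered `N\key=value` entries under `[Accounts]`, reports accounts that still have `http_oauth=true` against a plain `http://` server, and rewrites only those lines. The `url` and `version` keys, the sample values and the `owncloud` process name are assumptions; only `http_oauth` and `http_CredentialVersion` are quoted in the thread.

```python
import re
import subprocess

# Constructed sample of owncloud.cfg with two accounts, as described in the thread.
# The "url" and "version" keys are assumptions, not quoted on the page.
SAMPLE_CFG = r"""[Accounts]
version=2
0\http_CredentialVersion=1
0\http_oauth=true
0\url=http://cloud.example.home/owncloud
1\http_CredentialVersion=1
1\http_oauth=false
1\url=http://cloud.example.home/owncloud
"""

ACCOUNT_KEY = re.compile(r"^(\d+)\\([^=]+)=(.*)$")  # e.g. 0\http_oauth=true

def parse_accounts(text):
    """Return {account index: {key: value}} for the [Accounts] section."""
    accounts, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Accounts" and (m := ACCOUNT_KEY.match(line)):
            accounts.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return accounts

def oauth_on_plain_http(accounts):
    """Indexes whose account still has http_oauth=true while the URL is http://."""
    return sorted(i for i, kv in accounts.items()
                  if kv.get("http_oauth") == "true"
                  and kv.get("url", "").lower().startswith("http://"))

def disable_oauth(text, indexes):
    """Rewrite only the N\\http_oauth lines of the given accounts; other lines are untouched."""
    out = []
    for line in text.splitlines(keepends=True):
        m = ACCOUNT_KEY.match(line.strip())
        if m and int(m.group(1)) in indexes and m.group(2) == "http_oauth":
            line = line.replace("=true", "=false", 1)
        out.append(line)
    return "".join(out)

def client_running(name="owncloud"):
    """True if a process with this exact name exists (the process name is an assumption)."""
    return subprocess.run(["pgrep", "-x", name], capture_output=True).returncode == 0
```

Write the result of `disable_oauth()` back only when `client_running()` is false, which is the ordering the thread found necessary for the edit to take effect.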
