TOTP 2FA doesn't seem to work with OwnCloud Server 10.15 docker container

I have managed to successfully set up a docker-compose.yml containing owncloud/server:10.15, Traefik, MariaDB and Redis containers and using my SSL certificate successfully.

I can access the ownCloud login page and log in as the admin user and set all the various options I want.

Everything is working well except when it comes to enabling 2FA. I enabled apps for Password Policy, OAuth2. These both work, as it correctly applies password settings I have selected and also using a desktop client makes use of OAuth2.0 correctly.

When I go to the security tab and enable forced 2FA for all users, I then create a new user, the email arrives, I follow the link and was expecting the login page to have a QR code and work like shown in the documentation but it does not. It only has the usual login option with username and password.

I read that it requires imagemagick and php-imagick. When I interrogate the docker container I can see that it appears to have these present inside the container.

Note that I can reproduce the issue if I use the simpler example docker compose setup from ownCloud’s documentation on the web.

Any help would be much appreciated.

Steps to reproduce

  1. Create a running instance of ownCloud using: Installing with Docker
  2. Login as the admin account, enable enforced 2FA for all users
  3. Create a new user and let it email them the link to setup their account.
  4. Follow the link from the email and the user sees the normal login screen, not a 2FA login screen.

Expected behaviour

Expect to see a 2FA based login screen like shown here: User Two-Factor Authentication

Actual behaviour

See the normal login screen requiring user name and password.

Server configuration

Operating system:
Ubuntu 20.04 (I think from ownCloud docker container)

Web server:

Database:
Maria DB 11.6

PHP version:
From docker container seems to be 7.4.3

ownCloud version: (see ownCloud admin page)
10.15

Updated from an older ownCloud or fresh install:
Fresh setup using docker compose

Where did you install ownCloud from:
Official ownCloud docker hub images.

Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Are you using external storage, if yes which one: local/smb/sftp/…

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…

LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:

Operating system:

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

Insert your ownCloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...

Anyone got any ideas about this?

Still stuck with it, everything else is working but I see no way to activate 2FA for users with the docker based setup.

I saw other people say it is related to ImageMagick but when I accessed the container and ran a console inside it, it appears that it has ImageMagick package installed.

You need to have a 2FA app installed, otherwise enforcing it won’t do anything because there is no app to delegate to.

The recommended 2FA app is twofactor_totp, especially if you want to enforce 2FA because it’s prepared for it. Other apps might not be prepared and might have problems with the enforcement.
If it’s a new installation, you can try other 2FA apps and check how they behave when 2FA is enforced.

1 Like

Thanks for the reply.

As I’m a bit new to this, how do I install that within the docker based version of ownCloud?

When I log in as the ownCloud admin account in a browser and look at what apps I can install I do not see that application available, even when I check the box to show disabled apps.

You should have the “market” app installed and enabled (top left icon). From the “market” app, you can find and install the app you want. Note that the apps will be downloaded from https://marketplace.owncloud.com so you must have internet access.
Also note that some apps will require a license, so you should double-check that. In particular, the app I’ve proposed is free so you can install the app without worries.

From the settings page you can only enable or disable the apps you already have installed. The 2FA app isn’t part of the default bundle, that’s why it isn’t shown in the settings page.

1 Like
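
Added example (not part of any post in this thread and not ownCloud's own code): a shell check for the condition the replies above describe, 2FA enforced while no 2FA provider app is enabled. It assumes `occ app:list` prints apps as `  - <appid>` entries under `Enabled:` and `Disabled:` headings; the sample output and its version numbers are constructed, and the compose service name `owncloud` in the comment is an assumption.

```shell
#!/bin/sh
# Constructed sample of `occ app:list` output (not from the thread): the state
# described above, with market, oauth2 and password_policy but no 2FA app.
SAMPLE_APP_LIST='Enabled:
  - market: 0.0.0
  - oauth2: 0.0.0
  - password_policy: 0.0.0
Disabled:
  - encryption'

# Print "enabled", "disabled" or "missing" for app id $1, reading the text
# output of `occ app:list` on stdin.
app_state() {
    awk -v app="$1" '
        /^Enabled:/  { section = "enabled";  next }
        /^Disabled:/ { section = "disabled"; next }
        # App entries are indented two spaces; deeper lines are per-app details.
        /^  - / {
            name = $2
            sub(/:$/, "", name)
            if (name == app) state = section
        }
        END { print (state == "" ? "missing" : state) }
    '
}

# Exit 0 only if twofactor_totp is enabled; otherwise print the occ command
# that fixes it (market:install needs the market app and internet access).
check_2fa_provider() {
    case "$(app_state twofactor_totp)" in
        enabled)  echo "ok: twofactor_totp is enabled"; return 0 ;;
        disabled) echo "run: occ app:enable twofactor_totp"; return 1 ;;
        *)        echo "run: occ market:install twofactor_totp"; return 1 ;;
    esac
}

# Demo on the constructed sample. Against a live container (service name
# "owncloud" is an assumption):
#   docker compose exec owncloud occ app:list | check_2fa_provider
printf '%s\n' "$SAMPLE_APP_LIST" | check_2fa_provider || true
```
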

Great thanks for the details. I’ll give that a try now.

1 Like

That worked thanks for the help.

1 Like