Problems when logged in with a Webauthn device #188

Open
as400l opened this issue Aug 27, 2021 · 19 comments
Labels
help wanted, needs investigation (Needs an investigation into the technical reasons or feasibility), upstream-nextcloud

Comments

as400l commented Aug 27, 2021

When I login with security key to Nextcloud and try to Sync in Keeweb it asks for username and password.

arnowelzel (Collaborator)

Can you be a bit more specific which kind of WebAuthn device you use and how you registered this with your Nextcloud server? At the moment I don't have any WebAuthn device available to test, but might try to get one if needed.

as400l (Author) commented Aug 30, 2021

Hey @arnowelzel,

I am using OnlyKey (https://onlykey.io/). It's great as it is fully open source.

I register it going to Settings --> Security --> Passwordless Authentication --> Add WebAuthn device. It is actually very straightforward.

arnowelzel (Collaborator)

Thanks for the info. Well - nearly 100 EUR to get such a device just for testing is a bit hefty. I'll check first if this problem can be reproduced with a virtual device.

arnowelzel (Collaborator)

I just verified it with CTAP2 and U2F emulation in Chrome - both work fine here. I also don't think that OnlyKey would fail to work here - but as I already mentioned, it's nearly 100 EUR and much too expensive just to test something.

as400l (Author) commented Aug 30, 2021

Sure, I don't expect you to buy a device just to test.

Try to login with webauthn device. Open a password file and then wait for 30 minutes or so. It should trigger username/password prompt.

arnowelzel (Collaborator)

After 30 minutes without any activity the authentication token is not valid any longer. This also applies to any other authentication, not only WebAuthn. However, this is controlled by Nextcloud, not KeeWeb, and KeeWeb can't do anything to change this.

as400l (Author) commented Aug 30, 2021

I actually tested it. When logged in using username/password, and 30 minutes passes, it does not ask me for nextcloud user/pass when trying to sync. This only happens when logged in using the device.

arnowelzel (Collaborator)

In this case the authentication by the device is no longer valid. In any case - it's not Keeweb controlling this, but Nextcloud. We can't do anything to change this. Keeweb just asks for a token and uses it, see https://github.com/jhass/nextcloud-keeweb/blob/master/keeweb/controller/pagecontroller.php#L83-L102

as400l (Author) commented Aug 30, 2021

OK - thanks for taking interest anyway.

arnowelzel added the needs investigation (Needs an investigation into the technical reasons or feasibility) and upstream-nextcloud labels on Sep 7, 2021
My1 commented Jan 30, 2023

Sure, the login token would be dead, but doesn't the active session have a token?

arnowelzel (Collaborator)

> Sure, the login token would be dead, but doesn't the active session have a token?

The token is useless after a certain time period. There is no "active session", just the token. You can see the token like a train ticket which contains a validity period. After the period has passed, the ticket is no longer valid and will not be accepted any longer.

My1 commented Jan 30, 2023

Okay, but you have to be logged into Nextcloud to be able to keep KeeWeb, right?
And I don't remember Nextcloud kicking one out after 30 minutes.

arnowelzel (Collaborator)

> Okay, but you have to be logged into Nextcloud to be able to keep KeeWeb, right? And I don't remember Nextcloud kicking one out after 30 minutes.

Yes, you need to be logged in to use KeeWeb. I have to admit I don't know if it is possible to renew the token automatically if needed, but since KeeWeb itself is just a browser app which has nothing to do with Nextcloud, I don't see any chance for this. The way the integration works is more like this:

  1. Get a token from Nextcloud to be able to access the Keepass file via WebDAV
  2. Open Keeweb and pass the WebDAV URL to it, so it can read the file

And as soon as KeeWeb is active, all that is happening then is just inside KeeWeb without any knowledge about Nextcloud at all. For KeeWeb there is just a WebDAV server serving a file, nothing else.

My1 commented Jan 30, 2023

Oh okay, could it ask for a new token if the old one is expired? Also, one thing that's interesting is that according to OP it only happens with device login (aka FIDO2 only), which is certainly something that might give some info about something.

arnowelzel (Collaborator)

For KeeWeb the token is just text as part of the URL without any meaning at all - it just sends it to Nextcloud to get access. KeeWeb does not know that there is a token and it also does not know how to renew it.
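The explanation given in this thread (a token with a validity period like a train ticket, the two-step integration of obtaining a token and handing KeeWeb a WebDAV URL, and the client treating the token as opaque text) can be made concrete with a small simulation. The following is an added illustration written for this page; it is not code from nextcloud-keeweb, KeeWeb or Nextcloud. The class and function names, the `token` query parameter, the 30-minute inactivity window taken from the thread, the simulated clock and the file contents are all assumptions. It models only the expiry behaviour described above and does not explain why the reporter sees the prompt only after a WebAuthn login, which the thread leaves open.

```javascript
// Added illustration (not code from nextcloud-keeweb, KeeWeb or Nextcloud):
// a toy model of the flow described in the thread. An issuer mints an opaque
// token that expires after 30 minutes without activity; a WebDAV client only
// sees an opaque URL and has no way to renew the token it carries.
// Names, the "token" parameter, the clock and the sample file are assumptions.

const INACTIVITY_LIMIT_MS = 30 * 60 * 1000; // 30 minutes, as stated in the thread

// Issuer side: tracks last activity per token and drops idle tokens.
class TokenIssuer {
  constructor(clock) {
    this.clock = clock;      // returns "now" in ms; injected so the scenario is deterministic
    this.tokens = new Map(); // token -> { uid, lastActivity }
    this.counter = 0;
  }

  // Mint a temporary token for a user (opaque, random-looking string).
  issue(uid) {
    const token = `tok-${uid}-${++this.counter}-${Math.random().toString(36).slice(2)}`;
    this.tokens.set(token, { uid, lastActivity: this.clock() });
    return token;
  }

  // Validate a token: idle tokens are deleted, live tokens get their activity refreshed.
  validate(token) {
    const entry = this.tokens.get(token);
    if (!entry) return null;
    const now = this.clock();
    if (now - entry.lastActivity > INACTIVITY_LIMIT_MS) {
      this.tokens.delete(token); // the "ticket" is past its validity period
      return null;
    }
    entry.lastActivity = now;
    return entry.uid;
  }
}

// WebDAV-like server: answers GET for a file when the URL carries a valid token.
class DavServer {
  constructor(issuer, files) {
    this.issuer = issuer;
    this.files = files; // path -> contents (constructed sample data)
  }

  get(urlString) {
    const url = new URL(urlString);
    const token = url.searchParams.get('token'); // parameter name is an assumption
    const uid = this.issuer.validate(token);
    if (uid === null) return { status: 401, body: null };
    const body = this.files.get(url.pathname);
    return body === undefined ? { status: 404, body: null } : { status: 200, body };
  }
}

// Client side: a KeeWeb-like consumer that receives a URL and treats it as opaque.
// It has no notion of "token", so on 401 all it can do is ask for credentials.
function syncFile(server, fileUrl) {
  const res = server.get(fileUrl);
  if (res.status === 401) return { ok: false, action: 'prompt-for-credentials' };
  if (res.status !== 200) return { ok: false, action: `error-${res.status}` };
  return { ok: true, action: 'synced', bytes: res.body.length };
}

// Scenario from the issue: open the file, stay idle for more than 30 minutes, sync again.
function runScenario() {
  let now = 0;
  const issuer = new TokenIssuer(() => now);
  const server = new DavServer(issuer, new Map([
    ['/remote.php/dav/files/alice/Passwords.kdbx', 'constructed-kdbx-bytes'],
  ]));

  // Step 1: server-side code obtains a token for the logged-in user.
  const token = issuer.issue('alice');
  // Step 2: the app frame hands the client a WebDAV URL carrying that token.
  const fileUrl = `https://cloud.example/remote.php/dav/files/alice/Passwords.kdbx?token=${token}`;

  const first = syncFile(server, fileUrl);  // right after login: works
  now += 10 * 60 * 1000;
  const second = syncFile(server, fileUrl); // 10 min later: still valid, activity refreshed
  now += 31 * 60 * 1000;
  const third = syncFile(server, fileUrl);  // 31 idle minutes: token gone, client prompts

  return { first, second, third };
}
```

Calling `runScenario()` reproduces the sequence the reporter describes: the first two syncs succeed (the second because each use refreshes the token's activity timestamp), and the sync after 31 idle minutes receives a 401 that the token-unaware client can only turn into a credential prompt. The practical point is where renewal has to live: the consumer holds a bearer credential it cannot refresh, so any renewal has to happen on the issuing side.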

My1 commented Jan 30, 2023

Oh okay. I thought as a Nextcloud app it's a little more aware of the Nextcloud hosting it.
A little deeper integration might be cool tbh, but I guess the point of this is just a relatively quick and simple way to just access it I guess.

arnowelzel (Collaborator) commented Jan 30, 2023

> Oh okay. I thought as a Nextcloud app it's a little more aware of the Nextcloud hosting it. A little deeper integration might be cool tbh, but I guess the point of this is just a relatively quick and simple way to just access it I guess.

Yes, KeeWeb is not a Nextcloud specific app. You can even use https://app.keeweb.info with the "WebDAV" option to open a file on Nextcloud. However, there you need to enter username/password - but the data will never be transmitted anywhere else than to your Nextcloud server, since KeeWeb runs completely in your browser only.

My1 commented Jan 30, 2023

Sure, KeeWeb itself isn't Nextcloud specific. I meant that I thought this repo specifically integrates KeeWeb into Nextcloud a bit more.

arnowelzel (Collaborator)

> Sure, KeeWeb itself isn't Nextcloud specific. I meant that I thought this repo specifically integrates KeeWeb into Nextcloud a bit more.

Sorry - no. KeeWeb itself is just used as it is and loaded into an app frame inside Nextcloud with a parameter for the URL to access the file.
