Guest users can't use 2FA

[schiessle]

If I try to enable 2FA (U2F) for a guest user I get a 500, the response body contains following message:

This application requires JavaScript for correct operation. Please enable JavaScript and reload the page.
Nextcloud
Error

    Access to this resource is forbidden for guests.

Nextcloud – a safe home for all your data

Also generating backup codes throws the same error.

[drhirn]

I had to whitelist the 2FA-app (twofactor_totp in my case) for guests to get it working.

[nursoda]

This still is an issue for multiple twofactor apps. As guest, in https://cloud.nextcloud.com/settings/user/security one cannot create Backup-Codes, enable TOTP or add webauthn-Tokens. "Nextcloud notification" can be switched on but it is not used. So it seems that 2FA isn't available for Guest accounts at all, at least in NC25.

[sebastiaanveld]

If I enale 2FA for Guest accounts on first logon they get a message that 2FA is enabled for them but not configured and to get in contact with the admin user. For internal accounts this works fine as at this same point you are forced to setup 2FA for your account.

Environment: Nextcloud 27.1.2, PostgreSQL, PHP 8.1, Apache2 (running on Ubuntu)

Result: guest account is not able to setup 2FA

Expected result: guest account should be able to setup 2FA at this point. For NC local admin account I've setup it this way and new local accounts are forces to setup 2FA at first logon. I would expect this to work the same wat for guest accounts.

Steps to duplicate:

• Enable the Guest App
• NC> Administration> Guests:
• Enable "Limit guest access to an app's allowlist", add "twofactor_totp" and "twofactor_backupcodes". << mind with or without those you get the same messag at logon to nc as a guest.
• NC> Administration> Security:
• Two-factor authentication is enforced for all members of the following groups.: Add "guest_app". Mind that "admins" is also lised here for local admin accounts.
• Now share an folder with an email address and select "Invite guest" to let them create an account
• User receives the invite link. Create an account by adding the reuqested password.
• The login dialog now apprears, so login with teh guest email and password just set.
• Now the dialog appears on link https:///login/selectchallenge popping up "Twofactor authentication is enabled, but not configured for your account. Please contact yoiur admin for help".
• Only option the user now has is to click "dismiss login".

Screenshot:

Now if you for NC> Administration> Security, remove "guest_app" from "Two-factor authentication is enforced for all members of the following groups." again and the logon as teh guest user Settings> Security also does not list the 2FA option which sloud be enabled by "Limit guest access to an app's allowlist" adding "twofactor_totp" and "twofactor_backupcodes" in the admin settings.

To add some context on the use case: We use the Sendent for Outlook plugin and would like to leverage sharing with guest accounts. For protecting shared data this requires 2FA for guest accounts.

[sebastiaanveld]

Thanks @st3iny, hope your work makes it into NC31.

[st3iny]

Thanks, I guess we can close this now.

[st3iny]

PS: Yes, this is part of 31.