Application passwords without 2FA: problem with Nextcloud client

Hello all,
Please let me know whether I’m doing something stupid or else I’m really running into a bug.
I’ve thoroughly read the directions on how to enable 2-Factor Authentication, and as far as I understand them, they seem to imply that you can use application passwords without enabling 2FA.
So I decided to create application passwords without enabling 2FA (yet), because one of the devices I want to connect to my Murena cloud (a Sony Xperia tablet) doesn’t get security updates anymore and I want to reduce the attack surface. Maybe I’ll enable 2FA as well later (as far as I understand you must use application passwords if you use 2FA, but not the other way around).
I followed the directions and could connect the /e/OS installation in my Samsung Galaxy S9 with my Murena account with an application password.
I could also connect the Xperia tablet running LineageOS 16 with the Nextcloud Android client (version 3.24.1) with a second application password.
However, I’m having trouble with linking my Mageia Linux desktop with the Nextcloud client (version 3.6.6). After entering the application password (a third one), I get this error:

Error intern del servidor

El servidor no ha pogut completar la vostra petició.
Si això torna a passar, si us plau, envieu els detalls tècnics de sota a l'administrador del servidor.
Podeu trobar més detalls al registre del servidor.
Detalls tècnics

    Adreça remota: 85.219.75.195
    ID de la sol·licitud: kLxwc5LswN7ySnrFr6Sg

Does anybody know what can be the cause? Does what I’m doing make sense?

Hi! You can use app passwords without 2FA; they are independent features. The Nextcloud clients use a different authentication flow, OAuth-based, and don’t accept this static authentication. Just use the browser login flow proposed by it.

Thanks for the clarification but shouldn’t the Android and the Linux Nextcloud clients behave the same way in that respect then? The Android client on LineageOS seems to be using the application password just like eDrive in /e/OS; only Mageia Linux fails.

Not necessarily. I remember my Android client also doing the browser flow but it may still be using a legacy auth implementation.

Well, the problem seems to be caused by KDE Wallet. Actually, only now I remembered that every time I log into my Linux account, Nextcloud asks me to open KDE Wallet, which actually contains 10 Nextcloud credentials (although I don’t recognize any). OAuth authentication seems unrelated.

So, to summarize, Linux Nextcloud clients should be able to use application passwords without 2FA just like Android clients. I just need to find out how the Linux Nextcloud client interacts with KDE Wallet (which I don’t have time to do right now, alas). Thanks for the help anyway.
