Comments (5)
The received token is not supposed to authenticate against the Nextcloud server, it is purely local and only authenticates against the local Nextcloud Android app (see Flow Chart).
Maybe an actual token can be fetched using the network stack of the Nextcloud app and used from there?
from android-singlesignon.
> that would be against the idea of the SSO lib at this point
It is partially against the idea 😉 The benefit of a better UX remains - however, other aspects such as the same network stack and zero-knowledge about security-related stuff are gone this way.
In my opinion better than "nothing" 🙂.
from android-singlesignon.
As a DAVx5 user myself I'd love to see a SSO integration for Nextcloud. As @stefan-niedermann already mentioned it is not possible to use the Token as an Auth-Token with Nextcloud directly. That means when a third party app wants to make a request to the Nextcloud, the requesting app never knows anything about the credentials for the server and thus even if this third party app had bad intentions or some malware got injected they couldn't exploit the credentials for the server as the token only works on the device itself.
> Maybe an actual token can be fetched using the network stack of the Nextcloud app and used from there?
Sure, that could be an option - but that would be against the idea of the SSO lib at this point. May I ask what kind of network stack you are using under the hood? I know the whole DAV situation is a little messy (or at least it was ~10 years ago when I tried to take a shot at it..)
from android-singlesignon.
> Sure, that could be an option - but that would be against the idea of the SSO lib at this point. May I ask what kind of network stack you are using under the hood? I know the whole DAV situation is a little messy (or at least it was ~10 years ago when I tried to take a shot at it..)
We have our own library: dav4jvm which is based on okhttp. Also, there's much HTTP code in DAVx5 itself (like here, but there are HTTP requests virtually everywhere). We also control things like timeouts, do things on TLS layer (like client certificates), …
If I understand it correctly we would have to change/generalize all okhttp calls, which seems cumbersome and I don't know whether I want it. Also, the Nextcloud app process would have to be active for every synchronization (to pipe network traffic through), which consumes additional resources.
Maybe SSO is just not the correct approach for apps like DAVx5? In the next version we support at least a better Login Flow where you can enter the Nextcloud address, so that you can also use Login Flow when the Nextcloud app is not installed.
Alternatively I could imagine that apps could somehow request "real credentials", and the SSO lib could show an extra warning for the user and then issue an app password or a Bearer token. But I understand that this is still against the SSO lib network concept.
from android-singlesignon.
Sorry for the delay - yes - I agree that integrating SSO wouldn't be a trivial task for an app like DAVx5, as some of the features that you probably need are not available yet. So I do agree that an option to "request" real credentials / app password would be a nice addition. Probably something that should be feasible, but I'm not sure if anyone has the time right now to implement it. I'm happy to give some pointers and assist though if anyone wants to have a crack at it.
Maybe someone from the App team can give their opinion about this feature as well as this is a feature that would have to be implemented there as well. @tobiasKaminsky maybe?
from android-singlesignon.