CORS support in login v2 and OAuth2 flow #34898
Comments
I looked into similar issues like #3131, and all the solution attempts and temporary hacks mentioned in the issue were based on the suggestions mentioned in the issue, the NextCloud login v2 flow doc and the NextCloud OAuth flow doc, but I was not able to find a solution which doesn't involve changes in NextCloud server.
Gentle reminder: can someone help me with this?
Can someone please help me with this issue?
Same problem here.
I think for the Login Flow V2 controller it should be fine to set the For Oauth or CORS in general I think we should have some way so that admins can configure a potential allow list. Maybe we could start with just having a config.php option for this to set the header accordingly in
@julien-nc Didn't you also recently set up something with the oauth app?
@juliushaertl Not really, no. The only topic where it is currently possible to canonically deal with CORS headers is WebDAV endpoints (by adding a Sabre plugin like the WebAppPassword app does).

@salonikumawat28 By the way, out of topic, if you want to avoid having WebAppPassword as a dependency, you can easily implement a similar Sabre plugin in your app that will whitelist your website's domain.

IMO you can avoid dealing with CORS issues if you implement the login flow v2 or OAuth2 code flow using your website's backend which will be able to reach the "/token" endpoint. Once you get an OAuth token (or an app password), you can provide it to your frontend which can then use it for requests to WebDAV endpoints (CORS being dealt with by WebAppPassword). But maybe you have a strong constraint to perform the auth flows entirely in the browser.

The integration_* apps implement the OAuth2 code flow (to connect to external services) using the NC backend to perform the last

So for you, the OAuth implementation would be:
Hi, I develop an open-source Progressive web app (PWA) for nextcloud deck. I want to use login v2 too, but I got the same CORS issue like described above.
I'm also confused by this, I've made a browser extension for someone else's Nextcloud app. I want to be able to use the login v2 flow but because my app is in a browser and respects CORS I can't without asking the user for full permission to the server's domain. I don't understand why the login flow would be configured to only work for the same origin, I'd assume using it from other origins is one of the main reasons it exists. Of course this works fine from a mobile app or something which doesn't respect CORS but just not for client only webapps.
Is someone still working on this? Honestly, this is an essential feature.
Context
I have created a NextCloud app which adds a file menu item in Files app. When you click this menu item, it opens our website. From this website, I want to login into NextCloud so that I can get credentials which I can use to download and upload files.

First step I did was using the hardcoded username:password and passed it in Authorization header to download and upload URLs which failed on CORS. I was able to resolve the CORS issues once I installed WebAppPassword and whitelisted my website.

As a second step, I replaced the hardcoded username:password with the login v2 flow and it failed on CORS. This was surprising as my website origin was already whitelisted in WebAppPassword and was working for download and upload URLs. As a temporary hack, I added @CORS annotation in the login v2 controllers and it worked on all URLs except login/v2/poll because it fails on preflight request as it's a POST call with json content type. To solve this, another temporary hack I did was to add preflight URL for login v2 flow.

As a third step, I tried the OAuth2 flow. Similar to second step, I faced CORS and preflight issues. As a temporary hack I added @CORS in apps/oauth2/lib/Controller/OauthApiController.php methods and added preflight URL route.

Problem
As these hacks were direct code changes in the NextCloud server code, I want to replace these hacks with a proper solution. Things I tried:
Feature request
Ask: Generic solution for CORS for NextCloud app developer
As a NextCloud app developer, we can't make changes in the NextCloud server. So what's the generic solution for NextCloud app developers to resolve CORS and preflight issues?
Ask: Update login flow documentation
As a NextCloud app developer, we rely on login flow documentation (Login v2, OAuth), which doesn't talk about CORS issues and how to resolve them. This ask is to update the login flow documentation to cover such issues and ways to resolve them.
As WebAppPassword works for download and upload URLs, can you extend the WebAppPassword support for login flows (both login v2 and OAuth) as well?
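
The preflight failure described in this issue, as an added example (not code from this thread or from Nextcloud): a simplified model of the browser's CORS-safelist check, showing why a JSON POST or an Authorization header triggers an OPTIONS request, plus an allow-list answer of the kind proposed in the comments. The function names, the policy shape and the origins are assumptions made for illustration.

```javascript
// Added example; all names, origins and the policy shape are constructed.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Why would a browser preflight this cross-origin request? [] means it would not.
// Simplified from the Fetch standard (ignores value-length limits and streams).
function preflightReasons(method, headers = {}) {
  const reasons = [];
  const verb = method.toUpperCase();
  if (!SAFE_METHODS.has(verb)) reasons.push(`method ${verb}`);
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) {
      reasons.push(`header ${lower}`);
    } else if (lower === "content-type") {
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) reasons.push(`content-type ${essence}`);
    }
  }
  return reasons;
}

// Server side: answer OPTIONS from an admin allow-list. The origin must match
// exactly and is echoed back (never "*"); Vary keeps caches from mixing origins.
function answerPreflight(policy, requestHeaders) {
  const origin = requestHeaders["origin"];
  const wanted = (requestHeaders["access-control-request-method"] || "").toUpperCase();
  if (!policy.origins.includes(origin) || !policy.methods.includes(wanted)) {
    return { status: 403, headers: { Vary: "Origin" } };
  }
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      Vary: "Origin",
    },
  };
}

// Constructed policy for a hypothetical web app origin.
const examplePolicy = {
  origins: ["https://app.example.org"],
  methods: ["POST"],
  headers: ["content-type"],
};
```

A form-encoded POST without custom headers yields no reasons and is sent without a preflight, while a PUT upload carrying an Authorization header is preflighted on both counts.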