Added parameter to disallow app auth token creating #33879
Conversation
Added config parameter `allow_create_app_auth_tokens` to disallow creating application authentication tokens (i.e. when Nextcloud setup does not allow this kind of authentication for security purposes). Use `config:system:set allow_create_app_auth_tokens --value='true' --type=boolean` to allow (default if not set) and `config:system:set allow_create_app_auth_tokens --value='false' --type=boolean` to disallow creating application authentication tokens.

Related: nextcloud#3228
Author-Change-Id: IB#1124945
Signed-off-by: Pawel Boguslawski <pawel.boguslawski@ib.pl>
Thank you! We would use the option to disable app passwords in our Nextcloud Enterprise installation. I hope it will be merged.
Please test if desktop client and mobile clients still work, as they partly rely on app password creation.
Most importantly this should hide the UI as well. But I really dislike the idea.
Clients are currently not blocked as the login flow is allowed to generate app tokens, which at least deserves a line in the config comment, so admins know there is still a way to generate app tokens. Also you could simply abuse that method to get an app token for anything else.
What is it exactly that you are trying to achieve? Why are app tokens so bad? 🤔
Okay, read the comments in the issue, and then as stated above the login flow needs to be broken and the config should state that it will prevent usage of all clients for Nextcloud, be it CalDAV, CardDAV, WebDAV, Talk, Notes, Deck, ...
App tokens are not required for clients that authenticate using SSO like client TLS certificates (i.e. web browsers, Thunderbird). Other clients should also allow client cert auth as an alternative to passwords/tokens (this should be extended in future if they do not already have this option, like the Nextcloud client apps). This param is for systems that do not allow passwords/tokens (and agree not to use clients that cannot use SSO auth).
Please let me know if something else should be added to this PR and where exactly.
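An added audit helper, not part of this PR or of Nextcloud, for admins who want to verify how `allow_create_app_auth_tokens` is actually set in `config.php`. It assumes the server reads the key as a PHP boolean (which is why the PR's `occ` commands pass `--type=boolean`): a quoted `'false'` is a non-empty string and would not disable anything. As the reviewer notes above, the login flow may still mint tokens, so this checks the config key only.

```shell
#!/bin/sh
# Added audit helper (not part of the PR): report how a Nextcloud config.php
# sets allow_create_app_auth_tokens. Assumption: the server reads the key as a
# PHP boolean, so only a bare `false` disables token creation; a quoted 'false'
# (set without --type=boolean) is a non-empty string, which PHP treats as true.
# Scope caveat from the review thread: the client login flow may still create
# tokens, so this only checks the config key, not every token-creation path.

# app_token_policy <path-to-config.php>
# Prints one of: allowed-default | allowed | disallowed |
#                misconfigured-string:<value> | invalid:<value>
app_token_policy() {
    cfg="$1"
    # Take the last assignment of the key (later entries win in PHP arrays),
    # keep only the right-hand side, and drop the trailing comma.
    raw=$(grep -E "^[[:space:]]*'allow_create_app_auth_tokens'[[:space:]]*=>" "$cfg" \
          | tail -n 1 \
          | sed -E "s/^[^>]*=>[[:space:]]*//; s/[[:space:]]*,?[[:space:]]*$//")
    if [ -z "$raw" ]; then
        echo "allowed-default"   # key absent: the PR says creation is allowed by default
        return 0
    fi
    case "$raw" in
        true|TRUE|True)     echo "allowed" ;;
        false|FALSE|False)  echo "disallowed" ;;
        \'*\'|\"*\")        echo "misconfigured-string:$raw" ;;
        *)                  echo "invalid:$raw" ;;
    esac
}

# Demo over constructed sample configs (not real deployments).
demo_audit() {
    tmp=$(mktemp -d)
    printf "<?php\n\$CONFIG = array (\n  'instanceid' => 'demo',\n);\n" > "$tmp/absent.php"
    printf "<?php\n\$CONFIG = array (\n  'allow_create_app_auth_tokens' => false,\n);\n" > "$tmp/off.php"
    printf "<?php\n\$CONFIG = array (\n  'allow_create_app_auth_tokens' => 'false',\n);\n" > "$tmp/str.php"
    for name in absent off str; do
        printf '%s: %s\n' "$name" "$(app_token_policy "$tmp/$name.php")"
    done
    rm -rf "$tmp"
}
```

Run `demo_audit` to see the three cases, or call `app_token_policy /path/to/nextcloud/config/config.php` against a real instance.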