Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added parameter to disallow app auth token creating #33879

Closed
wants to merge 1 commit into from
Closed

Added parameter to disallow app auth token creating #33879

wants to merge 1 commit into from

Conversation

pboguslawski
Copy link
Contributor

Added config parameter allow_create_app_auth_tokens to disallow creating
application authentication tokens (i.e. when Nextcloud setup does not allow
this kind of authentication for security purposes). Use

config:system:set allow_create_app_auth_tokens --value='true' --type=boolean

to allow (default if not set) and

config:system:set allow_create_app_auth_tokens --value='false' --type=boolean

to disallow creating application authentication tokens.

Related: #3228
Author-Change-Id: IB#1124945
Signed-off-by: Pawel Boguslawski pawel.boguslawski@ib.pl

@pboguslawski
Added parameter to disallow app auth token creating
d6bd415 
Added config parameter `allow_create_app_auth_tokens` to disallow creating
application authentication tokens (i.e. when Nextcloud setup does not allow
this kind of authentication for security purposes). Use

```
config:system:set allow_create_app_auth_tokens --value='true' --type=boolean
```

to allow (default if not set) and

```
config:system:set allow_create_app_auth_tokens --value='false' --type=boolean
```

to disallow creating application authentication tokens.

Related: nextcloud#3228
Author-Change-Id: IB#1124945
Signed-off-by: Pawel Boguslawski <pawel.boguslawski@ib.pl>
@pboguslawski pboguslawski mentioned this pull request Sep 2, 2022
Closed
@rriemann
Copy link

Thank you! We would use the option to disable app passwords in our Nextcloud Enterprise installation. I hope it will be merged.

@PVince81
Copy link
Member

PVince81 commented Nov 4, 2022

please test if desktop client and mobile clients still work as they partly rely on app password creation

@PVince81 PVince81 added 3. to review Waiting for reviews enhancement labels Nov 4, 2022
nickvergessen
nickvergessen requested changes Nov 4, 2022
View reviewed changes
Copy link
Member

@nickvergessen nickvergessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most importantly this should hide the UI as well. But i really dislike the idea.

Clients are currently not blocked as the login flow is allowed to generate app tokens, which at least deserves a line in the config comment, so admins know there is still a way to generate app tokens. Also you could simply abuse that method to get an app token for anything else.

What is it exactly that you are trying to achieve? Why are app tokens so bad? 🤔

@nickvergessen
Copy link
Member

Okay read the comments in the issue and then as state above the login flow needs to be broken and the config should state that it will prevent usage of all clients for Nextcloud, being it CalDAV, CardDAV, WebDAV, Talk, Notes, Deck, ...

@pboguslawski
Copy link
Contributor Author

pboguslawski commented Nov 4, 2022
edited
Loading

please test if desktop client and mobile clients still work as they partly rely on app password creation

App tokens are not required for clients that authenticate using SSO like client TLS certificates (i.e. web browsers, thunderbird). Other clients should also allow client cert auth as alternative to passwords/tokens (should be extended in future if not already have this option like Nextcloud client apps).

This param is for systems that do not allow passwords/tokens (and agree not to use clients that cannot use SSO auth).

Okay read the comments in the issue and then as state above the login flow needs to be broken and the config should state that it will prevent usage of all clients for Nextcloud, being it CalDAV, CardDAV, WebDAV, Talk, Notes, Deck, ...

Please let me know if something else should be added to this PR and where exactly.

@juliushaertl juliushaertl removed their request for review April 5, 2023 14:17
@blizzz blizzz added this to the Nextcloud 29 milestone Nov 23, 2023
This was referenced Mar 12, 2024
Merged
Merged
Merged
This was referenced Mar 20, 2024
Merged
Merged
@skjnldsv skjnldsv mentioned this pull request Mar 28, 2024
Merged
81 tasks
@skjnldsv skjnldsv modified the milestones: Nextcloud 29, Nextcloud 30 Mar 28, 2024
@skjnldsv skjnldsv added 2. developing Work in progress stale Ticket or PR with no recent activity and removed 3. to review Waiting for reviews labels Jul 27, 2024
This was referenced Jul 30, 2024
Merged
Merged
@skjnldsv skjnldsv closed this Aug 3, 2024
@skjnldsv skjnldsv removed this from the Nextcloud 30 milestone Aug 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nickvergessen nickvergessen nickvergessen requested changes

@CarlSchwan CarlSchwan Awaiting requested review from CarlSchwan

@icewind1991 icewind1991 Awaiting requested review from icewind1991

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst

Assignees
No one assigned
Labels
2. developing Work in progress enhancement stale Ticket or PR with no recent activity
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@pboguslawski @rriemann @PVince81 @nickvergessen @blizzz @skjnldsv