
Added parameter to disallow app auth token creating #33879

Closed

Conversation

pboguslawski
Contributor

Added config parameter `allow_create_app_auth_tokens` to disallow creating
application authentication tokens (i.e. when Nextcloud setup does not allow
this kind of authentication for security purposes). Use

```
config:system:set allow_create_app_auth_tokens --value='true' --type=boolean
```

to allow (default if not set) and

```
config:system:set allow_create_app_auth_tokens --value='false' --type=boolean
```

to disallow creating application authentication tokens.

Related: #3228
Author-Change-Id: IB#1124945
Signed-off-by: Pawel Boguslawski <pawel.boguslawski@ib.pl>

@rriemann
Contributor

Thank you! We would use the option to disable app passwords in our Nextcloud Enterprise installation. I hope it will be merged.

@PVince81
Member

PVince81 commented Nov 4, 2022

please test if desktop client and mobile clients still work as they partly rely on app password creation

Copy link
Member

@nickvergessen nickvergessen left a comment


Most importantly this should hide the UI as well. But I really dislike the idea.

Clients are currently not blocked as the login flow is allowed to generate app tokens, which at least deserves a line in the config comment, so admins know there is still a way to generate app tokens. Also you could simply abuse that method to get an app token for anything else.

What is it exactly that you are trying to achieve? Why are app tokens so bad? 🤔

@nickvergessen
Copy link
Member

Okay, read the comments in the issue, and then, as stated above, the login flow needs to be broken and the config should state that it will prevent usage of all clients for Nextcloud, be it CalDAV, CardDAV, WebDAV, Talk, Notes, Deck, ...
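The review point above is that a switch like `allow_create_app_auth_tokens` only achieves its security purpose if every path that mints an app token checks it, including the client login flow, not just the "app passwords" settings page. The following is an added illustration written for this discussion, not the PR's diff or Nextcloud's own code; the function and class names are hypothetical, and the config arrays are constructed samples in the shape `occ config:system:set ... --type=boolean` would store.

```php
<?php
// Added illustration (not the PR's code): one gate for allow_create_app_auth_tokens,
// called from every path that mints an app token, so that disabling the option
// cannot be bypassed by going through the client login flow instead of settings.
declare(strict_types=1);

final class AppTokenPolicyViolation extends RuntimeException {}

/** Default is "allowed" when the key is absent, as the PR description states. */
function appTokenCreationAllowed(array $systemConfig): bool
{
    if (!array_key_exists('allow_create_app_auth_tokens', $systemConfig)) {
        return true;
    }
    // Tolerate a value set without --type=boolean ("false", "0", "off"); anything
    // that is not a recognisable boolean falls back to the permissive default.
    return filter_var($systemConfig['allow_create_app_auth_tokens'],
        FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? true;
}

/** Single chokepoint: every caller that creates an app token goes through here. */
function mintAppToken(array $systemConfig, string $uid, string $name, string $path): string
{
    if (!appTokenCreationAllowed($systemConfig)) {
        // Name the path in the error so admins can see which client entry point was refused.
        throw new AppTokenPolicyViolation(
            "app token creation disabled by allow_create_app_auth_tokens (path: $path, user: $uid, device: $name)");
    }
    // Hypothetical token material; a real provider would persist it for the user.
    return bin2hex(random_bytes(36));
}

// The two entry points the thread talks about: the settings UI and the client login flow.
function createAppPasswordFromSettings(array $cfg, string $uid, string $deviceName): string
{
    return mintAppToken($cfg, $uid, $deviceName, 'settings/app-password');
}

function finishClientLoginFlow(array $cfg, string $uid, string $clientName): string
{
    return mintAppToken($cfg, $uid, $clientName, 'login-flow');
}

// Constructed sample configs.
$allowed = ['allow_create_app_auth_tokens' => true];
$denied  = ['allow_create_app_auth_tokens' => 'false']; // string form still means disabled

assert(strlen(createAppPasswordFromSettings($allowed, 'alice', 'Laptop')) === 72);
try {
    finishClientLoginFlow($denied, 'alice', 'Desktop client');
    assert(false, 'login flow must be refused when the option is off');
} catch (AppTokenPolicyViolation $e) {
    // Expected: both paths are blocked by the same gate.
}
```

The refusal should also surface to the admin (log line and a config comment), since with the option off every token-based client listed above stops working by design.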

@pboguslawski
Contributor Author

pboguslawski commented Nov 4, 2022

> please test if desktop client and mobile clients still work as they partly rely on app password creation

App tokens are not required for clients that authenticate using SSO like client TLS certificates (i.e. web browsers, Thunderbird). Other clients should also allow client cert auth as an alternative to passwords/tokens (to be extended in the future if they do not already have this option, like the Nextcloud client apps).

This param is for systems that do not allow passwords/tokens (and agree not to use clients that cannot use SSO auth).

> Okay read the comments in the issue and then as state above the login flow needs to be broken and the config should state that it will prevent usage of all clients for Nextcloud, being it CalDAV, CardDAV, WebDAV, Talk, Notes, Deck, ...

Please let me know if something else should be added to this PR and where exactly.

@juliusknorr juliusknorr removed their request for review April 5, 2023 14:17
@blizzz blizzz added this to the Nextcloud 29 milestone Nov 23, 2023
@skjnldsv skjnldsv modified the milestones: Nextcloud 29, Nextcloud 30 Mar 28, 2024
@skjnldsv skjnldsv added 2. developing Work in progress stale Ticket or PR with no recent activity and removed 3. to review Waiting for reviews labels Jul 27, 2024
@skjnldsv skjnldsv closed this Aug 3, 2024
@skjnldsv skjnldsv removed this from the Nextcloud 30 milestone Aug 14, 2024