[OAuth2] Allow username:password combination to be forbidable on basic auth

[SamuAlfageme]

Following a discussion on the OAuth2 app, we should make the regular user password not to be allowed as a way to authenticate with ownCloud when enforced. Using, for non-compatible clients (e.g. DAV, WND...), an application password instead.

@DeepDiver1975 mentioned the approach might be similar to what happens with U2F already.

cc/ @PVince81 @butonic @pmaier1 @michaelstingl

[PVince81]

This needs to be configurable, don't have the enabling of an app suddenly disable core features.

Please check if setting this https://github.com/owncloud/core/blob/master/config/config.sample.php#L214 already makes it work or whether more work is required.

That option was added to enforce the "app password" style tokens and also the future client tokens that got obsoleted by oauth.

[SamuAlfageme]

@PVince81 it does seem to work out, yup 🎉 And allows basic auth. by using application passwords. Pretty cool.

I think a switch to enable/disable this config in the Admin > User Authentication pane when OAuth2 / U2F apps are enabled would be desirable (additionally to the obscure occ config:system:set token_auth_enforced --type boolean --value true)

Closing here, will request that feature in a different ticket.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.