Support for SSL client certificate and Basic/Digest at same time
@dg10a #1 is also more secure. First, it authenticates the device (certificate), then it authenticates the user (password). It would be so elegant. ^^
Now I’m not sure what you’re planning to do. I hope you’re still using an encrypted private key and you’re not just asking for no credentials anymore. If you’re doing that, you might as well just save the password.
@marki I was asking about disabling user/pass authentication to be able to test client certificate authentication in the current DAVdroid build. My ideal setup would be as you described, with the device authenticated via certificate and the user via password.
I have created a new thread for that.
Technically, username/password together with client certificates are not that hard. As always, the UI part is more difficult.
All these possibilities:
- Service discovery (email) + password
- URL (+ service discovery) + password
- Service discovery (email) + client certificate
- URL (+ service discovery) + client certificate
- Service discovery (email) + password + client certificate
- URL (+ service discovery) + password + client certificate
- In the future: OAuth
- Maybe: no authentication at all (yes, this was also requested)
should be grouped in a way that makes sense (and is “material”), and for the most common methods (printed bold above), there should be as little distraction as possible (no talking about strange “certificates” etc. when you choose one of these two methods). Maybe hide everything other than 1+2 behind some “expert” button?
It should be possible to change the credentials in the account settings, like now. Maybe it would make sense to change the authentication method, too? For instance, could you change from username/password to client certificates without password at all? In this case, the username/password field would have to disappear.
I guess the whole login activity should be re-worked and probably “materialized” (colors, images, whatever). Would be nice if someone could provide a good draft for the login fragments.
You could probably combine everything like this:
By default, only “password” is checked. Like that you can choose to either have no authentication at all (“password” is unselected), one of the two, or both (“password” as well as “client certificate” are selected).
Depending on what is selected, you either show both password and certificate selection at the top (below whatever connection method is chosen), one of the two, or nothing at all (email or username/URL only).
Maybe you could hide the entire lower part “Authenticate using” behind some “Advanced mode” button.
Remains OAuth. I’m not sure about that, would have to read up on how it works first (what data is needed to connect).
@marki @Tilo-Mey Internally we’ve already thought about this in more detail and basically we’re willing to implement it. However, we are thinking of streamlining the setup options GUI more in general, and when we finally do this step, this feature will also come to DAVx5!
I modified the ‘Login with URL and user name’ to allow an optional client certificate.
The change is for 3.0 and is available at https://gitlab.com/2010.plai/davx5-ose/-/commits/forum-1728 for those who need it now and are willing to build their own.
foresto last edited by
@Patrick-Lai That mock-up looks encouraging. I don’t see a merge request at the bitfire gitlab, though. Are you going to submit it?
For the record, I am another user seeking client certificate + password support. I connect to an internet-facing reverse proxy that uses client certificates for network access authorization. It passes authorized requests to a DAV service that uses passwords for user authentication. Firefox and Thunderbird (TbSync) handle this fine, but DAVx5 currently does not.
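The two-layer arrangement described in the post above (client certificate checked at the reverse proxy, password checked by the DAV service), sketched as an nginx configuration. This is an added example, not taken from any poster's setup or from DAVx5; the choice of nginx, the hostname, file paths, upstream address and the `X-Client-*` header names are all assumptions.

```nginx
# Added illustration. All names, paths and addresses are placeholders.
server {
    listen 443 ssl;
    server_name dav.example.org;                  # placeholder hostname

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Layer 1: device authentication at the TLS layer.
    # Only clients presenting a certificate that chains to this CA
    # get past the proxy; everything else is rejected before it
    # reaches the DAV service.
    ssl_client_certificate /etc/nginx/tls/device-ca.crt;
    ssl_verify_client on;        # "optional" would let cert-less clients through
    ssl_verify_depth 2;
    ssl_crl /etc/nginx/tls/device-ca.crl;         # revoke lost or stolen devices

    location / {
        # Layer 2: user authentication stays with the DAV backend.
        # nginx forwards the client's Authorization header unchanged,
        # so the backend still performs its own Basic/Digest check.
        proxy_pass http://127.0.0.1:8080;         # placeholder upstream
        proxy_set_header Host $host;

        # Hypothetical header names. Setting them here overwrites any
        # value the client tried to supply, so the backend or its logs
        # can tie a user login to the device certificate that carried it.
        proxy_set_header X-Client-Verify  $ssl_client_verify;
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
    }
}
```

With this layout the client has to send both the certificate in the TLS handshake and the HTTP credentials on the same connection, which is the combination the thread asks DAVx5 to support.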
@foresto, thank you for your interest. I did not submit a merge request because there was a ‘pipeline’ failure in my GitLab fork. And I did not want to spend much time to investigate as I didn’t feel it would get much traction. That’s partly because of the age of this issue, and partly because my change might not fit DAVx5’s UI plan (e.g. per this comment by @devvv4ever).
Anyway, my change is against v3.0 and so is outdated. Not sure how much work would be required to bring it up to current DAVx5 version.
Someone has requested access to my code and I’ve granted it. So hopefully we can see some progress.
Besides updating to the current DAVx5, I think the label of the “SELECT CERTIFICATE” button needs to be changed to indicate it is optional, or it may be confusing to users. (If we had more options we could have an ‘Advanced Options’ button.)
I’ve updated https://gitlab.com/2010.plai/davx5-ose/-/commits/forum-1728 to v3.2.2 of DAVx5.
Also in 4ef59333 the button to select certificate is shown only if the user selects “Connection options” when setting up a new account.
@Patrick-Lai Thank you for your work! We have put some more thought into this and additionally into more use cases for logging in, and there will be a combined expert login in one of the next versions! This will offer the option for client certificates with user name and password as well!
@devvv4ever Thanks for the update. An ‘expert login’ where all the underlying options are available would be wonderful.
In the meantime I’ve submitted a merge request #42. It may be a point solution if the full expert login is going to take a while.
Thanks for your efforts.
The advanced login is scheduled for DAVx5 3.4 and will allow:
- anonymous login (no username/password)
- login with username/password
- login with client certificate (without username/password)
- login with username/password and client certificate
Can I send an APK (of course you can compile yourself instead) to someone who is willing to test basic auth + client certificates?
@rfc2822 I would be happy to test. Can I install over the playstore version? And will the playstore version upgrade over the manual installed version?
@rfc2822 If you could provide an APK that would be great. I’d be happy to give it a try asap.
@Patrick-Lai Yes, dev-3.x-ose!
I can set up account with the new ‘advanced login’ option, connecting to my test server. Finally
p.s. My build uses commit f3655709.