• I propose that you use this library:
    It would make the configuration for many Nextcloud users much easier.

  • developer

    Thanks for the idea and the link! Let us discuss that internally.

    The problem with such things is that we don’t want to favor specific services or products over other ones and thus stick to the standards and server-independent solutions. Maybe this could be solved over a plugin system… but who will make and maintain it? 😐

  • @rfc2822 Thank you for your statement.
    I can understand your concerns about that.
    Let me know when you have discussed that internally.

  • developer

    What do you think of this solution:

    In the normal DAVx⁵ Login activity, there’s no special “Login with Nextcloud”. However, when the activity is launched from the Nextcloud app with a certain parameter, DAVx⁵ will show a special “Login with Nextcloud” fragment. This fragment then uses Nextcloud Login flow in a WebView to support two-factor auth without the need of app-specific passwords.

  • Hm… I think it is better than the current app-specific-password but worse than Single-Sign-On.
    So if you are not able to implement Single-Sign-On, I would be happier with this solution than with the current situation with the app-specific-password, of course.
    Nonetheless, thank you for thinking over it!

    What about this: When launching the activity from the Nextcloud app with a certain parameter, DAVx⁵ will show a Single-Sign-on-with-Nextcloud-popup instead of the Nextcloud Login flow?

  • developer

    @szaimen said in Please support Nextclouds SingleSignOn SSO:

    What about this: When launching the activity from the Nextcloud app with a certain parameter, DAVx⁵ will show a Single-Sign-on-with-Nextcloud-popup instead of the Nextcloud Login flow?

    What would be the advantage? A Nextcloud developer told me that Login flow would be the preferred way for third party apps to access Nextcloud, because it allows access to features like remote wipe (= just disable the auth token for a specific app). For me, it makes sense to separate access permission for the various apps.

  • The main advantage would be that I then do not have to enter my username, password and 2FA for each app that I want to use. When using more than a few Nextcloud apps, it very quickly gets really annoying when I have to log in to every single one.
    So the more apps support SSO, the better it gets from a user’s point of view.
    Look at Google Apps and Services: there is a reason you do not have to think about logging in to every Google Service you want to use anymore: it is just fast and very convenient - I am not saying that everything they are doing is great, but this is just really nice.

    Also I do not know if remote wipe is not supported with SSO. Because of that I created an issue here: Issue and asked there for a clear statement on that. Maybe remote wipe is possible but then with just one click for every service that is connected with this one app-specific-password. Because e.g. why should I disconnect and remote wipe every single app that I connected on that special device I have lost, if I can do this with just one click?

    Also if you support remote wipe you most likely have to implement it into your app.
    But I know many other services that can do that just better and these do not have to be implemented for each app, because they work for the whole OS.
    So why not use this time and implement SSO instead of the Nextcloud Login flow with remote wipe?

  • @rfc2822 said in Please support Nextclouds SingleSignOn SSO:

    Currently there are indeed some limitations in place when using SSO which seem unlikely to be solved in the “near” future - some of them include remote wipe and push notifications.

    Whether you need them or not is up to you, but that’s just how it is, which is why I still recommend the login flow.

    Signed: Nextcloud developer™

  • developer

    @mario I have now implemented the Login flow as recommended and it works fine 🙂 I’m especially happy that I now can use 2FA without having to transfer the app password manually. However, the WebView method with the redirect to nc:// doesn’t work with Android 10 (and maybe 9); I will have to find out why. Do you know anything about it?

  • @rfc2822 where can I get the source for this to help you debug?

  • developer

    I have pushed it to the https://gitlab.com/bitfireAT/davx5-ose/tree/nc-login-flow-ose branch. I hope it’s working (not the development repo). To start the Intent, I use adb shell am start-activity -d https://nextcloud.example.com/index.php/login/flow --ei loginFlow 1 --es davPath remote.php/dav/ at.bitfire.davdroid/at.bitfire.davdroid.ui.setup.LoginActivity

  • @rfc2822 tested on both 9 and 10 and the redirect works as expected 😕

  • developer

    @mario Thanks for testing. I have set up the emulator again and now it works. Maybe there was something wrong with the image (there was also an image update from Android SDK).

    So I think this will make it to the next DAVx⁵ beta. Then I’ll document it and suggest it to the Nextcloud app so that they can call the new Intent 🙂

  • @rfc2822 Thanks for implementing the login flow.
    Will SSO be implemented, too?

  • developer

    @jakob At the moment, we don’t plan Nextcloud SSO.

    @mario Is SSO even intended to be used by non-Nextcloud apps?

  • @rfc2822 ideally it would be used by all apps that use Nextcloud login but it currently has shortcomings which can only be addressed by further work on how the server (Nc) handles app tokens.

    One would say the most important thing is push, but that takes along quite a lot of things with it - ATM that means remote wipe for example and potentially other things in the future. Like I said above, this will hopefully be addressed in one of the future versions of Nextcloud.

    I’d also say UX is currently better when you just do the auth screen on your side, but that’s a matter of opinion as both ways have their pros and cons.

  • Hi @rfc2822,
    do you think that Nextcloud’s SSO is finally feasible or do you still have the same opinion regarding this?

  • developer

    @szaimen As I understand it, Login Flow is the way DAVx⁵ should do it. And so DAVx⁵ supports Nextcloud Login Flow. Are there any problems with it for you?

  • @rfc2822 Thanks for the fast response!
    No, there are no real problems with it. I think SSO is a bit easier to configure, though, since you don’t need to enter your credentials another time if you already configured the Nextcloud app.
    An idea to improve things could be to maybe make Nextcloud’s Login Flow a bit easier to discover from the DAVx5 app by adding an additional option below extended login when adding a new account directly?
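
The Login flow discussed in the thread ends with the WebView being redirected to an nc:// URL that carries the app password. As an added example (not DAVx⁵ or Nextcloud code), this is one way a client could parse that redirect defensively; it assumes the documented shape nc://login/server:<server>&user:<loginname>&password:<password>, and the names LoginFlowResult, parseLoginFlowRedirect and expectedHost are hypothetical.

```kotlin
import java.net.URI
import java.net.URLDecoder

const val REDIRECT_PREFIX = "nc://login/"

// Result of a finished Login flow. toString() masks the app password so it
// cannot leak into logs.
data class LoginFlowResult(val server: URI, val user: String, val appPassword: String) {
    override fun toString() = "LoginFlowResult(server=$server, user=$user, appPassword=***)"
}

// Assumption: user and password arrive URL-encoded, the server URL does not.
fun decodeOrNull(value: String?): String? = try {
    value?.let { URLDecoder.decode(it, "UTF-8") }?.takeIf { it.isNotEmpty() }
} catch (e: IllegalArgumentException) {
    null
}

// expectedHost is the host the WebView was opened on (hypothetical parameter).
// Returns null for anything malformed, duplicated, non-HTTPS or off-host.
fun parseLoginFlowRedirect(redirect: String, expectedHost: String): LoginFlowResult? {
    if (!redirect.startsWith(REDIRECT_PREFIX)) return null
    val fields = mutableMapOf<String, String>()
    for (part in redirect.removePrefix(REDIRECT_PREFIX).split('&')) {
        val sep = part.indexOf(':')
        if (sep <= 0) return null
        val key = part.substring(0, sep)
        if (key !in setOf("server", "user", "password") || key in fields) return null
        fields[key] = part.substring(sep + 1)
    }
    val server = try {
        URI(fields["server"] ?: return null)
    } catch (e: Exception) {
        return null
    }
    // Policy assumed here: credentials are only accepted for the HTTPS host the user logged in on.
    if (server.scheme != "https" || !expectedHost.equals(server.host, ignoreCase = true)) return null
    val user = decodeOrNull(fields["user"]) ?: return null
    val password = decodeOrNull(fields["password"]) ?: return null
    return LoginFlowResult(server, user, password)
}

fun main() {
    // Constructed sample redirects, not captured from a real server.
    val good = "nc://login/server:https://nextcloud.example.com&user:alice&password:constructed%2Dtoken"
    val offHost = "nc://login/server:https://other.example.net&user:alice&password:constructed%2Dtoken"
    println(parseLoginFlowRedirect(good, "nextcloud.example.com"))    // parsed, password masked
    println(parseLoginFlowRedirect(offHost, "nextcloud.example.com")) // null
}
```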
