Please support Nextcloud's SingleSignOn SSO
What about this: When launching the activity from the Nextcloud app with a certain parameter, DAVx⁵ will show a Single-Sign-on-with-Nextcloud-popup instead of the Nextcloud Login flow?
What would be the advantage? A Nextcloud developer told me that Login flow would be the preferred way for third party apps to access Nextcloud, because it allows access to features like remote wipe (= just disable the auth token for a specific app). For me, it makes sense to separate access permission for the various apps.
The main advantage would be that I then do not have to enter my username, password and 2FA for each app that I want to use. When using more than a few Nextcloud apps, it very quickly gets really annoying when I have to log in to every single one.
So the more apps support SSO, the better it gets from a user’s point of view.
Look at Google Apps and Services: there is a reason you do not have to think about logging in to every Google Service you want to use anymore: it is just fast and very convenient - I am not saying that everything they are doing is great, but this is just really nice.
Also I do not know if remote wipe is not supported with SSO. Because of that I created an issue here: Issue and asked there for a clear statement on that. Maybe remote wipe is possible, but then with just one click for every service that is connected with this one app-specific password. Because, e.g., why should I disconnect and remote wipe every single app that I connected on that special device I have lost, if I can do this with just one click?
Also if you support remote wipe you most likely have to implement it into your app.
But I know many other services that can do that just better and these do not have to be implemented for each app, because they work for the whole OS.
So why not use this time and implement SSO instead of the Nextcloud Login flow with remote wipe?
Currently there are indeed some limitations in place when using SSO which seem unlikely to be solved in the “near” future - some of them include remote wipe and push notifications.
Whether you need them or not is up to you, but that’s just how it is, which is why I still recommend the login flow.
Signed: Nextcloud developer
@mario I have now implemented the Login flow as recommended and it works fine. I’m especially happy that I now can use 2FA without having to transfer the app password manually. However, the Webview method with the redirect to nc:// doesn’t work with Android 10 (and maybe 9); I will have to find out why. Do you know anything about it?
@rfc2822 where can I get the source for this to help you debug?
I have pushed it to the https://gitlab.com/bitfireAT/davx5-ose/tree/nc-login-flow-ose branch. I hope it’s working (not the development repo). To start the Intent, I use
adb shell am start-activity -d https://nextcloud.example.com/index.php/login/flow --ei loginFlow 1 --es davPath remote.php/dav/ at.bitfire.davdroid/at.bitfire.davdroid.ui.setup.LoginActivity
@rfc2822 tested on both 9 and 10 and the redirect works as expected
@mario Thanks for testing. I have set up the emulator again and now it works. Maybe there was something wrong with the image (there was also an image update from Android SDK).
So I think this will make it to the next DAVx⁵ beta. Then I’ll document it and suggest it to the Nextcloud app so that they can call the new Intent.
@rfc2822 Thanks for implementing the login flow.
Will SSO be implemented, too?
@jakob At the moment, we don’t plan Nextcloud SSO.
@mario Is SSO even intended to be used by non-Nextcloud apps?
@rfc2822 ideally it would be used by all apps that use Nextcloud login but it currently has shortcomings which can only be addressed by further work on how the server (Nc) handles app tokens.
One would say the most important thing is push, but that takes along quite a lot of things with it - ATM that means remote wipe for example and potentially other things in the future. Like I said above, this will hopefully be addressed in one of the future versions of Nextcloud.
I’d also say UX is currently better when you just do the auth screen on your side, but that’s a matter of opinion as both ways have their pros and cons.