Android: User and password in provisioning link not working

Why is this an "enhancement". According to https://nextcloud.com/blog/nextcloud-android-client-1.4.0-has-been-released/ this should work. Even though this blog post says that the url-scheme is "nextclound" and not "nc".

My fault ;) It´s a bit tricky and this works only for me in firefox. But nevertheless since the new login method is used standardly it isn´t working at all ;)

What is tricky and only working in firefox?

In Chrome it opens for me the google search :D So there should be an improvement in the code to be able to do it also in chrom ;) That was the tricky one on my testing purpose :D

I just put the link in the href attribute of an html link element. Chrome on Android correctly launches the nextcloud app.

@LiamHD The issue is basically that this worked until pre-3.0.

@tobiasKaminsky any change to get this fixed as in transffering the user/password within the new web login? Since this feature has been build long before the web login via the app has been implemented.

The "new" login flow is used/created to have a session password instead of using the regular user password for all connections: user "test" and password "test" becomes to test:aiesaie23423, which will then be used for all further communication between app and server.
This kind of password/login is also needed for push notifications.

So we could just create an account with provided user/pass via provisioning link, but this then has to be a session based login.
Or the server needs to be enhanced so that we can pass user/pass to the new login flow without human interaction and get back the desired password.
@rullzer

Aaah this is less easy that I thought.

We can't create a simple endpoint where you submit your username + password and get back an apptoken. Well we could in theory. But it would not work if users have 2FA enabled.

Sending the username+password when opening the current page is not really an option as it would have t be done via GET and thus probably gets logged in the webserver log.

mmm I'm not fully sure yet how to solve that. I'll think about it some more.

Why not just store the username & pass we get directly in the account manager? Then people can pass app passwords via provisioning link.

I don't know where these provisioning links are generated. But if they use apppasswords sure.

But even then I would prefer it to generate a new app password specifically for this device. To avoid multiple devices registered to the same app password because the link is passed from device to device.

AFAIK manually? That's the point - admin generates them for each of the users devices that he's aware of (say corporate devices?), and they're separate. Sure, they're potential for abuse (you do it on multiple devices) it's probably an edge case.

In the current setup admin users can't create apppasswords for users.

At least not without them manually loggin into the account. Which would mean the admin needs to know the user password.

Well, that's true, but in a "world of provisioning" you could "manually"/via script provision users with app passwords in the database, couldn't you?

No you can't. The apppassword contains information that is only available when the user is explicitly logged in.

Well ... damn.

On Wed, 14 Mar 2018 at 09:32, Roeland Jago Douma notifications@github.com
wrote:

No you can't. The apppassword contains information that is only available
when the user is explicitly logged in.

—
You are receiving this because you commented.

Reply to this email directly, view it on GitHub
https://github.com/nextcloud/android/issues/2308#issuecomment-372942277,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAAWskltxhLdNijKxLUiNuVsIB3XO8Miks5teNWzgaJpZM4Sf-hB
.

Maybe we just skip the password part of the story. I also don't think that it's a good idea to pass them around.
But at least the user name could be taken over. So a user clicking on that link does not have the need to enter the server-url and the username. But only needs to enter his password.

In addition it would be cool if nextcloud server could show that provisioning link as QR-Code on that "first start wizard" that comes up a user logs on for the first time. That wizard already provides download links for the native clients. So it would be a perfect place to provide that provisioning link as the first step you do after installing the native app is entering the credentials.

I like @LiamHD's idea! That would help with the worst part, putting in the URL :+1:

the url part is working as afar is i know.

Sending the loginname via get is fine. This can then be autofilled in the login page.

The android app can then just open the same 'add new account' stuff we have now. Just it enters the server directly. And then when opening the webflow your pass ?user=<user>

Would that work?

@rullzer That would be perfectly fine for me.

Any progress on this?

There's no progress, no - as this is not a priority.

If I understand @rullzer in https://github.com/nextcloud/android/issues/2308#issuecomment-373140199 correctly, we would have to wait for NC14 to have this enhancement implemented on server side?

I already implemented automated login using both username&pass (not via link though yet) for Talk, so I can do the same for Nc app.

@tobiasKaminsky yes. Well you could already have the url entered on scanning. I need to look in if/how you can pass on the username.

With next NC16 you can generate a QR code on security page and this can be scanned and will directly login you into NC app.