see #23458
:boom: Auth should fail.
Auth by password is still allowed.
cc @LukasReschke @PVince81
Should probably be a config switch, and have it enabled by default on new installs?
Correct. And the config switch is set to "password allowed" on upgrade. That means by default it will use application specific passwords and only allow the password if the instance was upgraded. See https://github.com/owncloud/core/commit/0e922b1841ff85e9557ee61a85112f169caa7694#diff-2af2ba33b6e46e7c274bfe956b1cda78R25
@PVince81 should we re-open this? We agreed on disabling strict token auth by default. Maybe set it to 9.2 then.
@MTRichards @cmonteroluque @MorrisJobke @LukasReschke the config option for enforcing app-specific passwords (enforce token auth) was merged into master / 9.1.
However, we haven't yet set it as the default for new installations because we'd like to discuss this.
When talking with @ChristophWurst @nickvergessen and @schiesbn we realized that for community users, having enforced token auth would cause a bad out-of-the-box experience. It is likely that we'll get bug reports, support requests, etc. about people not being able to log in with their desktop/mobile clients because they don't know they now need to generate the passwords in their personal page.
Also in use cases like privately used ownClouds, some users like parents/grandparents might not always be skilled enough to go through the steps for generating that password and even having to type it into the mobile phone.
Short term, we suggest leaving it disabled by default. For enterprise, we should recommend enabling this in the docs.
In the future, mobile and desktop clients will gain the ability to automatically retrieve tokens instead of using passwords, as per https://github.com/owncloud/core/issues/24794 (browser-based login where the client goes to the browsers). Whenever this feature is implemented, we can reconsider making it a default because from the user's point of view it won't make much difference whether they enter their own password inside the client's UI or the popup browser window.
Please let us know whether you agree with this decision or have other arguments to enforce it out of the box.
I think this makes a lot of sense as a first step. When it is seamless and automatic, fantastic. Until then, requiring an act of commission on the part of the admin ensures fewer issues are encountered, and folks are generally happier with their ownCloud experience. As always this is a security/usability tradeoff for now, and I am ok with this.
@MTRichards thanks for the feedback.
@ChristophWurst can you make a new ticket to change the default in 9.2 or a future release? Then close this one (but refer back to it to point at the rationale).
@PVince81 why don't we just set the milestone to 9.2 on this one? I don't see the reason for re-creating the same issue
Ok done.
great
So should we do this if OAuth2 works and tokens can be retrieved automatically by clients?
I still don't think it's good to have this enabled by default...
CC @PhilippSchaffrath @pmaier1 @felixboehm
I agree with you. IMO it should be disabled by default to avoid confusing non-technical users. It's the admin's responsibility to enable it and explain to users why and how they should use it.
Please close if nobody disagrees.