Desktop: Basic auth not working with client
Expected behaviour
Open the client. Put in the url with basic auth for example: https://username:[email protected]
And then accept the connection and then have fun by uploading and downloading some data.
Actual behaviour
Hello, i moved to nextcloud from owncloud. I use nextcloud with the official docker container image and it worked perfectly :)
But i have a problem. A big problem. I use for more privacy basic auth provide from a nginx reverse proxy. Yes i configuired this right in the configuration. Everything works i can download and upload some files. Can view text pictures and more....
The client cannot login with the right credentials. I use https://username:[email protected] this works with the owncloud client but not with the nextcloud client.
I write my url with the style https://username:[email protected] and then the nextcloud opens a browser window i accept the connection and then nextcloud try to connect without basic auth and not use credentials. If i correct this nextcloud try this step again .. again and again.
Steps to reproduce
- Install nextlcloud with nginx reverse proxy with htpasswd file
- Download the client
- Try to connect to your server
Operating system: Windows 10 latest version
OS language: German
Installation path of client: Standart click click next :)
Syntax3rror404
All 16 comments
I hope realy for some help or for fixing this issue or implement this feature.
Syntax3rror404
on 28 May 2020
I tryed only for fun a connection with the ownCloud Client to the Nextcloud Server with the URI: https://username:[email protected] and it works perfectly. Interessting, this says that the problem ist nextcloud desktop client.
Syntax3rror404
on 30 May 2020
Same here with linux client too.
einhander
on 3 Jun 2020
I'm not sure if that kind of setup is supported.
cc @rullzer sounds like login flow.
kesselb
on 3 Jun 2020
If not, it can be implement. I meen the old old owncloud client support this :D and I will secure my private cloud with basic auth.
Syntax3rror404
on 3 Jun 2020
I guess if you create the app token for the client yourself and use it as username / password tuple it should work.
kesselb
on 3 Jun 2020
How with basic auth? If i try to get the token via the client that opens a nextcloud window it fallback to the uri without basic auth and it dont work.
Syntax3rror404
on 3 Jun 2020
Ah. It seems that login without login flow is not longer possible. Feel free to send a pull request that adds that credentials to the login flow polling url.
kesselb
on 3 Jun 2020
What you are trying to do is not supported. Nextcloud handles the auth (also basic auth). So you should not do this on a webserver level.
rullzer
on 4 Jun 2020
Ok thanks for this information, then i go back to ownCloud ;)
You can mark this as a Feature Request.
Syntax3rror404
on 4 Jun 2020
I wonder how that works. Are username:password the same for reverse proxy and nextcloud? Requests for the dav endpoints are using basic auth to authenticate. It's not possible to "stack" basic auths. They only case I could image is if the same credentials are used.
kesselb
on 4 Jun 2020
Yes, in my case ownCloud and nextcloud runns on a docker container and on the front are a nginx reverse proxy with basic auth. The htpasswd username and password are the same as in ownCloud and Nextcloud.
Syntax3rror404
on 4 Jun 2020
I make this, because I dont't want, that anyone can access the webinterface from nextcloud and OC.
Syntax3rror404
on 4 Jun 2020
Nextcloud uses app passwords for the clients to authenticate. If you connect the client to nextcloud for the first time and authenticate with username:password a app password is generated and used for all requests. Means the basic auth username:password tuple is always different. I don't think that will change anytime soon. It would basically require the client to use something different than basic auth to authenticate.
kesselb
on 4 Jun 2020
I have the same setup and I am really annoyed by this. The old Nextcloud client did work with an Reverse Proxy doing basic auth and that suddenly stopped a few versions ago and now is "not supported".
Using basic auth in Apache was great because you could easily do SSO via ldap groups and setup fail2ban to block users and lock out the script kiddies.
The login via browser still works this way and I can not understand why the clients do no longer support this as an alternative login.
As a workaround I added something like that to have at least basic auth on the browser login pages
<LocationMatch "^/$|^/index.php$|^/index.php/login$">
AuthType Basic
AuthName "Your Realm"
AuthUserFile /srv/www/vhosts/domain/wwwusers
AuthGroupFile /srv/www/vhosts/domain/wwwgroups
Require group cloud
</LocationMatch>
andreas-wolf
on 24 Jul 2020
With SAML SLO being broken AND this being broken by the move to the new auth system...
I get the feeling that someone really wanted to push a new auth system without thoroughly thinking about the consequences.
Same case here: SAML wasn't an option, but I could do something with basic auth... But ran into this issue.
Also: It's kinda odd that they also didn't add "logout forward url" for ages now (which would also help people integrating nextcloud into reverse proxies and custom auth systems like ones using basic auth).
Ornias1993
on 31 Oct 2020
Related issues
joephein
路
47Comments
vberger
路
41Comments
Germano0
路
60Comments
e-alfred
路
71Comments
tabp0le
路
119Comments
Most helpful comment
With SAML SLO being broken AND this being broken by the move to the new auth system...
I get the feeling that someone really wanted to push a new auth system without thoroughly thinking about the consequences.
Same case here: SAML wasn't an option, but I could do something with basic auth... But ran into this issue.
Also: It's kinda odd that they also didn't add "logout forward url" for ages now (which would also help people integrating nextcloud into reverse proxies and custom auth systems like ones using basic auth).