Server: Show QR code with new app password and other settings to allow easier client setup

Created on 18 Jul 2016 · 31 Comments · Source: nextcloud/server

Steps to reproduce

  1. Go to personal settings
  2. Create a new app password

Expected behaviour

Configuring a client should be as easy as possible. I'm super lazy and I don't want to type the server URL, username and password.

Actual behaviour

You have to type the URL, user and password and make typos.

Nextcloud version:
master

In the future, mobile clients could then integrate a QR code reader and make the device setup super easy.

cc @jancborchardt @MorrisJobke @LukasReschke @AndyScherzinger

1. to develop enhancement

All 31 comments

Sounds good to me :+1:
Besides I also have custom URLs on my agenda (haven't opened a ticket yet) which will allow the app to open a certain URL which contains the server address which will then launch the app's login screen with the server address being prefilled :)

One thing though. In the Android ecosystem we should not ship a QR code scanner but integrate with a QR code scanner (which does have the downside of the scanner having to be installed on the device already...).

(EDIT: I removed "to develop" since it should first go to "approved")

cc: @tobiasKaminsky @przybylski

As said by @AndyScherzinger already, the giant downside of this is that a QR code scanner is needed. Building one in the app is probably a ton of work, and integrating with an existing one seems a bit pointless since … well, let’s face it, no one really uses QR code readers. ;) (That is, a tiny technical minority.)

Just putting in the server address on the mobile and then doing something with OAuth or such would be a much better time investment and valuable for everyone I’d say. cc @LukasReschke @karlitschek

Android (and in a slightly similar but not exact same way) has the capability for our app to react to certain URLs. So we could implement the server side generation of emails with hyperlinks including this URL sent to the potential users, which could then just click on the link, choose Nextcloud as the app to open the URL, login screen appears with pre-filled server address.

Would this be something worth implementing?

Not sure since this is kind of a strange flow:

  1. Download the app
  2. Open the app
  3. Ah no, open the web interface in the mobile browser instead
  4. Go to the settings and understand that you can click the link to have your stuff prefilled
  5. Okidoke

It seems actually more cumbersome than just the flow now:

  1. Download the app
  2. Open it
  3. Put in the address, username and password
  4. Go

I've seen the QR code-configuration in the bittorrent sync-client (https://github.com/owncloud/core/issues/12071). It is really nice to use. Entering long addresses, usernames and passwords is not very handy on mobile devices (however it is only done once).

@jancborchardt it is slightly different ;)

  1. Receive an E-Mail with a link
  2. Click on the link
  3. Use Nextcloud to open the link
  4. Put in user/pwd

We can also define a fallback URL within the URL, so we will route the user to the play store :D - for details please see: https://developer.chrome.com/multidevice/android/intents#example

This makes total sense imho for the scenario where an admin would set up a Nc instance and then send out an e-mail to all potential users and it also makes sense for mailings whenever in an enterprise scenario a new employee joins the company, gets an email to his cellphone and everything works from there :dancer:

Why not do both?
I imagine that integrating the qr code thing is not that much work...

The QR code thing is rather easy I guess (calling an Intent for results with a pre check if the intent is present)

> well, let’s face it, no one really uses QR code readers. ;) (That is, a tiny technical minority.)

I doubt so, in some Motorola phones a QR scanner is already built into the camera and some of my friends use it to distribute their WLAN...

> It seems actually more cumbersome than just the flow now:
>
>   1. Download the app
>   2. Open it
>   3. Put in the address, username and password
>   4. Go

This is not true in some cases as that won't work with the new app passwords if 2fa is enabled for a user. There is no way around using an app password in that case and you'd have to either generate/copy the app password from your mobile phone's browser or create the password on your PC and type the password into your phone.

> One thing though. In the Android ecosystem we should not ship a QR code scanner but integrate with a QR code scanner (which does have the downside of the scanner having to be installed on the device already...).

Right, ideally apps should not ship a QR code scanner. However, apps like Signal or the OTP Authenticator have a reader built-in and I like that a lot, UX-wise. Actually, I was inspired by the easy setup of the Signal desktop client – you scan a QR code with your phone and everything else is set up for you automatically. I thought we could do something similar.

I think a QR code would be fine. I mean we also have a QR code if people enable the TOTP app.

Basically you will have 2 types of users (of course very much oversimplified but still).

  1. Users that use the same password everywhere and don't care. Nothing changes for them.
  2. Users that want a secure setup. Want tokens. Want 2FA enabled and all that.

These app passwords are for the second group. Of course users could become part of the second group by force of the admin. But that is not a problem we can solve. Same as if the admin requires passwords to be 32 chars long.

Now if I'm part of the second group I want my stuff to be as secure as possible. Which means long app passwords! Which is a problem if I'm typing it. But absolutely fine if I can use a QR scanner.

Using QR for setup is some state of the art. Compare with FritzBox WLAN setup or Signal desktop client sync, and it increases usability dramatically :)

The feature I am currently working on for Android will/should be able to handle the following URLs (nextcloud://... hasn't been tested yet, but http://... and https://... work). So Nextcloud will be offered as the application to open the URLs following a simple pattern. The following URLs are within the pattern and can be read by the implementation:

http://logindata.nextcloud.com/user:testuser123&password:testpassword123
https://logindata.nextcloud.com/user:testuser123&password:testpassword123
nextcloud://login/user:testuser123&password:testpassword123
http://logindata.nextcloud.com/user:testuser123&server:testserver123
https://logindata.nextcloud.com/user:testuser123&server:testserver123
nextcloud://login/user:testuser123&server:testserver123
http://logindata.nextcloud.com/server:testserver123&user:testuser123
https://logindata.nextcloud.com/server:testserver123&user:testuser123
nextcloud://login/server:testserver123&user:testuser123
http://logindata.nextcloud.com/server:testserver123&password:testpassword123
https://logindata.nextcloud.com/server:testserver123&password:testpassword123
nextcloud://login/server:testserver123&password:testpassword123
http://logindata.nextcloud.com/password:testpassword123&user:testuser123
https://logindata.nextcloud.com/password:testpassword123&user:testuser123
nextcloud://login/password:testpassword123&user:testuser123
http://logindata.nextcloud.com/password:testpassword123&server:testserver123
https://logindata.nextcloud.com/password:testpassword123&server:testserver123
nextcloud://login/password:testpassword123&server:testserver123
http://logindata.nextcloud.com/user:testuser123
http://logindata.nextcloud.com/password:testpassword123
http://logindata.nextcloud.com/server:testserver123
https://logindata.nextcloud.com/user:testuser123
https://logindata.nextcloud.com/password:testpassword123
https://logindata.nextcloud.com/server:testserver123
nextcloud://login/user:testuser123
nextcloud://login/password:testpassword123
nextcloud://login/server:testserver123
http://logindata.nextcloud.com/user:testuser123&password:testpassword123&server:testserver123
https://logindata.nextcloud.com/user:testuser123&password:testpassword123&server:testserver123
nextcloud://login/user:testuser123&password:testpassword123&server:testserver123
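
The URL pattern listed in the comment above, parsed strictly, as an added example that is not part of the thread or of the Nextcloud Android app. The names `parse_login_url` and `LoginUrlError` and the percent-decoding of values are assumptions made for illustration; the accepted schemes, hosts and field names are taken from the list.

```python
from urllib.parse import urlsplit, unquote

# (scheme, host) pairs that appear in the URL list in the comment above.
ACCEPTED_ORIGINS = {
    ("http", "logindata.nextcloud.com"),
    ("https", "logindata.nextcloud.com"),
    ("nextcloud", "login"),
}
ALLOWED_KEYS = {"user", "password", "server"}


class LoginUrlError(ValueError):
    """Raised when a URL does not match the login-data pattern."""


def parse_login_url(url: str) -> dict:
    """Return the user/password/server fields carried by a login-data URL.

    Fields may come in any order and any subset, as in the list above.
    """
    parts = urlsplit(url)
    # Comparing the whole netloc also rejects userinfo and explicit ports.
    if (parts.scheme, parts.netloc.lower()) not in ACCEPTED_ORIGINS:
        raise LoginUrlError("unexpected scheme or host")
    if parts.query or parts.fragment:
        raise LoginUrlError("query and fragment are not part of the pattern")

    fields = {}
    for item in parts.path.lstrip("/").split("&"):
        key, sep, value = item.partition(":")  # split at the first colon only
        if not sep or key not in ALLOWED_KEYS:
            raise LoginUrlError(f"unknown or malformed field: {key!r}")
        if key in fields:
            raise LoginUrlError(f"duplicate field: {key!r}")
        # Assumption: reserved characters in values are percent-encoded.
        value = unquote(value)
        if not value:
            raise LoginUrlError(f"empty value for {key!r}")
        fields[key] = value
    return fields


if __name__ == "__main__":
    # Sample URL copied from the list above (test values, not real credentials).
    sample = "nextcloud://login/server:testserver123&user:testuser123"
    print(parse_login_url(sample))
```
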

Since the Signal example was brought up: They ship their own QR code reader. I think qr codes aren't necessarily bad, but requiring someone to install a separate app to do that is cumbersome. Especially if you don't expect to be needing it.

Hence - if we use QR codes in one of our main flows, we should _properly_ integrate it by shipping the app with a QR code reader in it. Or not do it at all.

> Hence - if we use QR codes in one of our main flows, we should _properly_ integrate it by shipping the app with a QR code reader in it. Or not do it at all.

Yeah, let's ship a reader :+1:

Feedback by @tobiasKaminsky would be nice ;)

I would go the android way: use a decent barcode/qr scanner app, which then redirects to NC.
Also there are nowadays quite a few devices that have a qr scanner in their camera app built in.

So let us do it in two steps:

  • first integrate it with a 3rd party scanner app --> how and where do I get this QR code?
  • if too many people want to have it built in, we can see how to implement it (please note that this will then have to be supported for eternity, and I fear supporting camera on all those different vendors)

As the Nextcloud Android app uses app-tokens now, I was wondering if the existing flow mentioned by @AndyScherzinger supports them? Is it possible from a server's point of view to have some button "create login qr-code" which generates a new app-token which is then embedded into a qr-code?

It would be great to push this feature a little as it might be a great addition to the new SSO feature for Android. The user won't even have to enter his password once while setting up all his Nextcloud Android Apps!

> I would go the android way: use a decent barcode/qr scanner app

I agree with @tobiasKaminsky as most default camera apps already ship support for scanning qr-codes. However from the UX perspective and the fact that every device ships its own camera I would recommend using something like zxing, as it lets you create a custom scanning experience (similar to WhatsApp Web).

Issue is related to / duplicate of: https://github.com/nextcloud/server/issues/5659 and https://github.com/nextcloud/server/issues/8992

@ChristophWurst do we wanna hack this together on contribution week? :beers:

Sure!

Done, waiting desperately for integration on server by @ChristophWurst

For the sake of completeness here is the link to the Android PR: https://github.com/nextcloud/android/pull/3383

@tobiasKaminsky Your PR implements this feature, doesn't it? (the android side of it)

@David-Development, yes :+1:

App passwords are needed for other apps on mobiles as well (like for example DavX/Davdroid, News apps, SMS app, bookmarks apps), so installing a QR code reader app shouldn't be a big deal. These apps probably won't integrate well with other solutions. Copying the QR code from one app to another is probably the easiest way to handle this.

A 3rd-party app called Phonetrack implemented this using a JQuery QR code library already and it works extremely well:

https://gitlab.com/eneiluj/phonetrack-oc/commit/37582661bb30294eb18b2c5204f2eefd5e8059c2
https://github.com/jeromeetienne/jquery-qrcode

Let's move it to 17.

Who can give me a test environment for this? (I have my personal provider session down)

[Screenshot from 2019-03-04 11-19-37]

^ does that work for you?

Hey, I just discovered this issue and thought that it would be better if we could directly generate a QR code by clicking the profile icon > Connect a new device, rather than going into the settings, security, then new device

> Hey, I just discovered this issue and thought that it would be better if we could directly generate a QR code by clicking the profile icon > Connect a new device, rather than going into the settings, security, then new device

Mind to open a new ticket about this UX topic?

> Mind to open a new ticket about this UX topic?

Sure
