API: "Password confirmation is required"

Nextcloud version: 27.1.3
Operating system and version: Ubuntu 20.04
Apache or nginx version: Unknown (Snap)
PHP version: 8.1.25

The issue you are facing:
I’m experimenting with the API for a project at work, and to this end I have installed a local version of Nextcloud via Snap. (I didn’t go for the Docker version, because it only allows connection via HTTPS, from what I understood, and I do not have a local certificate.)
Overall, the API works fine, I can see details and lists and everything, but when I try to, for example, create a new user via POST Request to http://localhost/ocs/v2.php/cloud/users?, I get the response message of, “Password confirmation is required”.
I’ve tried authenticating both through Bearer (i.e. App Password), as well as Basic (username:password in base64) authentication, but both resulted in the same error message.

What am I doing wrong? How do I confirm the password via the API?

when I try to, for example, create a new user via POST Request to http://localhost/ocs/v2.php/cloud/users?, I get the response message of, “Password confirmation is required”.

How are you testing/implementing this? What happens when you test with curl?

e.g. see the Example heading at Instruction set for users — Nextcloud latest Administration Manual latest documentation

(I didn’t go for the Docker version, because it only allows connection via HTTPS, from what I understood, and I do not have a local certificate.)

For the record, definitely not the case. There’s just strong language in the README recommending one put an HTTPS server in front of it. 🙂

Thanks for your reply!

I’m sorry, I should have specified earlier. I’m testing with curl directly at the moment. For this example, the command that I use is:
curl "http://localhost/ocs/v2.php/cloud/users?format=json" -X POST -d userid="test" -d password="initial" -H "OCS-APIRequest: true" -H "authorization: Bearer <app password>"

Ah, okay. Thanks! Then I might try it again in future, once I figure out what’s currently going on…

Keep in mind that an app password (aka: “app token”) is not the same as an OIDC token.

Try using it specifically as described in the manual and you should have no issues.

I’m not clear why you’re trying to provide credentials as part of the form data (via -d).

Just use:

-u myusername:mypassword

You can use either your actual password or your app password for mypassword. If using OIDC the latter is required.

If you’re using OIDC you can also use an OIDC ID token via Bearer I think for OCS API calls, but that’s basically a third option. And it’s not the app token/password.

Because the endpoint in the example is for creating a new user, which requires a userid and either an e-mail or initial (hence the example password being “initial”) password.

The trouble is that I wasn’t able to find the manual you linked before then. The one I worked with is this one.
I thought that using the app password via the “Authentication: Bearer […]” header, as described in the manual, worked fine, because without it I got an error message like “Not logged in” or something like that.

Anyway: I wasn’t aware of curl’s -u option (I usually work with Python’s requests and APIs that use OAuth or similar), and because I thought I was already logged in, I would probably not have tried it anyway. But with it instead of the Authorization header, it now works, so thank you very much!


Oops. Guess I needed more coffee when I wrote that! Glad you figured out the rest despite my misdirection. 🙂
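The fix that resolved this thread (HTTP Basic credentials, as sent by curl's -u, instead of the Bearer header), written in Python as an added example that is not code from any poster or from the Nextcloud project. It uses only the standard library; the function names, the loopback-only rule for plain HTTP and the sample response body are assumptions made for this example.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

OCS_USERS_PATH = "/ocs/v2.php/cloud/users?format=json"  # endpoint from the thread
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample body: the message is the one quoted in the thread,
# the statuscode value is an assumption made for this example.
SAMPLE_FAILURE = json.dumps({"ocs": {"meta": {
    "status": "failure", "statuscode": 403,
    "message": "Password confirmation is required"}, "data": []}})


def build_create_user_request(base_url, admin_user, admin_secret, userid, password):
    """Build (without sending) the create-user POST using HTTP Basic auth."""
    parts = urllib.parse.urlsplit(base_url)
    # Added safeguard: Basic auth is only base64, so allow plain HTTP on loopback only.
    if parts.scheme != "https" and parts.hostname not in LOOPBACK:
        raise ValueError("refusing to send Basic credentials over plain HTTP")
    form = urllib.parse.urlencode({"userid": userid, "password": password}).encode()
    cred = base64.b64encode(f"{admin_user}:{admin_secret}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + OCS_USERS_PATH,
                                 data=form, method="POST")
    req.add_header("Authorization", "Basic " + cred)  # what curl -u sends
    req.add_header("OCS-APIRequest", "true")
    return req


def parse_ocs_meta(raw):
    """Return (statuscode, message) from an OCS JSON response body."""
    meta = json.loads(raw)["ocs"]["meta"]
    return meta.get("statuscode"), meta.get("message", "")


def create_user(base_url, admin_user, admin_secret, userid, password):
    """Send the request; an HTTP error status may still carry an OCS body."""
    req = build_create_user_request(base_url, admin_user, admin_secret, userid, password)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_ocs_meta(resp.read())
    except urllib.error.HTTPError as err:
        return parse_ocs_meta(err.read())


if __name__ == "__main__":
    print(parse_ocs_meta(SAMPLE_FAILURE))
```

Call create_user("http://localhost", ...) against the local Snap install; admin_secret can be the account password or an app password, as stated in the reply above.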