Authentication Stack

NextCloud should implement an authentication stack that allows for easy connecting existing authentication backends without having to bother about user management.

The authentication of the user should be independent of the authorization and the user backend.

E.g. in a simple case connecting to a radius server this would be single call with username and password can say YES or NO. But the users are still stored in the NextCloud backend.

This is also important for adding two factor authentication solutions like privacyIDEA.
I added some requirements at github.

This way new authentication techniques can be added easily without any hassle.

As far as a desktop client or smartphone app is concerned, please take a look at OAuth. This way the desktop client does not need to cache the password, which is not possible with one time passwords.

Kind regards

cc @ChristophWurst FYI

I second this idea, similar to what I’ve proposed here: Enable SSO with OAuth 2 (for Azure AD and Google Apps) (allowing authentication using OAuth so we can use identities stored in Azure AD or Google Apps).

Is Azure AD any different from MS AD/LDAP? Out of curiosity.

@blizzz Yes. You’re an LDAP developer so I assume you know AD too well already :slight_smile:

Azure AD is a SaaS identity and access management service, based on OAuth 2, SAML and WS-Federation. Azure AD in the basic tier is completely free, and it’s wildly deployed across organizations worldwide, as it’s a requirement for example for Office365, Exchange and SharePoint Online, etc.

Similar service is offered by Google Apps: organizations that implemented the Google suite will almost certainly have their identities on the cloud. Both Google Apps and Azure AD allow synchronizing identities from a traditional ADDS server.

You can see how much easier it would be to implement something based on OAuth rather than LDAP, and much lighter… And it would have benefits such as single sign on (and not just “same sign on”!).

(Disclaimer: I work for the Azure field team in Canada)

1 Like

Of course each organization probably has some kind of LDAP talking directory server. But in my opinion @AlessandroS is right. Supporting e.g. SAML might be far more important, since this is what you are doing in the browser.
A Nexcloud installation probably is not always only located in the Intranet. So authenticating with SAML mit be the far better solution.

But in my opinion the authentication stack should be designed this way, that it does not matter. An authentication plugin should be implementable with about one hundred lines of code.

Having a well thought, well documented, easy authentication API will make it easy for everyone to add such plugins.
I would be happy to add one for two factors with privacyIDEA!