CalDAV and OAuth2/OIDC

I’ve been running Nextcloud in Docker for years and using LDAP integration for user login with no issues.

Recently, I installed authentik and set up Nextcloud to use that for login, using OIDC. This all works great for browser login, and I set up an app password in authentik and managed to get my contacts synced with iOS; however, I cannot seem to be able to do the same using CalDAV.

No matter what I try, I get a failure to log in. I even tried setting up both CardDAV and CalDAV from scratch, and still CalDAV does not work.

Has anyone got this working?

P.S. I am on Nextcloud 30.0.4 and using the OpenID Connect login app from pulsejet, and I do not see anything useful in the logs.

I’m not deep into it, but my impression is CalDAV doesn’t support MFA and you need a client/device password, which you can create in your Nextcloud profile security settings.

Yes, that is how I got CardDAV to work, and you have to do this in authentik since in Nextcloud the app passwords are not available with this setup.

But this is exactly what is not working for CalDAV.

I’m wondering how you came to this conclusion:

and I have no idea if the protocol is aware of WebAuthn authentication and could follow the authentication redirect and in turn utilize a device password from a 3rd-party IdP…

This is how it is working for me for CardDAV.

The client app (Calendar app on iOS) does not know how to handle this, but Nextcloud does, and the app is just passing the app password to Nextcloud like it would if I was using 2FA with Nextcloud. Nextcloud should then verify the password with authentik.

This is not the way OIDC works, at least not the common way. Usually the application has no knowledge of the user’s credentials; this is maybe the best security feature of OIDC: if one application consuming IdP identities is compromised, there is no threat to the IdP or to any of the other applications.

There is one flow (the resource owner password flow) which results in proxying the credentials through the application to the IdP, but this flow is less secure and is deprecated.

The Resource Owner Password Credentials (ROPC) flow is deprecated, basically from the start, because it defeats one of the primary purposes of OAuth 2, which is to not disclose the end user’s credentials to the Client. The draft you are referring to is slated to be incorporated into OAuth 2.1, a revision of the spec that will make it a MUST NOT based on the experience of over a decade of OAuth 2.0 deployment.

The rationale: if you really want to embed direct username/password authentication in an application, there’s no reason to use OAuth 2.x. Just use Basic authentication, LDAP or some other existing way of presenting a username/password from an application to a backend. The OAuth working group recognises in hindsight that incorporating ROPC into OAuth 2 was a mistake because it defeats the purpose of OAuth, creates confusion and doesn’t offer any benefit over existing alternatives, hence the MUST NOT in the revision.
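To make the point of the two replies above concrete, here is an added example (not code from the thread, from Nextcloud or from authentik) that builds the messages a client sends in the deprecated ROPC grant and in the authorization code grant with PKCE, plus the checks each side performs. The endpoint URLs, client ID and redirect URI are placeholders, not real deployments. In ROPC the application itself posts the user's password to the IdP; in the code flow the user only ever types the password into the IdP's own login page, and the application handles a one-time code and a PKCE verifier instead.

```python
"""Added example, not code from the thread, Nextcloud or authentik:
ROPC token request versus authorization code + PKCE, side by side.
All URLs and identifiers below are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_ENDPOINT = "https://idp.example/application/o/token/"      # placeholder
AUTHZ_ENDPOINT = "https://idp.example/application/o/authorize/"  # placeholder
CLIENT_ID = "nextcloud"                                           # placeholder
REDIRECT_URI = "https://cloud.example/apps/oidc_login/oidc"       # placeholder
SCOPE = "openid profile email"


def ropc_token_request(username, password):
    """Form body for an RFC 6749 section 4.3 token request.
    The application itself posts the user's password to the IdP."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": SCOPE,
    })


def make_pkce_pair():
    """RFC 7636: random verifier kept by the client, S256 challenge sent up front."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorization_request_url(state, code_challenge):
    """URL the browser is redirected to. The password is entered on the
    IdP's login page; the application never handles it."""
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    })


def parse_callback(redirect_url, expected_state):
    """Client side of the redirect back: reject a state mismatch
    (CSRF / login injection) before exchanging the code."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on authorization callback")
    return query["code"][0]


def code_exchange_request(code, code_verifier):
    """Form body for the code-flow token request: one-time code plus the
    PKCE verifier, still no user password anywhere."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    })


def idp_verify_pkce(code_verifier, code_challenge):
    """What the IdP does at the token endpoint: recompute S256 and compare
    in constant time."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return secrets.compare_digest(expected, code_challenge)


def mentions_secret(message, secret):
    """Does a request carry the user's password?"""
    return secret in message


if __name__ == "__main__":
    print("ROPC body:", ropc_token_request("alice", "hunter2"))
    v, c = make_pkce_pair()
    print("code flow URL:", authorization_request_url("xyz", c))
    code = parse_callback(REDIRECT_URI + "?code=c0de&state=xyz", "xyz")
    print("code exchange body:", code_exchange_request(code, v))
    print("IdP PKCE check:", idp_verify_pkce(v, c))
```

The `mentions_secret` helper is the whole argument in one line: the ROPC body contains the password, and neither the authorization URL nor the code exchange body does, so a compromised application in the code flow yields a code and a verifier that are useless to replay, not the user's IdP password.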

I see, and what you say makes a lot of sense. Creating an app password in authentik would really allow that password to be used for any service and not just for Nextcloud. Then I am not sure how CardDAV is working, but it seems to be.

Having said that, I did take another look at Nextcloud and I CAN create app passwords. It was just buried at the bottom of all the sessions listed on the security page, so I had not scrolled that far down. The issue now is that Nextcloud prompts for confirmation (enter your password to confirm), and this part does not seem to work. It must have been an option I turned on a while back that I cannot recall. I will take another look.

@wwe you were absolutely right. Once I recalled how to create app passwords in Nextcloud and got around the password prompt issue (I had to log out and log in again so it is a fresh session), I was able to resolve this issue.

Thanks for your insight.
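The resolution above is that the CalDAV client never takes part in OIDC at all: it sends the login name and a Nextcloud app password as HTTP Basic credentials on every request and Nextcloud verifies them locally. The following added example (not code from the thread, from Nextcloud or from Apple) shows what that looks like on the wire: the PROPFIND request with the Basic header and the two-step discovery (current-user-principal, then calendar-home-set) a client performs once authentication succeeds. The host, login name and app password are placeholders, and the two 207 Multi-Status responses are constructed inline in the shape Nextcloud returns for these properties, so the code runs offline.

```python
"""Added example, not code from the thread, Nextcloud or Apple: the
Basic-auth PROPFIND exchange a CalDAV client makes with an app password.
Host, user, app password and the 207 responses are placeholders/constructed."""
import base64
import xml.etree.ElementTree as ET

HOST = "cloud.example"                                # placeholder
USER = "alice"                                        # placeholder login name
APP_PASSWORD = "app-password-from-settings-security"  # placeholder
DAV_ROOT = "/remote.php/dav/"                         # Nextcloud's DAV endpoint

NS = {"d": "DAV:", "c": "urn:ietf:params:xml:ns:caldav"}
ET.register_namespace("d", NS["d"])
ET.register_namespace("c", NS["c"])


def basic_auth_header(user, secret):
    """RFC 7617: base64(user:secret). Only ever send this over TLS; an app
    password is as sensitive as a session token."""
    token = base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def propfind_body(props):
    """<d:propfind><d:prop>...</d:prop></d:propfind> for (namespace, name) pairs."""
    root = ET.Element("{DAV:}propfind")
    prop = ET.SubElement(root, "{DAV:}prop")
    for ns, name in props:
        ET.SubElement(prop, f"{{{ns}}}{name}")
    return ET.tostring(root, encoding="unicode")


def propfind_request(path, props, depth=0):
    """Raw HTTP/1.1 PROPFIND request as the client writes it on the wire."""
    body = propfind_body(props)
    headers = [
        f"PROPFIND {path} HTTP/1.1",
        f"Host: {HOST}",
        f"Authorization: {basic_auth_header(USER, APP_PASSWORD)}",
        f"Depth: {depth}",
        "Content-Type: application/xml; charset=utf-8",
        f"Content-Length: {len(body.encode('utf-8'))}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def extract_href(multistatus_xml, prop_path):
    """Return the <d:href> inside the given property from the first propstat
    with a 200 status; a 404 propstat means the server does not expose it."""
    root = ET.fromstring(multistatus_xml)
    for response in root.findall("d:response", NS):
        for propstat in response.findall("d:propstat", NS):
            status = propstat.findtext("d:status", default="", namespaces=NS)
            if " 200 " not in status:
                continue
            href = propstat.find(f"d:prop/{prop_path}/d:href", NS)
            if href is not None and href.text:
                return href.text
    return None


# Constructed responses (not captured from a real server).
PRINCIPAL_RESPONSE = """<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:">
 <d:response><d:href>/remote.php/dav/</d:href>
  <d:propstat><d:prop>
   <d:current-user-principal><d:href>/remote.php/dav/principals/users/alice/</d:href></d:current-user-principal>
  </d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat>
 </d:response>
</d:multistatus>"""

HOME_RESPONSE = """<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav">
 <d:response><d:href>/remote.php/dav/principals/users/alice/</d:href>
  <d:propstat><d:prop>
   <c:calendar-home-set><d:href>/remote.php/dav/calendars/alice/</d:href></c:calendar-home-set>
  </d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat>
 </d:response>
</d:multistatus>"""


def discover_calendar_home(principal_xml, home_xml):
    """Two-step discovery after a successful Basic login; a missing
    principal usually means the credentials were rejected."""
    principal = extract_href(principal_xml, "d:current-user-principal")
    if principal is None:
        raise RuntimeError("no current-user-principal: authentication probably failed")
    home = extract_href(home_xml, "c:calendar-home-set")
    if home is None:
        raise RuntimeError("principal has no calendar-home-set")
    return principal, home


if __name__ == "__main__":
    print(propfind_request(DAV_ROOT, [("DAV:", "current-user-principal")]))
    print(discover_calendar_home(PRINCIPAL_RESPONSE, HOME_RESPONSE))
```

If the first PROPFIND comes back as a redirect to a login page or a 401 instead of a 207, the credential is being rejected before any DAV processing happens, which is the symptom described at the top of the thread; an app password created in Nextcloud itself is what the server's Basic-auth path expects.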
