Calling APIs with appPassword

Hi. I’m developing an Android app which logs in to a Nextcloud server and interacts with Nextcloud Files (upload, delete, share files). I use LoginFlowV2 to log in. After logging in, I wanna call APIs without the user’s password. I think about using JWT but the request from LoginFlowV2 returns an appPassword, not a JWT. So once the user has logged in, how can I use the appPassword for calling APIs? I really don’t wanna use a 3rd party app for JWT.

Are you using the Nextcloud Android libraries?

No. I log in by using login flow v2.

Just use the app password as a password, see https://docs.nextcloud.com/server/latest/developer_manual/client_apis/OCS/ocs-api-overview.html

I see. But I realized that flow v2 is only used for known devices. I run curl -X POST https://cloud.example.com/index.php/login/v2 on the server and it works, but on other devices, it doesn’t. So I decided to use webview.
I can log in successfully in WebView but cannot grant access, even though I set 'overwriteprotocol' => 'https' in config.php. After logging in, I want to use appPassword for calling APIs, but the API to convert an appPassword requires a username and password, which the user has already provided in the webview:
curl -u username:password -H 'OCS-APIRequest: true' https://cloud.example.com/ocs/v2.php/core/getapppassword

Check https://docs.nextcloud.com/server/latest/developer_manual/client_apis/LoginFlow/index.html on how the login flows work, there’s V1 and V2 which work a bit differently, depending on what you want to achieve.

Yes, I’ve checked. The v2 is for known devices, so I choose to use v1, which is opening a WebView. But for that, I cannot receive the appPassword. As I said, I need to do this to get an appPassword:
curl -u username:password -H 'OCS-APIRequest: true' https://cloud.example.com/ocs/v2.php/core/getapppassword
But the user has already provided username and password in WebView. I can force them to type it again and to be honest, storing a password in a client app is not safe.

No, V2 is not for known devices, it just provides a url which needs to be opened and another url which needs to be polled.
V1 works without polling and uses a url scheme.

A call to getapppassword is not needed in both cases.
Please read the documentation on how login flow works.

For V2, there’s no need to call an API to get appPassword. As I understand it, after successful verification, the appPassword will be returned. But in V2, I do not see the username and password, so the verification process cannot be successful.

In both cases (V1 and V2) you receive (after successful auth) a username and a password/apptoken. Either via a redirect (V1) or via the polling endpoint (V2).

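The V2 exchange described in the replies above, as an added example that is not part of the original thread or Nextcloud's own code: the client starts the flow, sends the user to the login URL, polls until the server returns `loginName` and `appPassword`, then uses those with Basic auth. The `/index.php/login/v2` path is the one quoted in the thread; the JSON field names and the 404-until-granted behaviour are assumed from the Login Flow documentation linked above, and `http_post`, `open_browser` and the fake server with its sample values are hypothetical, constructed so the block runs offline.

```python
import base64
import json
import time

def login_flow_v2(server, http_post, open_browser, interval=1.0, max_polls=600):
    """Run Login Flow v2 and return (server, loginName, appPassword)."""
    status, body = http_post(server + "/index.php/login/v2", {})
    if status != 200:
        raise RuntimeError(f"could not start login flow: HTTP {status}")
    init = json.loads(body)
    # The user signs in on this page in a browser; the app never sees the password.
    open_browser(init["login"])
    poll = init["poll"]
    for _ in range(max_polls):
        status, body = http_post(poll["endpoint"], {"token": poll["token"]})
        if status == 200:  # access granted: the credentials arrive in this reply
            creds = json.loads(body)
            return creds["server"], creds["loginName"], creds["appPassword"]
        if status != 404:  # 404 only means "not granted yet"
            raise RuntimeError(f"unexpected poll response: HTTP {status}")
        time.sleep(interval)
    raise TimeoutError("user did not grant access in time")

def ocs_headers(login_name, app_password):
    """Basic auth with the app password in place of the account password."""
    raw = f"{login_name}:{app_password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode(),
            "OCS-APIRequest": "true"}

def make_fake_server(grant_after):
    """Constructed stand-in for a Nextcloud server: grants after N polls."""
    polls = {"count": 0}
    def http_post(url, form):
        if url.endswith("/index.php/login/v2"):
            return 200, json.dumps({
                "poll": {"token": "CONSTRUCTED-POLL-TOKEN",
                         "endpoint": "https://cloud.example.com/login/v2/poll"},
                "login": "https://cloud.example.com/login/v2/flow/CONSTRUCTED-FLOW-ID"})
        if form.get("token") != "CONSTRUCTED-POLL-TOKEN":
            return 404, "[]"
        polls["count"] += 1
        if polls["count"] <= grant_after:
            return 404, "[]"
        return 200, json.dumps({"server": "https://cloud.example.com",
                                "loginName": "alice",
                                "appPassword": "CONSTRUCTED-APP-PASSWORD"})
    return http_post

if __name__ == "__main__":
    srv, user, app_pw = login_flow_v2("https://cloud.example.com",
                                      make_fake_server(2), print, interval=0)
    print(user, ocs_headers(user, app_pw))
```

Only the returned `loginName` and `appPassword` need to be stored on the device; the app password can be revoked on the server without changing the account password.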