Client authentication without manual steps

Hello,
I would like to know if it’s possible to log in my users with only 1 link.
For example https://nextcloud.exemple.com/index.php/login?user=user&password=password
But any kind of link is valid.
Thank you in advance

But what would you like to achieve when the user clicks on a link?

  • user gets authorized UI access to files?
  • user gets authorized WebDAV access to files?
  • user should be registered with the provided username and password?
  • user should be registered with the provided username, but enter their own new password?

The already existing user should log in to the web UI (dashboard) without typing a user ID or password.

:warning::warning::warning:
Here there should be a discussion that this is not secure at all and is not recommended for anybody.
:warning::warning::warning:


What you provide is a usual GET request; you need to create a POST request to the endpoint:

https://FQDN/index.php/login

with corresponding data in a body:

user=USERNAME&password=PASSWORD&timezone=Europe%2FBerlin&timezone_offset=2&requesttoken=TOKEN

Where TOKEN is, I suppose, the CSRF token.

So, short answer - there is no link that you can share with the user that will log him in to the UI.

But, you can create HTML that will do the job: get CSRF Token and create a POST Request.


I would recommend KeePassXC to your users and simply using the autotype username/password feature there, or adding browser plugins to do the job.

1 Like

@Allder
If your user is in, e.g., a company network with SSO services, you can maybe connect your Nextcloud with SSO & SAML or other tools. Unfortunately I have no experience with it.

If you do not want your user to use user/password, maybe he/she can use the Nextcloud app on desktop or mobile. Then you can use a session key.

Web access from a normal browser worldwide is, however, difficult and, if done as described above, very insecure.

But you can create a public share with read/write access to a directory. Then the user can access this directory directly.

1 Like

As others already stated, this is definitely not a secure way to access your system. Without a password the system cannot distinguish different users, so every user becomes anonymous in the end. If you are looking only for file sharing, a simple share without password could be good enough for you - there is a URL everybody can access without a password, and the attack vector is limited to files existing within this share.

“If your only tool is a hammer everything looks like a nail” but if you describe your complete use case maybe we can recommend a better and secure solution.

1 Like

I need to connect multiple users to a Nextcloud on a local network not connected to the internet.
The login must be without typing any username or password.
The credentials of the user are known by the computer of the client, so they can be passed via API or URL or something else.

This is a completely different situation - you still want authentication but don’t want to perform this manually. In this case I would recommend some SSO solution like SAML or OpenID Connect.

But if I understood correctly, with SAML I still need to enter the credentials at some point, even if it’s not on the Nextcloud login page.

You can use these credentials to authenticate against your SSO server.

Thank you very much. If you have any recommendation for an open-source server, feel free to indicate it.

As your requirements are very specific, I can’t tell if it fits. Keycloak is known to be a very flexible open-source identity server. It offers SAML and OIDC, and lots of guides exist, even for the Nextcloud integration… but you need to find out how you can receive access tokens “automatically”; I think nobody can help you with this task.

2 Likes

Why not a public share from the known user?
And then share the public share. :wink:

This is no more unsafe than your approach, whereby safety does not play a role for you anyway for your issue.

Then the client must know the public share https://lancloud.server.tld/s/SXjyzcckXdEzc7r
Knowing about the URL is also a kind of knowledge.

I would say you can research in an NTLM direction too. This should give you SSO on Windows machines, but within Active Directory, which, I suppose, is not the case.
Or even try with Keycloak and NTLM if you have it to add Nextcloud in the chain.

To be honest, I use Nextcloud as an OAuth2 provider and attach e.g. Gitea to it. This means the user needs to authorize himself once in Nextcloud and he can use Gitea afterwards.