How to log in on Nextcloud web UI with OAuth

Hello,

I am trying to integrate Nextcloud in a 3rd party web application using OAuth. I want the user to be able to access the Nextcloud web UI when clicking a link in the 3rd party web application. So the end result will resemble a lite single sign-on.

I have it working by combining these two documentation pages:
https://docs.nextcloud.com/server/15/admin_manual/configuration_server/oauth2.html
https://docs.nextcloud.com/server/latest/developer_manual/client_apis/LoginFlow/index.html

The LoginFlow seems to assume I develop a mobile app, as in the final step the user is redirected using a custom protocol handler nc://. And there are some curl examples; they all work fine.

Since I need to log in from a web browser, from a different domain, I need to honor CORS.

When I POST a request to Nextcloud with a valid HTTP header Authentication Bearer, the CORS OPTIONS request is rejected by Nextcloud.

I have made sure that this is all set up well in Apache, because if I create a test.php and post to there, it all works; I can even log in by reposting using JavaScript from test.php. So it seems the PHP code from Nextcloud is rejecting CORS OPTIONS requests.

So my question: What endpoint can I call to make the user log in to the NC web UI when I have a valid HTTP Bearer token and come from a different domain?

https://docs.nextcloud.com/server/latest/developer_manual/client_apis/LoginFlow/index.html#login-flow-v2 is not an option?

No, that does not work, as it also rejects the HTTP OPTIONS method, which is a CORS preflight check.

You can see the headers here (click show original !!!):

Again, if I put a self-coded test.php on the Nextcloud server, and HTTP POST to test.php from my webapp domain, then all posted data is reaching test.php and the XMLHttp (cross domain) succeeds. With said test.php I can repost using JavaScript to Nextcloud’s index.php, then it works, since it is not a CORS request anymore (no OPTIONS request to Nextcloud).

Of course I do not want a custom PHP file on my Nextcloud server for this.

Here is the Apache config

The issue is actually about WebDAV, but the OPTIONS request is also discussed. I guess the best way to solve that today is to proxy the request with your application until Nextcloud supports the preflight request :disappointed:

cc @rullzer @blizzz

As a matter of fact, the back-end of my webapp is written in Java and does proxy all WebDAV requests.

So I have no issue there, but I would like to use the OAuth code and bearer token I already have (for using WebDAV) and use it to log in to the Nextcloud web UI. The only reason this is not working is that, I dunno why, CORS OPTIONS is rejected by NC. Maybe it is a setting somewhere…?
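
Added example, not part of the thread and not Nextcloud code: a small JavaScript model of the browser's preflight rules, showing why a cross-origin POST carrying a bearer token triggers an OPTIONS request and what the preflight response has to contain. The function names, the `webapp.example` origin and the sample responses are constructed for illustration; the model assumes a request sent without cookies.

```javascript
// Added illustration of the Fetch-standard preflight rules; all names are hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Lower-cased names of request headers that are not CORS-safelisted.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n === "content-type") return !SAFE_TYPES.has(value.split(";")[0].trim().toLowerCase());
    return !SAFE_HEADERS.has(n);
  }).map(([name]) => name.toLowerCase());
}

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(headers).length > 0;
}

// Returns null if the preflight response permits the request, else the reason it fails.
// Models a request sent without cookies (fetch credentials mode other than "include").
function preflightFailure(origin, method, headers, res) {
  const h = Object.fromEntries(Object.entries(res.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (res.status < 200 || res.status > 299) return `preflight status ${res.status} is not 2xx`;
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return "origin not allowed";
  const methods = list(h["access-control-allow-methods"]);
  const m = method.toLowerCase();
  if (!SAFE_METHODS.has(m.toUpperCase()) && !methods.includes(m) && !methods.includes("*"))
    return `method ${method} not allowed`;
  const allowed = list(h["access-control-allow-headers"]);
  for (const name of unsafeHeaders(headers)) {
    // "*" never covers Authorization: it must be listed by name.
    const byWildcard = allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !byWildcard) return `header ${name} not allowed`;
  }
  return null;
}

// Constructed sample data (not captured from a Nextcloud server).
const ORIGIN = "https://webapp.example";
const REQ_HEADERS = { Authorization: "Bearer <token>", "Content-Type": "application/x-www-form-urlencoded" };
const REJECTED = { status: 405, headers: {} };
const WILDCARD = { status: 204, headers: { "Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Headers": "*" } };
const EXPLICIT = { status: 204, headers: { "Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Headers": "Authorization" } };

console.log(needsPreflight("POST", REQ_HEADERS), preflightFailure(ORIGIN, "POST", REQ_HEADERS, REJECTED));
```

A form-encoded POST without the `Authorization` header is a simple request and skips the preflight, which matches the behaviour described for the test.php repost.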