If I’m reading this page right (http://tech.saigonist.com/b/code/how-login-any-website-using-curl-command-line-or-shell-script) then this is only needed if authentication can’t be sent via the URL, but according to the documentation “Authentication is done by sending a Basic HTTP Authorization header”.
Interestingly enough, when I view source on the page, I can clearly see the data-requesttoken= and its value and something else called requesttoken= and its value.
If it helps, these are the log records associated with my last attempt…
{"reqId":"mqHkfb2WD04IphGGhVOm","remoteAddr":"192.168.1.1","app":"admin_audit","message":"Login attempt: \"redacted\"","level":1,"time":"2016-12-14T22:40:20+00:00","method":"GET","url":"/ocs/v1.php/cloud/users/testuser","user":"--","version":"11.0.0.10"}
{"reqId":"mqHkfb2WD04IphGGhVOm","remoteAddr":"192.168.1.1","app":"admin_audit","message":"Login successful: \"redacted\"","level":1,"time":"2016-12-14T22:40:20+00:00","method":"GET","url":"/ocs/v1.php/cloud/users/testuser","user":"redacted","version":"11.0.0.10"}
{"reqId":"mqHkfb2WD04IphGGhVOm","remoteAddr":"192.168.1.1","app":"no app in context","message":"CSRF check failed","level":0,"time":"2016-12-14T22:40:20+00:00","method":"GET","url":"/ocs/v1.php/cloud/users/testuser","user":"redacted","version":"11.0.0.10"}
According to these, the login was successful so at least there’s that.
Something else that may be useful is that I upgraded from v10 to v11 this morning and this is the first time I’ve tried to get a handle on user provisioning via API. The MariaDB was the existing instance from the previous Nextcloud version but everything else seems to be working perfectly so I’m not sure it is related.
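One way to read the three records quoted above as a single request, added here as an example and not part of the original post: the script groups Nextcloud JSON log lines by `reqId` and reports requests where the audit log shows a successful login but the CSRF check still failed. The sample lines are constructed in the shape of the records above, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the records quoted in the post
# (reqIds, addresses and user names are placeholders, not real data).
SAMPLE_LOG = r"""
{"reqId":"req-A","remoteAddr":"192.0.2.10","app":"admin_audit","message":"Login attempt: \"alice\"","level":1,"method":"GET","url":"/ocs/v1.php/cloud/users/testuser","user":"--"}
{"reqId":"req-A","remoteAddr":"192.0.2.10","app":"admin_audit","message":"Login successful: \"alice\"","level":1,"method":"GET","url":"/ocs/v1.php/cloud/users/testuser","user":"alice"}
{"reqId":"req-A","remoteAddr":"192.0.2.10","app":"no app in context","message":"CSRF check failed","level":0,"method":"GET","url":"/ocs/v1.php/cloud/users/testuser","user":"alice"}
{"reqId":"req-B","remoteAddr":"192.0.2.11","app":"admin_audit","message":"Login attempt: \"bob\"","level":1,"method":"GET","url":"/ocs/v1.php/cloud/users","user":"--"}
{"reqId":"req-B","remoteAddr":"192.0.2.11","app":"admin_audit","message":"Login successful: \"bob\"","level":1,"method":"GET","url":"/ocs/v1.php/cloud/users","user":"bob"}
{"reqId":"req-C","remoteAddr":"192.0.2.12","app":"no app in context","message":"CSRF check failed","level":0,"method":"POST","url":"/index.php/settings/users","user":"--"}
{"reqId":"req-D","message":"CSRF che
"""

def parse_log(text):
    """Yield one dict per valid JSON log line; skip blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written line must not abort the scan
        if isinstance(entry, dict) and "reqId" in entry:
            yield entry

def authenticated_csrf_failures(entries):
    """Return requests whose records show both a successful login and a CSRF failure."""
    by_req = defaultdict(list)
    for entry in entries:
        by_req[entry["reqId"]].append(entry)
    findings = []
    for req_id, group in by_req.items():
        messages = [e.get("message", "") for e in group]
        logged_in = any(m.startswith("Login successful") for m in messages)
        csrf_failed = any(m == "CSRF check failed" for m in messages)
        if logged_in and csrf_failed:
            first = group[0]
            findings.append({"reqId": req_id, "method": first.get("method"),
                             "url": first.get("url"), "remoteAddr": first.get("remoteAddr")})
    return findings

if __name__ == "__main__":
    for finding in authenticated_csrf_failures(parse_log(SAMPLE_LOG)):
        print(finding)
```

Grouping on `reqId` separates the case in the post (credentials accepted, request rejected afterwards) from a CSRF failure on a request that never authenticated.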