Login flow WITHOUT form

NoLoginForm

Hello experts!
After days of trials and unsuccessful Google searches I’m here to ask for technical help.

Scenario:

  • I developed a custom web app (in Java, but it doesn’t make any difference) which has its own login form (it is connected to an LDAP server for the authentication check);
  • inside such app there is an iframe where the whole NextCloud application runs;
  • initially, the above iframe’s source points to an html page which holds and runs - at startup - a “vanilla” (old-style, without NodeJs, jQuery or similar frameworks) pure JavaScript;
  • the JavaScript contains a few methods which send http requests and, of course, parse their responses;
  • starting from the NextCloud official documentation regarding the “Login flow” (v1 and v2, available here: https://docs.nextcloud.com/server/latest/developer_manual/client_apis/LoginFlow/index.html) I began developing the series of JavaScript methods which send the appropriate request calls;
  • the above official documentation is a bit lacking in information so I had to proceed by “trial & error”, unfortunately without any appreciable success: even if I grant access through the “Grant your access” page, I am redirected to the page where it is mandatory to fill the login form (which is, in my case, redundant due to the fact that I already have my page with its own login form).

The login form is presented if I didn’t log in previously, otherwise a Cookie is picked up from the browser and the login flow continues: in any case the two previous pages, “Grant your access” and “Connect your account”, are always shown (which is undesirable in my case).

Looking here and there on the web, I found many suggestions on how to “intercept” the various login pages’ sources with the purpose of capturing the inner webmethods called by the various tags and their respective input tags, containing the different tokens to be used in the entire login flow.

Currently, some of the above webmethods/routes, involved in the login process, that I have “intercepted” are:

  • /index.php/login/v2
  • /index.php/login/flow
  • /index.php/login/flow/apptoken
  • /index.php/login/flow/grant

And, subsequently, the input type="hidden" fields enclosed inside the forms:

  • stateToken
  • requesttoken

Now, considering that the above webmethods can be called sometimes with POST requests and some other times with GET requests, sometimes with a json body and sometimes with a plain-text body, sometimes they require an Authorization header, some other times they need the “OCS-APIRequest” header, or a multitude of combinations of the above… everything ends in a big headache!

Oh, I forgot to mention the “small” issues related to CORS, Preflight, CSRF, IFrame-level authorizations, HTTPS/TLS/Certificates… (on both sides, the nginx server and the client side, i.e. the browsers, mainly Chrome and Firefox).

Having spent 1 week (night and day, 2 human resources, 30 years of IT experience each) to identify and solve all the security issues while developing the JavaScript code which makes the http requests, we are still unable to bypass the NextCloud login form (using, therefore, exclusively http requests and DOM - Document Object Model - functions).

Does any of you know the exact http request sequence (with the appropriate headers, methods and fields for each request) to completely jump over the “Grant your access” page, the “Connect your account” page and, last, the “Login form” page, finally landing on a NextCloud page chosen by us?

Many many thanks in advance

Fabrizio, Rome, Italy

What you are trying to do is create an application that will have access to Nextcloud. In this case you need a backend that will save and manage access tokens for a longer period, otherwise you have to go through the login and grant access procedure every time.

I would rather connect Nextcloud to the same IdP via a SAML/LDAP/OIDC application to authorize users. Preferably OIDC or SAML: in this case the user can log in once in your application and Nextcloud should take the valid token from the IdP and do a so-called “automatic login”.
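As an added illustration of the backend approach in the reply above (this is not code from the thread or from Nextcloud), the following Python sketch runs the documented Login Flow v2 server-side: POST /index.php/login/v2 returns a login URL plus a poll token/endpoint, the user opens the login URL once in a browser and grants access, and the backend polls until it receives the long-lived appPassword, which it keeps for itself instead of shipping any credential into the iframe. The `post` transport, the fake server and all SAMPLE-* values are assumptions constructed for this example.

```python
import json
from urllib.parse import urlencode

def start_login_flow_v2(server, user_agent, post):
    """POST /index.php/login/v2; post(url, headers, body) -> (status, text) is an
    injectable transport (wrap urllib/requests in production, a fake in tests)."""
    status, text = post(server + "/index.php/login/v2", {"User-Agent": user_agent}, "")
    if status != 200:
        raise RuntimeError(f"login/v2 init failed: HTTP {status}")
    data = json.loads(text)
    return data["login"], data["poll"]["endpoint"], data["poll"]["token"]

def poll_once(endpoint, token, user_agent, post):
    """One poll: None while the user has not yet granted access (server answers 404)."""
    headers = {"User-Agent": user_agent, "Content-Type": "application/x-www-form-urlencoded"}
    status, text = post(endpoint, headers, urlencode({"token": token}))
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"unexpected poll status: HTTP {status}")
    data = json.loads(text)
    # appPassword is a long-lived credential: store it server-side, never in the iframe.
    return {k: data[k] for k in ("server", "loginName", "appPassword")}

def obtain_app_password(server, user_agent, post, max_polls=60):
    """Returns (login_url, credentials). The user must open login_url in a browser
    and grant access before polling succeeds; a real backend sleeps between polls."""
    login_url, endpoint, token = start_login_flow_v2(server, user_agent, post)
    for _ in range(max_polls):
        result = poll_once(endpoint, token, user_agent, post)
        if result is not None:
            return login_url, result
    raise TimeoutError("user never granted access")

def make_fake_transport(pending_polls):
    """Constructed stand-in for a Nextcloud server (sample values, not real tokens)."""
    state = {"pending": pending_polls}
    def post(url, headers, body):
        if url.endswith("/index.php/login/v2") and headers.get("User-Agent"):
            return 200, json.dumps({
                "poll": {"token": "SAMPLE-POLL-TOKEN", "endpoint": "https://cloud.example.com/login/v2/poll"},
                "login": "https://cloud.example.com/login/v2/flow/SAMPLE-FLOW-ID"})
        if url.endswith("/login/v2/poll") and body == "token=SAMPLE-POLL-TOKEN":
            if state["pending"] > 0:  # "Grant access" not yet clicked
                state["pending"] -= 1
                return 404, ""
            return 200, json.dumps({"server": "https://cloud.example.com",
                                    "loginName": "alice", "appPassword": "SAMPLE-APP-PASSWORD"})
        return 404, ""
    return post
```

The grant step is part of the protocol and cannot be skipped by the client; what the backend gains is that it happens once per device, after which the stored appPassword (sent as HTTP Basic auth) is used for all later requests.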