After days of trials and unsuccessful Google searches I'm here to ask for technical help.
- I developed a custom web app (in the Java language, but it doesn't make any difference) which has its own login form (it is connected to an LDAP server to perform the authentication check);
- inside that app there is an iframe where the whole NextCloud application runs;
- the above official documentation is a bit lacking in information, so I had to proceed by "trial & error", unfortunately without any appreciable success: even if I grant access through the "Grant your access" page, I am redirected to the page where it is mandatory to fill in the login form (which is, in my case, redundant, because I already have my own page with its own login form).
The login form is presented if I have not logged in previously; otherwise a cookie is picked up from the browser and the login flow continues. In any case, the two previous pages, "Grant your access" and "Connect your account", are always shown (which is undesirable in my case).
Looking here and there on the web, I found many suggestions on how to "intercept" the sources of the various login pages, with the purpose of capturing the inner web methods called by the various tags and their respective input tags, which contain the different tokens to be used in the entire login flow.
Currently, some of the above web methods/routes involved in the login process that I have "intercepted" are:
And, subsequently, the input type="hidden" fields enclosed inside the forms:
Now, considering that the above web methods can be called sometimes with POST requests and other times with GET requests, sometimes with a JSON body and sometimes with a plain-text body, sometimes requiring an Authorization header and other times the "OCS-APIRequest" header, or a multitude of combinations of the above… everything ends in a big headache!
Oh, I was forgetting to mention the "small" issues related to CORS, preflight, CSRF and iframe-level authorizations, HTTPS/TLS/certificates… (on both sides: the nginx server and the client side, i.e. the browsers, mainly Chrome and Firefox).
Does any of you know the exact HTTP request sequence (with the appropriate headers, methods and fields for each request) to completely skip the "Grant your access" page, the "Connect your account" page and, finally, the "Login form" page, landing on a NextCloud page chosen by us?
Many many thanks in advance
Fabrizio, Rome, Italy
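Editor's note, added example (not part of the post above, and not Nextcloud's own code): the "Grant your access" and "Connect your account" pages are the browser half of Nextcloud's Login Flow v2, in which a client starts a flow with one POST, sends the user to the returned login URL, and then polls a second endpoint until the user has confirmed in the browser. The model below simulates both sides so the exchange can be run offline: the endpoint paths (`POST /index.php/login/v2`, then `POST <poll endpoint>` with a form-encoded `token`) and the JSON shapes (`poll.token`, `poll.endpoint`, `login`; later `server`, `loginName`, `appPassword`) follow that flow as I know it to be documented, and should be checked against the installed Nextcloud version; the host, user name and all tokens are constructed. The poll answers 404 until the grant happens, which is the consent step the post is trying to remove, and the flow ends in an app password rather than a browser session.

```python
"""Simulated Nextcloud Login Flow v2 exchange: server and client in one process.

Added illustration, not code from the forum post or from Nextcloud.  Endpoint
paths and JSON field names follow the documented flow; everything else
(host, user, secrets) is constructed for the demo.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

FAKE_USER = "fabrizio"  # constructed login name for the simulated server


class FlowState:
    """Server-side bookkeeping: one poll token per started flow."""

    def __init__(self):
        self.lock = threading.Lock()
        self.pending = {}       # poll token -> None (not granted yet) or credentials
        self.flow_to_poll = {}  # flow token shown in the browser URL -> poll token

    def grant(self, flow_token, login_name):
        """Simulates the user pressing 'Grant access' on the consent page."""
        with self.lock:
            poll_token = self.flow_to_poll.pop(flow_token)  # KeyError if unknown
            self.pending[poll_token] = {
                "loginName": login_name,
                "appPassword": secrets.token_urlsafe(32),  # constructed app password
            }


class FlowHandler(BaseHTTPRequestHandler):
    state = None  # FlowState, set before the server starts

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _json(self, code, obj):
        body = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        base = f"http://{self.headers['Host']}"
        if self.path == "/index.php/login/v2":
            # Step 1: start a flow; the client keeps poll.token, the user opens 'login'.
            poll_token, flow_token = secrets.token_hex(16), secrets.token_hex(16)
            with self.state.lock:
                self.state.pending[poll_token] = None
                self.state.flow_to_poll[flow_token] = poll_token
            self._json(200, {
                "poll": {"token": poll_token, "endpoint": f"{base}/login/v2/poll"},
                "login": f"{base}/login/v2/flow/{flow_token}",
            })
        elif self.path == "/login/v2/poll":
            # Step 3: 404 until the user has granted; credentials are delivered once.
            token = parse_qs(body).get("token", [""])[0]
            with self.state.lock:
                creds = self.state.pending.get(token)
                if creds is not None:
                    del self.state.pending[token]
            if creds is None:
                self._json(404, {})
            else:
                self._json(200, dict(creds, server=base))
        else:
            self._json(404, {})


def start_login_flow(base):
    req = urllib.request.Request(f"{base}/index.php/login/v2", data=b"", method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def poll_login_flow(endpoint, token):
    """Returns the credentials dict, or None while the user has not granted yet."""
    req = urllib.request.Request(endpoint, data=f"token={token}".encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def run_demo():
    """Runs the whole exchange against the simulated server; returns each poll result."""
    state = FlowState()
    FlowHandler.state = state
    server = ThreadingHTTPServer(("127.0.0.1", 0), FlowHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        start = start_login_flow(base)
        endpoint, token = start["poll"]["endpoint"], start["poll"]["token"]
        before = poll_login_flow(endpoint, token)            # None: no grant yet
        state.grant(start["login"].rsplit("/", 1)[1], FAKE_USER)  # "user" clicks Grant
        creds = poll_login_flow(endpoint, token)             # now the app password
        again = poll_login_flow(endpoint, token)             # None: token consumed
        return {"base": base, "before": before, "creds": creds, "again": again}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The thing to take from the model is the shape of the state machine rather than the exact strings: the client never sees credentials until the server-side grant has happened, so the order and headers of the requests cannot produce an app password on their own, and once the `appPassword` is delivered it is the credential the embedding application would use for Nextcloud API calls, with the browser session in the iframe being a separate matter.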