just
March 20, 2021, 3:50pm
What would be the best practice here?
Goal
To allow Nextcloud users to access other local services such as Moodle, DokuWiki, Kanboard, etc.
Somehow protect OAuth keys across services with full r+w access?
Set up and manage an LDAP server.
Authenticate users via User SQL app
Would appreciate input from someone who has experience managing account credentials in a successful + secure manner that allows existing Nextcloud accounts to connect with other self-hosted services such as DokuWiki and Kanboard.
Continuing the discussion from "Anyone got DokuWiki integrated with Nextcloud?":
Security Warning!
Nextcloud OAuth2 implementation currently does not support scoped access. This means that every token has full access to the complete account including read and write permission to the stored files. It is essential to store the OAuth2 tokens in a safe way!
Without scopes and restrictable access it is not recommended to use a Nextcloud instance as a user authentication service.
opened 05:51PM - 20 Mar 21 UTC, closed 01:53AM - 07 Dec 21 UTC
Labels: enhancement, needs info, 0. Needs triage, stale
See [the official documentation](https://docs.nextcloud.com/server/latest/admin_… manual/configuration_server/oauth2.html) for reference. Filing in the hopes of Oauth tokens adding scoped access to address the security risk of only supporting full read+write access. Thanks for your consideration!
> Nextcloud OAuth2 implementation currently does not support scoped access. This means that every token has full access to the complete account including read and write permission to the stored files. It is essential to store the OAuth2 tokens in a safe way!
>
> Without scopes and restrictable access it is not recommended to use a Nextcloud instance as a user authentication service.