SSO with Nextcloud


I am the developer of otpme (GitHub - the2nd/otpme: OTPme: A flexible One-Time-Password system.) and I want to log in to Nextcloud from the otpme SSO page (not yet implemented). otpme will generate a session password that is only valid for Nextcloud. Nextcloud will authenticate against otpme via PAM/RADIUS.

My question is, how should I pass username and session password to Nextcloud to do a login? I guess something like that is not already possible, so I think I have to write a Nextcloud add-on or something like that. What would be an easy and secure way to pass username/session password to Nextcloud?

Thanks for any information.


I don’t think there is a way to authenticate using only a “session” key/token etc.

Multiple mature SSO integrations exist, like OpenID Connect and SAML. Likely it is easier to build around an existing IdP ecosystem (Keycloak, Authelia, authentication, WebAuthn) and add your custom MFA as an IdP plugin… Otherwise you can directly add your application as an MFA plugin to Nextcloud; look at the Nextcloud two-factor apps.

Thanks for your answer. I’ll have a look at SAML, I think.

But I also found this plugin: GitHub - nextcloud/loginviapost: Login to Nextcloud via HTTP POST.

I guess it is archived for a good reason. But as far as I understand CSRF, it should not be a security implication for just sending username/password with a POST request. Can you tell me what the danger of using this plugin is? What could an attacker do when using this plugin?


I’m sorry, I have no idea why the mentioned plugin is archived; this may or may not be related to the security impact due to CSRF (which is not a good idea AFAIK)… But single-factor auth is always a bad idea - today each service exposed to the internet must enforce MFA. In my eyes there is a reason why protocols like OIDC and SAML exist - they are proven by security experts and have survived many attacks. I would always prefer “known good” things over something self-implemented unless there is a very, very, very good reason.