I am the developer of otpme (GitHub - the2nd/otpme: OTPme: A flexible One-Time-Password system.) and I want to log in to Nextcloud from the otpme SSO page (not yet implemented). otpme will generate a session password that is only valid for Nextcloud. Nextcloud will authenticate against otpme via PAM/RADIUS.
My question is, how should I pass the username and session password to Nextcloud to log in? I guess something like that is not already possible, so I think I have to write a Nextcloud add-on or something like that. What would be an easy and secure way to pass the username/session password to Nextcloud?
I guess it is archived for a good reason. But as far as I understand CSRF, it should not be a security implication for just sending username/password with a POST request. Can you tell me what the danger of using this plugin is? What could an attacker do when using this plugin?
I'm sorry, I have no idea why the mentioned plugin is archived; this may or may not be related to the security impact due to CSRF (which is not a good idea AFAIK)... but single-factor auth is always a bad idea; today every service exposed to the internet must enforce MFA. In my eyes there is a reason why protocols like OIDC and SAML exist: they are proven by security experts and have survived many attacks. I would always prefer "known good" things over something self-implemented unless there is a very, very, very good reason.