Why no OAuth from Nextcloud instance to help.nextcloud?

I notice the signup form has options to sign up via OAuth using Google, Facebook, GitHub and Twitter, but no option to use your own Nextcloud instance. That seems a bit counter-intuitive, especially for a platform focused largely towards privacy advocates. I’d say it’s something to seriously consider making a priority.

1 Like

As you realized, the listed OAuth providers are “optional”, so there is no need to use them. To which central Nextcloud instance are you referring? AFAIK no central Nextcloud instance exists yet where all Nextcloud users already have an account? So how should authentication work?

To better understand your request, please explain IN DETAIL what function you’re looking for.

1 Like

I wasn’t aware an OAuth provider needed to be centralised/hard-coded in order to work. Would it not be possible to simply type/paste a URL to one’s own instance into a form in order to initiate authentication? Or perhaps a link within the Nextcloud instance itself to automatically authenticate to help.nextcloud.com. If that’s technically not possible, then you’ll need to forgive me for my lack of familiarity with the technical inner workings of OAuth.

1 Like

Imagine someone wants to get access to your flat or house. I think you would want to personally control and grant access to it instead of just letting someone, who you might personally not know, authenticate himself by pointing to his own personal key ring in his pocket, right?! :wink:

As you are realizing, there are problems with providing OAuth from your own Nextcloud. To the best of my understanding:

You’ll need a central Nextcloud instance to provide OAuth.

OAuth would have to be from a specified Nextcloud instance. So only from cloud.nextcloud.com rather than my.cloud.xyz or anywhere else. That instance would generate the OAuth token and then the token could be added to the forum via a plugin.

OAuth token currently grants full r+w access

This is a security concern for even just one central Nextcloud instance being used until scoped access is introduced. This caveat is also explained in the admin documentation at the bottom.

For the moment, OAuth is not a great choice for this.

DiscourseSSO is an app for adding specific Discourse access from a specified Nextcloud

Note this means you’ll be dependent on this app and can still only use one specified Nextcloud instance.

OpenID is yet another choice for Nextcloud and Discourse.

Here is an app, which I’ve never used. You’ll have to read up on OpenID to learn more, but it also uses OAuth so the same caveats above will apply.

Hope this helps you to search out more info.

2 Likes

IndieAuth login would provide a work-around here: https://indieauth.net/.

If help.nextcloud supported IndieAuth, a person wouldn’t need to pre-register their OAuth client with help.nextcloud. All they have to do is prove that they own their Nextcloud domain name. I imagine an IndieAuth plugin would be trivial to build and make the end-user experience dead simple.

I might even write such a plugin if Nextcloud was written in a language I was more familiar with.

That would be a plugin for Discourse, which is what powers the forum. You can learn more about any possibilities for writing plugins, OpenID and everything else at meta.discourse.org/

Well, to be clear, I was actually suggesting an IndieAuth plugin for Nextcloud. Partially because it would be dead-simple. The plugin would just write a configuration file and make it public. The only gotcha that I can think of is some issues with permissions.

As you kind of suggested over at meta.discourse, maybe IndieAuth could be built on top of the existing OAuth options for Discord.

Then the two-sided auth problem would have a tidy solution.
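
The "paste a URL to your own instance" flow asked about earlier in the thread is what IndieAuth specifies. The sketch below is an added example, not code from any poster, Nextcloud or Discourse: it shows the relying-party side validating the typed URL, discovering the authorization endpoint and building the request with `state` and PKCE. The hosts `cloud.example.org` and `forum.example`, the `/auth` path and the sample HTML are constructed, and requiring https is a stricter choice than the spec makes.

```python
import base64, hashlib, ipaddress, secrets
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlsplit

def canonical_profile_url(raw):
    """Validate the URL a user typed as their identity before it is fetched."""
    u = urlsplit(raw if "://" in raw else "https://" + raw)
    if u.scheme != "https":  # stricter than the spec, which also permits http
        raise ValueError("profile URL must use https")
    dots = any(s in (".", "..") for s in u.path.split("/"))
    if u.username or u.password or u.port or u.fragment or not u.hostname or dots:
        raise ValueError("no userinfo, port, fragment or dot segments allowed")
    try:
        ipaddress.ip_address(u.hostname)
    except ValueError:  # not an IP literal, which is what we want
        return f"https://{u.hostname}{u.path or '/'}" + (f"?{u.query}" if u.query else "")
    raise ValueError("host must be a domain name, not an IP address")

class _LinkRels(HTMLParser):
    def __init__(self):
        super().__init__()
        self.rels = {}  # first href seen for each rel value
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            for rel in (a.get("rel") or "").split():
                self.rels.setdefault(rel, a["href"])

def discover_authorization_endpoint(profile_url, html):
    """Read rel=authorization_endpoint from the profile page; resolve relative hrefs."""
    parser = _LinkRels()
    parser.feed(html)
    href = parser.rels.get("authorization_endpoint")
    if href is None:
        raise LookupError("profile page advertises no authorization_endpoint")
    endpoint = urljoin(profile_url, href)
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("authorization endpoint must use https")
    return endpoint

def build_authorization_request(endpoint, me, client_id, redirect_uri):
    """Return (url, state, code_verifier); the site keeps the last two in the session."""
    state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    query = urlencode(dict(response_type="code", client_id=client_id, me=me, state=state,
        redirect_uri=redirect_uri, code_challenge=challenge, code_challenge_method="S256"))
    return f"{endpoint}?{query}", state, verifier

SAMPLE_HTML = '<head><link rel="authorization_endpoint" href="/auth"></head>'  # constructed
```

On the callback the site compares the returned `state` with the stored one, redeems the code at the same endpoint with the `code_verifier`, and treats only the `me` value in that response as the user's identity.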