Schlaubischlump/Cookbook-Client

Authentication

Teifun2 opened this issue · 4 comments

This is not really an issue rather a question.
I'm currently testing some potential ways to create an android app for the cookbook.
I was wondering if you could give me some insight into how you are authenticating with nextcloud? There seem to be various ways and i'm unsure what is the "safest" way to do so.

Hi Teifun2,

I let the user generate an application password in NextCloud (this is only necessary when you have two-factor authentication activated; otherwise you can use your normal user + password combination, although I do not recommend this). Then you can use Basic access authentication for your server requests. In order to keep things secure, you should make sure not to store the password in plain text on the device and force an https connection. There are still a couple of security problems with this approach, but I think they are negligible if your NextCloud instance is set up correctly and you use two-factor authentication.

Thanks for your quick response!
I'm currently not using two-factor authentication but maybe I should switch to that. So far I only

misclick ....

I'm currently not using two-factor authentication but maybe I should switch to that. So far I only use the base64 method for testing. Concerning these security issues, then it would not be safe to store the base64 key? Should this still be obfuscated somehow?

And if I use two-factor authentication, is the process still the same? base64 key from username and the newly created application password?

Thanks for helping me out :)

And if I use two-factor authentication, is the process still the same?

Yes the process is still the same.

Concerning these security issues, then it would not be safe to store the base64 key?

Considering that the application password cannot be used to log into your NextCloud instance when you have two-factor authentication enabled, that it can be easily revoked and that Android already applies a lot of default UNIX security mechanisms, it should be okay to store the base64 key (which is basically the user + password in plain text). If you get the app up and running with this configuration you can add additional encryption or different login solutions at a later point in development.
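The Basic-auth flow discussed in this thread (username + application password, base64-encoded, sent only over https), written out as an added example that is not part of the Cookbook-Client project; the username, password and API path below are constructed placeholders, and the decode function exists only to show that the base64 "key" is the plain credential, not an obfuscated one.

```python
import base64
import urllib.parse


def build_basic_auth_header(username: str, app_password: str) -> str:
    """Authorization header value for HTTP Basic auth with a Nextcloud
    application password: 'Basic ' + base64(username ':' app_password)."""
    if ":" in username:
        # RFC 7617: the user-id part must not contain a colon
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{app_password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def credentials_from_header(header: str) -> tuple[str, str]:
    """Recover username and password from a Basic header. base64 is an
    encoding, not encryption: whoever reads the stored header has the
    full credential, so treat it exactly like the password itself."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def is_https_url(url: str) -> bool:
    """True only for an absolute https URL; Basic credentials travel in clear
    inside the header, so plain http would expose them on the wire."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def build_request(base_url: str, path: str, username: str, app_password: str) -> dict:
    """Assemble URL and headers for one authenticated API call, refusing to
    build anything that would send the credential over a non-https URL."""
    url = base_url.rstrip("/") + path
    if not is_https_url(url):
        raise ValueError(f"refusing to send credentials to non-https URL: {url}")
    return {
        "url": url,
        "headers": {"Authorization": build_basic_auth_header(username, app_password)},
    }


if __name__ == "__main__":
    # constructed sample values, not real credentials
    req = build_request("https://cloud.example.org", "/apps/cookbook/api/v1/recipes",
                        "alice", "s3cret")
    print(req["headers"]["Authorization"])        # Basic YWxpY2U6czNjcmV0
    print(credentials_from_header(req["headers"]["Authorization"]))  # ('alice', 's3cret')
```

The same header works whether or not two-factor authentication is enabled, as the thread says; what changes is only that the application password (rather than the account password) is what gets encoded.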