jsxc / xmpp-cloud-auth

:key: Authentication hub for Nextcloud+JSXC→Prosody, ejabberd, saslauthd, Postfix
https://www.jsxc.org
MIT License

Compatibility with user_saml & app passwords? #26

Closed poVoq closed 7 years ago

poVoq commented 7 years ago

I am currently thinking of ways to transition to a SAML based SSO, but I would really like to keep this XMPP integration working.

Thinking about how the user_saml plugin works (and the reasons why the cloud_auth was created) leads me to believe that enabling user_saml will for sure break this? Maybe there could be an option in the settings to add a Nextcloud-provided "app password" per user as a work-around?

MarcelWaldvogel commented 7 years ago

First of all, if you are using the built-in JSXC chat with time-limited tokens activated in the JSXC admin settings, then JSXC will not rely on the password.

I started looking into the app passwords thing a few days ago, but did not make progress then, therefore the delay. I will look at it again.

MarcelWaldvogel commented 7 years ago

A PR to enable app passwords is in nextcloud/jsxc.nextcloud#38

Can you test it?

poVoq commented 7 years ago

Sorry, I don't have SAML logins working yet as I just finished my SAML IDP solution. Therefore I can't test it. Thanks a lot for looking into it though.

Hmm... looking at the commit, wouldn't that only work with the built-in client? What about the common use case where you also want to connect to the XMPP server with an external client, which needs to be supplied with some sort of password (hence the app passwords)?

MarcelWaldvogel commented 7 years ago

The idea behind the JSXC time-limited tokens is to have the JSXC web client be able to seamlessly connect and reconnect when reopening a web page or after a network disconnection (see jsxc/jsxc#427, coming up in JSXC 3.3 soon).

This needs to be supported both by the application under which JSXC is running (currently supported by the Nextcloud JSXC app only) and the XMPP server (by having xmpp-cloud-auth as the backend). This is enabled by a shared secret between the web app and the backend and avoids the need to store a password (insecurely) in the web browser's localStorage.

So for JSXC on Nextcloud, everything is automatic, given the xmpp-cloud-auth backend and the right checkmark.

If other clients (e.g., desktop, mobile XMPP clients) want to connect, they cannot use this mechanism. For them, create an app password in Nextcloud.

Does this answer your questions?
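The shared-secret, time-limited token scheme described in the comment above, as an added illustration that is not code from xmpp-cloud-auth or the Nextcloud JSXC app. The token layout (base64url of `expiry:username:hex-HMAC-SHA256`), the 600-second lifetime, the constructed secret and the function names are all assumptions made for this example; the real backend may encode its tokens differently. What it shows is the property the comment relies on: the browser only ever holds a short-lived token derived from the secret, never the account password, and the backend can reject an expired, tampered or foreign token without seeing the secret leave the server side.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed shared secret for the example only. In a deployment it is
# configured on both the web app and the auth backend, and never sent to
# or stored in the browser.
SHARED_SECRET = b"constructed-example-secret-not-for-real-use"
TOKEN_LIFETIME_S = 600  # assumed lifetime; the real value is a config setting


def issue_token(username: str, secret: bytes, now: Optional[float] = None,
                lifetime: int = TOKEN_LIFETIME_S) -> str:
    """Web-app side: mint a token proving `username` for a limited time.

    Assumed layout: base64url("<expiry>:<username>:<hex HMAC-SHA256>").
    The MAC covers both the expiry and the username, so neither can be
    changed without the secret.
    """
    expiry = int(time.time() if now is None else now) + lifetime
    body = f"{expiry}:{username}".encode()
    mac = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b":" + mac).decode()


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Backend side: return the username if the token is authentic and
    unexpired, otherwise None. Every failure path returns None rather than
    raising, so the auth hook does not leak why a token was rejected."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    body, sep, mac = raw.rpartition(b":")
    if not sep:
        return None
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison: no early exit on the first differing byte.
    if not hmac.compare_digest(expected, mac):
        return None
    expiry_s, sep, username = body.partition(b":")
    if not sep or not expiry_s.isdigit():
        return None
    current = int(time.time() if now is None else now)
    if int(expiry_s) < current:
        return None
    return username.decode("utf-8")


def run_checks(now: int = 1_700_000_000) -> dict:
    """Exercise the accept path and the reject paths at a fixed clock value."""
    token = issue_token("alice", SHARED_SECRET, now=now)
    # Modified copy: username swapped but the original MAC kept, so the
    # backend must refuse it.
    raw = base64.urlsafe_b64decode(token.encode())
    modified = base64.urlsafe_b64encode(raw.replace(b":alice:", b":admin:")).decode()
    return {
        "fresh": verify_token(token, SHARED_SECRET, now=now + 60),
        "expired": verify_token(token, SHARED_SECRET, now=now + TOKEN_LIFETIME_S + 1),
        "wrong_secret": verify_token(token, b"some-other-secret", now=now + 60),
        "modified": verify_token(modified, SHARED_SECRET, now=now + 60),
        "garbage": verify_token("not a token", SHARED_SECRET, now=now),
    }


if __name__ == "__main__":
    print(run_checks())
```

The point for external clients (desktop or mobile) stands as the comment says: they cannot take part in this exchange because they never receive the web app's token, so they are given a Nextcloud app password instead, which the backend checks the ordinary way.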

poVoq commented 7 years ago

Yes, clear now. Thanks!