Implement Integrated Login Based on LDAP, or Nextcloud credentials #48
Comments
This would be a very welcome feature but I doubt it's easy to realize.
At least it should be possible for a user to add his personal login credentials in his personal settings area (similar to the Rainloop approach). That would avoid adding the Matrix credentials every time when logging into NC and calling Riot Chat.
Yes, that also sounds like an idea which can be used by the system to initiate this. And come to think of that, if this can be implemented, then even the built-in Nextcloud credentials can be used in some way, so that all users are automatically given a username based on the records used to log in to Nextcloud by the admin.
The last comment I don't understand: if you use the built-in Nextcloud credentials to log into Matrix via Riot, then Riot has to support this and be adapted to this way of authentication. Am I wrong? You still might want to have a settings area where the user can set his Matrix ID, while the default might be @nextcloudusername:domain. The domain can be extracted from the configured Matrix homeserver URL if I remember correctly.
Still trying to understand it, maybe this is what you meant: Nextcloud uses the password given in the settings area once to log in. Then Matrix generates an access token, which Nextcloud should save and keep safe. After that Nextcloud always uses this token, thus never logging out. You would have to trust the Nextcloud to keep your access token safe, similarly as you trust your riot-desktop app to keep its access token safe. On second thought: no, I think the access token of riot-web is stored in the local storage of the browser, thus Nextcloud will not be able to keep that across browser sessions. On third thought: well, my cloud does store a local storage object under its domain just as well as a regular riot-web server does. So the Nextcloud would only have to set the local storage entry again if the user logs in to the Nextcloud the next time. This might also be on a completely different system. My current nextcloud-riot session identifies itself as: "cloud.mydomain.de/apps/riotchat/riot (Firefox, Ubuntu)" while it should then read "cloud.mydomain.de/apps/riotchat/riot (Firefox, Nextcloud)". I kept "Firefox" since I don't know if a local storage object is cross-browser compatible. If it were, one could replace this with "(Somebrowser, Nextcloud)". Does any of that make sense to you?
The Matrix server does indeed supply the client with an access token upon login, which can happen through some form of SSO just fine, but sharing access tokens between sessions (browsers) is generally a bad idea; this will break end-to-end encryption. The device ID is something you're free to set, so setting it to anything including Nextcloud is fine.
Are there ambitions to implement this feature?
Might not be the ideal way for some people but if that can be implemented easily, it will improve this app greatly for now.
I'd accept the addition of this feature in such a way that the user can decide to save their credentials in their personal settings (with a warning that Nextcloud server admins will be able to see the password). I'd rather not do this with end-to-end encryption keys, though. Saving those would defeat the point of end-to-end encryption in my eyes.
I am with you: end-to-end encryption should not be weakened. Can the session (= device) also be stored in the Nextcloud database? I guess that this would be tricky: loading a session environment into the local storage of the browser before logging into Element and saving the session from time to time to the Nextcloud database. Especially the last part is probably error-prone. Anyway: saving the password in personal settings would already be great.
It sounds like a good compromise for now. I'm just wondering if the password could not be hashed to solve the problem of Nextcloud server admins. But a warning is already a very good start. Step by step is good :-)
I don't think it is possible to use the Matrix user password in a hashed form to authenticate against a homeserver 🤔
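The following is an added illustration of the points in the last few comments and is not code from the riotchat project or from anyone in this thread. It models the Matrix `m.login.password` exchange with an in-memory fake homeserver (no network): the request body a Nextcloud-side login helper would send, with the "(Firefox, Nextcloud)" style device name and a caller-chosen `device_id`; the server-side check, which hashes the submitted plaintext with its own salt, so a client-side hash of the password cannot be substituted for it; and the access token being bound to a single device. The user record, salt, domain and device name are constructed values; the field names follow the Matrix client-server `/login` endpoint.

```python
"""Added example (not part of the riotchat project): an in-memory model of the
Matrix m.login.password exchange. Shows why a pre-hashed password cannot replace
the real one at the homeserver, and that the returned token is bound to one device.
All user data, secrets and names below are constructed for the example."""
import hashlib
import hmac
import secrets

# --- fake homeserver state (constructed) -------------------------------------
_DOMAIN = "example.org"
_SALT = b"constructed-salt"
_ITER = 100_000
# The homeserver never stores the password itself, only a salted slow hash of it.
_USERS = {"@alice:" + _DOMAIN: hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}
_TOKENS = {}  # access_token -> (user_id, device_id)


def build_login_request(user, password, device_id=None,
                        display_name="cloud.example.org/apps/riotchat/riot (Firefox, Nextcloud)"):
    """Body a Nextcloud-side helper would POST to /_matrix/client/v3/login.
    'device_id' is optional in the spec; a stable value lets the Nextcloud session
    re-attach to its own device instead of creating a fresh one on every login."""
    body = {
        "type": "m.login.password",
        "identifier": {"type": "m.id.user", "user": user},
        "password": password,  # plaintext; protected in transit by TLS, not by hashing
        "initial_device_display_name": display_name,
    }
    if device_id:
        body["device_id"] = device_id
    return body


def fake_homeserver_login(body):
    """Verify like a homeserver would: re-derive the hash from the submitted
    plaintext and compare in constant time. Returns (http_status, response)."""
    if body.get("type") != "m.login.password":
        return 400, {"errcode": "M_UNRECOGNIZED", "error": "unsupported login type"}
    user = body["identifier"]["user"]
    user_id = user if user.startswith("@") else f"@{user}:{_DOMAIN}"
    stored = _USERS.get(user_id)
    submitted = hashlib.pbkdf2_hmac("sha256", body["password"].encode(), _SALT, _ITER)
    # Same generic error for unknown user and wrong password (no user enumeration).
    if stored is None or not hmac.compare_digest(stored, submitted):
        return 403, {"errcode": "M_FORBIDDEN", "error": "Invalid username or password"}
    device_id = body.get("device_id") or secrets.token_hex(5).upper()
    token = "syt_" + secrets.token_urlsafe(24)
    _TOKENS[token] = (user_id, device_id)  # one token <-> one device
    return 200, {"user_id": user_id, "access_token": token, "device_id": device_id}


def whoami(token):
    """Resolve a token to (user_id, device_id), like GET /account/whoami."""
    return _TOKENS.get(token)


def demo():
    """Successful login with a chosen device_id, then the same user sending a
    SHA-256 of the password instead of the password: the server hashes that
    string again with its salt, so it can never match the stored value."""
    ok_status, ok = fake_homeserver_login(
        build_login_request("alice", "correct horse", device_id="NEXTCLOUD01"))
    prehashed = hashlib.sha256(b"correct horse").hexdigest()
    bad_status, _ = fake_homeserver_login(build_login_request("alice", prehashed))
    return ok_status, ok["device_id"], whoami(ok["access_token"])[0], bad_status


if __name__ == "__main__":
    print(demo())
```

The only thing a Nextcloud-side store can hold that the homeserver will accept is therefore the plaintext password (or an access token obtained from it), which is why the warning about server admins being able to read it is accurate: hashing on the Nextcloud side would just turn the hash into the password.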
In settings/user/externalstorages, users can store global identification; in our case, this global identification is equal to the LDAP identification. Could this app offer to use these credentials?
I would love to have a feature like this, which would improve the UX. The Rainloop plugin is offering a similar feature, does this help in the discussion on how to implement? https://github.com/pierre-alain-b/rainloop-nextcloud/
I don't understand. If we update Riotchat to the last update in Nextcloud, the login will be automatic from now on?
Some of the matrix/synapse installations that we have running on our servers make use of LDAP authentication for login.
The same applies to the Nextcloud instance that we will possibly be running.
Instead of asking users to log in again, allow the system to use the baked-in Nextcloud authentication. This is possible if Nextcloud uses LDAP, and it also removes the requirement to log in in instances where the server has been pre-defined with no ability to change it.