[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [libreoffice-website] Authentication issue with Nextcloud


Hi Guilhem,

On 23/03/2019 00:44, Guilhem Moulin wrote:
> On Fri, 22 Mar 2019 at 22:32:02 +0100, William Gathoye wrote:
>> It appears the location of these fonts haven't been whitelisted properly
>> leading to the Nextcloud client webview (qt5-webengine) to not load them
>> to avoid a potential XSS vulnerability.
> The CSP violation looks somewhat odd to me:
>
>
> I don't understand why your client tries apply that policy when loading
> resources from https://auth.documentfoundation.org . There is a 303
> redirection in the middle, and the CSP doesn't apply to the Location
> target.

Weird is indeed what I thought. I had hoped you had the solution though :-/

My client is the latest version published by Nextcloud on GitHub. (not
the one on their website, they are always lagging behind there).

> That's rdm#2658 right? If so, please avoid cross-posting.
Yes it is. But i think this is better to discuss things here as the
issue is less a bug to me but rather an open discussion which could lead
to a bug report or not. "Always privilege mailing lists when you can",
this is what has been said to me :)
>> Could you please disable "Use SAML auth for the Nextcloud desktop
>> clients (requires user re-authentication)" in the Nextcloud server admin
>> settings? SAML SSO remains active without this parameter.
> From https://github.com/nextcloud/user_saml/blob/master/appinfo/app.php#L124
> it's not exactly clear to me what that would entail.
>
> * Does that require authentication via application-specific passwords?

According to the answers we can read on the Nextcloud bug report and
forums (the links I gave to you), it appears changing the settings
hasn't required changes in the way users where connecting.

But again their use case is not the one from TDF, this is why I was
thinking to have some sort of sandbox. Do you think this would be
possible to clone the current Nextcloud + saml config somewhere and try
to debug from there? I don't know if this is possible. I assume TDF has
enough resources and that 2 additional VM (SAML+Nextcloud) won't cause
any burden to the infra. If that's the case I could offer
infra/computation/storage power.

> * Does it mean that the Nextcloud server hijacks the SAML challenge
> and perform authentication on behalf of the user?

I don't think there is some kind of hijacking here. I have the same
opinion as you here. But this needs to be confirmed. Do you want me to
post on the Nextcloud bug issue on Github and ask if some Nextcloud dev
veteran can confirm this assumption?

Regards,

--
William Gathoye
<william@gathoye.be>



--
To unsubscribe e-mail to: website+unsubscribe@global.libreoffice.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/website/
Privacy Policy: https://www.documentfoundation.org/privacy

References:
[libreoffice-website] Authentication issue with NextcloudWilliam Gathoye <william@gathoye.be>
Re: [libreoffice-website] Authentication issue with NextcloudGuilhem Moulin <guilhem@libreoffice.org>
Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.