Re: [libreoffice-website] Authentication issue with Nextcloud
- Subject: Re: [libreoffice-website] Authentication issue with Nextcloud
- From: William Gathoye <firstname.lastname@example.org>
- Date: Mon, 25 Mar 2019 20:46:28 +0100
- To: email@example.com
On 23/03/2019 00:44, Guilhem Moulin wrote:
> On Fri, 22 Mar 2019 at 22:32:02 +0100, William Gathoye wrote:
>> It appears the location of these fonts hasn't been whitelisted properly,
>> leading the Nextcloud client webview (qt5-webengine) to not load them,
>> to avoid a potential XSS vulnerability.
> The CSP violation looks somewhat odd to me:
> I don't understand why your client tries to apply that policy when loading
> resources from https://auth.documentfoundation.org . There is a 303
> redirection in the middle, and the CSP doesn't apply to the Location
Weird is indeed what I thought. I had hoped you had the solution though :-/
My client is the latest version published by Nextcloud on GitHub (not
the one on their website; they are always lagging behind there).
> That's rdm#2658 right? If so, please avoid cross-posting.
Yes it is. But I think it is better to discuss things here, as the
issue is less a bug to me but rather an open discussion which could lead
to a bug report or not. "Always privilege mailing lists when you can",
this is what has been said to me :)
>> Could you please disable "Use SAML auth for the Nextcloud desktop
>> clients (requires user re-authentication)" in the Nextcloud server admin
>> settings? SAML SSO remains active without this parameter.
> From https://github.com/nextcloud/user_saml/blob/master/appinfo/app.php#L124
> it's not exactly clear to me what that would entail.
> * Does that require authentication via application-specific passwords?
According to the answers we can read on the Nextcloud bug report and
forums (the links I gave to you), it appears changing the setting
hasn't required changes in the way users were connecting.
But again their use case is not the one from TDF, this is why I was
thinking of having some sort of sandbox. Do you think it would be
possible to clone the current Nextcloud + SAML config somewhere and try
to debug from there? I don't know if this is possible. I assume TDF has
enough resources and that 2 additional VMs (SAML+Nextcloud) won't cause
any burden to the infra. If that's the case I could offer
> * Does it mean that the Nextcloud server hijacks the SAML challenge
> and performs authentication on behalf of the user?
I don't think there is some kind of hijacking here. I have the same
opinion as you here. But this needs to be confirmed. Do you want me to
post on the Nextcloud bug issue on GitHub and ask if some Nextcloud dev
veteran can confirm this assumption?
To unsubscribe e-mail to: firstname.lastname@example.org
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/website/