Allow to restrict app password data access
Expected behavior
If a user creates individual app passwords, it should be possible to restrict to which data the app should have access to and what kind of access should be allowed.
Example:
```
App RO RW CREATE DELETE UPLOAD
---------- -- -- ------ ------ ------
Calendar X
Contacts X
Files X
```
Current behavior
If a user creates individual app passwords, they cannot restrict which data the app has access to.
Steps to reproduce
- Log in as a user
- Choose Personal -> App passwords
Environment
Server Configuration
- OS: Linux 3.2.82
- Web server: Apache2 2.4.25
- Database: MariaDB 5.5.53
- PHP version: 5.6.29
- Nextcloud version: 10.0.2
Client Configuration
- Browser: Mozilla Firefox 50.1.0
- Operating system: Windows 7
EDIT by @jospoortvliet : Please see https://github.com/nextcloud/server/issues/30331 for a few more details and use cases.
See: https://github.com/nextcloud/server/pull/719
What is the current plan/state? @icewind1991
The problem is that this is not really that easy.
E.g. you wouldn't want your activity reader to do anything right? But it needs access to all of those to display the related events, get the contact names for displaying and file access for handling of paths in activities.
So while it is nice in theory, we need to make this easily checkable and somehow a way to correctly deal with this for other apps.
@nickvergessen It would seem that to implement this, a permissions framework would need to be built into the core of NC, at which point apps could register the permissions they have available, which would be namespaced with the app name, etc, etc.
A framework I'm using on my own projects is https://github.com/spatie/laravel-permission. While it's deeply integrated with laravel, so not very suitable for this, perhaps a similar model could be used: create a list of permissions - as you mentioned, separate out read vs write permissions in each section, and then assign to users.
Yeah something similar to the bruteforce protection we added in 12 (or was it 11?). https://github.com/nextcloud/server/blob/0bccd5a0d9cda570f405e4f6add4d0a27ec3aee4/core/Controller/LoginController.php#L219
The issue has still not been fixed in Nextcloud v13.0.6.
I suppose this issue is still valid? If not, please close this issue!
Yes, you're right. It is still not possible to restrict the data access.
Actually it makes sense to go even further. IMHO it would make sense to use the sharing functionality to share a file or subdirectory with an "app password". Particularly if one needs to upload or download data for a longer timeframe in a multiuser environment keeping any password on disk or in memory with such wide permissions does not much lessen the attack surface.
Context: I am currently looking for a good way to instruct users to include nextcloud files in their HPC projects. Registering an extra user for sharing files with yourself seems to be the only good solution.
I'm using Android Apps, which access a specific App from nextcloud (e.g. app for calendar, app for tasks, ..). It would be nice to restrict the access of given "app password account" to the exact purpose.
This has become the most requested feature from my users. They need to share specific folders through webdav to some android apps and they do not want to give those apps full access to their data.
As an aside, also worth considering implementing scoped access for oauth, rather than always granting full access to Nextcloud itself when using it for authentication with external services.
- https://github.com/nextcloud/server/issues/26233
Linking related posts on the forum: https://help.nextcloud.com/t/app-specific-passwords-folder-file-permissons/2162 https://help.nextcloud.com/t/limiting-access-of-external-apps-clients-to-a-limited-folder-or-even-file/18939
It is a pity such a great feature is not given proper priority.
> The problem is that this is not really that easy.
> E.g. you wouldn't want your activity reader to do anything right? But it needs access to all of those to display the related events, get the contact names for displaying and file access for handling of paths in activities.
Not every case needs such complexity.
For example I want to sync my keepass db, and only that one file, to my phone.
It would be totally reasonable to start with file/folder based permissions for this feature. Let users manage the complexity for now. The permissions framework can evolve later into a fancier, feature-based framework.
Related:
- #9117
- #35262
- #17339
@joshtrichards wondering if this would also be done with scoped access in OAuth (as is done in Slack). See
- https://github.com/nextcloud/server/issues/26233
What I would like is an app password just for contacts and calendar, so the device I sync my PIM info with doesn't have access to files at all.
Would be similarly good to have an app password just for News, so the device I do my news reading doesn't have access to my PIM or file data at all.
This feature reduces the consequences of a password or device compromise enormously.
For fine-grained file access control, I think using separate accounts and folder shares is fine, but even then, app password just for file access would still limit the blast radius of a compromise.
I'd also be a huge fan of this feature. As mentioned by other folks, you can grant limited file access by creating separate users for separate clients / devices and sharing files with those users. But for calendars / contacts, this would be a pain in the rear.
One place where I have seen this implemented quite nicely is ~~sogo.~~ mailcow.
When creating an app password you get a dialogue like this:
(Further distinguishing between calendar and contacts would be a plus)
Yes this feature is desperately needed. Consider wanting to use an app's API, for instance the cookbook API. It would be ideal if you could limit that credential to only be able to access the Cookbook API instead of risking the whole nextcloud account being pwned.
> One place where I have seen this implemented quite nicely is sogo.
@NiklasBeierl : can you point me to the place where this SoGo feature is implemented? (docs, source code). It seems super great (background: we are using sogo webmail with an underlying cyrus with ldap auth and it would be a charm if we didn't have to pass the original clear text password of the user to SoGo.) (Edit: could it be that you actually took a screenshot from mailcow which only integrates sogo?)
Having said that, Nextcloud should have far fewer difficulties, since they already have app passwords/tokens implemented and this is only about scoping them. I guess the user dialog is the easy part here, but passing a different sub-user-id through the whole stack could be a hell.
@riedel I looked into it and it turns out this is not a feature of sogo but of mailcow dockerized. Couldn't find dedicated documentation, but if you search the repo for "app passwords" you get to some php code.
At least in terms of files, one HUGE step forward would already be the idea to scope an app password to a folder which basically becomes the new "root folder" for that application, so you can make a folder for e.g. your password manager, or automatic backups from a website, and it can do all the things it normally can do except that everything starts within that folder.
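The two proposals in this thread, per-app read/write scopes registered under an app namespace and a folder that becomes the token's file root, can be sketched as one small enforcement check. The block below is an added illustration, not Nextcloud code and not any commenter's implementation; the scope strings (`calendar:ro`, `files:rw`), the `root` field and the action names are hypothetical, and the three tokens are constructed samples. It also covers the part a folder-scoped token gets wrong most often: a client path containing `..` has to be canonicalised and re-checked against the root, and the prefix test has to include the trailing slash so that `/Backups2` is not mistaken for something under `/Backups`.

```python
"""Added example (not Nextcloud code): a minimal model of scoped app passwords.

Hypothetical model: each app password carries scopes of the form "<app>:<level>"
with level "ro" or "rw", plus an optional root folder that becomes the visible
file root for that token. Every request is checked against the token before
any data is touched.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass

# Hypothetical action names, split by whether they change data.
WRITE_ACTIONS = {"create", "delete", "upload", "update"}
READ_ACTIONS = {"read", "list", "download"}


@dataclass(frozen=True)
class AppToken:
    name: str
    scopes: frozenset[str]      # e.g. {"calendar:ro", "files:rw"}
    root: str | None = None     # e.g. "/Backups" confines file access to that tree


def _level(token: AppToken, app: str) -> str | None:
    """Return 'rw', 'ro' or None for the given app."""
    if f"{app}:rw" in token.scopes:
        return "rw"
    if f"{app}:ro" in token.scopes:
        return "ro"
    return None


def resolve_path(token: AppToken, requested: str) -> str | None:
    """Map a client-supplied path onto the token's root folder.

    Returns the absolute path inside the user's storage, or None when the
    canonical path escapes the root (for example via '..').
    """
    root = posixpath.normpath("/" + (token.root or "").strip("/"))
    # normpath collapses '..' and duplicate slashes after joining under root
    full = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # Prefix check includes the slash so "/Backups2" does not pass for "/Backups"
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        return None
    return full


def authorize(token: AppToken, app: str, action: str, path: str = "/") -> tuple[bool, str]:
    """Decide whether the token may perform `action` on `app` (and `path` for files)."""
    level = _level(token, app)
    if level is None:
        return False, f"token '{token.name}' has no scope for app '{app}'"
    if action in WRITE_ACTIONS:
        if level != "rw":
            return False, f"'{action}' on '{app}' needs {app}:rw, token only has {app}:ro"
    elif action not in READ_ACTIONS:
        return False, f"unknown action '{action}'"
    if app == "files":
        resolved = resolve_path(token, path)
        if resolved is None:
            return False, f"path '{path}' escapes root '{token.root}'"
        return True, f"{action} {resolved}"
    return True, f"{action} {app}"


# Constructed sample tokens, mirroring the use cases in the thread.
PIM_PHONE = AppToken("pim-phone", frozenset({"calendar:rw", "contacts:rw"}))
NEWS_READER = AppToken("news-reader", frozenset({"news:ro"}))
KEEPASS_SYNC = AppToken("keepass-sync", frozenset({"files:rw"}), root="/Backups/keepass")


def demo() -> list[tuple[str, bool, str]]:
    """Run a constructed set of requests and return (token, allowed, reason)."""
    requests = [
        (PIM_PHONE, "contacts", "update", "/"),
        (PIM_PHONE, "files", "read", "/Documents/tax.pdf"),
        (NEWS_READER, "news", "read", "/"),
        (NEWS_READER, "news", "delete", "/"),
        (KEEPASS_SYNC, "files", "upload", "db.kdbx"),
        (KEEPASS_SYNC, "files", "read", "../../Documents/tax.pdf"),
    ]
    return [(t.name, *authorize(t, app, action, path)) for t, app, action, path in requests]


if __name__ == "__main__":
    for name, ok, why in demo():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name:13} {why}")
```

The check is deliberately placed before any storage or CalDAV/CardDAV handler runs, so a compromised device holding `pim-phone` gets nothing from files, and `keepass-sync` sees `/Backups/keepass` as `/` and cannot climb out of it.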