
JSXC does not autologin with SAML/SSO and external prosody server

Open skug67 opened this issue 7 years ago • 12 comments

Expected behavior

When users successfully log in to Nextcloud (via SAML/SSO) they will be successfully logged in to jsxc as well.

Actual behavior

After initial Nextcloud login, jsxc panel shows "No connection! relogin." Clicking on the relogin link and re-entering credentials results in a successful login to jsxc.

Steps to reproduce the behavior

Set up Nextcloud for SSO/SAML authentication using Auth-TKT to pass authentication data from a Roundcube login screen. Set up jsxc within Nextcloud to use an external prosody server. Then log in to Nextcloud. Results as above. Can successfully log in to jsxc using either the internal xmpp server and SSO/SAML authentication, or native Nextcloud authentication and the external server. But cannot combine SSO/SAML authentication with the external server and maintain automatic login to jsxc.

Environment

JSXC version: 3.4.0 (installed via Nextcloud app store)
Host system and version: NextCloud 13.0.4 on Debian 9 (Stretch)
Browser vendor and version: Firefox, Chrome, newest
Any browser plugins enabled? No
XMPP server vendor and version: Prosody 0.10
Is your XMPP server working with other clients as expected? Yes

skug67, Jul 06 '18 12:07

If the login does not provide a password which JSXC can intercept and use toward the XMPP server, you need to use xmpp-cloud-auth and time-limited tokens.

MarcelWaldvogel, Jul 06 '18 18:07

Hmmm...

That somewhat improves the situation in Chrome (on Windows, version 67.0.3396.99). I still get the "No connection! relogin" message, but now when I click to relogin it does so automatically w/o asking for a username and password. But on Firefox (also Windows, version 61.0.1) the situation is entirely unchanged -- still getting the "No connection! relogin" message, and still need to enter credentials when I click to relogin.

skug67, Jul 06 '18 19:07

@sualko?

MarcelWaldvogel, Jul 06 '18 19:07

JSXC needs at least one successful login, so it knows that the authentication backend supports time-limited tokens or a similar authentication method. Currently I have no time to change that, but please remind me in 1-2 weeks.

sualko, Jul 15 '18 07:07

Any news on this? Is it actually possible to avoid re-entering credentials even on first login?

By reading this issue xmpp-cloud-auth-89, it looks like it has been working at some point.

My setup is a bit different (ejabberd instead of prosody) but I don't think it's relevant. But just in case: ejabberd 21.01 + nextcloud 20 + xcauth 2.0.4 + ojsxc 4.2.1 with time-limited auth tokens enabled.

fangebee, May 18 '21 08:05

No, there is no news on this. I'm currently preparing a new version for Nextcloud 21 and working on video group calls. So there is only little time to look at other things. Sorry for that.

As I said, JSXC has to learn that time-limited tokens aka passwordless authentication is possible and then automatically connect if the user didn't disconnect before. To get this working, the information has to be provided via https://github.com/nextcloud/jsxc.nextcloud/blob/master/lib/Controller/JavascriptController.php and in a second step you have to check if the user has forced a disconnect and connect otherwise.

sualko, May 18 '21 11:05
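The time-limited tokens mentioned in this thread let the XMPP side accept a login that Nextcloud vouches for when SSO never hands over a password. The sketch below is an added example, not code from JSXC or xmpp-cloud-auth and not their actual token format: the field layout, the function names and the shared secret between the web app and the XMPP auth hook are all assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def _mac(secret, expiry_bytes, jid):
    # The expiry field is fixed-width, so expiry || jid cannot be re-split.
    return hmac.new(secret, expiry_bytes + jid.encode(), hashlib.sha256).digest()


def issue_token(secret, jid, ttl, now=None):
    """Web side, after SSO succeeded: mint a password substitute for `jid`."""
    issued = int(time.time() if now is None else now)
    expiry_bytes = struct.pack(">I", issued + ttl)
    raw = expiry_bytes + _mac(secret, expiry_bytes, jid)
    return base64.urlsafe_b64encode(raw).decode()


def verify_token(secret, jid, token, now=None):
    """XMPP auth hook: accept only an unexpired token minted for this JID."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:  # bad padding or non-ASCII input
        return False
    if len(raw) != 4 + MAC_LEN:
        return False
    expiry_bytes, mac = raw[:4], raw[4:]
    # Check the MAC first, in constant time, before trusting the expiry field.
    if not hmac.compare_digest(mac, _mac(secret, expiry_bytes, jid)):
        return False
    (expiry,) = struct.unpack(">I", expiry_bytes)
    current = int(time.time() if now is None else now)
    return current <= expiry


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real key
    tok = issue_token(secret, "alice@example.org", ttl=3600)
    print("valid now:", verify_token(secret, "alice@example.org", tok))
    print("other JID:", verify_token(secret, "bob@example.org", tok))
```

Because the token is bound to one JID and expires, a copy leaked from the browser is useful only for that account and only until the expiry passes.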

I have found a possible fix (works for me) but I don't know if it breaks other things (see PR #169). Would be nice if someone else could review or test my changes. @skug67 maybe?

fangebee, May 18 '21 12:05

I'd be willing to give it a try, but I don't quite understand how to build a custom version of the nextcloud app from source..... (Sorry for cluelessness)

skug67, May 21 '21 00:05

OK, you can try with my own build: ojsxc-v4.2.2-beta.1.

fangebee, May 21 '21 07:05

Thanks @fangebee for providing the build, but it would be great if you could create a dev build with node ./scripts/build-release.js, because otherwise there could be conflicts when updating to the next stable version.

sualko, May 21 '21 09:05

I actually created my build with node ./scripts/build-release.js (but manually disabling tests). But I did this before creating the git tag v4.2.2-beta.1. I don't know if this is problematic.

fangebee, May 21 '21 09:05

I gave it a try and it didn't seem to break anything but it also did not completely log me in automatically -- I arrived with my status being "offline", but I could change it to online w/o re-entering any credentials. So definitely an improvement even if not quite 100% of the way there....

skug67, May 21 '21 11:05