
Does not work with user-key encryption

Open PVince81 opened this issue 7 years ago • 4 comments

OAuth2 should use the oc_authtoken API and pass access token instead of app password.

This would make it possible for the encryption code to decrypt the user's password to access the user's private key.

And whenever the access token is changed through the refresh token, we need to decrypt the user password from oc_authtoken, delete the old entry, then add a new entry with the new access token.

I expect all this to be possible using the core's DefaultTokenProvider.

@DeepDiver1975 @pmaier1 @SamuAlfageme

PVince81, Dec 08 '17 11:12

This also means that the access token should not be stored in plain text in the database. One can simply store a hash of the access token instead.

In order to be able to re-encrypt the password with a new access token, the password also needs to be encrypted using the refresh token, which means that the refresh token also can't be stored in plain text and needs to be hashed.

ogoffart, Dec 08 '17 11:12
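
The scheme proposed in the two comments above (keep only a hash of each token, encrypt the user's password under both the access and the refresh token, and re-wrap it on refresh), sketched as an added example that is not part of the thread or of ownCloud's code. The class, its methods, the in-memory array standing in for the token table, and the choice of SHA-512, HKDF and AES-256-GCM are assumptions.

```php
<?php
// Added illustration, not ownCloud code: names are hypothetical and the array
// stands in for the token table. Tokens are assumed to be high-entropy random
// strings, so a plain hash and HKDF are used rather than a slow password KDF.
final class TokenKeyedPasswordStore {
    /** @var array<string, array{blob: string, pair: ?string}> keyed by sha512(token) */
    private array $rows = [];

    private static function id(string $token): string {
        return hash('sha512', $token);   // only this hash is persisted
    }
    private static function key(string $token): string {
        return hash_hkdf('sha256', $token, 32, 'password-wrap');
    }
    private static function seal(string $password, string $token): string {
        $nonce = random_bytes(12);
        $ct = openssl_encrypt($password, 'aes-256-gcm', self::key($token),
            OPENSSL_RAW_DATA, $nonce, $tag);
        return $nonce . $tag . $ct;      // 12-byte nonce, 16-byte tag, ciphertext
    }
    private function unseal(string $token): string {
        $row = $this->rows[self::id($token)] ?? null;
        if ($row === null) { throw new RuntimeException('unknown token'); }
        $b = $row['blob'];
        $pt = openssl_decrypt(substr($b, 28), 'aes-256-gcm', self::key($token),
            OPENSSL_RAW_DATA, substr($b, 0, 12), substr($b, 12, 16));
        if ($pt === false) { throw new RuntimeException('decryption failed'); }
        return $pt;
    }
    public function issue(string $password, string $access, string $refresh): void {
        $this->rows[self::id($access)]  = ['blob' => self::seal($password, $access), 'pair' => null];
        $this->rows[self::id($refresh)] = ['blob' => self::seal($password, $refresh), 'pair' => self::id($access)];
    }
    public function passwordFor(string $access): string {
        return $this->unseal($access);
    }
    public function refresh(string $oldRefresh, string $newAccess, string $newRefresh): void {
        $password = $this->unseal($oldRefresh);   // throws if the token is unknown
        $old = $this->rows[self::id($oldRefresh)];
        if ($old['pair'] === null) { throw new RuntimeException('not a refresh token'); }
        // Delete the old access entry and the used refresh entry, then add new ones.
        unset($this->rows[$old['pair']], $this->rows[self::id($oldRefresh)]);
        $this->issue($password, $newAccess, $newRefresh);
    }
}
// Constructed sample values.
$store = new TokenKeyedPasswordStore();
$store->issue('correct horse', 'access-1', 'refresh-1');
$store->refresh('refresh-1', 'access-2', 'refresh-2');
echo $store->passwordFor('access-2'), PHP_EOL;
```

After the refresh, neither `access-1` nor `refresh-1` matches a stored row, and a dump of the table yields only token hashes and ciphertext.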

still open for 10.0.7.RC2

thommierother, Feb 17 '18 20:02

this will likely require changes in the oauth2 app

PVince81, Feb 19 '18 09:02

I've now added an entry to the limitations of user-key encryption that need to be documented: https://github.com/owncloud/documentation/issues/4179#issuecomment-409189593

PVince81, Jul 31 '18 11:07