Disable default login
As discussed in issue #110 there are options to hide the regular login screen. For security reasons I'd like to completely deactivate it, since it is still possible to access it:
When you have 'oidc_login_auto_redirect' => true and 'oidc_login_auto_redirect' => true, it is still possible to access the regular login form using https://<domain>/login?direct=1&noredir=1
Is there a solution to really disable the regular login form and not just hide it?
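As an added example, not code from this thread or from the project, a small Python audit check for your own instance: it requests the bypass URL quoted above without following the OIDC auto-redirect and reports whether a password login form is still served. The HTML samples are constructed for offline testing; base URL and timeout are assumptions.

```python
"""Audit check: is the regular password login form still reachable?"""
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Bypass query string quoted in the thread above.
DIRECT_LOGIN_PATH = "/login?direct=1&noredir=1"

# Constructed sample pages for offline testing (not captured from a real instance).
SAMPLE_FORM_HTML = """<html><body><form method="post" action="/login">
<input type="text" name="user"><input type="password" name="password">
<button>Log in</button></form></body></html>"""
SAMPLE_OIDC_ONLY_HTML = """<html><body>
<a href="/apps/oidc_login/oidc">Log in with OpenID Connect</a></body></html>"""


class PasswordFieldFinder(HTMLParser):
    """Collects the names of <input type="password"> fields in a document."""

    def __init__(self):
        super().__init__()
        self.password_fields = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attr = dict(attrs)  # attribute values may be None (e.g. bare "disabled")
        if (attr.get("type") or "").lower() == "password":
            self.password_fields.append(attr.get("name") or "")


def form_has_password_field(html: str) -> bool:
    """True when the page still serves a usable password login form."""
    finder = PasswordFieldFinder()
    finder.feed(html)
    return bool(finder.password_fields)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow the OIDC auto-redirect; we want the page exactly as served.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def direct_login_form_exposed(base_url: str, timeout: float = 10.0) -> bool:
    """Fetch the bypass URL on your own instance; True if a form comes back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + DIRECT_LOGIN_PATH, timeout=timeout) as resp:
            return form_has_password_field(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError:
        return False  # redirected (3xx) or denied: no form served on this path
```

Run `direct_login_form_exposed("https://cloud.example.org")` against your own deployment after changing `hide_login_form` or the redirect options; a `True` result means the form is only hidden, not disabled.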
Huh, surprised. ~~The below worked till v23, with v24 it obviously doesn't work anymore.
Till v23 and with option 'hide_login_form' => true, the web login form was disabled, but you could still log in to WebDAV, CalDAV and CardDAV. We can disable this with option 'token_auth_enforced' => true, so the login to *DAV is disabled, so you could only log in to *DAV with an App token, and this still works with v24. But 'hide_login_form' => true, doesn't. And you can log in via the web login form with a normal password, which should be disabled because of 'token_auth_enforced' => true.~~
~~Are you also on v24?~~
~~I really didn't test this with v24 as I thought it should be working, but obviously it's not. This is a security issue for us.~~
~~Can somebody confirm this? If it's true, we have to raise an issue in the Nextcloud repo.~~
EDIT: Oh my was I mistaken, 'hide_login_form' => true, only hides the form, but you can access it with ?direct=1, and 'token_auth_enforced' => true, only works for clients, and not web login form. So yes, we are having the same question (again) :D
Yes, I am on v24.0.1. Since I'd like to enforce 2FA via SSO, it is a security issue when regular logins are allowed.
Should we raise an issue at the main Nextcloud repository, or is this something that needs to be handled in this project's code?
I would say: if this is a feature from core Nextcloud that should be disabled, maybe the question should be raised on the core Nextcloud bugtracker. What do you think?
There might be an ugly way to do this here by failing the script in the pre login hook if we can't authenticate with OIDC (AFAIK these hooks are called synchronously), but that's probably going to have unintended consequences (e.g. might break app passwords for instance unless we also implement checking that). At the least we need to ask folks at nextcloud/server where this belongs; they probably know better.