
Comments (64)

David-Development avatar David-Development commented on September 17, 2024 4

Hey guys.. I did some refactoring and brought the nextcloud news app as well as the ownCloud Account Importer up to date and fixed some bugs. The nextcloud news app is fully functional now and it should be possible to compile the project on Android Studio 3.1.2.

Make sure you have the nextcloud-news app installed on your server to test the setup. After starting the app on your phone, click on "Import Account", select the account and click on Sign-In after. After that, the app will use the network stack of the nextcloud-android app.

git clone https://github.com/nextcloud/android.git -b sso nextcloud-android
git clone --recursive https://github.com/owncloud/News-Android-App.git -b sso

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024 3

Hey Jan, thanks for the hint. I think this is a really great idea and I would support the development of a centralized ownCloud/Nextcloud login app/interface. I don't have much time right now but I would be down to work on it with some other developers! Maybe exchange some ideas, improve this app (ownCloud Account Importer) or create a new, better one.

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024 3

Currently I am also quite busy with E2E, but I will try to find some spare time for this.
On Friday I will try to rebase both branches to latest master to have a decent test. 👍

from android-singlesignon.

mario avatar mario commented on September 17, 2024 3

Dear @AndyScherzinger @ardevd and @tobiasKaminsky : I consider the work of @David-Development done here of utmost importance. I would like you to take the time this week and review what he did, including the diagrams and the code and give feedback.

The sooner we can get this properly merged where it belongs and properly advertised, the better.

Suffice to say, this is the best thing since sliced Oreo.

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024 2

As rugk mentioned in the linked issue above, I think the integration of the network stack is something we should/need to consider here as well. It is difficult and very time consuming for app developers to handle and test all the different edge cases (like the ssl certificate expires / changes / self signed ssl certificates / etc ... ).

I think making the network stack central would be a really huge step forward to make it easier for third party developers to access nextcloud without the need to think about all the different authentication technologies and edge cases that might occur during a request (And we don't need to share credentials with them at all). I'll try to think of a good solution and build a prototype to see what's possible on Android. (We also need to support stream processing etc.)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024 2

Just pushed some small bug fixes and improvements. The nextcloud news app now supports both Single Sign On as well as the "normal" standalone login. The following video shows a small demo of the single sign on feature and what the sign-in flow looks like. Would love to hear some feedback! :)

https://nextcloud.luhmbox.com/s/cGgNTGPnMcNfDwE

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024 2

@David-Development I had a very deep look at it and it looks very good so far.
I would like to have a chat with you, I guess this is easier than to write all here.
(I also wrote you an email to your address, which is linked on your homepage).

from android-singlesignon.

prog-amateur avatar prog-amateur commented on September 17, 2024 2

Hi, just a message to encourage you. This topic is a must-have feature for the Nextcloud App.

Every time I try to convince someone to discover this self-hosting universe, and all the applications that go with Nextcloud, I arrive at the moment when it is necessary to configure three, four or five applications, and there, the person totally abandons because of the difficulty of each setup.

We count on you, and we hope that you will succeed to centralize a minimum of things (at least contacts + calendar + files) !

Thank you !

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024 2

We (@David-Development and me) plan to get this done during our Conf.

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024 1

I did some research and here is a brief summary of my results:

Option 1:

The easiest way to share data between apps is to use the same "package" identifier and use something like a shared preference (where the credentials are stored encrypted). However this would require us to use the same signing certificate for all apps. I think this is not possible since we might not "fully trust" all 3rd party developers 100%. And sharing sensitive certificates is never a good idea.

Option 2:

Another solution would be to create an external app which acts as an authentication app and the credentials can be retrieved through a content provider.
I was thinking about the following scenario:

App --> Content Provider --> Authenticator App
App <-- Credentials <-- Authenticator App
(This whole process wouldn't be visible to the user)

However, if no account has been registered yet, it's not possible to start the login process from the content provider. So we need to do something like the following on the first login:

App --> Content Provider --> Authenticator App
App <-- No Credentials <-- Authenticator App
App --> Start Login Intent --> Authenticator App
App <-- Activity Result <-- Authenticator App
// request credentials again...

  • Advantages:
    • Single Login dialog
    • Easy to use/integrate in other apps
  • Disadvantages:
    • Security? (I have no idea how secure this is by default (if we only allow certain apps with read permission))
    • Additional App required

Option 3:

Use the AccountManager (like the app in this repo does right now). In most cases we don't have to worry about security issues here since the Account Manager will handle the permissions of the different apps.
However I'm not sure how to create ONE account which can be shared between apps yet. If an app creates an account, the account will be created under the app's namespace. Meaning that the ownCloudAccountImporter needs to recognize all the possible/different nextcloud apps.

This means that every nextcloud app needs to know about all the other possible nextcloud apps that might be installed on your device. They need to test then if another app is really installed (if so, they need to check if an account already exists). Also this means that if there is a new nextcloud app that wants to use the sso mechanism, all the other nextcloud apps need to be updated in order to make sure that they know about the new app.
Furthermore there are some serious security concerns regarding the Account Manager (if your device is rooted one might be able to steal your credentials - if they're stored in plain text - if we want to share them between different apps we need to store them in plain text). (See https://developer.android.com/training/id-auth/custom_auth.html#Security)

Also each app would need to implement their own login dialog. All in all I think this is not the right way to go.

  • Advantages:
    • No additional App required
  • Disadvantages:
    • Each app needs its own login interface
    • Filters to detect existing accounts are required.
    • Possible Security concern (as mentioned in Option 3)

Option 2+3:

I think a good compromise would be to use the advantages of the Account Manager but also use a separate SSO App.
We can use the Account Manager to handle permission requests of different apps (more info here: https://developers.google.com/google-apps/tasks/oauth-and-tasks-on-android#accesstoken).
But instead of creating a new account for each app we create exactly one. For this we need to have a standalone SSO App.

  • Advantages:
    • Single Login dialog
    • Easy to use/integrate in other apps
    • Less implementation work (since the AccountManager does most of the permission work already!)
  • Disadvantages:
    • Additional App required
    • Possible Security concern (as mentioned in Option 3)

Summary

My favorite Option is 2+3 as it is the simplest and easiest solution. We still need to consider the security concern since a lot of nextcloud users have rooted devices (maybe we can find a smart solution for this problem - like having OAuth2 support in Nextcloud :P).

If anyone has another idea, feel free to join the discussion! :)

@jancborchardt What about the official nextcloud files app? Are the developers interested in having a "SSO" solution for all nextcloud apps on android as well?

@mjohenneken ping

from android-singlesignon.

mario avatar mario commented on September 17, 2024 1

@David-Development sure, we're interested. Just need time to digest all this with our busy schedules, sorry :(

I promise I'll take a look, and thanks for all the thought you put into this! :)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024 1

@tobiasKaminsky well.. as I mentioned earlier we shouldn't store the password in the Account Manager. Be Smart About Security!

Yes, the code provided needs to be implemented in the nextcloud app. I can try to work on this and create a pr when I'm done.

from android-singlesignon.

AndyScherzinger avatar AndyScherzinger commented on September 17, 2024 1

👍 for the Readme/Documentation, this is awesome and truly helpful for devs integrating Nextcloud 🥇

from android-singlesignon.

mjohenneken avatar mjohenneken commented on September 17, 2024 1

@David-Development my feedback regarding UX: I would suggest using a button instead of a switch, as it reflects better that a new View opens up. Is it possible to check if there is an existing account on the device the user can select? If yes, you could enable/disable the button based upon that (see img). Another alternative would be to directly show which existing accounts are available.

Alternative idea:
[Image: mockup_nextcloud]

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024 1

I am now on it, testing and reviewing it.
Thank you very much so far for updates and readme 👍 🎉

from android-singlesignon.

AndyScherzinger avatar AndyScherzinger commented on September 17, 2024

I'd be happy to help but my day job is keeping me quite busy these days, but like I said happy to help whenever, wherever I can. From what I understood your lib @David-Development does what is needed to provide a lib for apps to not have to re-implement login/credential storage over and over again but choose an existing account (in case the corresponding cloud app is present). So afaik it would have to be extended to support both ownCloud/Nextcloud, like you mentioned while the general basis is already there.

from android-singlesignon.

jancborchardt avatar jancborchardt commented on September 17, 2024

> What about the official nextcloud files app? Are the developers interested in having a "SSO" solution for all nextcloud apps on android as well?

@David-Development yes, that's why @AndyScherzinger and @mario of Nextcloud Android are involved here. :)

Do I understand that it would be possible to make the Nextcloud Android app the SSO solution? Cause that's the one which is trusted, and installed anyway. :) I would much prefer that rather than to have to install an extra app, which kind of defeats the purpose of simplicity. ;)

from android-singlesignon.

mjohenneken avatar mjohenneken commented on September 17, 2024

Option 1: Note that Shared Preferences save what you put there in plain text

I agree with @David-Development: using the Android Account Manager feature, as this is the "android way", is the best option.
Having a separate SSO App reduces UX as the user has to install a separate app. I think using the Nextcloud app as the app responsible for handling the Account is a good idea.

As a starting point: Here's a nice blog post about creating an Authenticator using a single login dialog.

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

This is the way how another app is checking if an owncloud/nextcloud account is available:
https://github.com/tobiasKaminsky/MyOwnNotes/blob/ad5361b288d65eeee66d11054850986476105b4d/app/src/main/java/org/aykit/MyOwnNotes/activities/LoginActivity.java#L200

If I recall it correctly we can get username and server url out of this. For security reasons the password cannot be re-used, I think.

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@jancborchardt Yes, that's correct. We could use the Nextcloud Android App as the SSO "base app".

@tobiasKaminsky Thanks! I didn't know that the MyOwnNotes App is using the Account already.

I think the code snippet Tobias mentioned is exactly what we need here. However we need also to find a "secure" solution to share the password between the apps. I think it is unacceptable to let the user reenter his password in each app.

I still need to do some more research on the following topics but at a first glance it looks like we could use a service to access the nextcloud password.

  • Create a service that is accessible only by other apps with "special" permissions
  • Access a service from another app

Does anyone have another idea? Like encrypting the password and storing it inside the AccountManager? So that we don't have to create an extra service for accessing the password.

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

// All accounts of the app's own account type
Account[] accounts = accountManager.getAccountsByType(MainApp.getAccountType());
Account account = accounts[1];

// The account name has the form username@server
String password = accountManager.getPassword(account);
String username = account.name.split("@")[0];
String server = account.name.split("@")[1];

This gets all that we need to expose this to another app with a service.
As I am currently quite busy, maybe you have time and want to give it a try? Of course I will help you.
This should be in the nextcloud app, right?

from android-singlesignon.

AndyScherzinger avatar AndyScherzinger commented on September 17, 2024

This sounds awesome! @David-Development if you need any help with the Nextcloud Android app let @tobiasKaminsky , @mario and me know. I'll try to help wherever I can while unfortunately I am quite busy with the day job / partly on vacation until the end of next week but like I said happy to help wherever I can.

> I think it is unacceptable to let the user reenter his password in each app.

fully agree !

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

> @tobiasKaminsky well.. as I mentioned earlier we shouldn't store the password in the Account Manager. Be Smart About Security!

Well...this is the current way 😨

from android-singlesignon.

mario avatar mario commented on September 17, 2024

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

Talked briefly to Lukas and he suggests to use the new login flow to get a new auth token, which is independent from the user password.

But this is/can also be independent from this scope ;-)

from android-singlesignon.

mario avatar mario commented on September 17, 2024

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

As mario said, we need to find a solution for older nextcloud versions as well. Switching to a new, safer authentication method is a great goal but we need to support older versions as well. I found a great blog post about how to store credentials somewhat more securely. As stated in the article, it'll never be 100% safe.

I got a working prototype now. Can I create a new branch in the nextcloud android repo where I can push my current results to? (maybe call the branch "sso"?)

For the "client" library I created a new branch in this repo here (called "sso").

Here's a quick "todo" list:

  • Permission based (via AndroidManifest) service access
  • Receive account information (incl. password)
  • Add new account (Opens FileDisplayActivity right now. --> But we need to open the "Add Account" dialog immediately)
  • Handle edge cases (e.g. if the nextcloud app is not installed --> link to play store?)
  • Add option to retrieve account information without a dialog (** see below)

One thing that I noticed is that every app that has the following permission (<uses-permission android:name="com.owncloud.android.sso" />) can access the service and therefore receive the credentials of all accounts.
I'm not sure about the whole OAuth2 or Token based authentication. But.. in order to avoid that we need to implement a security mechanism to prevent attackers from stealing our credentials, we could do the following. Just send the password to every app that wants to have it - but the password will be strongly encrypted. We can use a CustomAccountManager then to provide an "AuthToken" which will be used as the decryption key. I think this could work pretty well and it is secure since we don't have to implement the permission check on our own. (The user would see a dialog like this when an app tries to access a nextcloud account for the first time)

** In the current state of the prototype, there is a dialog presented to the user where the user can select one of the many accounts that are available on his device. Consider the following example:

Given: Two Apps (App A = official nextcloud app, App B = some third party app)

  • User creates two nextcloud accounts (in app A)
  • User opens app B and sees a dialog where he can select one of his two accounts that he wants to use in app B.
    • Question: which information do we store in app B to identify the account used? (username@url maybe?)
  • User opens app B again
    • App B knows, my last account was "username@url". So it sends a request to app A to ask for the credentials (password).
    • Edge case: What happens if the account has been deleted?

from android-singlesignon.

jancborchardt avatar jancborchardt commented on September 17, 2024

> I got a working prototype now. Can I create a new branch in the nextcloud android repo where I can push my current results to?

@David-Development awesome! Yes, you are part of the Nextcloud organization so just go ahead and create a branch in the Android repository. :)

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

@David-Development great, really looking forward to test this!

from android-singlesignon.

AndyScherzinger avatar AndyScherzinger commented on September 17, 2024

@David-Development awesome! Also eager to see and test the prototype 👍

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

Okay guys, I just pushed my code to a new branch called "sso". If you want to test the prototype, you'll need to install the nextcloud app and then the ownCloud-Account-Importer app. Hopefully everything works! :)

This is the callback that is called when the user selected an account and the "third party" app receives the credentials.

Oh and btw. the "account picker" dialog has its own dummy activity right now. In the production version, the dialog will be visible in the third party app right away. So that it feels like it's a native account picker of the app itself. (So that it doesn't look like that we start another app to pick the account).

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

I tested it and in its current state it is working fine 👍

You have implemented it currently in the way that the 3rd party app has the account picker.
Shouldn't this all be in the nextcloud app:

  • 3rd party app requests account
  • nc app shows all accounts
  • user chooses one
  • 3rd party app gets credentials only for this account

With this approach we make sure that only a specific/chosen account is sent and in this dialog we can add also some kind of warning. Also we make sure that the user has done it and verified/confirmed via UI.

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

I need to think about it again but it should work too. However, if an app requires some special handling (like selecting multiple accounts etc.) we need to have a solution for those cases as well. Since we're creating a library, it's nothing that the third party developers have to implement by themselves. They can just use the selector that comes with this library or extend it to their own needs.

Consider the following case: (Client App (B) is responsible for account handling/selection)
If we implement a CustomAccountManager, we can send the useraccount/url of all accounts to the client app (B). The user can select an account in App B. The app (B) requests to get the AuthToken from the Account Manager which is the password in plain text. This is a secure solution since the AccountManager makes sure that the app is allowed to access the AuthToken. I think this is the most sophisticated solution (and easiest one)? What do you guys think?

Creating our own "Security System" for checking if the user already approved the usage for his credentials for a third-party app is pretty hard to implement (and time consuming). By all means, I'm not a security expert and there are a lot of risks to consider on android so I think the easiest way is to stick to some existing solutions that are already doing exactly what we need (like the AccountManager).

from android-singlesignon.

jancborchardt avatar jancborchardt commented on September 17, 2024

@David-Development maybe it would be cool to do a proof-of-concept version of both your News reader and Task sync apps to see how the flow works. :)

Also cc the devs of other Android apps: @stefan-niedermann of Nextcloud Notes, @nerzhul of Nextcloud SMS sync and @brantje of Passman. :)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

Okay, I built a simple preview of how the integration/sharing between the Nextcloud app and the News Reader could work.

You can test it by cloning the following two repos: (Install the nextcloud before the news app)

git clone https://github.com/nextcloud/android.git -b sso
git clone --recursive https://github.com/owncloud/News-Android-App.git -b sso

I removed the whole service communication. The account sharing is now solely based on the Android Account Manager. The code for the client apps is fairly simple.

The client only has to do the following:

Call the dialog to choose an account --> The app will receive a callback with the selected account

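import android.accounts.Account;
import android.app.Activity;

public class SomeActivity extends Activity implements IAccountImport {
    private Account importetAccount;

    // "import" is a reserved word in Java, so the method needs another name
    public void importAccount() {
        // Show the account chooser; this activity receives the callback
        ImportAccountsDialogFragment.show(this, this);
    }

    @Override
    public void accountAccessGranted(final Account account) {
        try {
            SingleAccount singleAccount = AccountImporter.BlockingGetAuthToken(this, account);
            // Do something useful with it...
            this.importetAccount = account;
        } catch (Exception e) {
            // Access was denied or the token could not be retrieved
            e.printStackTrace();
        }
    }
}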

The app can test, if the connection to the server is working (e.g. maybe the news app is not installed?). If everything works, just tell the library to use this account as the default account by calling:

AccountImporter.SetCurrentAccount(getActivity(), importetAccount);

From now on the client app can receive the account data by calling

Account account = AccountImporter.GetCurrentAccount(context);

If the app needs the password:

Account account = AccountImporter.GetCurrentAccount(context);
SingleAccount singleAccount = AccountImporter.BlockingGetAuthToken(context, account);
String username   = singleAccount.username;
String password   = singleAccount.password;
String baseUrlStr = singleAccount.url;
Boolean dhnv      = singleAccount.disableHostnameVerification;

For the news app it was just a change of ~10 lines to include the new authentication system. And.. hey! I don't need to worry about the safety of my users' credentials anymore! ... Now it's the job of the nextcloud app 😋

Looking forward to get some feedback :)

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

Great! Thank you for this contribution!
I wanted to test it, but after checkout of News-Android-App on sso branch I get
"Error:Project :News-Android-App declares a dependency from configuration 'compile' to configuration 'default' which is not declared in the descriptor for project :ownCloud-Account-Importer."

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@tobiasKaminsky Did you run the git clone --recursive command? There are submodules that need to be pulled too.

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

@David-Development I tested it. Great stuff! It is working really fine!

As this is a central part of security it needs to be directly in the app with an API described to use for external apps. I think we cannot allow "any" app using this library to access all accounts credentials.
@mario @AndyScherzinger @jancborchardt

I would be glad to work together with you on including this in the nc app, if you have time.

Thanks again for your great enhancement!

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@tobiasKaminsky I'm glad you liked the prototype! As far as I understand, every app that wants to access the credentials will see a dialog (from the android account manager) asking if the user really wants to allow the app to access the credentials. You won't see this dialog in the prototype since you've probably signed both apps with the same signing key. If you sign the two prototype apps with two different keys, you should see a confirmation dialog from the android account manager. So I don't see any security concerns here.

Of course! I would love to see a centralized Single Sign On App soon! :)

Another thing: As you might have seen in this commit, I've added some extra code to the nc app. However in the getAuthToken() method, there are some other authentication technologies implemented as well. I'm not sure how nextcloud handles them exactly. I think right now most apps only support BasicAuth (at least my news reader and task sync app do right now). So I'm not sure if my additional code is really required and/or if we'll run into other problems with other authentication technologies.

Furthermore we need to work on Line 179 and Line 180. I'm not sure how to access information about whether the user uses ssl or not and if he does, if he wants to disable the hostname verification.

from android-singlesignon.

jancborchardt avatar jancborchardt commented on September 17, 2024

cc @LukasReschke for security considerations and @ChristophWurst for token-based authentication. :)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

Alright guys... it's time to get excited! I got a prototype working with a remote network stack! I rewrote the News-Android-App to use the Nextcloud's network stack. I also implemented an API (for the client Apps) that works with Observables (from the rxjava package). If you're already using Retrofit in your app, it's really simple to use the new api. And even streaming works! So if you need to transfer huge amounts of data (like tons of rss items), they can be streamed into the client app without the need to load the whole result into the memory at once.

Another advantage is that the client app only needs to store an account identifier (like [email protected]). So no need to worry about the safety of your password and other things like ssl certificate handling etc. are handled by the nextcloud app!

However there is a new security concern: I'm using an AIDL Interface for communicating data between the client app and the nextcloud app. This interface is public, so in theory everyone who knows the interface implementation can use / access it. So we need to add a security layer here. Right now I can think of two possible options:

  1. we use the AccountManager to return a random token in the getAuthToken method. The client app stores this token and sends it every time it wants to make a request via the AIDL Interface. The nextcloud app receives this token and verifies it (the nextcloud app stores this token as well to keep track of apps that are allowed to access the app).

  2. we use the AccountManager again. But we don't generate a token this time. We simply store the calling namespace of the app in the nextcloud app (something like: grant permission on de.luhmer.owncloudnewsreader). Every time the client app tries to access the AIDL Interface we can determine the calling namespace and check if the client app has permission to access the api.

Maybe someone with more security expertise can give me some ideas / feedback? :)

TODO: Sending exceptions back to the client app doesn't work yet (Like network problems / server problems etc). I don't have a good idea how to implement this right now. The "problem" is, that I'm working with streams and AIDL Interfaces and those are pretty stiff. So no native support for exceptions here..

What do you guys think? Feel free to test the prototype! (You might need to re-import your account in the nextcloud news app --> Menu --> Server Settings).

from android-singlesignon.
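
The two caller checks proposed in the comment above (a random per-app token, and recording the calling package) can be enforced together on the service side of the AIDL interface. This is an added example, not code from the nextcloud app or this library; the class `SsoAccessGuard`, its method names, the package `com.example.sso` and the `sso_grants` preference file are hypothetical.

```java
package com.example.sso; // hypothetical package name

import android.content.Context;
import android.content.SharedPreferences;
import android.os.Binder;
import android.util.Base64;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

/** Hypothetical helper owned by the app that exposes the AIDL service. */
public final class SsoAccessGuard {

    private static final String PREFS = "sso_grants"; // hypothetical file name
    private final Context context;
    private final SecureRandom random = new SecureRandom();

    public SsoAccessGuard(Context context) {
        this.context = context.getApplicationContext();
    }

    /**
     * Record that the user approved packageName and return a fresh random
     * token for it (option 1). Call this only after the user confirmed the
     * grant in a UI shown by the service app.
     */
    public String grant(String packageName) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.encodeToString(raw, Base64.NO_WRAP | Base64.URL_SAFE);
        prefs().edit().putString(packageName, token).apply();
        return token;
    }

    /** Remove a grant, e.g. when the user revokes access or the account is deleted. */
    public void revoke(String packageName) {
        prefs().edit().remove(packageName).apply();
    }

    /**
     * Option 2: identify the caller from the Binder transaction, never from a
     * package name the client passes in as an argument. Must run on the thread
     * that handles the incoming AIDL call; outside a transaction
     * Binder.getCallingUid() returns this app's own uid.
     */
    public String requireGrantedCaller() {
        int uid = Binder.getCallingUid();
        String[] packages = context.getPackageManager().getPackagesForUid(uid);
        if (packages != null) {
            SharedPreferences grants = prefs();
            for (String pkg : packages) { // several packages can share one uid
                if (grants.contains(pkg)) {
                    return pkg;
                }
            }
        }
        throw new SecurityException("No SSO grant for calling uid " + uid);
    }

    /** Options 1 and 2 together: the caller must be granted and present its token. */
    public String requireValidToken(String presentedToken) {
        String pkg = requireGrantedCaller();
        String expected = prefs().getString(pkg, null);
        if (expected == null || presentedToken == null
                || !MessageDigest.isEqual( // constant-time comparison
                        expected.getBytes(StandardCharsets.UTF_8),
                        presentedToken.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("Invalid SSO token for " + pkg);
        }
        return pkg;
    }

    private SharedPreferences prefs() {
        return context.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }
}
```

Each method of the AIDL stub would call `requireValidToken(...)` (or `requireGrantedCaller()` if only option 2 is used) as its first statement, before touching any account data.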

mario avatar mario commented on September 17, 2024

Cool stuff, thanks for all the work! :)

Btw. we're talking Android-news-app located here? https://github.com/owncloud/News-Android-App

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@mario Yes, you can get the required repos with the following two commands (Make sure you use the recursive parameter in the clone command):

git clone https://github.com/nextcloud/android.git -b sso
git clone --recursive https://github.com/owncloud/News-Android-App.git -b sso

from android-singlesignon.

mario avatar mario commented on September 17, 2024

Haha, no worries, I will test it out! :)

Chance I can talk you into moving the app under the NC umbrella? Not super important, but would be nice ;)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@mario Thanks, looking forward to some feedback!

Of course! :) Feel free to move the repo ;)

from android-singlesignon.

mario avatar mario commented on September 17, 2024

@David-Development you will have to add me to the repository as admin or an owner, and I can do it then ;)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@mario Apparently I'm not the owner of the repo (News-Android-App).

from android-singlesignon.

mario avatar mario commented on September 17, 2024

from android-singlesignon.

mario avatar mario commented on September 17, 2024

@David-Development let me know if you figure it out :)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@jancborchardt Did you create the git repo for me? Or do you have an idea of who's the owner? I can't seem to find any information about who has the ownership of this repo.. :(

from android-singlesignon.

jancborchardt avatar jancborchardt commented on September 17, 2024

Unfortunately cause moving is blocked from their side, we will have to create a new repo in our organization, and push the repo from local (with all branches and tags). This makes us lose all stars and issues etc but I think that's ok. We also had the same problem with all other apps. I'll set it up later and let you know. :)

from android-singlesignon.

mario avatar mario commented on September 17, 2024

@David-Development contact Deep Diver and he'll give you ownership :)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@DeepDiver1975 can you give me the ownership permission of the News Android App repository? We want to move the repo from the ownCloud to the Nextcloud namespace. Thanks in advance! :)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@mario Did you have time to test the prototype yet? :)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@mario, @jancborchardt, @tobiasKaminsky Guys, any feedback? How are we gonna proceed?

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

Hi David,
we are currently doing last stuff for 2.0 and after that I will definitely have a look into it.
Sorry for the delay!

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

@David-Development I am very sorry for coming back this late.
Now I found a little time to look into it...

Regarding your security question at #3 (comment) I think option 2 is safe enough as the namespace is unique and it is less work for the client app.

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

Okay, yes that sounds good. Do you guys have a plan on when to integrate this into the app? Like making it "production ready"?

University is keeping me quite busy lately so I won't have time to look into it anytime soon. But I'm happy to contribute to the discussions! :)

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

Any updates on this feature? How can I help to get this feature into production?

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

I updated the Readme/Documentation to represent the current version.

Besides the example on how to migrate from an existing retrofit API to this Single Sign On API, the readme includes a flow diagram for the login process as well as the network request process (using retrofit).

The documentation also includes an example for non-retrofit users, or for example if you want to stream huge files from the server into your app.

from android-singlesignon.

AndyScherzinger avatar AndyScherzinger commented on September 17, 2024

I completely agree with @mario, while my capacity this week (or probably the upcoming ones) is rather limited since I'll be starting in a new project of a customer of my employer, so I can't say for sure how much time I'll be able to spend on this :(

from android-singlesignon.

David-Development avatar David-Development commented on September 17, 2024

@mjohenneken Thank you! 👍 Yes, I think that's a great improvement for the UX!

I'm not exactly sure if we need a login-dialog at all though. Below you can see a flow model that represents my thoughts on a simplified login-flow for the user. For example: If the user clicks on "server settings / login" in my news app, I can show the "choose account" dialog (provided by android itself). In the prototype the login dialog is still there simply because I support my own network implementation as well as the network stack provided by the nextcloud app. I will remove my own network stack in the future when the sso feature is ready for production. It's too much work to maintain a second network stack (handling self signed certificates / oauth / http2 / ...). And I think most developers might migrate if we provide a stable api.

In case the developer still wants to provide his own network stack he can do so by creating a custom login interface as presented by @mjohenneken. What do you guys think?

[Image: workflowlogindialogsso]

from android-singlesignon.

tobiasKaminsky avatar tobiasKaminsky commented on September 17, 2024

This is now ready and shipped with 3.3.0 and latest News app and SingleSignOn 0.1.0 lib release.

from android-singlesignon.
