Comments (12)
rullzer
commented on August 14, 2024
1
Yeah something like that should work
from android-singlesignon.
tobiasKaminsky
commented on August 14, 2024
To harden this further, we should also verify the calling package, so that both must match: calling package name and secret token
from android-singlesignon.
rullzer
commented on August 14, 2024
Also as a reminder to myself. We should extend the server scope. so that if you request a new token for appX. That token can no longer request new tokens.
from android-singlesignon.
tobiasKaminsky
commented on August 14, 2024
@David-Development this then would mean that we also can avoid to provide server url and password to the 3rd party app, or?
from android-singlesignon.
David-Development
commented on August 14, 2024
I think even in the current setup it should be possible to remove that information. We just need an identifier for the account. However clients usually want to display that kind of information (as seen in my news app (e.g. https://lh3.googleusercontent.com/MD8OGFI6O_pbbbUz3_hFfXtaadQhhWpvBW_pftGKCSEMn48u4Di5ti0c3JCLp2tFhXM=w3360-h1952-rw)
However the password can be replaced with a token. (as already mentioned in the source code: https://github.com/nextcloud/android/blob/be3d90427cbccf16fae72dff1f238cd8223b0850/src/main/java/com/owncloud/android/authentication/AccountAuthenticator.java#L183)
from android-singlesignon.
tobiasKaminsky
commented on August 14, 2024
Right, passing the server url should still be done, for UX 👍
But I would like to remove the password entirely, so that even the freshly generated token is not transferred within android and thus is never exposed.
I will give it a try.
from android-singlesignon.
tobiasKaminsky
commented on August 14, 2024
Password is indeed not needed, so I will create a PR for this on Monday, based on #8, so that #8 is not cluttered up too much.
from android-singlesignon.
tobiasKaminsky
commented on August 14, 2024
I would also include calling package as further security step, so that both must match: calling package and token.
from android-singlesignon.
tobiasKaminsky
commented on August 14, 2024
I have added calling package, but for now we are using the same token as the original login.
from android-singlesignon.
tobiasKaminsky
commented on August 14, 2024
@rullzer we can then use the passed calling package name to name the auth token, once this is ready.
from android-singlesignon.
David-Development
commented on August 14, 2024
@tobiasKaminsky I think this is already implemented by now, isn't it? (See https://github.com/nextcloud/android/blob/sso/src/main/java/com/owncloud/android/authentication/AccountAuthenticator.java#L182)
from android-singlesignon.
tobiasKaminsky
commented on August 14, 2024
@David-Development yes, this is implemented 👍
from android-singlesignon.
Related Issues (20)
- Provide convenience class for OCS requests HOT 4
- Support .qa package id of the files app
- Convenience features for `NextcloudRequest.Builder`
- Handle `QueryParam` with key "`c`" HOT 4
- SEARCH HTTP method is not supported HOT 7
- Support Activity Result API HOT 3
- Rotation issues
- i18n: `Benötigt keine Übersetzung. Für Android wird nur die formelle Übersetzung verwendet (de_DE).` HOT 7
- If only dev app is installed SSO doesn't work HOT 8
- Break on minified app HOT 12
- Migrate to Material 3 theme HOT 1
- Option to create new token on `TokenMismatchException` HOT 3
- Availablity on Amazon store HOT 1
- Instantiating `Void` does no longer work with AGP 8 HOT 18
- Improve SSO error dialogs shown by 3rd-party-apps HOT 2
- Check `NetworkRequest#mDestroyed` before each network request? HOT 1
- Readme contains bad R8 advice HOT 1
- Reportedly not working when used within Samsung Knox HOT 1
- Possibility to get WebDAV-capable app password/token from SSO HOT 5
- Dependency Dashboard
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from android-singlesignon.