
JWT Authentication

Open MichaelBarth opened this issue 6 years ago • 2 comments

Hello, I wrote a working fork https://github.com/MichaelBarth/external, where I implemented the possibility to encrypt the URL data with a password. I need this, for example, for a linked page which changes the password of a user's e-mail account. Without encrypting the URL it is possible to change the password of another user just by editing the username written in the "src" attribute of the iframe.

The decrypting code can be found in the documentation folder of the app.

I would be happy if my functions were included in the official version. I actually do not know how to... So I need help.

Maybe there are two issues to discuss:

  1. In the given version the link is valid for only 5 seconds; maybe users would like to change this value.
  2. The links are not working in the NEXTCLOUD APP. The encryption mechanism should be included in the app.

Thanks for reading and discussing, Michael

MichaelBarth, Sep 10 '19 16:09

I hope to find the time to take a look at it soon. Thanks for your work already :+1:

nickvergessen, Sep 11 '19 10:09

Hi dear developers, I just want to remind you that there is one wish left ... Everything is working well, but I have this problem: the uid is visible in the src of the iframe. So I can just change it to be a different user. That is more than easy.

My wish is to prevent this possibility of manipulation by sending an additional checksum with the URL. So I can check whether the URL was manipulated or not. JWT is a good technique to do this. What is needed is something like this:

  1. An additional field for a "Password"
  2. A function "make_jwt(url_params, password)"
  3. Add the JWT to the URL
  4. An API call to a function to check the URL: ...cloud/external/check_url/password

Thank you so much for your great work! Michael

MichaelBarth, May 15 '20 08:05

I implemented JWT tokens in https://github.com/nextcloud/external/pull/310

It comes with a docs/jwt-sample.php which shows how the info can be accessed.

Can you please test and verify that #310 solves your use case? A testing package that hopefully works from 23-25 is attached there. But it might be that it's not enough to just allow the versions, in which case 25 needs to be used for testing.

nickvergessen, Sep 16 '22 13:09