
Scoped Access for Oauth Tokens #26233

Closed
sunjam opened this issue Mar 20, 2021 · 14 comments
Labels: 0. Needs triage, enhancement, needs info, stale

Comments

sunjam commented Mar 20, 2021

See the official documentation for reference. Filing in the hopes of OAuth tokens adding scoped access to address the security risk of only supporting full read+write access. Thanks for your consideration!

Nextcloud OAuth2 implementation currently does not support scoped access. This means that every token has full access to the complete account including read and write permission to the stored files. It is essential to store the OAuth2 tokens in a safe way!

Without scopes and restrictable access it is not recommended to use a Nextcloud instance as a user authentication service.

sunjam added the 0. Needs triage and enhancement labels on Mar 20, 2021
szaimen (Contributor) commented Jun 25, 2021

cc @nextcloud/server-triage is this feasible?

sunjam (Author) commented Jun 25, 2021

OAuth Scopes is a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes; this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.

Full details at https://oauth.net/2/scope/
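As an added illustration of the scope mechanism described in the comment above and of the documentation note quoted in the opening post (this is example code, not Nextcloud's implementation or anything posted in this thread): a minimal model of scope parsing, the consent step, token issuance limited to what the user granted, and the resource-server check that a scoped token makes possible. The scope names (`files:read`, `files:write`, `profile:read`) and the function names are hypothetical.

```python
"""Model of OAuth 2.0 scoped access: request, consent, scoped token, enforcement.
Added example; scope names and API are hypothetical, not Nextcloud's."""
from dataclasses import dataclass

# Constructed scope catalogue for a file-hosting API.
KNOWN_SCOPES = {
    "files:read": "Read your files",
    "files:write": "Create, modify and delete your files",
    "profile:read": "Read your profile (name, email)",
}


@dataclass(frozen=True)
class AccessToken:
    user: str
    scopes: frozenset  # an unscoped token would carry no restriction at all


def parse_scope(scope_param: str) -> set:
    """RFC 6749 section 3.3: scope is a space-delimited, case-sensitive list.
    Unknown scopes are rejected (invalid_scope) rather than silently ignored."""
    requested = set(scope_param.split())
    unknown = requested - set(KNOWN_SCOPES)
    if unknown:
        raise ValueError(f"invalid_scope: {sorted(unknown)}")
    return requested


def consent_screen(requested: set) -> list:
    """Lines shown to the user before approval, one per requested scope."""
    return [f"{s}: {KNOWN_SCOPES[s]}" for s in sorted(requested)]


def issue_token(user: str, requested: set, granted: set) -> AccessToken:
    """The token carries only scopes both requested and granted by the user."""
    return AccessToken(user, frozenset(requested & granted))


def authorize(token: AccessToken, required_scope: str) -> bool:
    """Resource-server check: a leaked files:read token cannot write files."""
    return required_scope in token.scopes


if __name__ == "__main__":
    req = parse_scope("files:read profile:read")
    print("\n".join(consent_screen(req)))
    tok = issue_token("alice", req, granted={"files:read"})  # user declined profile:read
    print(authorize(tok, "files:read"), authorize(tok, "files:write"))  # True False
```

The contrast with the behaviour the opening post quotes is the last line: without scopes the same leaked token would pass every check, not only the one the user consented to.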

ghost commented Jul 25, 2021

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

ghost added the stale label on Jul 25, 2021
sunjam (Author) commented Jul 25, 2021 via email

ghost removed the stale label on Jul 25, 2021
ghost commented Aug 24, 2021

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

ghost added the stale label on Aug 24, 2021
sunjam (Author) commented Aug 24, 2021 via email

ghost removed the stale label on Aug 24, 2021
ghost commented Sep 23, 2021

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

ghost added the stale label on Sep 23, 2021
sunjam (Author) commented Sep 24, 2021

open please

ghost removed the stale label on Sep 24, 2021
ghost commented Oct 24, 2021

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

ghost added the stale label on Oct 24, 2021
sunjam (Author) commented Oct 24, 2021 via email

ghost removed the stale label on Oct 24, 2021
ghost commented Nov 23, 2021

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

ghost added the stale label on Nov 23, 2021
ghost closed this as completed on Dec 7, 2021
sunjam (Author) commented Mar 23, 2022

I'd like this request re-opened as it is important to consider. It is just frustrating to have to re-open it and spam replies every few weeks to keep it open. Having to constantly reply just to leave the item open has worn me down, but I know it is extremely important. Scoped access is a standard OAuth feature used by all of the major companies for basic security: Google, Facebook, Slack, take your pick.

Appreciated if anyone knows a way to keep this issue open.

BartG95 commented Aug 6, 2022

If you want this to authenticate to other services, consider https://github.com/H2CK/oidc

sunjam (Author) commented Aug 6, 2022 via email

This issue was closed.