Granular Permissions on App Passwords

[benyanke]

App passwords, in a sense, are like API keys for the "normal" user - they allow access to a resource without sharing the main account password. Frequently, at least in my usecase, app passwords are used for single-purpose software or situations (for example, a task-list or calendar client app).

I'd like to propose that app passwords be assigned granular permissions, which would allow one to set up, for example, a calendar app which can only access your calendar, instead of everything on the server.

Starting out, it could be as simple as:

• One blanket permission for each app (one for calendar, one for tasks, etc) - perhaps breakout read and write?
• File reading
• File writing/modification
• Account Administration/Ability to Log in (as opposed to WebDAV access)

As such, an example permission list on a typical NextCloud instance might look like:

• App: Calendar
• App: Tasks
• App: Notes
• File Read
• File Write and Modification
• Log-in

[j-ed]

I found several other app password related issues which could possibly summarized under this issue too:

• App password restrictions for specific nextcloud apps #6376 App password restrictions for specific nextcloud apps
• App passwords should be optional #3228 App passwords should be optional
• Allow to restrict app password data access #2866 Allow to restrict app password data access

[ChristophWurst]

* #6376 App password restrictions for specific nextcloud apps

Was just about to comment that 👍

Let's continue there 😉