Introducing OAuth2 secure authorization flow

We are happy to announce that ownCloud supports OAuth2 now!

OAuth2 is the open industry-standard protocol for secure authorization of Web APIs. It can be used as a way for users to grant web services or applications access to their data stored in ownCloud and the new generation of ownCloud Clients (Desktop/Android/iOS) fully supports OAuth2-based authorization. The use of OAuth2 in ownCloud greatly enhances security while facilitating the integration of third party applications or web services.

Brought to you by the Community

A student project at the University of Münster kicked this off: Students wanted to connect their ownCloud, powered by sciebo, to the Moodle learning platform. This awesome community project was later adopted, professionalized and stabilized by ownCloud engineers.

What is OAuth2 good for?

There are several use cases in ownCloud for the OAuth2 implementation:

First of all, with OAuth2 you can connect ownCloud clients (Desktop, Android, iOS) through a standardized and secure authorization flow. This enables on the one hand that clients or third party applications never get to know a user’s actual login credentials but automatically get a separate “password” or token, respectively. On the other hand such application-specific tokens can be revoked selectively enabling users to disconnect their authorized clients. When e.g. a device is lost, no passwords can be extracted from it and access to an ownCloud account can easily be revoked for this particular device by the user in self-service using ownCloud’s web interface.

Apart from that, OAuth2 provides a user authorization interface for developers to facilitate the integration of ownCloud in third party applications – this extends the possibilities for secure integration of ownCloud with other applications. That the authentication is now handled by the server makes integration of identity management services (SAML/SSO) easier, as clients just need to be authorized by the server. Previously all clients had to handle the whole authentication process themselves. Future support of various authentication protocols in ownCloud is highly facilitated as it can now be handled entirely by server-side implementations. Clients are authorized independently via OAuth2.

OAuth2 also introduces new possibilities for access control: In the future you will be able to use granular device- and application-specific access controls within an ownCloud account via OAuth Scopes. If you want your phone to only interact with files while other API endpoints (e.g. user management for administrator accounts) are only accessible using the “real” user credentials, you will be able to define access rights associated with applications. Furthermore read-only clients and even application-specific folder permissions (e.g. certain folders can’t be accessed via clients) are great use cases that can be realized based on OAuth2.

How to start using OAuth2

OAuth2 is designed to be the new default way of connecting clients to an ownCloud Server (basic authentication will still be possible for legacy WebDAV clients or when an ownCloud Server does not support OAuth2). It’s easy, seamless and the most secure method ever:

To connect the ownCloud clients you need a server which has the OAuth2 app installed and enabled. If this is the case, you can just open your ownCloud client, enter the address of your ownCloud and connect. Next the web view opens your ownCloud login page.

 

Now you have to enter your credentials and authorize the application. The ownCloud Server provides unique tokens (access and refresh tokens) to the client, so the client is authorized to start its operations.

 

Having completed this quick process an ownCloud client is connected instantly and operates as usual.

Platform feature status

 

We recommend using OAuth2 for all ownCloud installations to make users’ lives easier and more secure.

Discuss this on central!

Leave a Reply