The open industry standard OAuth2 is now available for all ownCloud users. OAuth2 provides a secure and simplified login process for the ownCloud clients, as well as a significantly higher security level when embedding ownCloud into third-party applications and web services. With this integration there is no longer any need to store passwords in the ownCloud desktop client or in the ownCloud mobile apps for iOS and Android; instead, the client is authenticated in an automatically opened web browser, where the user enters username and password. The client then receives a unique access token which, under the OAuth2 protocol, authorises the login, and this protocol will be used for all future connections to the ownCloud server. Neither the ownCloud clients nor third-party web applications ever see or store the login credentials.
Using a different access token for each client lets users end their sessions selectively. Because an access token is issued for each device and each application individually, users can review their authorised clients in their personal settings and revoke individual tokens. This is especially useful when a device has been lost: the user gains more control and at the same time raises access security.
Server-side authentication simplifies the integration of identity management services (e.g. SAML/SSO), because clients only need to be authenticated through the server. The integration of other authentication protocols, such as CAS, into ownCloud will likewise take place entirely on the server; the clients are authenticated independently via OAuth2.
This new development is the result of a community project by a group of students at the University of Münster for the education platform Sciebo@Learnweb. The goal was to integrate ownCloud into the education platform Moodle (https://pssl16.github.io/). The initial development was then adopted by ownCloud developers and extended for professional use.
OAuth2 is Available for the Following Platforms From Now On or Coming Soon:
Overview of the Secure Authentication and Authorisation Process with OAuth2 using the ownCloud Desktop Client:
- The user opens the newly installed desktop client and enters the ownCloud address (URL).
- The login page opens in the browser. The user can verify the authenticity of the login page with the browser's regular features.
- The user now enters the login credentials (authentication) and authorises the application.
- The ownCloud server transmits the individual tokens (access and refresh) to the client.
- The client is now fully authorised and ready to use.
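The five steps above, together with the per-client revocation described earlier, modelled end to end as an added example. This is not ownCloud's code: the authorization endpoint URL, the client ids, the redirect URIs and the in-process toy server are assumptions made so that the flow runs offline, and the `state` parameter and the single-use authorization code are standard OAuth2 mechanics that the announcement does not spell out. The point it shows is that the password is only ever handled on the server side, while each client ends up with its own token that can be revoked without affecting the others.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

USERS = {"alice": "correct-horse-battery-staple"}  # constructed; checked only server-side

class ToyAuthServer:
    """Stand-in for the ownCloud server's OAuth2 endpoints (assumed, not the real API)."""

    def __init__(self):
        # client_id -> registered redirect URI (assumption: clients are pre-registered)
        self.registered = {"owncloud-desktop": "http://127.0.0.1:8123/callback",
                           "owncloud-android": "oc://android.owncloud.com"}
        self.pending = {}  # single-use authorization code -> (client_id, username)
        self.tokens = {}   # access token -> {"client_id", "user", "refresh"}

    def authorize(self, client_id, redirect_uri, state, username, password):
        """Login page in the browser: credentials are entered here, never in the client."""
        if self.registered.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not hmac.compare_digest(password, USERS.get(username, "")):
            raise PermissionError("invalid credentials")
        code = secrets.token_urlsafe(24)
        self.pending[code] = (client_id, username)
        # The browser returns to the client with a short-lived code, not the password.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code):
        """Token endpoint: exchange a one-time code for access and refresh tokens."""
        entry = self.pending.pop(code, None)  # pop: the same code cannot be replayed
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid, reused, or foreign authorization code")
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[access] = {"client_id": client_id, "user": entry[1], "refresh": refresh}
        return {"access_token": access, "refresh_token": refresh, "token_type": "bearer"}

    def sessions(self, username):  # the 'authorised clients' list in personal settings
        return sorted(t["client_id"] for t in self.tokens.values() if t["user"] == username)

    def revoke(self, username, client_id):  # drop one client's token, keep the others
        for access in [a for a, m in self.tokens.items()
                       if m["user"] == username and m["client_id"] == client_id]:
            del self.tokens[access]

    def check(self, access_token):  # resource request: user if the bearer token is valid
        meta = self.tokens.get(access_token)
        return meta["user"] if meta else None

class OwnCloudClient:
    """Models a desktop or mobile client: it handles tokens only, never the password."""

    def __init__(self, server, client_id):
        self.server, self.client_id = server, client_id
        self.redirect_uri = server.registered[client_id]
        self.state = self.tokens = None

    def start_login(self):
        """Steps 1-2: build the authorization URL that is opened in the browser."""
        self.state = secrets.token_urlsafe(16)  # ties the callback to this login attempt
        return "https://cloud.example.invalid/authorize?" + urlencode(
            {"response_type": "code", "client_id": self.client_id,
             "redirect_uri": self.redirect_uri, "state": self.state})

    def handle_callback(self, redirect_url):
        """Step 4: check the state, then trade the code for the token pair."""
        q = parse_qs(urlparse(redirect_url).query)
        if self.state is None or not hmac.compare_digest(q.get("state", [""])[0], self.state):
            raise PermissionError("state mismatch: callback is not from our login attempt")
        self.tokens = self.server.token(self.client_id, q["code"][0])
        return self.tokens

def run_flow(client, username, password):
    """One complete login; the browser leg is simulated in-process."""
    params = {k: v[0] for k, v in parse_qs(urlparse(client.start_login()).query).items()}
    # Step 3: the user authenticates on the server's page and authorises the client.
    callback = client.server.authorize(params["client_id"], params["redirect_uri"],
                                       params["state"], username, password)
    return client.handle_callback(callback)

def demo():
    server = ToyAuthServer()
    desktop = OwnCloudClient(server, "owncloud-desktop")
    phone = OwnCloudClient(server, "owncloud-android")
    run_flow(desktop, "alice", USERS["alice"])
    run_flow(phone, "alice", USERS["alice"])
    before = server.sessions("alice")
    server.revoke("alice", "owncloud-android")  # the phone was lost
    try:  # a callback carrying a foreign state must be rejected by the client
        desktop.handle_callback(desktop.redirect_uri + "?code=x&state=forged")
        forged_accepted = True
    except PermissionError:
        forged_accepted = False
    return {"sessions_before": before,
            "desktop_still_valid": server.check(desktop.tokens["access_token"]) == "alice",
            "phone_revoked": server.check(phone.tokens["access_token"]) is None,
            "forged_callback_accepted": forged_accepted,
            "client_holds_password": USERS["alice"] in repr(vars(desktop))}
```

Running `demo()` walks two clients (desktop and phone) through the login, lists both under the user's authorised clients, revokes only the phone's token and confirms the desktop token still works. The `state` check in `handle_callback` and the single-use code in `token` are what stop a stray or replayed callback from being accepted; a real client would also bind the callback to a loopback listener or app-specific URI scheme, as the assumed redirect URIs above suggest.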