Auto-Login via URL

oc-internals
9.1.x

#1

I am looking to be able to auto-login by passing credentials via URL. Something like: http://xxx.xxx.x.xxx/owncloud/index.php/login?user=admin&pass=password. This will be used in a 'portal' environment which already has a login of its own.

Not sure if this is an existing feature, but I can't seem to find it. I am aware of the public sharing link option but this doesn't seem to allow me to use different permissions per user/group on a folder.


Auto-Login / Public-Login
#2

Hi,

I highly doubt that such a functionality is included in ownCloud.


#3

A proper solution would be single sign on (SSO) which was only available for the enterprise subscription, now it's not really clear:


#4

While it's not clear from the request that this is looked for, that is correct. SSO via SAML is delivered with the Enterprise Edition. However the Community has provided an app called user saml for a long time: https://github.com/owncloud/apps/tree/master/user_saml which covers only the WebFrontEnd, but that seems sufficient in this case...
Of course the syntax is different than wished for ... so there might be also other authentication solutions available for the webfrontend to take care of the original request.

The Enterprise Version also does SAML authentication across Desktop and Mobile Clients which is important in large organizations.


#5

I appreciate the help but that seems overly complicated. I keep seeing various forms of authentication, such as username/password, username/token, and just a token, but nothing seems to be very clear. Is it not possible to have a webpage act as a 'client' and send/receive some sort of authorization? It doesn't really matter how it is done, as long as the user on our end doesn't have to enter a second pair of credentials for owncloud after already logging into our portal.


#6

So... I was able to get past the login screen using the following code, but it still shows a second authentication popup after being logged in asking for credentials again while trying to load the files and folders.

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta charset="utf-8">
<title>OwnCloud Login Test</title>
<link rel="stylesheet" href="">
<link rel="shortcut icon" href="">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
</head>
<body>
<script>
<?php
// Relative path of the ownCloud login endpoint; this page has to be served by PHP
// from the ownCloud web root for the relative URL to resolve.
$URL = 'index.php/login';
?>
$.ajaxSetup({
    xhrFields: {
        withCredentials: true   // send and accept the session cookie on the XHR
    },
    beforeSend: function(request){
        // user and pass are taken from this page's own query string (?user=...&pass=...)
        request.setRequestHeader('Authorization','Basic <?php echo base64_encode($_GET["user"] . ":" . $_GET["pass"])?>');
    }
});
$.ajax({
    url: '<?php echo $URL?>',
    success: function(html){
        // the XHR has established the session; now navigate the browser to the same URL
        window.location.replace("<?php echo $URL ?>");
    }
});
</script>
</body>
</html>

It seems like it's coming from x.x.x.x/owncloud/remote.php/webdav saying that it wasn't passed the authentication headers.

Any idea why this is happening? Any guidance on how to make this work?


#7

You somehow also need to pass the credentials as Basic Auth credentials to /remote.php/webdav.


#8

Doesn't seem to work... think I need the request token but not sure how to generate one.

Is there documentation on how to login with php? It's fine if it's a server-side page that you send the credentials to, as long as the user doesn't see a login form... just trying out my options...


#9

Where did you put this code in order to get it to work? I'm trying to do the same thing you were, but don't know where to add this html.


#10

Hi Sean,

I never actually got this to work using that method. I was finally able to accomplish what I wanted to by editing a javascript file that is loaded on the login page. (/var/www/owncloud/core/js/login.js)

I added a function to fetch parameters from the URL (FYI, user parameter already works by default)

This will allow automatically logging in by putting the parameters in the URL like this: http://xxx.xxx.x.xxx/owncloud/index.php/login?user=admin&pass=cGFzc3dvcmQ= (I base64 encoded the password)

function getURLParameter(name) {
  // Returns the value of one query-string parameter from location.search, or null if absent.
  // Note the character class is [?&]; a '|' inside it would be matched literally.
  return decodeURIComponent((new RegExp('[?&]' + name + '=' + '([^&;]+?)(&|#|;|$)').exec(location.search) || [null, ''])[1].replace(/\+/g, '%20')) || null;
}

Then added some changes to existing code like below. You should easily see where this is if you locate the file. You could use the 'atob' function where I have decode64 instead, if you want to have the password encoded in the URL like I did.

$(document).ready(function() {
    var pass = getURLParameter('pass');
    // #user is already pre-filled by ownCloud from the 'user' URL parameter
    if (pass && $('#user').val()) {
        // decode64 is the author's own base64 helper (not shown); window.atob does the same job
        $("#password").val(decode64(pass));
        $('#submit').trigger('click');
    }
    $('form[name=login]').submit(OC.Login.onLogin);
    $('#remember_login').click(OC.Login.rememberLogin);
});

#11

Thank you! I'll see if I can get this up for my site.


#12

Not working here, unfortunately. I've tried just about every way to auto login a user that I can come up with, nothing works. I don't understand why this can't be built into the API. You can create a user but you cannot sign on through curl. This is how single sign on should work, you set the cookies and then redirect the user to the owncloud page. If anyone has any idea of how to use single sign on with a custom user base from your main website, let me know, please.


#13

This also interests me... can somebody help us?


#14

I'm not even a security expert but I see real security problems with the solutions being proposed here.

The main problem here is that you can be uploading files to MY account without any notice (you might overlook things) or you can access other people's accounts by mistake and get all of their files.

Just link the target url and let the user bump into the ownCloud's login page so they can fill their credentials there. They should be redirected to the target url once the login is completed. If they were logged in before, they'll likely jump over the login page.
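
The concern raised here (a password that rides in the URL is written to every web server, proxy and browser-history log on the way) can at least be checked for on the server side. The following is an added example, not code from this thread or from ownCloud; it scans constructed access-log lines in Apache/nginx combined format for the login URL pattern used in this thread and reports the hits with the values masked.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
# The first two carry a password-like parameter the way the scripts in this thread do.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2017:12:00:01 +0000] "GET /owncloud/index.php/login?user=admin&pass=cGFzc3dvcmQ= HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2017:12:00:05 +0000] "GET /owncloud/index.php/login?user=alice&code=c2VjcmV0 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Oct/2017:12:00:09 +0000] "GET /owncloud/index.php/login?user=bob HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.13 - - [10/Oct/2017:12:00:12 +0000] "GET /owncloud/index.php/apps/files/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
"""

# Parameter names the thread's scripts use to carry the password ('pass' and 'code').
SECRET_PARAMS = {"pass", "password", "code"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def looks_like_base64(value):
    """True if the value is valid base64 (the thread's encoding): the password is
    then trivially recoverable from the log line itself."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def find_credential_leaks(log_text):
    """One finding per request to the ownCloud login URL that carries a
    password-like query parameter. The secret value itself is never returned."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/index.php/login"):
            continue
        params = parse_qs(parts.query)
        leaked = sorted(SECRET_PARAMS & set(params))
        if not leaked:
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "user": params.get("user", ["?"])[0],
            "params": leaked,
            "base64": any(looks_like_base64(params[p][0]) for p in leaked),
        })
    return findings


if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_LOG):
        print(finding)
```

On a real deployment the same check belongs in the log pipeline, and the remedy is the one the post above suggests: let ownCloud's own login page take the credentials rather than the URL.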


#16

function getURLParameter(name) {
  // Returns the value of one query-string parameter from location.search, or null if absent.
  // The character class is [?&]; a '|' inside it would be matched literally.
  return decodeURIComponent((new RegExp('[?&]' + name + '=' + '([^&;]+?)(&|#|;|$)').exec(location.search) || [null, ''])[1].replace(/\+/g, '%20')) || null;
}

$(document).ready(function() {
    var code = getURLParameter('code');
    var user = getURLParameter('user');
    // .val(user) sets the username field and returns the jQuery object, so this
    // condition only depends on 'code' being present
    if (code && $('#user').val(user)) {
        $("#password").val(window.atob(code));   // 'code' is the base64-encoded password
        $('#submit').trigger('click');
    }
    $('form[name=login]').submit(OC.Login.onLogin);
    $('#remember_login').click(OC.Login.rememberLogin);
});

Secure?

If the user doesn’t know the username and password, they can’t login to their account. Let’s say for example you have a website that has its own username and password system for logging in. You had this infrastructure in place for some time and then decided to implement owncloud on your server. Now you need 2 separate accounts, users don’t need any more accounts to be forced to keep track of. So, since owncloud doesn’t support single sign on api, you use your own account system to automatically create a virtual account under owncloud that would be used when a user clicked a certain link.

There should be no way for another user to access another user’s owncloud account or their files. They would have to be able to gain access to the member system already in place, which we presume is already secure. Unless they know the password somehow, if that’s the case, you have bigger problems on your hands. It would be nice if there were a token system in place so the 2 pages could talk to one another and limit the number of tries to login. Then the user would have to close the page and go back to the original link they clicked on to be taken to owncloud.

I am on v10 and the above code is working for me. It doesn’t automatically submit the form but it does fill the fields in with the appropriate information.


#17

Now let me ask, why should I trust your site and put my ownCloud account, including the password, in your site? Sorry, but if I have to enter my credentials somewhere, I’d rather enter them inside the service (ownCloud in this case) instead of any external site.

OAuth should fit here I think.


#18

You shouldn’t trust any website until they have convinced you they know what they are doing when it comes to your privacy and security. A lot of people trusted Yahoo, that didn’t work out too well for them. Technically speaking if owncloud is on the same domain it would still be internal, not external.

You’re still trusting OAuth and the website that implemented it with your secret. If the site looks dodgy, you wouldn’t be using their owncloud presumably anyways. OAuth is a great solution and if you can use it, you should. Anyone who is serious about the security of their membership access on their website should have their site and code audited by a professional.

My implementation is for personal use only. Anyone who is using this on a large scale with hundreds of users should have their code audited and should be using a token authorization system for this handshake.