Security in Nextcloud 12: new authentication mechanisms

Nextcloud 12’s authentication for clients and third parties has received an overhaul. Nextcloud 12 supports a wide variety of authentication mechanisms including OpenID and OAuth 2.0, Kerberos and others thanks to its ability to authenticate via an environment variable. A major benefit of this approach is that, instead of re-inventing the wheel and writing fresh security-critical code, Nextcloud relies on widely used and battle-tested solutions. The new client authentication follows a similar pattern.

New client authentication

Simplicity is the highest ideal in security because doing less means a smaller attack surface and less room for mistakes. This was our approach when designing a new authentication mechanism for our (and other) clients. Rather than supporting a multitude of different authentication mechanisms, we let the client authenticate to the server in one simple, effective way, thus letting the server handle all the complicated authentication mechanisms supported for users. This leaves the client authentication easy to explain, easy to implement and with little room for ambiguity and vulnerabilities.

For a user it is equally simple. Enter the server URL in the client and you get a web page with your Nextcloud login. You log in with your usual credentials, be it an SSO system, two-factor hardware token, code, SMS, smart card or anything else that is configured by the server admin. Password accepted means you return to the app – done. In the background, an app password is generated on the server and handed back to the client in a specially formulated string. As a user, you can manage the app passwords and their permissions in your user settings, for example limiting access to the files.
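The flow just described, modelled end to end in Python as an added illustration (this is not Nextcloud's own code, and the `demo-login://` hand-back format, the function names and the in-memory store are assumptions made for the example): the server issues a random app password only after the browser login has succeeded, stores nothing but its hash and the granted permissions, hands it to the client in a URL-style string, and the client then presents it as an ordinary password on every request. The user's real credentials never reach the client, whatever second factor or SSO the admin has configured is enforced by the browser login, and revoking the app password in the settings cuts the client off without touching the account password.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder scheme for the hand-back string; not Nextcloud's real format.
HANDBACK_SCHEME = "demo-login"

# Server-side store: user -> list of {"digest": sha256 hex, "files": bool}.
# Only a hash of each app password is kept, so a leaked store does not expose tokens.
_APP_PASSWORDS = {}


def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_app_password(user, server_url, allow_files=True):
    """Server side. Runs after the user completed the normal browser login
    (including any SSO or second factor). Generates a fresh random app
    password, stores only its hash plus the granted scope, and returns the
    string handed back to the client. The account password is never sent."""
    app_password = secrets.token_urlsafe(32)
    _APP_PASSWORDS.setdefault(user, []).append(
        {"digest": _digest(app_password), "files": allow_files}
    )
    query = urlencode({"server": server_url, "user": user, "password": app_password})
    return f"{HANDBACK_SCHEME}://login/?{query}"


def parse_handback(handback):
    """Client side. Extracts server, user and app password from the hand-back string."""
    parts = urlsplit(handback)
    if parts.scheme != HANDBACK_SCHEME:
        raise ValueError("unexpected hand-back scheme")
    q = parse_qs(parts.query, strict_parsing=True)
    return {k: q[k][0] for k in ("server", "user", "password")}


def basic_auth_header(user, app_password):
    """Client side. The app password is used like a normal password on each request."""
    raw = f"{user}:{app_password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def authenticate(header, needs_files=False):
    """Server side. Returns the user name for a valid app password whose
    permissions cover the request, otherwise None."""
    if not header.startswith("Basic "):
        return None
    try:
        user, _, presented = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    presented_digest = _digest(presented)
    for entry in _APP_PASSWORDS.get(user, []):
        # Constant-time comparison of the stored and presented hashes.
        if hmac.compare_digest(entry["digest"], presented_digest):
            if needs_files and not entry["files"]:
                return None  # valid token, but file access was not granted
            return user
    return None


def revoke_app_passwords(user):
    """Server side. What the user settings page does when app passwords are
    removed; returns how many were revoked."""
    return len(_APP_PASSWORDS.pop(user, []))


if __name__ == "__main__":
    # Constructed walk-through: browser login done, client receives the hand-back string.
    handback = issue_app_password("alice", "https://cloud.example.test", allow_files=False)
    creds = parse_handback(handback)
    header = basic_auth_header(creds["user"], creds["password"])
    print("generic request:", authenticate(header))
    print("file request:", authenticate(header, needs_files=True))
    print("revoked:", revoke_app_passwords("alice"), "-> now", authenticate(header))
```

The scope check in `authenticate` is what makes "limiting access to the files" enforceable per app password rather than per account: the same user can hold one token that may read files and another that may not, and either can be revoked independently.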

Authentication for Nextcloud itself: improved two-factor authentication, SSO and options

Among the many security improvements introduced in Nextcloud 11 was built-in two-factor authentication. For Nextcloud 12, a number of improvements were made. First, TOTP and U2F now require password confirmation when changing their settings, to ensure an attacker cannot simply disable them. Second, U2F now supports multiple tokens, and NFC tokens are newly supported. Last but not least, 2FA actions now show up in the Activities app so you can keep an eye on when and where logins take place.

Nextcloud also offers deep integration with various enterprise authentication methods. These include:

This authentication is provided through our SAML app; a description of how to configure it can be found on the Nextcloud Support Portal.
