Nextcloud Integration - REST API with user token authentication / query as given user / search query as given user

Hello,

I’m looking for ways to integrate Nextcloud with XWiki. One of the things I’d like to do is provide XWiki search results in Nextcloud.

In Nextcloud, this is done by writing a Search provider, server-side, in PHP. The user’s browser does not make the search query, the Nextcloud server does.

I need to figure out authentication. I see several possible approaches:

User token

One approach that could work is what Nextcloud GitLab integration does: as a user, you generate a user token in GitLab and put it in your Nextcloud user settings. For this to work, I’d need:

  • something to generate a token in XWiki
  • be able to use this token in XWiki’s REST API.

According to XWiki’s REST API documentation, one can use two ways of authentication:

  • cookies. But Nextcloud does not have a way to access XWiki’s cookies in the general case. It probably has access to XWiki’s cookies if XWiki and Nextcloud are on the same domain, or if XWiki is on the main domain and Nextcloud on a subdomain, but I bet it’s not usual, or at least we cannot assume it is the case, and sending XWiki cookies from Nextcloud’s Javascript code to the Nextcloud server wouldn’t feel right even if it was possible.
  • basic authentication. That requires users to give their passwords to the Nextcloud instance, and to store these passwords in plain text in Nextcloud’s database. This is not right neither.

Is there a way to use a generated token instead? With read-only / search-only permission?

Admin access / token

Instead of a user token, Nextcloud could have some (read only) admin access to the XWiki instance, through a token or some other mechanism, and run queries “as a given user” (for instance, by matching email addresses - that’s not perfect, and using some kind of mapping / centralized authentication like LDAP would be cleaner, safer and more robust but I guess that would be a start - in a given organization, you probably use the same email address everywhere)

Nextcloud could then query XWiki with this token. For this to work:

  • XWiki needs to provide a way to authenticate with an admin token
  • One should be able to run the query from the REST API as a given user instead of admin, so users se results that match what they have access to - is that possible or conceivable?

The advantage is that users would not be required to generate a token themselves. The drawback is that it is a bit scary.

Have some Nextcloud-specific integration code in XWiki

That’s my best bet currently. We would have a XWiki service page that would answer Nextcloud requests. This service should be accessible to guests, but have a secret token defined in its objects that would be shared with Nextcloud. I see two obvious issues:

  • the REST API cannot be used, its features need to be replicated
  • the solution is specific to Nextcloud and would need to be duplicated for each integration we’d like to implement. Of course it could be made generic, but then, why not implement these solutions in the REST API directly? It would be great if foreign services could use the REST api without any specific integration code in XWiki.

This solution also raises a question: is there a way to run a HQL / SOLR query “as a given user”? That is, a query that would only return documents a given user can see?
Is this possible in velocity/groovy, or should a Java service be written?

Conclusion

There are actually several questions here. To summarize:

  • how to allow Nextcloud to access access XWiki (as a given user)?
  • is it possible to use some kind of token-based mechanism to access the XWiki REST API? If not, would a token-based authentication in the XWiki REST API and on other XWiki pages be considered?
  • is it possible to run a REST API Query “as a given user”?
  • is it possible to run a HQL/XWQL/SORL query “as a given user” in a velocity / groovy script in a XWiki page? Or in a Java service?

Do you see another way I haven’t thought of or weaknesses I didn’t notice in the solutions I presented?

Hello,

there’s many question there :slight_smile:

So right now the short answer is no: there’s no such mechanism. I can find this old ticket related to using token for authentication: Loading.... But I do recall a discussion around this topic some months ago so maybe there’s another ticket related.
In any case, such mechanism would be definitely interesting for XWiki.

Sure you can use authentication with REST and the rights of the user are taken into account for displaying the results. See: https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/XWikiRESTfulAPI#HAuthentication

There’s many ways for running queries in scripts, see: Query API (XWiki.org)

Note that the queries a user without PR right is allowed to perform are limited to avoid working around the rights mechanism. See: Query API (XWiki.org)

Thanks for your reply.

there’s many question there

Yes xD Exploration mode…

My question was more: is it possible to have something like https://xwiki.example.org/xwiki/rest/[...]/?as_user=XWiki.XXX possible? For instance I am XWiki.Admin, but I want to see what XWiki.XXX would see. A bit like runas or sudo -u XXX ... or su XXX -c "..." on Unix-like systems.

I want to see what XWiki.XXX would see.

Well by doing so you’d impersonate XXX rights which would clearly be a security issue (e.g. you might be allowed to see pages you normally are not allowed to see). So no there’s no such mechanism and I doubt we’d ever want it.

I understand the concern, but that would be fine for the super admin, that has all the rights anyway, to have this ability, no? That would be essentially a drop of privileges for the super admin, not privilege elevation.