Hello,
I’m looking for ways to integrate Nextcloud with XWiki. One of the things I’d like to do is provide XWiki search results in Nextcloud.
In Nextcloud, this is done by writing a Search provider, server-side, in PHP. The user’s browser does not make the search query, the Nextcloud server does.
I need to figure out authentication. I see several possible approaches:
User token
One approach that could work is what Nextcloud GitLab integration does: as a user, you generate a user token in GitLab and put it in your Nextcloud user settings. For this to work, I’d need:
- something to generate a token in XWiki
- be able to use this token in XWiki’s REST API.
According to XWiki’s REST API documentation, one can use two ways of authentication:
- cookies. But Nextcloud does not have a way to access XWiki’s cookies in the general case. It probably has access to XWiki’s cookies if XWiki and Nextcloud are on the same domain, or if XWiki is on the main domain and Nextcloud on a subdomain, but I bet it’s not usual, or at least we cannot assume it is the case, and sending XWiki cookies from Nextcloud’s JavaScript code to the Nextcloud server wouldn’t feel right even if it was possible.
- basic authentication. That requires users to give their passwords to the Nextcloud instance, and to store these passwords in plain text in Nextcloud’s database. This is not right either.
Is there a way to use a generated token instead? With read-only / search-only permission?
Admin access / token
Instead of a user token, Nextcloud could have some (read only) admin access to the XWiki instance, through a token or some other mechanism, and run queries “as a given user” (for instance, by matching email addresses; that’s not perfect, and using some kind of mapping / centralized authentication like LDAP would be cleaner, safer and more robust, but I guess that would be a start: in a given organization, you probably use the same email address everywhere).
Nextcloud could then query XWiki with this token. For this to work:
- XWiki needs to provide a way to authenticate with an admin token
- One should be able to run the query from the REST API as a given user instead of admin, so users see results that match what they have access to. Is that possible or conceivable?
The advantage is that users would not be required to generate a token themselves. The drawback is that it is a bit scary.
Have some Nextcloud-specific integration code in XWiki
That’s my best bet currently. We would have an XWiki service page that would answer Nextcloud requests. This service should be accessible to guests, but have a secret token defined in its objects that would be shared with Nextcloud. I see two obvious issues:
- the REST API cannot be used, its features need to be replicated
- the solution is specific to Nextcloud and would need to be duplicated for each integration we’d like to implement. Of course it could be made generic, but then, why not implement these solutions in the REST API directly? It would be great if foreign services could use the REST API without any specific integration code in XWiki.
This solution also raises a question: is there a way to run an HQL / SOLR query “as a given user”? That is, a query that would only return documents a given user can see?
Is this possible in Velocity/Groovy, or should a Java service be written?
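As an added example (not code from the original post, and not part of XWiki or Nextcloud), here is one way the guest-accessible service page of the third approach could look as a `{{groovy}}` macro: it verifies a shared secret in constant time, runs a parameterised XWQL query, and then keeps only the documents the target user is allowed to view. It assumes a hypothetical `Nextcloud.IntegrationClass` with a `sharedSecret` field attached to a page `Nextcloud.Secret` that guests cannot view, a hypothetical `X-Integration-Token` request header, and `user` / `q` request parameters sent by Nextcloud.

```groovy
// Runs inside an XWiki page with programming rights ({{groovy}} macro),
// so the xwiki, xcontext, request, response and services bindings exist.
import java.security.MessageDigest
import groovy.json.JsonOutput
import org.xwiki.model.reference.DocumentReference

// Constant-time comparison: a wrong guess must not leak how many bytes matched.
def secretMatches(String expected, String presented) {
    if (expected == null || presented == null) return false
    return MessageDigest.isEqual(expected.getBytes('UTF-8'), presented.getBytes('UTF-8'))
}

// The secret lives on a page guests cannot view (assumed: Nextcloud.Secret), read through
// the privileged API so the check works even though the current requester is a guest.
// Keeping it on this guest-viewable page would expose it through the page's XML/REST views.
def ctx = xcontext.context
def secretDoc = ctx.wiki.getDocument(new DocumentReference(ctx.wikiId, 'Nextcloud', 'Secret'), ctx)
def expected = secretDoc.getStringValue('Nextcloud.IntegrationClass', 'sharedSecret')
def presented = request.getHeader('X-Integration-Token')   // assumed header name

if (!secretMatches(expected, presented)) {
    response.setStatus(401)
    println 'unauthorized'
    return
}

def userName = request.getParameter('user')   // e.g. "XWiki.jdoe", resolved by Nextcloud from the e-mail address
def term = request.getParameter('q') ?: ''

// Bound parameter: the search term never becomes part of the query text.
def hits = services.query.xwql('where doc.title like :t or doc.content like :t')
        .bindValue('t', "%${term}%".toString())
        .addFilter('hidden')   // drop hidden documents, as the wiki UI does
        .setLimit(200)         // over-fetch, because the rights filter below removes some results
        .execute()
        .findAll { fullName -> xwiki.hasAccessLevel('view', userName, fullName) }
        .take(20)

response.setContentType('application/json')
println JsonOutput.toJson(hits.collect { fullName ->
    [fullName: fullName, url: xwiki.getDocument(fullName).getExternalURL()]
})
```

The query itself still runs with the script author's rights; the per-user restriction comes only from the `hasAccessLevel` filter, so the `user` value must be derived by Nextcloud from an authenticated identity rather than taken from anything an end user can type.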
Conclusion
There are actually several questions here. To summarize:
- how to allow Nextcloud to access XWiki (as a given user)?
- is it possible to use some kind of token-based mechanism to access the XWiki REST API? If not, would a token-based authentication in the XWiki REST API and on other XWiki pages be considered?
- is it possible to run a REST API Query “as a given user”?
- is it possible to run an HQL/XWQL/SOLR query “as a given user” in a Velocity / Groovy script in an XWiki page? Or in a Java service?
Do you see another way I haven’t thought of or weaknesses I didn’t notice in the solutions I presented?