Allow API access for Nextcloud

I tried to connect Nextcloud to Discourse here to get notifications from here in my personal Nextcloud server (that happens to run Fedora :slight_smile: ), however, after logging in and authorizing nextcloud, I get a 403 on the Discourse side. It appears that “allowed_user_api_auth_redirects” needs enabled to support this.

1 Like

Let me check.

1 Like

@vwbusguy Can you post this in non-image form (or a link to them)?

I can’t link to it in a meaningful way since it’s in the password-protected account settings in Nextcloud, but here’s the relevant text:

If you fail getting access to your Discourse account, this is probably because your Discourse instance is not authorized to give API keys to your Nextcloud instance.
Ask the Discourse admin to add this URI to the “allowed_user_api_auth_redirects” list in admin settings:

Currently, I can auth to this Discourse and click to allow API access, but then I get a WSOD when Discourse blocks redirect back to Nextcloud to finish the process.

Transferred8.90 KB (36.12 KB size)
Referrer Policystrict-origin-when-cross-origin

What are the security implications of doing this? Like, let’s imagine you’re The Bad Guy. What is the most malicious thing you could do if the setting were enabled?

I’m honestly not sure. I can scrape the API credentials from the authorization from the payloads anyway. It’s just not redirecting them back to Nextcloud. It might be possible that I could scrape them and manually try inserting them in the database backend somewhere. The security setting is more of an inconvenience than an actual blocking in that case, which makes it more difficult to setup a 3rd part integration but doesn’t seem like it would actually hinder a malicious actor who got this far without that setting being active. Seems more of a lock that only keeps honest people out type of setting.

1 Like

Sounds reasonable. Done here and on Discussion.

1 Like

Success! Many thanks!

1 Like