This repository has been archived by the owner on Jun 19, 2023. It is now read-only.

Authentication based in token (OAuth2) #716

Closed
9 tasks done
jesmrec opened this issue Jun 29, 2016 · 3 comments · Fixed by #919

Comments


jesmrec commented Jun 29, 2016

Login will be done via OAuth2 protocol when server version supports it.

AC:

  • Extend detection of authentication method to consider servers accepting more than one method at the same time (more than one challenge header can be received in responses). (Create new Swift class to detect all authentication methods available)
  • Embed OAuth log-in process into WebView
  • Recover / implement authentication workflow via "authorization code grant".
  • Redirect to log-in view ~~/ notification on top bar~~ when access token expires [If after the retry the request still fails, the log-in view will appear]
  • Silently use refresh token to get an access token on expiration instead of redirecting to log-in view.
  • NICE2HAVE: Allow user to select authentication method (OAuth2 or Basic Auth) [WON'T be available for now; if the server supports OAuth2, this will be the auth method by default]

Development in following PRs


Forget the description below and comments about it. It corresponds to the original request to support token-based authentication, that planned to use the ad-hoc token authentication in OC 9. In the end, mobile apps will not support it, since the current focus is OAuth 2.

Server version 9.1 will include this new feature that will make mobile apps adapt their login view to this new authentication mode.

The user generates a token in the web admin console (personal section). That token identifies the account unequivocally, so using only the token the user can log in to his/her account. He could use the usual method user/password as well.

To do:

Actually, if the token is input in the password field the authentication works, but the string displayed as username is whatever the user input in the corresponding field. With the same token we can add as many instances of the same account as we wish.
Only one instance of each account, with the username/displayname of the user should be displayed.

Doubts:
- How to take the authentication method to be used: from a branding variable (as, for example, saml), or asking the server for that.
- Login view: what to do with username field. If the user inputs a token in the password field, the username field is irrelevant, but must remain due to accounts in other servers that do not require tokens.
- Edit credentials: for a newly generated token? Tokens are overridden; a new one invalidates the previous one, even though the accounts added with those tokens keep on being valid. Changing the account password invalidates all the generated tokens.
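
The first acceptance criterion above (detecting every method when more than one challenge header is received), sketched in Swift as an added example that is not code from the ownCloud iOS app. The type and function names are hypothetical, and it assumes OAuth2 is advertised as a `Bearer` challenge in `WWW-Authenticate`.

```swift
import Foundation

// Hypothetical names for illustration; not the ownCloud iOS app's classes.
enum AuthMethod: String { case bearer, basic }

/// Splits a header value on commas that are outside quoted strings.
func splitOutsideQuotes(_ value: String) -> [String] {
    var items: [String] = []
    var current = ""
    var inQuotes = false
    var escaped = false
    for ch in value {
        if escaped { current.append(ch); escaped = false; continue }
        if ch == "\\" && inQuotes { current.append(ch); escaped = true; continue }
        if ch == "\"" { inQuotes.toggle() }
        if ch == "," && !inQuotes { items.append(current); current = "" }
        else { current.append(ch) }
    }
    items.append(current)
    return items.map { $0.trimmingCharacters(in: .whitespaces) }.filter { !$0.isEmpty }
}

/// Returns every auth scheme offered, lowercased, in the order received.
func schemes(inChallengeHeaders headers: [String]) -> [String] {
    var found: [String] = []
    for item in headers.flatMap(splitOutsideQuotes) {
        let token = item.prefix(while: { !$0.isWhitespace && $0 != "=" })
        let rest = item.dropFirst(token.count).drop(while: { $0.isWhitespace })
        // "name=value" is a parameter of the previous challenge, not a new scheme.
        if token.isEmpty || rest.first == "=" { continue }
        found.append(token.lowercased())
    }
    return found
}

/// Assumption: OAuth2 is advertised as a Bearer challenge. Per the issue, OAuth2 is
/// the default whenever the server offers it, so Basic is chosen only if Bearer is absent.
func preferredMethod(forChallengeHeaders headers: [String]) -> AuthMethod? {
    let offered = Set(schemes(inChallengeHeaders: headers).compactMap(AuthMethod.init(rawValue:)))
    if offered.contains(.bearer) { return .bearer }
    return offered.contains(.basic) ? .basic : nil
}

// Constructed sample: a Basic challenge whose quoted realm contains a comma and
// which carries a second parameter, plus a separate Bearer header field.
let sample = ["Basic realm=\"ownCloud, files\", charset=\"UTF-8\"", "Bearer realm=\"ownCloud\""]
print(schemes(inChallengeHeaders: sample))
print(preferredMethod(forChallengeHeaders: sample)?.rawValue ?? "none")
```

Header fields with the same name may reach the client combined into one comma-separated value, which is why the split has to respect quoted strings and tell a new scheme apart from a parameter.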


davivel commented Aug 4, 2016

nasli removed the 1 - To Do label Aug 26, 2016
nasli added this to the 3.5.2 milestone Aug 26, 2016
nasli modified the milestones: 3.5.2, 3.5.3 Sep 19, 2016
davivel modified the milestones: 3.5.2, 3.5.3 Oct 25, 2016
nasli modified the milestones: backlog, 3.5.2 Nov 23, 2016

nasli commented Nov 23, 2016

Moved to backlog until the scope with OAuth2 is defined

davivel modified the milestones: 3.5.3, backlog Nov 30, 2016
davivel changed the title from "Authentication based in token" to "Authentication based in token (OAuth2)" Nov 30, 2016
nasli modified the milestones: backlog, 3.5.4, 3.5.5 Feb 6, 2017

butonic commented Mar 22, 2017

https://github.com/owncloud/oauth2 is available in 9.1, see owncloud/core#26742

nasli modified the milestones: development, 3.7.0 Jul 4, 2017
nasli modified the milestones: 3.7.0, development Jul 4, 2017