
Login dialog displayed after successful mtls auth in 21.0.0 RC1 #4671

Open
pboguslawski opened this issue Jan 31, 2025 · 4 comments
Labels
1. to develop Accepted and waiting to be taken care of (should be only set by nextcloud employees) bug Something isn't working

Comments

@pboguslawski

Steps to reproduce

Nextcloud Talk 21.0.0 RC1 with #4634 allows one to select a client cert on the initial connection screen; this may be simplified - just pop up this window automatically (like the nc android client app does) if the server requests a client cert in the handshake.

After successful authentication with a client certificate, the talk application should be authorized without any other confirmations, permissions, tokens or passwords. Now the talk app redirects to the browser for an additional confirmation, which should not be required because client cert auth is enough proof for the application to be authenticated and authorized for access (similar to how K-9 Mail or DAVx5 work with client certs).

When client certs are used, it should work with reverse proxies and user_saml without messing with additional stuff like passwords, confirmations and tokens (just like in SSO environments).

Related: #3907
Related: nextcloud/android#12997
Related: #4634

Expected behaviour

Successful mTLS auth with reverse proxy and user_saml should be enough for android talk client to be authenticated.

Initial connection screen should automatically ask for client cert if asked by server in TLS handshake.

Actual behaviour

Successful mTLS auth with reverse proxy and user_saml starts additional confirmation process in browser.

Initial connection screen does not automatically ask for client cert if asked by server in TLS handshake. Manual client cert choosing is required.

Device brand and model

Any

Android version

15

Nextcloud Talk app version

21.0.0 RC1

Nextcloud server version

v30.0.5

Talk version

v20.1.3

Custom Signaling server configured

Yes (specify version in Additional Information)

Custom TURN server configured

None

Custom STUN server configured

None

Android logs

No response

Server log

Additional information

No response
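For readers unfamiliar with the reverse-proxy setup the report refers to, the following is an added example (not from the issue author or the Nextcloud project) of how such a proxy terminates mTLS and hands the verified identity to the backend. It assumes nginx as the reverse proxy; the certificate paths, the `X-Client-DN` header name and the upstream address are placeholders chosen for illustration, not values from the issue.

```nginx
server {
    listen 443 ssl;
    server_name cloud.example.invalid;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/server.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder path

    # Ask every client for a certificate during the TLS handshake and
    # require that it chains to this CA; the handshake fails otherwise.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;  # placeholder path
    ssl_verify_client on;
    ssl_verify_depth  2;

    location / {
        # Defence in depth: refuse the request unless nginx itself
        # verified the chain (guards against a misconfigured 'optional').
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # proxy_set_header replaces any same-named header a client sent,
        # so the backend only ever sees the DN nginx verified.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header Host            $host;

        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

The security-relevant point for the behaviour requested above is the last block: the backend (user_saml or any header-based SSO) can only treat `X-Client-DN` as proof of identity if the proxy is the sole path to it and always overwrites that header, which is why the example sets it unconditionally rather than passing client headers through.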

@migulen

migulen commented Jan 31, 2025

@pboguslawski , IMHO I think that it's important to have the possibility to choose whether the client certificate is the only authorization and validation control, or not. I would prefer that we could choose to enable these 2 barriers, or only one.

Could I be wrong.

@pboguslawski
Author

I would prefer that we could choose to enable these 2 barriers, or only one.

Extra barriers, if required, should be optional. Now one cannot use just client certs.

Could I be wrong.

Redirecting to web pages (with extra client cert authentication which may and should look suspicious to users) just to confirm again what was already confirmed by choosing a client cert is not optimal IMHO.

@migulen

migulen commented Jan 31, 2025

Extra barriers, if required, should be optional. Now one cannot use just client certs.

For me it's OK, if the possibility exists to enable the 2nd barrier.

Nothing to argue about having the possibility to only use client certs if it's your wish. I will support you on asking for this.

Redirecting to web pages (with extra client cert authentication which may and should look suspicious to users) just to confirm again what was already confirmed by choosing a client cert is not optimal IMHO.

I think there are some scenarios where it could be good to have this way of "doing". Not everybody has the same resources and needs. ;-)

@mahibi mahibi added 1. to develop Accepted and waiting to be taken care of (should be only set by nextcloud employees) and removed 0. Needs triage labels Feb 14, 2025
@mahibi
Collaborator

mahibi commented Feb 14, 2025

We will align with the android files team.
For the long term the idea is to use common code for the nextcloud android apps (e.g. for all login and authentication); however, this may take a while.
