The truth behind privacyIDEA and ownCloud two factor authentication

I understand there is a bit of confusion about two factor authentication with privacyIDEA for ownCloud. Comments on the ownCloud blog post and on the privacyIDEA YouTube channel indicate this.

To do openness and transparency the honour, I would like to elaborate on what has happened.

The empire strikes back

The subdirectory authmodules in the privacyIDEA GitHub repository contained a module for ownCloud. In ownCloud speak, an “app”. This tried to support ownCloud 8. It failed with ownCloud 9. This was due to the fact that ownCloud <= 9 had no concept of or API for attaching a two factor authentication system. It even had no concept of passing authentication to another module. It only allowed replacing the complete user module. I.e. authentication, user existence and authorization were not separated the way you would be used to from e.g. PAM. And this is why providing a module for two factor authentication for ownCloud 8 and 9 was the biggest pain in the ass I ever experienced.

Now several simple users came around and popped up on the mailing list or at GitHub. I call them simple, because they were not able to look behind the scenes, analyze problems, look at a line of code or even add a line of code. I experienced several occasions when such users complained that the old privacyIDEA “app” for 8 and 9 was not working as they expected.

Finally I got really sick of those users with this simple consuming attitude. I got sick of claiming to have a two factor solution for an application which did not provide a decently designed and documented authentication interface. And this is why I happily deleted the old ownCloud plugin from the privacyIDEA GitHub repository.

A new hope

Finally, ownCloud 9.1 was said to come with a new authentication API – which unfortunately was again designed without asking someone who knows some things about two factors — like me! Big mistake! Nevertheless – I decided to give it a second chance. Thanks to the help of Christoph Wurst and Thomas Müller I was able to implement a new privacyIDEA ownCloud app for ownCloud 9.1.

As I am still very disappointed in any kind of “community” regarding the old ownCloud app (for privacyIDEA itself it is a completely different picture!!!), the privacyIDEA ownCloud App for 9.1 is not publicly available yet. I don’t want to hear any consumers complaining about things they don’t understand or are not willing to dive into! But this is no problem. ownCloud users with a handful of accounts can happily use the TOTP app, which will probably run very well for them.

These words might sound hard to some of you. But you may appreciate that they are my real truth!

The return of the Jedi

Power users or companies with many users have different requirements. They will also do two factor authentication at the firewall, at portals, at terminal servers or at the VPN. In this case it makes no sense to manage TOTP tokens within ownCloud, because these tokens cannot be used for the VPN. Other tokens would again have to be managed for the VPN somewhere else… And for the terminal servers…

Enterprise environments require that the users’ tokens are managed in one central place. All users, for all applications. In this case privacyIDEA and the privacyIDEA ownCloud app make absolute sense. Customers should contact NetKnights GmbH, because this is the place where they will receive the privacyIDEA ownCloud App!

Kind regards

Cornelius