From 3816a114e10ee266de4575911542c163b58099dd Mon Sep 17 00:00:00 2001 From: Dmitry Mayorov Date: Fri, 19 Jul 2019 23:22:40 +0200 Subject: [PATCH] document limitations --- .../pages/configuration/server/security/oauth2.adoc | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/modules/admin_manual/pages/configuration/server/security/oauth2.adoc b/modules/admin_manual/pages/configuration/server/security/oauth2.adoc index 0b1c7374e4..c90eb489be 100644 --- a/modules/admin_manual/pages/configuration/server/security/oauth2.adoc +++ b/modules/admin_manual/pages/configuration/server/security/oauth2.adoc @@ -1,5 +1,7 @@ = OAuth2 :toc: right +:shibboleth-app-url: https://marketplace.owncloud.com/apps/user_shibboleth +:oauth2-user-auth-url: https://oauth.net/articles/authentication/ == What is it? @@ -176,7 +178,14 @@ To enable token-only based app or client logins in `config/config.php` set `toke == Limitations -- Since the app handles no user passwords, only master key encryption works (similar to -https://marketplace.owncloud.com/apps/user_shibboleth[the Shibboleth app]). +- Since the app does not handle user passwords, only master key encryption works (similar to {shibboleth-app-url}[the Shibboleth app]). - Clients cannot migrate accounts from Basic Authorization to OAuth2, if they are currently using the `user_ldap` backend. +- It is not possible to explicitly end user sessions when using OAuth2. Have a read through {oauth2-user-auth-url}[User Authentication with OAuth 2.0] to find out more. + +== Further Reading + +* https://oauth.net/articles/authentication/[User Authentication with OAuth 2.0] +* http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html[The problem with OAuth for Authentication.] +* https://security.stackexchange.com/questions/81756/session-authentication-vs-token-authentication[Session Authentication vs Token Authentication] +* https://tools.ietf.org/html/rfc7009[OAuth 2.0 Token Revocation]
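Review bot: the new `:oauth2-user-auth-url:` attribute is only used in the Limitations bullet; the "Further Reading" entry added in the second hunk still spells out `https://oauth.net/articles/authentication/` literally, so the two copies of the URL can drift apart. Suggest writing that list entry as `* {oauth2-user-auth-url}[User Authentication with OAuth 2.0]` so the attribute defined here is the single source for the link.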
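Review bot: the new limitation "It is not possible to explicitly end user sessions when using OAuth2" is ambiguous next to the RFC 7009 (OAuth 2.0 Token Revocation) link added in the same hunk: a reader cannot tell whether tokens cannot be revoked at all, or whether revoking a token leaves an already-established session alive. Suggest stating which of the two is meant, and what an administrator can do about it, so the bullet carries the information the linked articles are meant to support. Minor: the link text `The problem with OAuth for Authentication.` carries a trailing period inside the brackets, and that entry uses `http://` while the other three use `https://`.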