[Request] Jottacloud 2FA

Hi, I am a very satisfied user of Duplicati 2 since November last year and have since uploaded a couple dozen TB to jottacloud.

I use the regular jottacloud apps (Desktop/Mobile) as well and have some unencrypted, sensitive documents there. For this reason, I would really like to use 2FA on jottacloud.com

I understand this would require Duplicati to not only store my jotta credentials, but an authorization token instead, that contains the session data after entering valid 2FA credentials.

Is there any way you could implement this? jotta is my only “main” service I am currently using without proper 2FA in place.

Thank you

Since the Duplicati backend is based on a non-official reverse engineered API, it might not be that easy to do. We are, though, already looking into upgrading the backend to a new API that Jottacloud has for uploading files (which should speed up the backup process). It could be that we find something that enables us to implement 2FA in that process, but no promises…

3 Likes

Thank you for the quick reply. This is more than I could have hoped, knowing about the unofficial nature of the current api-connection.

Looking forward to whatever you guys are able to implement.

While trying to answer #4232, I discovered Changes to Jottacloud authentication. OpenID Connect mentions “Multi-factor authentication” among its potential future benefits, but I wondered if there are also compatibility impacts from this on third party software like JaFS (whose Jottacloud background info helped) and Duplicati.

Because @albertony seems central to both of those packages (thanks!), let me see if I can get an opinion.

I have seen that, but not had the chance to look into what effect it has on my code. Regular username/password authentication still seems to work (assuming #3929 was caused by something else…), but I fear that it will not last and we must handle OpenID (not only for the added feature of 2FA/MFA support). If anyone feels like helping find out how this stuff works, it would be appreciated…

1 Like

I will not be able to contribute much, except for this tip:
Try and talk to jottacloud directly. They have so far been very helpful, when asked questions.

OpenID seems the most stable way to go.

Jottacloud support has recently been implemented in rclone. That will be interesting to try out, and to follow its development!

The initial version seems to follow the same principles as the implementation in Duplicati, and since there is mention of it being partly based on the work on JaFS, which was also the foundation for the Duplicati backend, that is not surprising. But there is also a pull request where support for the new API and OAuth is being implemented (using information from ttyridal if anyone is interested in some more details). That is something we can use as a reference for improvement in the Duplicati backend as well. Unfortunately there is no 2FA support (I think) in rclone’s implementation either, and as discussed in the pull request it is a bit risky since they have generated an API key that is being embedded in the implementation, and it could easily be revoked at any point. Maybe we should support both the existing and the new API/authentication, with a configuration option to decide, as long as the existing still works…

1 Like

Is there any way I could help here? Jotta could deprecate the old auth method any day…

If “API key” refers to “client_secret” in information from ttyridal, Duplicati would presumably not embed it in source, but manually enter it into the Duplicati OAuth Handler. See How we get along with OAuth for more. Seemingly this difference is enough for Amazon, unlike the Amazon Drive bans rclone storage client case.

Still, it seems worth somebody testing the rclone Duplicati backend with Jottacloud, while awaiting new API. Possibly their code will finish and “just work” if Jottacloud kills the old API before Duplicati’s code is done…

I tried building rclone from the pull request but am unable to (maybe just incapable myself).

Thanks for your replies though, it seems that the Duplicati OAuth Handler would be very capable of also working with Jottacloud. Is there a ticket/issue we can contribute to?

The (many) Duplicati Issues don’t seem to have this one (you can search for yourself if you like), though I did find the Jottacloud backend #2355 pull request from @albertony which I’d guess is what you’re running now.

The oauth-handler Issues is quite empty in general though there have been a few pull requests made before.

Maybe the several involved parties could discuss who might wind up doing what parts of a joint development?

There’s probably some UI and other work, but the good news is there are examples of new backend additions.

Rclone v1.46 has been released, and it includes the mentioned Jottacloud changes - and actually they managed to get 2FA support as well:

  • Resume and deduplication support (Oliver Heyme)
  • Use token auth for all API requests Don’t store password anymore (Sebastian Bünger)
  • Add support for 2-factor authentification (Sebastian Bünger)

I don’t think it would be too hard to port the changes into Duplicati. The question is how to handle this client_secret/client_secret thing, and also do you mean to say that Duplicati’s OAuth handler needs some changes first?

Anyway, I think it is worth spending some time testing out the implementation in Rclone first, either using rclone directly or via the rclone backend of Duplicati.

By the way, Jottacloud answered a question on their forum regarding using the API:

We are currently investigating the road to offering some public API’s. We will probably not offer the current API’s as public, but we will definitely offer a set of API’s for external developers so they can create a meaningful app integration with Jottacloud. At this point I can’t really give you a timeframe for this, but Jottacloud will work to adopt an open API strategy.

I’m not enough of an expert to firmly say what changes would be needed. If Jottacloud is standard OAuth2, then the Duplicati OAuth Handler might just need some values plugged in to set up that additional provider.

Though I haven’t done it myself, I assume the 2FA user experience would be some added web dialog with the storage provider. Duplicati stays clear of the initial authentication, simply collecting the returned tokens.

The Duplicati client itself might need to offer the user the choice of the old username/password way or the new OAuth way (assuming Jotta will continue to support both – I’m not sure and am not following closely).