From 975d3bd00542fef98f2554df71c0d0ed26d8d5c3 Mon Sep 17 00:00:00 2001 From: Rotzbua Date: Mon, 28 Oct 2019 17:42:34 +0100 Subject: [PATCH] Add security considerations about oauth2 #1683 Signed-off-by: Rotzbua --- admin_manual/configuration_server/oauth2.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/admin_manual/configuration_server/oauth2.rst b/admin_manual/configuration_server/oauth2.rst index 36c676c26..d88b2abe5 100644 --- a/admin_manual/configuration_server/oauth2.rst +++ b/admin_manual/configuration_server/oauth2.rst @@ -34,3 +34,10 @@ Nextcloud server you will have to send the proper authorization header. Authorization: Bearer Note that apache by default strips this. Make sure you have ``mod_headers``, ``mod_rewrite`` and ``mod_env`` enabled. + +Security considerations +----------------------- + +Nextcloud ``OAuth2`` implementation currently does not support scoped access. This means that every token has full access to the complete account including read and write permission to the stored files. It is essential to store the ``OAuth2`` tokens in a safe way! + +Without scopes and restrictable access it is not recommended to use a Nextcloud instance as a user authentication service.
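Review bot: the new "Security considerations" section in the oauth2.rst hunk states the consequence of missing scopes but leaves "store the ``OAuth2`` tokens in a safe way!" undefined, and the last sentence gives no reason for its recommendation. Since the text itself says every token grants read and write access to the complete account, it would be clearer to spell out that a token must be protected like the account password, that it should never be exposed to client-side code or logged, and that a token leaked to a third party gives that party full access to the user's files; that is also the argument the closing sentence needs, i.e. a third-party application that only wants to authenticate users would still receive a token with full read and write permission, which is why Nextcloud should not be used as a user authentication service until scoped access exists. Two style points for documentation prose: "Nextcloud ``OAuth2`` implementation" wants an article ("The Nextcloud ``OAuth2`` implementation"), and the exclamation mark in "in a safe way!" should be a period to match the rest of the admin manual.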