A new online accounts system?
For many years Plasma has come with its own online accounts system, known as KAccounts. The idea is simple: in Systemsettings you log into a given online service once, and then several applications can use that login, instead of logging in inside each application separately.
The number of services available and applications making use of them changed a bit over recent years. As of right now the following services are supported:
- Nextcloud: This is used by Dolphin to add a shortcut for file access via WebDAV to the Network section, as well as by the Purpose framework to allow uploading files to Nextcloud.
- Owncloud: Used for the same things as Nextcloud.
- Google: Used by Purpose for uploading to YouTube. In theory also used by kio-gdrive for browsing Google Drive, but access to this is currently blocked by Google.
- OpenDesktop: Used for reviewing store.kde.org content in Discover.
This isn’t all that much. Notably absent here is KDE PIM, which could greatly benefit from integrating with the Nextcloud and Google accounts. This is something many users have asked for over time. Plus, there are more services that are used across applications and could benefit from a systemwide online accounts system, like Mastodon or Matrix.
Overall the situation with online accounts support in KDE is unsatisfactory, and it’s not for a lack of trying. Over the last few years there have been several smaller improvements to the system. However there have been no changes to the overall architecture. At this point I am convinced that the architecture is what’s holding us back, and we need to do something about that.
The current system is based on the Accounts SSO framework. It consists of several libraries and processes, split across about a dozen different repositories. This makes for a rather complex system for what is effectively reading and writing to a SQLite database and some OAuth handling. It also receives very little development activity, to the point where it was hard to get the required patches for Qt6 support in. Using an external accounts system as a base for KAccounts only makes it harder to iterate on our system, while providing no meaningful interoperability with other parties.
The system also isn’t designed for a sandboxed world. Apps have direct access to the accounts database and keychain, so there is no ability to restrict which apps can use which accounts. While per-application access control wasn’t really feasible for traditional Linux packaging, with sandboxed formats like Flatpak we can and want to restrict apps to only be able to access select accounts.
Having pondered the problem for a while I came to the conclusion that we need a fresh start for our online accounts story, a new system that fulfils the following goals:
- It’s actually used by relevant KDE and third-party software
- Easy to hack on and extend
- Easy to be integrated into consumer software, with minimal dependencies
- Can be extended with third-party providers
- Account data is stored reasonably securely, with per-application access control (for sandboxed applications at least)
Based on these goals I have developed a prototype for how such a system could look.
At its core there is a daemon process that manages the accounts and exposes them via a DBus interface. Applications use this DBus interface to list available accounts as well as their parameters and credentials. Only accounts the app has been granted access to are visible that way. Application authentication works in a way that’s inspired by how xdg-desktop-portal works.
An application can trigger a request for accessing a new account. The daemon will then handle the whole login flow and, if successful, will return a handle to the new account. Alternatively the user can log into a given service in the systemsettings module and give access to relevant apps through that.
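To make the access-control idea concrete, here is a small Python model of the daemon described above. It is an added illustration, not KOnlineAccounts code: the class and method names are hypothetical, the app identity is derived the way a portal does it (from the `[Application]` section of the sandbox's `/.flatpak-info`, which the daemon reads itself rather than trusting the caller), and unsandboxed host processes are assumed to see every account, matching the "for sandboxed applications at least" goal.

```python
"""Toy model of daemon-mediated accounts with per-application grants.
Constructed example; names are hypothetical, not the project's API."""
import configparser
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Account:
    handle: str
    service: str
    parameters: dict
    credentials: dict


def app_id_from_flatpak_info(flatpak_info: Optional[str]) -> str:
    """Identify the caller like a portal would: a sandboxed app is named by
    /.flatpak-info in its mount namespace; no file means an unsandboxed host
    process, which we represent by the empty id (assumption: unrestricted)."""
    if flatpak_info is None:
        return ""
    cp = configparser.ConfigParser()
    cp.read_string(flatpak_info)
    return cp["Application"]["name"]


class AccountsDaemon:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        self._grants: dict[str, set[str]] = {}  # app id -> account handles

    def add_account(self, account: Account, granted_to=()) -> None:
        self._accounts[account.handle] = account
        for app in granted_to:
            self._grants.setdefault(app, set()).add(account.handle)

    def list_accounts(self, app_id: str) -> list:
        """A sandboxed app only sees accounts it was granted; host sees all."""
        if app_id == "":
            return list(self._accounts.values())
        return [self._accounts[h] for h in sorted(self._grants.get(app_id, ()))]

    def request_access(self, app_id: str, service: str,
                       login_flow: Callable[[str], Optional[dict]]) -> Optional[str]:
        """The login flow runs inside the daemon, so the app never handles the
        password or OAuth exchange; on success it only receives a handle."""
        creds = login_flow(service)
        if creds is None:
            return None
        handle = f"{service}-{len(self._accounts) + 1}"
        self.add_account(Account(handle, service, {"server": creds["server"]},
                                 {"token": creds["token"]}), granted_to=[app_id])
        return handle
```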
Currently the following services/apps are supported:
- Nextcloud: Used by Purpose and KDE PIM
- Mastodon: Used by Tokodon
- Google: Used by KDE PIM and Purpose
You can find the code at https://invent.kde.org/nicolasfella/konlineaccounts.
It is still very much a prototype, which is by no means ready for production, but it shows the basic concept. If you have input on this please get in touch, for example by filing an issue.
