[2.10.0] Can not connect to oCIS #9324

Closed
dragotin opened this issue Jan 3, 2022 · 14 comments
Labels: p2-high Escalation, on top of current planning, release blocker

Comments

dragotin (Contributor) commented Jan 3, 2022

With the client version 2.10.0 rc2 and also 2.11.0-git it is not possible to connect a new account to oCIS. The same setup works with client version 2.9.2.

The client opens the browser with this URL:

http://127.0.0.1:35619/?code=QuOxd7Kn10pIf9oEPsY5S0rXXXn-hgrC&scope=profile%20openid%20offline_access%20email&session_state=4bXXXXb7373c63a1e95a07bc7949e0afd5d80d0ea637c761dde60546e5b5baf3.yvhihIZJcp02lGGL0IX1PB-oVi3VsHUO9ltxpVYUkp8%3D&state=QBxRZrrE8SSSUPbie5VImhCR-Y4agUbCY8_n-NFRJcQ%3D

and after allowing access the browser reports:
[screenshot not reproduced]

The OIDC redirect url seems empty.

dragotin (Contributor, Author) commented Jan 3, 2022

Maybe patches around #9196 had some side effects?

michaelstingl (Contributor) commented:

Can be reproduced with those instances:

  • ocis.ocis-traefik.latest.owncloud.works
  • ocis.ocis-traefik.released.owncloud.works
  • ocis.ocis-keycloak.latest.owncloud.works
  • ocis.ocis-keycloak.released.owncloud.works

user: einstein
pw: relativity

Can't be reproduced with the oC10 OAuth 2.0 app:

  • demo.owncloud.com

@michaelstingl michaelstingl added the p2-high Escalation, on top of current planning, release blocker label Jan 3, 2022
@michaelstingl michaelstingl modified the milestones: 2.10, 2.10.0 Jan 3, 2022
fmoc (Contributor) commented Jan 4, 2022

https://ocis.ocis-traefik.latest.owncloud.works/signin/v1/identifier
?client_id=<censored>
&code_challenge=<censored>
&code_challenge_method=S256
&flow=oidc
&prompt=select_account+consent
&redirect_uri=http%3A%2F%2F127.0.0.1%3A36629
&response_type=code
&scope=openid+offline_access+email+profile
&state=<censored>

This is what the URL opened in the browser looks like on both the master and 2.10 branch (similar results for a local oCIS instance and the other ones listed by @michaelstingl). I'm not entirely sure at this point why there are so many more arguments in my test than in your URL, I do not have too much experience with the OIDC implementation in oC (yet).

I see two possible causes: either the redirect after a successful authorization on the server is not working (i.e., the redirect URL generated by the server from the information we send to it initially is incorrect), or some state in the client goes missing in the meantime. I'll git bisect the client, I suppose the issue is on our side.

fmoc (Contributor) commented Jan 4, 2022

@dragotin guessed right that 4ba3702 (mentioned in #9196) broke the behavior; the commit before works as expected. Will have a look tomorrow.

michaelstingl (Contributor) commented:

"I'm not entirely sure at this point why there are so many more arguments in my test than in your URL"

The URL @dragotin posted, is a different one. It's the one where the browser redirects to the webserver in the client running/listening on 127.0.0.1:35619.

[screenshot of the OAuth code flow sequence diagram]

(Source: https://github.com/owncloud/oauth2/wiki/OAuth-code-Flow-Sequence-Diagram)

fmoc (Contributor) commented Jan 4, 2022

Noticed that in the meantime. I found another issue in the workflow, where the relevant error message gets lost in the process:

"\tError: Missing field access_token\n\tError: Missing field refresh_token\n\tError: Missing field token_type\n"

Due to the lack of comments within the code, I am not sure whether it is by design that this error message is superseded by the less helpful redirect_uri mismatch, or whether it's considered a feature not to expose details of the validation (but hiding does not really make sense).

I cannot yet explain why the error occurs, though. #9275 only changes some state-keeping logic. I need to check whether those need to be transmitted at all and are simply missing in the URL returned by the server for some reason. I don't think so, given the redirect URL in the working commit.

TheOneRing (Member) commented:

Noticed that in the meantime. I found another issue in the workflow, where the relevant error message gets lost in the process:

"\tError: Missing field access_token\n\tError: Missing field refresh_token\n\tError: Missing field token_type\n"

Due to the lack of comments within the code, I am not sure whether it is by design that this error message is superseded by the less helpful redirect_uri mismatch, or whether it's considered a feature not to expose details of the validation (but hiding does not really make sense).

Let's have a short call.

michaelstingl (Contributor) commented Jan 4, 2022

error message is superseded by the less helpful redirect_uri mismatch

This is the error message from the IdP:

01-03 15:37:36:846 [ info sync.httplogger ]:	"7c9d6d7d-706d-4b90-b652-2f9c0de3016e: 
Request: POST https://ocis.ocis-traefik.latest.owncloud.works/konnect/v1/token 
Header: { Authorization: Basic [redacted], Content-Type: application/x-www-form-urlencoded; charset=UTF-8, User-Agent: Mozilla/5.0 (Macintosh) mirall/2.10.0rc2 (build 6347) (testpilotcloud, osx-21.2.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: 7c9d6d7d-706d-4b90-b652-2f9c0de3016e, Original-Request-ID: 7c9d6d7d-706d-4b90-b652-2f9c0de3016e, Content-Length: 444, } 
Data: [client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69&client_secret=UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh&scope=openid%20offline_access%20email%20profile&grant_type=authorization_code&code=MFKOGdli1O63BIv2GfOYwI-OoW9Sqysp&redirect_uri=http://127.0.0.1:0&code_verifier=KjTvJoEqf31I30mUb4rxPmOjlWXZ7O5XIfgj73LrcktLKF-d7zq5HVqp9-aZlo1B6aUjnEAZFBkGVJoEVq80_ohSRFSBTsMNU9s-PGy-_xp6lBcqA47BxVvOvBTe1cNe]"


01-03 15:37:36:933 [ info sync.httplogger ]:	"7c9d6d7d-706d-4b90-b652-2f9c0de3016e: 
Response: POST 400 https://ocis.ocis-traefik.latest.owncloud.works/konnect/v1/token 
Header: { Cache-Control: no-store, Content-Length: 79, Content-Security-Policy: frame-ancestors 'none', Content-Type: application/json; encoding=utf-8, Date: Mon, 03 Jan 2022 14:37:36 GMT, Expires: Thu, 01 Jan 1970 00:00:00 GMT, Last-Modified: Mon, 03 Jan 2022 14:37:36 GMT, Pragma: no-cache, Vary: Origin, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, X-Idp-Version: 4537d0ed, } 
Data: [{\n  \"error\": \"invalid_grant\",\n  \"error_description\": \"redirect_uri mismatch\"\n}\n]"

I noticed it because it's a different error message with the Keycloak:

01-03 15:39:00:578 [ info sync.httplogger ]:	"e9ddf02c-aa45-451f-ac96-fb1a0bc8661e: 
Request: POST https://keycloak.ocis-keycloak.latest.owncloud.works/auth/realms/oCIS/protocol/openid-connect/token 
Header: { Authorization: Basic [redacted], Content-Type: application/x-www-form-urlencoded; charset=UTF-8, User-Agent: Mozilla/5.0 (Macintosh) mirall/2.10.0rc2 (build 6347) (testpilotcloud, osx-21.2.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: e9ddf02c-aa45-451f-ac96-fb1a0bc8661e, Original-Request-ID: e9ddf02c-aa45-451f-ac96-fb1a0bc8661e, Content-Length: 462, } 
Data: [client_id=afb74479-9031-48d2-941b-b5b9d98ee7cf&client_secret=E9S3Jtsl3Ng0F6yQEJLKJAfGSM4uYA9n&scope=openid%20offline_access%20email%20profile&grant_type=authorization_code&code=ecff6640-c58a-4017-b1b3-5c2f0528b9c7.6e7ea168-b7bb-4e04-8afa-a250923983aa.afb74479-9031-48d2-941b-b5b9d98ee7cf&redirect_uri=http://127.0.0.1:0&code_verifier=iIq1VH1myGljbWAbHwDp4zNLVl0-EyMymnxteWup-i_trtTfqNMYe8OhWhom5V3DgmJ3B26s8dTpL4Rd_ZXRoYkFBKRcBeo4ImdNCGQ8UqfLcgEy__hHIhSfBhIjAeiF]"


01-03 15:39:00:632 [ info sync.httplogger ]:	"e9ddf02c-aa45-451f-ac96-fb1a0bc8661e: 
Response: POST 400 https://keycloak.ocis-keycloak.latest.owncloud.works/auth/realms/oCIS/protocol/openid-connect/token 
Header: { Cache-Control: no-store, Content-Length: 70, Content-Type: application/json, Date: Mon, 03 Jan 2022 14:39:00 GMT, Pragma: no-cache, Referrer-Policy: no-referrer, Strict-Transport-Security: max-age=31536000; includeSubDomains, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Xss-Protection: 1; mode=block, } 
Data: [{\"error\":\"invalid_grant\",\"error_description\":\"Incorrect redirect_uri\"}]"
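Both token requests above send redirect_uri=http://127.0.0.1:0 while the authorization request carried the real loopback port, and both IdPs compare the two values before redeeming the code. The following is an added example (not code from the desktop client or from oCIS/Konnect/Keycloak) that replays that server-side check, plus the PKCE verifier/challenge check, on constructed request strings; the host, client_id, state and code are placeholders, and the PKCE pair is the RFC 7636 Appendix B test vector.

```python
"""Replay the IdP's redirect_uri and PKCE checks on constructed request data."""
import base64
import hashlib
from urllib.parse import parse_qs, urlparse

# RFC 7636 Appendix B test vector, so the PKCE pair is known to be consistent.
CODE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
CODE_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# Constructed authorization request shaped like the one fmoc posted;
# client_id, state and code are placeholders, not real values.
AUTH_REQUEST_URL = (
    "https://ocis.example.test/signin/v1/identifier?client_id=CLIENT_ID"
    f"&code_challenge={CODE_CHALLENGE}&code_challenge_method=S256&flow=oidc"
    "&redirect_uri=http%3A%2F%2F127.0.0.1%3A36629&response_type=code"
    "&scope=openid+offline_access+email+profile&state=STATE"
)
# Token request body as the broken client sends it: port 0, not 36629.
BROKEN_TOKEN_BODY = (
    "grant_type=authorization_code&code=CODE&redirect_uri=http://127.0.0.1:0"
    f"&code_verifier={CODE_VERIFIER}"
)
# Same body carrying the redirect_uri the authorization request actually used.
FIXED_TOKEN_BODY = BROKEN_TOKEN_BODY.replace("127.0.0.1:0", "127.0.0.1:36629")


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def first_param(query: str, name: str) -> str:
    """One query/form parameter, percent-decoded, or '' when absent."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def check_token_request(authorization_url: str, token_body: str) -> list:
    """List the reasons an IdP would answer invalid_grant to this token request."""
    auth_query = urlparse(authorization_url).query
    problems = []
    expected_uri = first_param(auth_query, "redirect_uri")
    sent_uri = first_param(token_body, "redirect_uri")
    # RFC 6749 4.1.3: the token request must repeat the redirect_uri verbatim.
    if sent_uri != expected_uri:
        problems.append(f"redirect_uri mismatch: sent {sent_uri!r}, expected {expected_uri!r}")
    # RFC 7636 4.6: the server recomputes the challenge from the verifier.
    if s256_challenge(first_param(token_body, "code_verifier")) != first_param(auth_query, "code_challenge"):
        problems.append("PKCE code_verifier does not match code_challenge")
    return problems
```

Running check_token_request on BROKEN_TOKEN_BODY yields the single redirect_uri mismatch that Konnect and Keycloak report as invalid_grant; FIXED_TOKEN_BODY yields an empty list.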

fmoc (Contributor) commented Jan 4, 2022

Closed by #9328.

@fmoc fmoc closed this as completed Jan 4, 2022
gabi18 (Contributor) commented Jan 5, 2022

Can successfully log in on ocis.ocis-traefik.latest.owncloud.works with ownCloud-2.10.0-rc3.

But uploading a file fails -> red error message "Host requires authentication", 'Not synced' shows:

[attachments: screenshot ocis-file-upload; logs 20220105_1059_owncloud.log.0.gz, 20220105_1142_owncloud.log.0.gz, 20220105_1142_owncloud.log.1.gz, 20220105_1142_owncloud.log.2.gz, 20220105_1143_owncloud.log.0.gz]

Download from server is successful.

fmoc (Contributor) commented Jan 11, 2022

@gabi18 please open a new issue.

TheOneRing (Member) commented:

The issue is already known #9330

TheOneRing (Member) commented:

OK, I'm wrong, different error I guess.

gabi18 (Contributor) commented Jan 11, 2022

Yes, I think it's different from #9330; there is still a problem with authentication. Is a new issue required, or should this one be reopened?
