
[OIDC] fallback to static client id when OIDC DCR fails

Open michaelstingl opened this issue 3 years ago • 5 comments

Pre-submission Checks

  • [X] I checked for similar issues, but could not find any. I also checked the closed issues. I could not contribute additional information to any existing issue.
  • [X] I will take the time to fill in all the required fields. I know that the bug report may be dismissed otherwise due to lack of information.

Feature description

Insights from @micbar

I see no possible way to deactivate "Dynamic Client registration" (DCR) on Keycloak. So it seems we always have the registration endpoint available. Keycloak has policies for which clients, origins and redirect URLs it accepts. So it is very likely that the registration request can fail.

Proposed solution

The client should be graceful when the registration attempt fails and try to connect with the public client ID.

Alternative solutions you considered

No response

Additional context

iOS implementation:

  • https://github.com/owncloud/ios-app/issues/1006
  • https://github.com/owncloud/ios-app/pull/1068

Android issue:

  • https://github.com/owncloud/android/issues/3755

@TheOneRing

michaelstingl avatar Sep 08 '22 19:09 michaelstingl

Looking at the code, this should already be the case...

TheOneRing avatar Sep 13 '22 11:09 TheOneRing

I implemented two unit tests for dynamic registration and the fallback appears to be working.

TheOneRing avatar Sep 13 '22 13:09 TheOneRing

Awesome. What happens when the userinfo request after the registration fails?

micbar avatar Sep 13 '22 13:09 micbar

In that case the authentication fails, as we can't compare the server-provided user with the requested user. This check is required to prevent mixing up the sync of einstein with those from katherine.

TheOneRing avatar Sep 13 '22 13:09 TheOneRing
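
The fallback requested in the issue and the userinfo check described in the comment above, as an added example (not the ownCloud client's code). The transport callable, `STATIC_CLIENT_ID`, the `preferred_username` comparison and the `fake_idp` responses are assumptions constructed for illustration.

```python
from typing import Callable, Optional, Tuple

# Assumed transport: (method, url, json_body, bearer) -> (status, json)
Http = Callable[[str, str, Optional[dict], Optional[str]], Tuple[int, dict]]
STATIC_CLIENT_ID = "example-public-client"  # placeholder, not a real client id

class AuthError(Exception):
    """Login must be aborted."""

def resolve_client(http: Http, metadata: dict, redirect_uri: str) -> dict:
    """Try RFC 7591 registration; use the static public client if it fails."""
    endpoint = metadata.get("registration_endpoint")
    if endpoint:
        request = {"redirect_uris": [redirect_uri], "client_name": "example-sync",
                   "token_endpoint_auth_method": "client_secret_basic"}
        try:
            status, body = http("POST", endpoint, request, None)
        except OSError:  # network failure counts as a failed registration
            status, body = 0, {}
        if status == 201 and body.get("client_id"):
            return {"client_id": body["client_id"],
                    "client_secret": body.get("client_secret"), "source": "dcr"}
    # Persist the result: refresh tokens are bound to the client that got them.
    return {"client_id": STATIC_CLIENT_ID, "client_secret": None, "source": "static"}

def verify_user(http: Http, metadata: dict, token: str, expected: str) -> str:
    """Fail closed unless userinfo confirms the account being set up."""
    status, body = http("GET", metadata["userinfo_endpoint"], None, token)
    if status != 200:
        raise AuthError("userinfo failed, identity cannot be confirmed")
    user = body.get("preferred_username")  # assumed claim for the comparison
    if user != expected:
        raise AuthError(f"token belongs to {user!r}, not {expected!r}")
    return user

def fake_idp(method, url, body, bearer):
    """Constructed IdP: registration rejected by policy, userinfo works."""
    if url.endswith("/register"):
        return 403, {}
    if url.endswith("/userinfo") and bearer == "token-einstein":
        return 200, {"preferred_username": "einstein"}
    return 401, {}

METADATA = {"registration_endpoint": "https://idp.example/register",
            "userinfo_endpoint": "https://idp.example/userinfo"}

if __name__ == "__main__":
    print(resolve_client(fake_idp, METADATA, "http://127.0.0.1:8080"))
    print(verify_user(fake_idp, METADATA, "token-einstein", "einstein"))
```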

@TheOneRing seems DCR fails with the 1st token refresh: https://cloud.owncloud.com/index.php/f/5901500 (5 minutes with Keycloak)

michaelstingl avatar Oct 06 '22 09:10 michaelstingl

Can you retest with a current client? Was https://github.com/owncloud/client/commit/e939d8b20cfed3b826bfdcd08383634c9f75395d already part of your build?

TheOneRing avatar Oct 19 '22 10:10 TheOneRing

> Can you retest with a current client? Was e939d8b already part of your build?

I'll re-test…

michaelstingl avatar Oct 19 '22 10:10 michaelstingl

> Can you retest with a current client? Was e939d8b already part of your build?
>
> I'll re-test…

Can't test because of:

  • https://github.com/owncloud/ocis/issues/4818
  • https://github.com/owncloud/ocis/issues/4858

michaelstingl avatar Oct 19 '22 14:10 michaelstingl

Please test

TheOneRing avatar Nov 03 '22 15:11 TheOneRing

Testing requires Keycloak default setup.

TheOneRing avatar Nov 18 '22 12:11 TheOneRing

Hey, I was able to test this successfully in my setup with Keycloak and OCIS (no DCR enabled) using the v3.0.0-rc3 Desktop Client.

lsnow99 avatar Nov 30 '22 02:11 lsnow99

Assumed to be fixed

TheOneRing avatar Dec 08 '22 11:12 TheOneRing