[QA] admin or guest user cannot connect a desktop or mobile client
Seen with openidconnect 2.2.0-rc.6 and desktop client 2.11.1, server 10.11.0
- set up Kopano IDP so that it does not include the admin account.
- admin can log in fine through the classic web UI using username and password
- connect a desktop client using the admin account.
- the client immediately opens a web browser with the IDP login page. Admin cannot enter their password with owncloud. BAD.
Not a regression. Not directly related to https://github.com/owncloud/openidconnect/pull/253 (but the test was motivated from there).
Expected behaviour
- admin or other local (guest) users still can use desktop clients after openidconnect is enabled.
- not sure where this could be implemented in the connection wizard, though :see_no_evil:
not an openidconnect issue - more on client side .....
but depends on how owncloud/openidconnect#253 continues
As workaround you could hide the /.well-known/openid-configuration from the client when a certain criteria for the admin matches. E.g. an Admin always coming from a certain IP address.
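The workaround above, hiding the OIDC discovery document from specific source addresses so that the desktop client falls back to basic auth there, can be expressed at the reverse proxy. The following is an added example and not configuration from the thread or from the openidconnect app; it assumes nginx in front of ownCloud, that the well-known path is otherwise routed to `index.php` (as ownCloud's shipped rewrite rules do), and uses a constructed placeholder address for the admin workstation.

```nginx
# Added example (not from the thread). Classify the admin workstation by
# source address; 192.0.2.10 is a constructed placeholder, not a real host.
geo $admin_workstation {
    default        0;
    192.0.2.10/32  1;
}

server {
    listen 443 ssl;
    server_name cloud.example.com;   # assumed hostname

    root /var/www/owncloud;          # assumed install path

    # The desktop client probes this document to decide whether to start the
    # OIDC browser flow. Answering 404 only for the admin workstation makes the
    # client there stay on basic auth; every other client still discovers OIDC.
    location = /.well-known/openid-configuration {
        if ($admin_workstation) {
            return 404;
        }
        # Normal path: hand the request to ownCloud as the shipped rewrite rules would.
        try_files $uri /index.php$is_args$args;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    }
}
```

The match is on the source address only, so it covers exactly the "admin always comes from a certain IP" case the comment names; an admin connecting from elsewhere still gets the OIDC browser flow, which is the limitation the rest of the thread discusses.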
So what are the expectations? That the client performs basic auth until the accounts are properly setup? I fail to see the problem?
Just my 2 cents:
I see two possible solutions here:
- The server communicates the role to the client so the client can decide based on the role if OIDC is used or not
- The client has a button to skip a detected OIDC setup and switch back to standard auth.
Why wouldn't you add the user to the idp?
> Why wouldn't you add the user to the idp?

A strict security policy could mandate that local admin accounts must (or must not) exist. Not our choice.
For a normal use case like connecting a client, admin login via IDP certainly makes sense, (if allowed). For administrative tasks, we may want the admin to reach the settings pages of owncloud, even when IDP or LDAP are down.
Then if an admin account must not be on the idp, and is not meant as a user account. Why should anyone use that account with a client to sync data?
As an alternative, set up a new endpoint for admins to connect (admin.cloud.example.com), and there you can announce different login.
Android 2.21.2 handles it nicer:
After entering the server URL, there is first a connection check, and then an extra button to click, before the IDP browser opens.

User can enter Settings (at the bottom right) - so we could add 'skip OAuth, fall back to basic auth' there.
A separate basic-auth endpoint sounds like an easy solution from an engineering perspective, but probably hard to document. E.g. the guest invite mail must be changed to point to the right endpoint then.
> So what are the expectations? That the client performs basic auth until the accounts are properly setup? I fail to see the problem?
Expectation is feature parity with the classic web UI. Clients don't allow to choose IDP vs Basic. "proper setup" in the IDP probably never happens for guest users.
No priority today or tomorrow. Can be discussed in one of the next PB1.
moving to desktop
This issue was marked stale because it has been open for 30 days with no activity. Remove the stale label or comment or this will be closed in 7 days.
The issue was marked as stale for 7 days and closed automatically.