oAuth2: Show error message or logout when there was a problem with the server token interaction #7212

Closed · jvillafanez opened this issue May 29, 2019 · 15 comments

@jvillafanez (Member)

Expected behaviour

Desktop client syncs normally

Actual behaviour

Desktop client tries indefinitely to obtain an oAuth token

Steps to reproduce

  1. Install OC 10.1.0, oAuth 0.4.0 and desktop client 2.5.4 (build 515)
  2. Using the desktop client, log with a user via oAuth. Let the desktop client sync normally
  3. Close the desktop client (the desktop client isn't running any longer. Assume the user has shutdown the computer)
  4. Disable the user in the ownCloud server
  5. Start again the desktop client

Server configuration

Operating system: ubuntu 16.04 (docker)

Web server: apache 2.4.29

Database: mysql

PHP version: 7.1

ownCloud version: 10.1.0

Storage backend (external storage): no external storage, local primary storage

Client configuration

Client version: 2.5.4 (build 515)

Operating system: ubuntu 18.04

OS language:

Qt version used by client package (Linux only, see also Settings dialog):

Client package (From ownCloud or distro) (Linux only): owncloud

Installation path of client:

Logs

  1. Client logfile:
05-29 17:48:30:399 [ info sync.networkjob ]:	OCC::SimpleNetworkJob created for "http://10.0.2.8" + "" ""
05-29 17:48:30:436 [ info gui.account.manager ]:	Saving account "http://10.0.2.8:7080"
05-29 17:48:30:437 [ info gui.account.manager ]:	Saving  0  unknown certs.
05-29 17:48:30:437 [ info gui.account.manager ]:	Saving cookies. "/home/juan/.config/ownCloud/cookies0.db"
05-29 17:48:30:441 [ info gui.account.manager ]:	Saved account settings, status: QSettings::NoError
05-29 17:48:30:441 [ info sync.networkjob ]:	Restarting "PROPFIND" QUrl("http://10.0.2.8:7080/remote.php/webdav/")
05-29 17:48:30:441 [ info sync.accessmanager ]:	6 "PROPFIND" "http://10.0.2.8:7080/remote.php/webdav/" has X-Request-ID "0bb10239-8e38-4166-9ee9-6db63ac451eb"
05-29 17:48:30:441 [ info gui.account.state ]:	Fetched credentials for "http://10.0.2.8:7080" attempting to connect
05-29 17:48:30:441 [ warning gui.account.state ]:	ConnectionValidator already running, ignoring "user1@10.0.2.8:7080"
05-29 17:48:30:483 [ warning sync.credentials.http ]:	Stop request: Authentication failed for  "http://10.0.2.8:7080/remote.php/webdav/"
05-29 17:48:30:483 [ info sync.credentials.http ]:	Refreshing token
05-29 17:48:30:483 [ info sync.accessmanager ]:	4 "" "http://10.0.2.8:7080/index.php/apps/oauth2/api/v1/token" has X-Request-ID "6b008996-99e7-4d37-a75a-19e3a8572a06"
05-29 17:48:30:483 [ info sync.networkjob ]:	OCC::SimpleNetworkJob created for "http://10.0.2.8" + "" ""
05-29 17:48:30:530 [ info gui.account.manager ]:	Saving account "http://10.0.2.8:7080"
05-29 17:48:30:530 [ info gui.account.manager ]:	Saving  0  unknown certs.
05-29 17:48:30:530 [ info gui.account.manager ]:	Saving cookies. "/home/juan/.config/ownCloud/cookies0.db"
05-29 17:48:30:534 [ info gui.account.manager ]:	Saved account settings, status: QSettings::NoError
05-29 17:48:30:534 [ info sync.networkjob ]:	Restarting "PROPFIND" QUrl("http://10.0.2.8:7080/remote.php/webdav/")
05-29 17:48:30:534 [ info sync.accessmanager ]:	6 "PROPFIND" "http://10.0.2.8:7080/remote.php/webdav/" has X-Request-ID "cd1876ca-161c-41b2-9efb-16273fa1434b"
05-29 17:48:30:534 [ info gui.account.state ]:	Fetched credentials for "http://10.0.2.8:7080" attempting to connect
05-29 17:48:30:534 [ warning gui.account.state ]:	ConnectionValidator already running, ignoring "user1@10.0.2.8:7080"
05-29 17:48:30:579 [ warning sync.credentials.http ]:	Stop request: Authentication failed for  "http://10.0.2.8:7080/remote.php/webdav/"
05-29 17:48:30:579 [ info sync.credentials.http ]:	Refreshing token
05-29 17:48:30:580 [ info sync.accessmanager ]:	4 "" "http://10.0.2.8:7080/index.php/apps/oauth2/api/v1/token" has X-Request-ID "bdf5f705-3ca1-4a35-b6b0-eb2e9a88722e"
  2. Web server error log:

  3. Server logfile: ownCloud log (data/owncloud.log):

owncloud_1  | {"reqId":"11402731-ad0d-48e7-af0a-8f01025ca9e5","level":1,"time":"2019-05-29T15:34:41+00:00","remoteAddr":"10.0.2.9","user":"--","app":"oauth2","method":"POST","url":"\/index.php\/apps\/oauth2\/api\/v1\/token","message":"A refresh token has been used by the client \"Desktop Client\" to request an access token."}
owncloud_1  | {"reqId":"606ae4e3-0142-4e68-b0f8-5fde35df603b","level":0,"time":"2019-05-29T15:34:41+00:00","remoteAddr":"10.0.2.9","user":"--","app":"OC\\Authentication\\Token\\DefaultTokenProvider::generateToken","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"generating token 73a7ddcba1212bfc44e08d9356427d4c22b9854fd9d7ff5d9c3f763d31fd9b7d8655436625874089b4152359aca0ccb04a00f160e01cc81e1fc7d1263cfe564b, uid user1, loginName user1, pwd empty, name Mozilla\/5.0 (Linux) mirall\/2.5.4 (build 515), type temporary"}
owncloud_1  | {"reqId":"606ae4e3-0142-4e68-b0f8-5fde35df603b","level":3,"time":"2019-05-29T15:34:41+00:00","remoteAddr":"10.0.2.9","user":"--","app":"OC\\User\\Session::createSessionToken","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"There are code paths that trigger the generation of an auth token for the same session twice. We log this to trace the code paths. Please send all log lines belonging to this request id."}
owncloud_1  | {"reqId":"606ae4e3-0142-4e68-b0f8-5fde35df603b","level":3,"time":"2019-05-29T15:34:41+00:00","remoteAddr":"10.0.2.9","user":"--","app":"OC\\User\\Session::createSessionToken","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"Exception: {\"Exception\":\"Doctrine\\\\DBAL\\\\Exception\\\\UniqueConstraintViolationException\",\"Message\":\"An exception occurred while executing 'INSERT INTO `oc_authtoken`(`uid`,`login_name`,`name`,`token`,`type`,`last_activity`,`last_check`) VALUES(?,?,?,?,?,?,?)' with params [\\\"user1\\\", \\\"user1\\\", \\\"Mozilla\\\\\\\/5.0 (Linux) mirall\\\\\\\/2.5.4 (build 515)\\\", \\\"73a7ddcba1212bfc44e08d9356427d4c22b9854fd9d7ff5d9c3f763d31fd9b7d8655436625874089b4152359aca0ccb04a00f160e01cc81e1fc7d1263cfe564b\\\", 0, 1559144081, 1559144081]:\\n\\nSQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '73a7ddcba1212bfc44e08d9356427d4c22b9854fd9d7ff5d9c3f763d31fd9b7d' for key 'authtoken_token_index'\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/DBALException.php(128): Doctrine\\\\DBAL\\\\Driver\\\\AbstractMySQLDriver->convertException('An exception oc...', Object(Doctrine\\\\DBAL\\\\Driver\\\\PDOException))\\n#1 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Statement.php(177): Doctrine\\\\DBAL\\\\DBALException::driverExceptionDuringQuery(Object(Doctrine\\\\DBAL\\\\Driver\\\\PDOMySql\\\\Driver), Object(Doctrine\\\\DBAL\\\\Driver\\\\PDOException), 'INSERT INTO `oc...', Array)\\n#2 \\\/var\\\/www\\\/owncloud\\\/lib\\\/public\\\/AppFramework\\\/Db\\\/Mapper.php(241): Doctrine\\\\DBAL\\\\Statement->execute()\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/public\\\/AppFramework\\\/Db\\\/Mapper.php(119): OCP\\\\AppFramework\\\\Db\\\\Mapper->execute('INSERT INTO `*P...', Array)\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Authentication\\\/Token\\\/DefaultTokenProvider.php(101): 
OCP\\\\AppFramework\\\\Db\\\\Mapper->insert(Object(OC\\\\Authentication\\\\Token\\\\DefaultToken))\\n#5 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/User\\\/Session.php(726): OC\\\\Authentication\\\\Token\\\\DefaultTokenProvider->generateToken(*** sensitive parameters replaced ***)\\n#6 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/User\\\/Session.php(965): OC\\\\User\\\\Session->createSessionToken(Object(OC\\\\AppFramework\\\\Http\\\\Request), 'user1', 'user1', NULL)\\n#7 \\\/var\\\/www\\\/owncloud\\\/apps\\\/oauth2\\\/lib\\\/Sabre\\\/OAuth2.php(120): OC\\\\User\\\\Session->tryAuthModuleLogin(Object(OC\\\\AppFramework\\\\Http\\\\Request))\\n#8 \\\/var\\\/www\\\/owncloud\\\/apps\\\/oauth2\\\/lib\\\/Sabre\\\/AbstractBearer.php(99): OCA\\\\OAuth2\\\\Sabre\\\\OAuth2->validateBearerToken('KExMb5ZLFY4bjob...')\\n#9 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php(201): OCA\\\\OAuth2\\\\Sabre\\\\AbstractBearer->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#10 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php(150): Sabre\\\\DAV\\\\Auth\\\\Plugin->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#11 [internal function]: Sabre\\\\DAV\\\\Auth\\\\Plugin->beforeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#12 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#13 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(466): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#14 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#15 
\\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(65): Sabre\\\\DAV\\\\Server->exec()\\n#16 \\\/var\\\/www\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/ownclo...')\\n#17 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Driver\\\/AbstractMySQLDriver.php\",\"Line\":66}"}
owncloud_1  | {"reqId":"606ae4e3-0142-4e68-b0f8-5fde35df603b","level":0,"time":"2019-05-29T15:34:41+00:00","remoteAddr":"10.0.2.9","user":"--","app":"webdav","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"Exception: HTTP\/1.1 401 No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, Bearer token was incorrect: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\NotAuthenticated\",\"Message\":\"No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, Bearer token was incorrect\",\"Code\":0,\"Trace\":\"#0 [internal function]: Sabre\\\\DAV\\\\Auth\\\\Plugin->beforeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#1 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(466): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(65): Sabre\\\\DAV\\\\Server->exec()\\n#5 \\\/var\\\/www\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/ownclo...')\\n#6 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php\",\"Line\":168}"}
owncloud_1  | {"reqId":"c45468f3-7101-4e49-92da-d664a8586934","level":1,"time":"2019-05-29T15:34:41+00:00","remoteAddr":"10.0.2.9","user":"--","app":"oauth2","method":"POST","url":"\/index.php\/apps\/oauth2\/api\/v1\/token","message":"A refresh token has been used by the client \"Desktop Client\" to request an access token."}
owncloud_1  | {"reqId":"ef0061ba-ce94-4406-acae-347f8fb9a178","level":0,"time":"2019-05-29T15:34:41+00:00","remoteAddr":"10.0.2.9","user":"--","app":"OC\\Authentication\\Token\\DefaultTokenProvider::generateToken","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"generating token 73a7ddcba1212bfc44e08d9356427d4c22b9854fd9d7ff5d9c3f763d31fd9b7d8655436625874089b4152359aca0ccb04a00f160e01cc81e1fc7d1263cfe564b, uid user1, loginName user1, pwd empty, name Mozilla\/5.0 (Linux) mirall\/2.5.4 (build 515), type temporary"}
owncloud_1  | {"reqId":"ef0061ba-ce94-4406-acae-347f8fb9a178","level":3,"time":"2019-05-29T15:34:41+00:00","remoteAddr":"10.0.2.9","user":"--","app":"OC\\User\\Session::createSessionToken","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"There are code paths that trigger the generation of an auth token for the same session twice. We log this to trace the code paths. Please send all log lines belonging to this request id."}
owncloud_1  | {"reqId":"ef0061ba-ce94-4406-acae-347f8fb9a178","level":3,"time":"2019-05-29T15:34:41+00:00","remoteAddr":"10.0.2.9","user":"--","app":"OC\\User\\Session::createSessionToken","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"Exception: {\"Exception\":\"Doctrine\\\\DBAL\\\\Exception\\\\UniqueConstraintViolationException\",\"Message\":\"An exception occurred while executing 'INSERT INTO `oc_authtoken`(`uid`,`login_name`,`name`,`token`,`type`,`last_activity`,`last_check`) VALUES(?,?,?,?,?,?,?)' with params [\\\"user1\\\", \\\"user1\\\", \\\"Mozilla\\\\\\\/5.0 (Linux) mirall\\\\\\\/2.5.4 (build 515)\\\", \\\"73a7ddcba1212bfc44e08d9356427d4c22b9854fd9d7ff5d9c3f763d31fd9b7d8655436625874089b4152359aca0ccb04a00f160e01cc81e1fc7d1263cfe564b\\\", 0, 1559144081, 1559144081]:\\n\\nSQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '73a7ddcba1212bfc44e08d9356427d4c22b9854fd9d7ff5d9c3f763d31fd9b7d' for key 'authtoken_token_index'\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/DBALException.php(128): Doctrine\\\\DBAL\\\\Driver\\\\AbstractMySQLDriver->convertException('An exception oc...', Object(Doctrine\\\\DBAL\\\\Driver\\\\PDOException))\\n#1 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Statement.php(177): Doctrine\\\\DBAL\\\\DBALException::driverExceptionDuringQuery(Object(Doctrine\\\\DBAL\\\\Driver\\\\PDOMySql\\\\Driver), Object(Doctrine\\\\DBAL\\\\Driver\\\\PDOException), 'INSERT INTO `oc...', Array)\\n#2 \\\/var\\\/www\\\/owncloud\\\/lib\\\/public\\\/AppFramework\\\/Db\\\/Mapper.php(241): Doctrine\\\\DBAL\\\\Statement->execute()\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/public\\\/AppFramework\\\/Db\\\/Mapper.php(119): OCP\\\\AppFramework\\\\Db\\\\Mapper->execute('INSERT INTO `*P...', Array)\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Authentication\\\/Token\\\/DefaultTokenProvider.php(101): 
OCP\\\\AppFramework\\\\Db\\\\Mapper->insert(Object(OC\\\\Authentication\\\\Token\\\\DefaultToken))\\n#5 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/User\\\/Session.php(726): OC\\\\Authentication\\\\Token\\\\DefaultTokenProvider->generateToken(*** sensitive parameters replaced ***)\\n#6 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/User\\\/Session.php(965): OC\\\\User\\\\Session->createSessionToken(Object(OC\\\\AppFramework\\\\Http\\\\Request), 'user1', 'user1', NULL)\\n#7 \\\/var\\\/www\\\/owncloud\\\/apps\\\/oauth2\\\/lib\\\/Sabre\\\/OAuth2.php(120): OC\\\\User\\\\Session->tryAuthModuleLogin(Object(OC\\\\AppFramework\\\\Http\\\\Request))\\n#8 \\\/var\\\/www\\\/owncloud\\\/apps\\\/oauth2\\\/lib\\\/Sabre\\\/AbstractBearer.php(99): OCA\\\\OAuth2\\\\Sabre\\\\OAuth2->validateBearerToken('mlzifi9GREvCL4X...')\\n#9 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php(201): OCA\\\\OAuth2\\\\Sabre\\\\AbstractBearer->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#10 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php(150): Sabre\\\\DAV\\\\Auth\\\\Plugin->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#11 [internal function]: Sabre\\\\DAV\\\\Auth\\\\Plugin->beforeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#12 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#13 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(466): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#14 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#15 
\\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(65): Sabre\\\\DAV\\\\Server->exec()\\n#16 \\\/var\\\/www\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/ownclo...')\\n#17 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Driver\\\/AbstractMySQLDriver.php\",\"Line\":66}"}
owncloud_1  | {"reqId":"ef0061ba-ce94-4406-acae-347f8fb9a178","level":0,"time":"2019-05-29T15:34:41+00:00","remoteAddr":"10.0.2.9","user":"--","app":"webdav","method":"PROPFIND","url":"\/remote.php\/webdav\/","message":"Exception: HTTP\/1.1 401 No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, Bearer token was incorrect: {\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\NotAuthenticated\",\"Message\":\"No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, Bearer token was incorrect\",\"Code\":0,\"Trace\":\"#0 [internal function]: Sabre\\\\DAV\\\\Auth\\\\Plugin->beforeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#1 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(466): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/var\\\/www\\\/owncloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(65): Sabre\\\\DAV\\\\Server->exec()\\n#5 \\\/var\\\/www\\\/owncloud\\\/remote.php(165): require_once('\\\/var\\\/www\\\/ownclo...')\\n#6 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php\",\"Line\":168}"}
@michaelstingl (Contributor)

@DeepDiver1975 @ogoffart What is the recommended behavior for "disabled user" in OAuth 2.0? Any hints in the RFC? /cc @felix-schwarz @davigonz

@davigonz

> What is the recommended behavior for "disabled user" in OAuth 2.0? Any hints in the RFC? /cc @felix-schwarz @davigonz

The clients should show an authentication failed error in my opinion, I've performed the same steps in the Android app and behaves that way.

@ogoffart (Contributor)

It appears from what I can see from the client log that the token refreshing still works, but the new auth token is not working, letting the client believe that it has expired and needs to ask for a new one.
I'd say that the refreshing should fail.

Also the message from the server log

Exception: HTTP\/1.1 401 No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, Bearer token was incorrect:

Looks like the bug where the server is stripping some header.

@felix-schwarz
@michaelstingl Just checked and I couldn't find any hints at the recommended behaviour in the RFC.

The new iOS SDK will return an "authorization failed" error upon trying to connect, which will prompt the new app to bring up an alert

Authorization failed
The server declined access with the credentials stored for this connection.

[Ignore] [Edit]

Ignore will continue in Offline mode. Edit will bring up the editing panel for the connection where the user gets a chance to re-create their authentication data (similar to when originally setting up the connection).

@jvillafanez (Member, Author)

So the plan is that the server will return a 400 HTTP code with an "unauthorized_client" error if the user is disabled. This is based on https://tools.ietf.org/html/rfc6749#section-4.1.2.1 and https://tools.ietf.org/html/rfc6749#section-5.2
I think that's the closest match for our case.

I'll add an "error_description: disabled user" mainly for debugging

@guruz (Contributor) commented Jun 4, 2019

Does it behave better with owncloud/oauth2#209 ?
Is there anything the client should change too? Do we need some back-off time period to avoid future issues like this?
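The refresh loop in the issue logs, the planned server response (HTTP 400 with an `unauthorized_client` error body, RFC 6749 section 5.2) and the back-off question just raised, put together as an added example in Python. This is not ownCloud client or server code: `FakeServer`, `RefreshPolicy`, `Client`, the `run` helper and the retry limits are constructed for this example; only the two endpoint paths and the error body come from the issue. The client treats any RFC 6749 error object from the token endpoint as terminal and, separately, caps how many times a 401 on a freshly issued token may trigger another refresh, so that even an unfixed server cannot drive an unbounded loop.

```python
"""Added example, not ownCloud code: a token-endpoint stand-in plus a client
whose refresh handling cannot be driven into an endless loop. Paths are the
ones in the issue logs; everything else is constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TOKEN_ENDPOINT = "/index.php/apps/oauth2/api/v1/token"
WEBDAV_ENDPOINT = "/remote.php/webdav/"


class TerminalAuthError(Exception):
    """Stop retrying; the user has to re-authenticate (or an admin has to act)."""


@dataclass
class FakeServer:
    """In-memory server. fixed=False reproduces the issue: a disabled user still
    gets tokens from the token endpoint, but every WebDAV request is rejected.
    fixed=True applies the planned change: an RFC 6749 section 5.2 error instead."""
    disabled_users: Set[str]
    fixed: bool
    issued: int = 0
    owner: Dict[str, str] = field(default_factory=dict)  # access token -> uid

    def token(self, refresh_token: str, uid: str) -> Tuple[int, dict]:
        """POST TOKEN_ENDPOINT, grant_type=refresh_token (simulated)."""
        if self.fixed and uid in self.disabled_users:
            return 400, {"error": "unauthorized_client",
                         "error_description": "disabled user"}
        self.issued += 1
        access = f"access-{self.issued}"
        self.owner[access] = uid
        return 200, {"access_token": access, "token_type": "Bearer",
                     "expires_in": 3600, "refresh_token": refresh_token}

    def propfind(self, bearer: Optional[str]) -> int:
        """PROPFIND WEBDAV_ENDPOINT with a Bearer token: 207 or 401."""
        uid = self.owner.get(bearer or "")
        return 401 if uid is None or uid in self.disabled_users else 207


@dataclass
class RefreshPolicy:
    """Retry budget for the case "new token, still 401", with exponential back-off."""
    max_refreshes_after_401: int = 3
    base_delay: float = 2.0
    max_delay: float = 60.0

    def delay(self, attempt: int) -> float:
        return min(self.base_delay * (2 ** attempt), self.max_delay)


@dataclass
class Client:
    server: FakeServer
    uid: str
    refresh_token: str
    policy: RefreshPolicy = field(default_factory=RefreshPolicy)
    access_token: Optional[str] = None
    token_requests: int = 0
    sleeps: List[float] = field(default_factory=list)  # recorded instead of sleeping

    def refresh(self) -> None:
        self.token_requests += 1
        status, body = self.server.token(self.refresh_token, self.uid)
        if status == 400 and "error" in body:
            # An RFC 6749 error object is a definitive answer, whatever the code.
            raise TerminalAuthError(f"{body['error']}: {body.get('error_description', '')}")
        if status != 200 or "access_token" not in body:
            raise TerminalAuthError(f"unexpected token response: HTTP {status}")
        self.access_token = body["access_token"]

    def sync(self) -> int:
        """One sync. Returns the PROPFIND status, or raises TerminalAuthError."""
        attempt = 0
        while True:
            if self.access_token is None:
                self.refresh()
            status = self.server.propfind(self.access_token)
            if status != 401:
                return status
            # A 401 right after a refresh means refreshing did not help. Retry a
            # bounded number of times with back-off, then hand over to the user.
            if attempt >= self.policy.max_refreshes_after_401:
                raise TerminalAuthError("fresh access token still rejected; re-authenticate")
            self.sleeps.append(self.policy.delay(attempt))
            attempt += 1
            self.access_token = None


def run(fixed_server: bool, uid: str) -> dict:
    """Drive one client against a server where user1 is disabled; summarise."""
    client = Client(FakeServer({"user1"}, fixed_server), uid, "refresh-abc")
    try:
        outcome = f"synced {client.sync()}"
    except TerminalAuthError as exc:
        outcome = f"stopped: {exc}"
    return {"outcome": outcome, "token_requests": client.token_requests,
            "sleeps": client.sleeps}


if __name__ == "__main__":
    print("original server, disabled user:", run(False, "user1"))
    print("fixed server, disabled user:   ", run(True, "user1"))
    print("original server, enabled user: ", run(False, "user2"))
```

Run it directly to print the three outcomes. Against the original server behaviour the client now stops after four token requests and three back-off waits instead of looping; against the fixed server it stops after a single request with a message that can be shown to the user. Which section 5.2 error code the server picks matters less than the client treating any of them as a reason to wait for user action rather than retry.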

@jvillafanez (Member, Author)

I think so. With the fix in the oAuth app, the desktop waits for the user to be authenticated via browser, so there shouldn't be any problem.

Client side, if it can't get a token for any reason I think the client should wait for user action. Maybe showing an error saying "I can't get a valid token, try reauthenticating" or something like that might be a good idea.

@jvillafanez (Member, Author)

Well, the problem is that the client gets a token, but it still gets a forbidden error when it tries to use it to access webdav.

@guruz guruz changed the title Desktop client hammers server trying to authenticate a disabled user via oAuth oAuth2: Show error message or logout when there was a problem with the server token interaction Jun 4, 2019
@guruz guruz added this to the 2.6.1 milestone Jun 4, 2019
@ckamm ckamm added the p3-medium Normal priority label Jul 18, 2019
@ogoffart (Contributor)

So in summary, what remains to be done in the client?

@HanaGemela (Contributor)

Client: 2.6.0 (build 12703)
macOS 10.15
Server 10.3.0 stable
oAuth2 0.4.2RC3

Client says 'obtaining authorization ...' even though the authorization already failed. Not sure what is the expected result. Maybe this is OK?

[Screenshot 2019-11-19 at 11:11:12]

@michaelstingl (Contributor)

> Client says 'obtaining authorization ...' even though the authorization already failed. Not sure what is the expected result. Maybe this is OK?

I think the client can't know the real status, so the waiting state is probably the best we can do. @jvillafanez recommendations?

@ogoffart (Contributor)

Somehow, the server would need to connect to the localhost (redirect_uri) notifying the error. I do not think there is an OAuth2 workflow for that, so that's not really possible without extending the protocol.
I guess it's best to leave it as is

@jvillafanez (Member, Author)

Most of the flow is handled by the browser... so yes, we'd need to send something from the server to the redirect_uri... sounds too complex with very little reward.

An alternative in the client could be to set a timeout of 1 minute, so if the user hasn't authorized the app at that point the client could assume that the user hasn't authorized: it could change the message and ignore any request to the redirect_uri until the user clicks the link again (requesting or refreshing a new token).
I don't know how much work it could be to implement that, but if it's just for changing the message, it seems too much.
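The one-minute timeout proposed above, as an added example in Python; this is not ownCloud desktop client code. `AuthorizationAttempt`, its 60-second window, the status strings, the loopback port and the authorize endpoint path are assumptions for this example (the host is the one from the issue), and the clock is injected so the expiry can be exercised without waiting. Besides expiring the attempt, it binds every attempt to a fresh `state` value (RFC 6749 section 10.12) and discards it once used, so a callback at the redirect_uri from an expired, foreign or replayed attempt is ignored rather than accepted, and it surfaces an `error` parameter on the redirect (section 4.1.2.1) as a terminal failure instead of leaving the client in the waiting state.

```python
"""Added example, not ownCloud desktop client code: an authorization attempt
that expires, is bound to a fresh `state`, and is single-use.

The loopback listener hands every request it receives to `handle_callback`;
the UI calls `poll` from its timer to refresh the status text. Authorize path,
port, window length and status strings are assumptions for this example.
"""
import secrets
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Host from the issue; the authorize path and the loopback port are assumed.
AUTHORIZE_ENDPOINT = "http://10.0.2.8:7080/index.php/apps/oauth2/authorize"
REDIRECT_URI = "http://localhost:38800/"


class AuthorizationAttempt:
    WINDOW_SECONDS = 60.0

    def __init__(self, client_id: str, now: Callable[[], float]):
        self.client_id = client_id
        self.now = now                    # injected clock (time.monotonic in practice)
        self.state: Optional[str] = None  # set only while an attempt is live
        self.deadline = 0.0
        self.status = "idle"              # idle | waiting | timed_out | authorized | denied:<code>

    def start(self) -> str:
        """Begin a new attempt (the user clicked the link). Returns the URL to open."""
        self.state = secrets.token_urlsafe(32)
        self.deadline = self.now() + self.WINDOW_SECONDS
        self.status = "waiting"
        query = urlencode({"response_type": "code", "client_id": self.client_id,
                           "redirect_uri": REDIRECT_URI, "state": self.state})
        return f"{AUTHORIZE_ENDPOINT}?{query}"

    def poll(self) -> str:
        """Expire a live attempt whose window has passed; returns the status."""
        if self.status == "waiting" and self.now() > self.deadline:
            self.status = "timed_out"
            self.state = None  # nothing arriving at redirect_uri can match any more
        return self.status

    def handle_callback(self, request_url: str) -> Optional[str]:
        """Called by the loopback listener for each request. Returns the authorization
        code when the callback belongs to the live attempt; otherwise the request is
        ignored (None) and the status is left for the user to act on."""
        if self.poll() != "waiting":
            return None
        params = parse_qs(urlsplit(request_url).query)
        state = params.get("state", [None])[0]
        if self.state is None or not secrets.compare_digest(
                (state or "").encode(), self.state.encode()):
            return None  # stale, foreign or forged callback
        self.state = None  # single use: neither a replay nor a second code is accepted
        if "error" in params:  # RFC 6749 section 4.1.2.1, e.g. access_denied
            self.status = "denied:" + params["error"][0]
            return None
        code = params.get("code", [None])[0]
        if code is None:
            self.status = "denied:malformed_callback"
            return None
        self.status = "authorized"
        return code


def message_for(status: str) -> str:
    """Status text for the account settings page."""
    if status.startswith("denied:"):
        return "Authorization failed: the server reported " + status[len("denied:"):]
    return {
        "idle": "Not signed in.",
        "waiting": "Obtaining authorization... complete the sign-in in your browser.",
        "timed_out": "No authorization received within 60 seconds. Click the link to try again.",
        "authorized": "Authorized.",
    }[status]


def demo() -> dict:
    """Walk through forged, late, fresh and replayed callbacks with a fake clock."""
    clock = {"t": 1000.0}
    attempt = AuthorizationAttempt("Desktop Client", lambda: clock["t"])
    attempt.start()
    first_state = attempt.state
    out = {}
    out["forged"] = attempt.handle_callback(f"{REDIRECT_URI}?code=evil&state=nope")
    clock["t"] += 61  # the user never finished in the browser
    out["late"] = attempt.handle_callback(f"{REDIRECT_URI}?code=late&state={first_state}")
    out["late_message"] = message_for(attempt.poll())
    attempt.start()  # the user clicks the link again
    out["state_rotated"] = attempt.state != first_state
    out["code"] = attempt.handle_callback(f"{REDIRECT_URI}?code=good&state={attempt.state}")
    out["replay"] = attempt.handle_callback(f"{REDIRECT_URI}?code=good&state={first_state}")
    out["final_message"] = message_for(attempt.poll())
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The timeout only changes the message; the `state` check and the single-use reset are what make ignoring late or unexpected requests safe, since without them a stale callback carrying any code would be accepted the moment the user starts a new attempt.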

@michaelstingl (Contributor)

> An alternative in the client could be to set a timeout of 1 minute, so if the user hasn't authorized the app at that point the client could assume that the user hasn't authorized: it could change the message and ignore any request to the redirect_uri until the user clicks the link again (requesting or refreshing a new token).

@HanaGemela @ogoffart What do you think? Indicate there's an error?

@HanaGemela (Contributor)

@michaelstingl I'm kind of OK with current behaviour. It is not ideal but it tells you to go to the browser and the browser shows a proper error message

@michaelstingl michaelstingl modified the milestones: 2.6.1, 2.6.2 Nov 26, 2019
@ogoffart ogoffart closed this as completed Feb 6, 2020
8 participants