Guest user is not able to log in using oauth2 and iOS app #194

Open
davitol opened this issue Feb 13, 2019 · 11 comments
@davitol
Contributor

davitol commented Feb 13, 2019

Testing oauth2 tarball 0.4.0 from https://github.com/owncloud/oauth2/releases/tag/v0.4.0RC1 and ownCloud 10.1

Steps to reproduce

  1. Enable oauth2 app
  2. create a guest user
  3. Using oC iOS app, try to log in with guest user

[image: img_0109]

Expected behaviour

The guest user is able to log in

Actual behaviour

Guest user cannot log in and the following log is spotted in owncloud.log

{"reqId":"06db4ce9-babc-4ba4-add0-b4afb97a93d9","level":2,"time":"2019-02-13T09:11:19+00:00","remoteAddr":"85.57.168.79","user":"--","app":"core","method":"GET","url":"\/owncloud\/status.php","message":"Trusted domain error. \"85.57.168.79\" tried to access using \"195.XXX.XX.XXX\" as host."}
{"reqId":"dyYxNR2qnGjT1uvLu7Cl","level":2,"time":"2019-02-13T09:11:22+00:00","remoteAddr":"85.57.168.79","user":"[email protected]","app":"core","method":"POST","url":"\/owncloud\/index.php\/apps\/oauth2\/api\/v1\/token","message":"Login failed: 'mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1' (Remote IP: '85.57.168.79')"}

davitol added the bug label Feb 13, 2019
davitol added this to the QA milestone Feb 13, 2019

@DeepDiver1975
Member

What happens after you press the authorize button? THX

@michaelstingl

Regression? Or always broken?

Same in the new iOS app?

@davitol
Contributor Author

davitol commented Feb 13, 2019

> What happens after you press the authorize button? THX

This screen is shown:

[image: image-1 1]

And the log written in the OP is spotted.

> Regression? Or always broken?

Regression. It works fine with oAuth2 0.3.0

@davitol
Contributor Author

davitol commented Feb 13, 2019

@DeepDiver1975 @michaelstingl Retested uninstalling oauth2 0.4.0 and installing oauth2 0.3.0, and it keeps failing. But oauth2 0.3.0 went fine with the other oC 10.1 server where I tested. So now I'm looking for the differences between both servers. I will post again ASAP.

@davitol
Contributor Author

davitol commented Feb 13, 2019

  • Works in my 2nd server.

The main differences I see between them are:

❌ https and https://mydomain/owncloud

✅ http and http://IP:port

Trying to debug more

(cc @jesmrec )

@DeepDiver1975
Member

> ❌ https and https://mydomain/owncloud

certificate issue again?

@davitol
Contributor Author

davitol commented Feb 13, 2019

> certificate issue again?

Lock is green and showing Secure Connection

@jesmrec

jesmrec commented Feb 13, 2019

Kind of weird behaviour on the server side. Checking @davitol's environment with the current iOS app, I see this:

  1. OAuth2 flow starts correctly with URL and auth method correctly detected
  2. WebView is raised up
  3. Credentials typed, correct authorization code request
  4. Final request to authorization token endpoint is correct:

POST https://xxxx/owncloud/index.php/apps/oauth2/api/v1/token -> 200

fetching:

{ "access_token": "3hBp5Nq3iIH6ZArLu0oEvVRI0XgA1n5ebXL5HK2oSMU9C4Q7LOXleF90IHByIhG4", "expires_in": 3600, "message_url": "https://xxxx/owncloud/index.php/apps/oauth2/authorization-successful", "refresh_token": "njgLvCbXZmKvsiGXzZVVvvjdM1ISfg53ZWrUFxgcHT3BTIlEPESQvkWt0lWhU6MU", "token_type": "Bearer", "user_id": "[email protected]" }

  5. Following requests are all refused with 401, even with correct auth headers:

Authorization: Bearer 3hBp5Nq3iIH6ZArLu0oEvVRI0XgA1n5ebXL5HK2oSMU9C4Q7LOXleF90IHByIhG4

Only one difference:

Request to ocs was refused with body:

{ "message": "Current user is not logged in" }

Request to webDAV:

<?xml version='1.0' encoding='utf-8'?> <d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns"> <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception> <s:message>No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured</s:message> </d:error>

(not sure if it is useful, but here it is)

ping me if you need additional checks from client side.
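
A triage sketch for the situation described in this comment (the token request returns 200, later requests carrying the Bearer header get 401), added here as an example and not code from the thread or from ownCloud: it checks the token response, then reads the Sabre error body to see which Authorization schemes the server reports as missing. The function names, the constructed sample inputs and the reading of the error text as "the header did not reach the authentication code" are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

SABRE_NS = {"s": "http://sabredav.org/ns"}

# Constructed samples shaped like the bodies quoted above (token is a placeholder).
SAMPLE_TOKEN = '{"access_token": "EXAMPLE", "expires_in": 3600, "token_type": "Bearer"}'
SAMPLE_DAV = (
    "<?xml version='1.0' encoding='utf-8'?>"
    '<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">'
    "<s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>"
    "<s:message>No 'Authorization: Basic' header found. Either the client didn't "
    "send one, or the server is misconfigured, No 'Authorization: Bearer' header "
    "found. Either the client didn't send one, or the server is mis-configured"
    "</s:message></d:error>"
)

def token_problems(body):
    """Reasons the token response cannot be used as a Bearer credential."""
    tok = json.loads(body)
    problems = []
    if not tok.get("access_token"):
        problems.append("no access_token")
    if str(tok.get("token_type", "")).lower() != "bearer":
        problems.append("token_type is not Bearer")
    if int(tok.get("expires_in", 0)) <= 0:
        problems.append("expires_in is not positive")
    return problems

def missing_schemes(dav_body):
    """Auth schemes a Sabre NotAuthenticated error reports as not found."""
    root = ET.fromstring(dav_body.encode("utf-8"))
    exc = root.findtext("s:exception", default="", namespaces=SABRE_NS)
    if not exc.endswith("NotAuthenticated"):
        return []
    msg = root.findtext("s:message", default="", namespaces=SABRE_NS)
    return sorted(set(re.findall(r"No 'Authorization: (\w+)' header found", msg)))

def triage(token_body, sent_scheme, dav_body):
    """Classify a 401 that follows a successful token request."""
    problems = token_problems(token_body)
    if problems:
        return "token response unusable: " + "; ".join(problems)
    if sent_scheme in missing_schemes(dav_body):
        return "server reports no %s header although the client sent one" % sent_scheme
    return "server did not report the header as missing; check the credential itself"
```

With the sample bodies, `triage(SAMPLE_TOKEN, "Bearer", SAMPLE_DAV)` lands in the second branch, which moves attention from the token itself to whatever sits between the client and the authentication code.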

@davitol
Contributor Author

davitol commented Feb 13, 2019

> Same in the new iOS app?

iOS new App has other bug related to subfolder in the server URL (not related to oauth) but cannot let me check this environment. (@jesmrec will open the ticket in the new-iOS repo)

@DeepDiver1975
Member

Same with the old oauth app?

@davitol
Contributor Author

davitol commented Feb 13, 2019

> Same with the old oauth app?

yes, same behavior. So it is not related to this oauth app release. But IMHO we can keep this ticket open for tracking what's wrong with that configuration
