Performing the OAuth authorisation flow leads to logout in the browser #10584
Comments
|
Also, (slightly related, at least for my use case...) if you could reopen #7344 (comment) that would be great. I added steps at the end of the discussion. Thanks. |
This comment has been minimized.
This comment has been minimized.
|
I can confirm @Dagefoerde's observation - just stumbled on this and it's puzzling me quite a bit. I'm glad I'm not the only one irritated by this behavior. 😆 Digging into the Code, I found that this line in $this->tokenProvider->invalidateToken($sessionId);It was introduced in #7698 to fix #7697 ... @rullzer @MorrisJobke : Maybe you could comment on this? I see the point mentioned in #7697 that ending up with two "fresh" sessions is undesirable, especially when going through the flow in order to get fresh credentials for a Client App. However, I think killing a pre-existing Browser session by the OAuth 2.0 flow is probably an unintended side-effect of #7698 ? At least to me (and @Dagefoerde ), this is very much unexpected. Would it be a possibility to move the line mentioned into the |
|
@stjosh yes it was added there because we did not consider the OAuth flow at that point. |
|
@stjosh actually what you propose makes perfect sense and should be trivial to backport as well. Let me prepare a PR. |
Fixes #10584 We deleted the main token when using the login flow else mutliple tokens would show up for a single user. However in the case of OAuth this is perfectly fine as the authentication happens really in your browser: 1. You are already logged in, no need to log you out 2. You are not logged in yet, but since you log in into the exact same browser the expected behavior is to stay logged in. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes #10584 We deleted the main token when using the login flow else mutliple tokens would show up for a single user. However in the case of OAuth this is perfectly fine as the authentication happens really in your browser: 1. You are already logged in, no need to log you out 2. You are not logged in yet, but since you log in into the exact same browser the expected behavior is to stay logged in. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes nextcloud#10584 We deleted the main token when using the login flow else mutliple tokens would show up for a single user. However in the case of OAuth this is perfectly fine as the authentication happens really in your browser: 1. You are already logged in, no need to log you out 2. You are not logged in yet, but since you log in into the exact same browser the expected behavior is to stay logged in. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
Very cool, thanks a lot @rullzer |
Steps to reproduce
Expected behaviour
The requesting client is authorised correctly AND the original session is still usable. The user should not need to log in again.
Actual behaviour
Browser is logged out: Either original session expired or the session ID is removed from/replaced in the browser so that original session cannot be accessed anymore.
Server configuration
Operating system: Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic x86_64)
Web server: Apache/2.4.18
Database: PostgreSQL 9.5
PHP version: 7.0.30-0ubuntu0.16.04.1
Nextcloud version: 13.0.5.2 (1a082ab)
Updated from an older Nextcloud/ownCloud or fresh install: Upgraded from 13.0.4
Where did you install Nextcloud from: nextcloud.com
Are you using encryption: no
Are you using an external user-backend, if yes which one: no
Client configuration
Browser: Version 68.0.3440
Operating system: Ubuntu 18.04.1 LTS
The text was updated successfully, but these errors were encountered: