owncloud / oauth2

🔐 Application for using OAuth 2.0 in ownCloud
GNU Affero General Public License v3.0

OAuth2 always requests to authorize an already authorized application #280

Closed jdcano-bpe closed 3 years ago

jdcano-bpe commented 3 years ago

Hello everyone,

I was trying to check the documentation about this topic, but I don't know whether this is the right behavior or not; that is why I am creating this issue.

So far, all is working fine with the OAuth2 application: I can go through the full OAuth2 flow, but I have to authorize the same ClientID every time, and I don't know whether that is the right behavior. I think once a ClientID has been authorized, it should not ask for it again.

Steps to reproduce

  1. Make an Authorization Request.
  2. I get the Authorization Response.
  3. I accept and authorize that ClientID for my user.
  4. I am redirected to the redirect_uri and I get the code.
  5. With the previous code, I can make the Access Token Request.
  6. I successfully receive the Access Token Response with a valid token with which I can access my files.
  7. The problem is that every time I want to get a new code from the Authorization Response, I have to authorize the ClientID again, even though in my settings I can see that the ClientID is authorized. Is that behavior normal? Why do I have to authorize the same ClientID every time I want to generate a token?

Expected behaviour

Once a ClientID is authorized, I should NOT have to authorize it again

Actual behaviour

Every time I want to generate a new Access Token, I have to authorize the same ClientID, even though it is already authorized, in order to get the code to obtain the Access Token.

Server configuration

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed

No errors have been found.

$CONFIG = array (
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/owncloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/owncloud/custom',
      'url' => '/custom',
      'writable' => true,
    ),
  ),
  'trusted_domains' =>
  array (
    0 => 'localhost',
  ),
  'datadirectory' => '/var/lib/owncloud/files',
  'dbtype' => 'mysql',
  'dbhost' => 'mariadb:3306',
  'dbname' => 'owncloud',
  'dbuser' => 'owncloud',
  'dbpassword' => 'owncloud',
  'dbtableprefix' => 'oc_',
  'log_type' => 'owncloud',
  'supportedDatabases' =>
  array (
    0 => 'sqlite',
    1 => 'mysql',
    2 => 'pgsql',
  ),
  'upgrade.disable-web' => true,
  'default_language' => 'en',
  'overwrite.cli.url' => 'https://owncloud-owncloud-dev.apps.example.com/',
  'htaccess.RewriteBase' => '/',
  'logfile' => '/dev/stdout',
  'loglevel' => 2,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'filelocking.enabled' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'redis',
    'port' => '6379',
  ),
  'passwordsalt' => '*********************************************',
  'secret' => '*****************************************************',
  'version' => '10.6.0.5',
  'mysql.utf8mb4' => true,
  'logtimezone' => 'UTC',
  'installed' => true,
  'instanceid' => 'afsdfaf32423',
  'mail_domain' => 'pbs-santander.com',
  'mail_from_address' => 'owncloud-dev',
  'mail_smtpmode' => 'smtp',
  'proxy' => 'http://proxy.example.com/',
  'mail_smtphost' => 'mail.example.com',
  'mail_smtpport' => '25',
  'maintenance' => false,
);

Client configuration

NOT USING CLIENT

Logs

::1 - - [22/Jan/2021:10:53:29 +0000] "GET /status.php HTTP/1.1" 200 1089 "-" "curl/7.68.0"
::1 - - [22/Jan/2021:10:53:30 +0000] "GET /status.php HTTP/1.1" 200 1075 "-" "curl/7.68.0"
X.X.X.X - - [22/Jan/2021:10:53:38 +0000] "GET /index.php/apps/oauth2/authorize?response_type=code&client_id=********************************************&redirect_uri=http://localhost&user=admin  HTTP/1.1" 200 2698 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:38 +0000] "GET /core/vendor/select2/select2.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 3724 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:38 +0000] "GET /core/css/styles.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 6715 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:38 +0000] "GET /core/css/inputs.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 2496 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:38 +0000] "GET /core/css/header.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 2851 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/icons.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 2015 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/fonts.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 771 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/vendor/jquery-ui/themes/base/jquery-ui.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 6455 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /apps/firstrunwizard/css/colorbox.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 1264 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /apps/firstrunwizard/css/firstrunwizard.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 819 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/fixes.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 754 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/multiselect.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 1419 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
::1 - - [22/Jan/2021:10:53:39 +0000] "GET /status.php HTTP/1.1" 200 1075 "-" "curl/7.68.0"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/tooltip.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 1184 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /apps/files_pdfviewer/css/style.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 594 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/share.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 2278 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /apps/files_versions/css/versions.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 977 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /apps/notifications/css/styles.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 1323 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/jquery.ocdialog.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 1495 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /apps/oauth2/css/authorization.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 472 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/apps.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 4038 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/global.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 967 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/mobile.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 1587 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/css/jquery-ui-fixes.css?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 1287 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /core/js/oc.js?v=916e73258a03dd858724f065d40854c2 HTTP/1.1" 200 5744 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
X.X.X.X - - [22/Jan/2021:10:53:39 +0000] "GET /ocs/v2.php/apps/notifications/api/v1/notifications?format=json HTTP/1.1" 200 791 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
::1 - - [22/Jan/2021:10:53:40 +0000] "GET /status.php HTTP/1.1" 200 1085 "-" "curl/7.68.0"
X.X.X.X - - [22/Jan/2021:10:53:44 +0000] "POST /index.php/apps/oauth2/authorize?response_type=code&client_id=******************************************************&redirect_uri=http://localhost&user=admin  HTTP/1.1" 303 739 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
::1 - - [22/Jan/2021:10:53:49 +0000] "GET /status.php HTTP/1.1" 200 1073 "-" "curl/7.68.0"
X.X.X.X - - [22/Jan/2021:10:53:49 +0000] "GET /ocs/v2.php/apps/notifications/api/v1/notifications?format=json HTTP/1.1" 200 791 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36"
::1 - - [22/Jan/2021:10:53:50 +0000] "GET /status.php HTTP/1.1" 200 1081 "-" "curl/7.68.0"

[two screenshots attached to the issue; not reproduced here]

Thanks a lot in advance.

michaelstingl commented 3 years ago

Seen this? https://github.com/owncloud/oauth2/wiki/OAuth-code-Flow-Sequence-Diagram

jdcano-bpe commented 3 years ago

Hello @michaelstingl

Thanks for your answer. Yes, I followed that diagram and everything works fine; I can get an Access Token without any problem.

What I would like to know is whether it is possible not to have to authorize an Application / ClientID that has already been authorized in a previous request. And if it is not possible, then it does not make much sense to have an OAUTH2 section in the user's personal settings saying that a specific Application has been authorized (like in the first image attached), if you have to authorize it again every time you want to get a new Access Token.

Thanks a lot again.

michaelstingl commented 3 years ago

I still don't get what you mean by "authorize it again". Click the [Authorize] button again? This should only happen once.

it does not have much more sense to have in the personal space of the user an OAUTH2 section saying that a specific Application has been authorized (like in the first image attached)

Independent from your issue, I also think this has limited value to display for the user.

jdcano-bpe commented 3 years ago

I still don't get what you mean by "authorize it again". Click the [Authorize] button again? This should only happen once.

That is not happening only once for me.

In my case, I have to authorize every time I make a request, even though I got a code and an Access Token in a previous request. I tried with multiple Applications (an existing one and a newly added one), but it always asks me to authorize again.

Thanks again.

DeepDiver1975 commented 3 years ago

As long as the refresh token is used to obtain a new access token, this screen will not be shown. But as soon as a fresh access token + refresh token pair is requested, this page will pop up again. (For the implicit flow, where no refresh token exists, it will pop up every time the access token expires.)

While this can be annoying, this is the only way to allow a user to switch user after logout. It is an implementation limitation of the current solution.

It is advised to use a full-featured OpenID Connect provider and the ownCloud OpenID Connect app.
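The practical consequence of the two explanations above (the reporter's seven-step code flow and the maintainer's note that only a fresh authorization request re-renders the page) is that a client should exchange the authorization code exactly once, cache the access/refresh token pair, and use the refresh_token grant thereafter. The following Python client sketch is an added example, not code from the oauth2 app or from anyone in this thread. It assumes the endpoints shown in the linked sequence diagram and in the log above: the authorize endpoint /index.php/apps/oauth2/authorize and a token endpoint /index.php/apps/oauth2/api/v1/token that takes HTTP Basic client_id:client_secret; verify both against your own instance. The `post` callable is injected so the token logic can be exercised offline with a fake endpoint.

```python
"""Refresh-first token handling for an ownCloud OAuth2 client.

Added example, not project code. Shows why the [Authorize] page appears:
it is rendered only by the authorization request, never by the
refresh_token grant. The client below re-runs the code flow only when it
holds no usable refresh token.

Assumed (verify on your instance): authorize endpoint
/index.php/apps/oauth2/authorize and token endpoint
/index.php/apps/oauth2/api/v1/token with HTTP Basic client credentials.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class NeedsAuthorization(Exception):
    """Raised only when the user must go through the authorize page again."""


@dataclass
class TokenStore:
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_at: float = 0.0  # epoch seconds; 0 means "no valid token cached"


# A poster takes the form fields for the token endpoint and returns the
# decoded JSON response; a fake one can be substituted for offline tests.
Poster = Callable[[Dict[str, str]], Dict[str, object]]


def build_authorize_url(base_url: str, client_id: str,
                        redirect_uri: str, state: str) -> str:
    """Authorization request: the one step that renders the [Authorize] page."""
    query = urllib.parse.urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # unguessable per-session value, checked on callback
    })
    return f"{base_url.rstrip('/')}/index.php/apps/oauth2/authorize?{query}"


def make_poster(base_url: str, client_id: str, client_secret: str) -> Poster:
    """Real token-endpoint poster using only the standard library (assumed URL)."""
    token_url = f"{base_url.rstrip('/')}/index.php/apps/oauth2/api/v1/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

    def post(form: Dict[str, str]) -> Dict[str, object]:
        req = urllib.request.Request(
            token_url,
            data=urllib.parse.urlencode(form).encode(),
            headers={"Authorization": f"Basic {basic}",
                     "Content-Type": "application/x-www-form-urlencoded"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return post


def _store_response(store: TokenStore, body: Dict[str, object], now: float) -> None:
    store.access_token = str(body["access_token"])
    # A rotated refresh token replaces the old one; otherwise keep the old one.
    store.refresh_token = str(body.get("refresh_token") or store.refresh_token)
    # Treat the token as expired 60 s early to absorb clock skew and latency.
    store.expires_at = now + float(body.get("expires_in", 3600)) - 60


def redeem_code(store: TokenStore, post: Poster, code: str,
                redirect_uri: str, now: Optional[float] = None) -> str:
    """Step 5 of the report: exchange the authorization code exactly once."""
    now = time.time() if now is None else now
    body = post({"grant_type": "authorization_code", "code": code,
                 "redirect_uri": redirect_uri})
    _store_response(store, body, now)
    return store.access_token


def get_access_token(store: TokenStore, post: Poster,
                     now: Optional[float] = None) -> str:
    """Return a usable access token without re-running the code flow.

    Order: cached token still valid -> refresh_token grant -> raise
    NeedsAuthorization, the only case in which the authorize page must be
    shown again (e.g. after the user logged out, as the maintainer notes).
    """
    now = time.time() if now is None else now
    if store.access_token and now < store.expires_at:
        return store.access_token
    if store.refresh_token:
        body = post({"grant_type": "refresh_token",
                     "refresh_token": store.refresh_token})
        _store_response(store, body, now)
        return store.access_token
    raise NeedsAuthorization("no refresh token cached; run the code flow again")
```

Persist the TokenStore (for example in the OS keyring) between runs; a client that discards it and opens `build_authorize_url(...)` on every start is exactly the behaviour reported in this issue.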