owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

[QA] autoprovisioning from keycloak causes internal server error during very first login when there is no picture #273

Closed jnweiger closed 1 year ago

jnweiger commented 1 year ago

Seen with openidconnect Version: 2.1.1 and server 10.11.0

The keycloak realm has user kcarol with these entries: [image]

owncloud has this oidc.config.php

$CONFIG = [
  'openid-connect' => [
    'provider-url' => 'https://keycloak-XXXXXXXXXXXXXXXXXXXXX/realms/owncloud.works',
    'client-id' => 'YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY',
    'client-secret' => 'XXXXXXXXXXXXXXXXXXXXXXXx',
    'loginButtonName' => 'Keycloak OIDC',
    'auto-provision' => [
      // explicitly enable the auto provisioning mode
      'enabled' => true,
      // documentation about standard claims: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
      // the mode to search for user in ownCloud - either userid or email
      'mode' => 'email',
      // only relevant in userid mode,  defines the claim which holds the email of the user
      'email-claim' => 'email',
      // defines the claim which holds the display name of the user
      'display-name-claim' => 'name',   // family_name, given_name, email, preferred_username
      // defines the claim which holds the picture of the user - must be a URL
      'picture-claim' => 'picture',
      // defines a list of groups to which the newly created user will be added automatically
      'groups' => ['keycloak'],         // nonexistent owncloud-groups are silently ignored.
      'update' => [
        // update user account info with current information provided by the OpenID Connect provider upon each log in.
        'enabled' => true,              // FIXME: changed display-name-claim from 'given_name' to 'name', logout login kalice, nothing changes.
      ],
    ],
  ],
];

When user kcarol tries to log in at owncloud via the 'Kopano OIDC' button:

Expected behaviour:

The server log has:

{"reqId":"Y5tU6aYw6Co@Thp91F1jPgAAAAo","level":1,"time":"2022-12-15T17:10:02+00:00","remoteAddr":"46.114.208.167","user":"--","app":"no app in context","method":"GET","url":"\/index.php\/apps\/openidconnect\/redirect?state=eab0944528f2242cc1dc22b62c50c1fe&session_state=01e6c617-ab5e-47b7-978c-197fbc749808&code=36361ba0-91d2-4b16-83c4-e97164d6e59e.01e6c617-ab5e-47b7-978c-197fbc749808.972ff3ed-f06e-4211-b381-5bb7181585ac","message":"Creating new account with UID carol@example.com and backend OC\\User\\Database"}
{"reqId":"Y5tU6aYw6Co@Thp91F1jPgAAAAo","level":3,"time":"2022-12-15T17:10:02+00:00","remoteAddr":"46.114.208.167","user":"--","app":"PHP","method":"GET","url":"\/index.php\/apps\/openidconnect\/redirect?state=eab0944528f2242cc1dc22b62c50c1fe&session_state=01e6c617-ab5e-47b7-978c-197fbc749808&code=36361ba0-91d2-4b16-83c4-e97164d6e59e.01e6c617-ab5e-47b7-978c-197fbc749808.972ff3ed-f06e-4211-b381-5bb7181585ac","message":"Undefined property: stdClass::$picture at \/var\/www\/owncloud\/apps\/openidconnect\/lib\/Service\/AutoProvisioningService.php#132"}
{"reqId":"Y5tU6aYw6Co@Thp91F1jPgAAAAo","level":3,"time":"2022-12-15T17:10:02+00:00","remoteAddr":"46.114.208.167","user":"--","app":"index","method":"GET","url":"\/index.php\/apps\/openidconnect\/redirect?state=eab0944528f2242cc1dc22b62c50c1fe&session_state=01e6c617-ab5e-47b7-978c-197fbc749808&code=36361ba0-91d2-4b16-83c4-e97164d6e59e.01e6c617-ab5e-47b7-978c-197fbc749808.972ff3ed-f06e-4211-b381-5bb7181585ac","message":"Exception: {\"Exception\":\"TypeError\",\"Message\":\"Argument 1 passed to OCA\\\\OpenIdConnect\\\\Service\\\\AutoProvisioningService::downloadPicture() must be of the type string, null given, called in \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Service\\\/AutoProvisioningService.php on line 134\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Service\\\/AutoProvisioningService.php(134): OCA\\\\OpenIdConnect\\\\Service\\\\AutoProvisioningService->downloadPicture()\\n#1 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Service\\\/UserLookupService.php(79): OCA\\\\OpenIdConnect\\\\Service\\\\AutoProvisioningService->createUser()\\n#2 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Controller\\\/LoginFlowController.php(143): OCA\\\\OpenIdConnect\\\\Service\\\\UserLookupService->lookupUser()\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(170): OCA\\\\OpenIdConnect\\\\Controller\\\\LoginFlowController->login(*** sensitive parameters replaced ***)\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(89): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController()\\n#5 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(100): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch()\\n#6 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main()\\n#7 
\\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Route\\\/Router.php(344): OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke()\\n#8 \\\/var\\\/www\\\/owncloud\\\/lib\\\/base.php(914): OC\\\\Route\\\\Router->match()\\n#9 \\\/var\\\/www\\\/owncloud\\\/index.php(54): OC::handleRequest()\\n#10 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Service\\\/AutoProvisioningService.php\",\"Line\":162}"}
{"reqId":"8U8qtzDqnZYKieMBmWnT","level":1,"time":"2022-12-15T17:10:02+00:00","remoteAddr":"","user":"--","app":"cron","method":"--","url":"--","message":"Invalidating tokens older than 2022-12-15T16:50:02+00:00"}

jnweiger commented 1 year ago

No such error occurs with user kdave, who has a manually added picture attribute in keycloak. [image]

DeepDiver1975 commented 1 year ago

\/var\/www\/owncloud\/apps\/openidconnect\/lib\/Service\/AutoProvisioningService.php#132

https://github.com/owncloud/openidconnect/blob/06ed95de8dcf6dc95d9abd581157a7683f9b788d/lib/Service/AutoProvisioningService.php#L132

does not match

owncloud\\/apps\\/openidconnect\\/lib\\/Service\\/AutoProvisioningService.php on line 134

https://github.com/owncloud/openidconnect/blob/06ed95de8dcf6dc95d9abd581157a7683f9b788d/lib/Service/AutoProvisioningService.php#L134

same - does not fit

DeepDiver1975 commented 1 year ago

fixed in 2.2.0

jnweiger commented 1 year ago

Confirmed fixed in 2.2.0-rc.6
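
The failure reported in this thread comes from reading an optional OIDC claim as if the provider always sent it. As an added example (not the app's code and not the change shipped in 2.2.0), one way to treat the configured picture claim as optional and validate it before any download; the helper names and the sample userinfo objects are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the openidconnect app): read an optional
 * claim from the userinfo object without touching an undefined property.
 */
function optionalClaim(\stdClass $userInfo, ?string $claim): ?string {
    if ($claim === null || $claim === '' || !isset($userInfo->$claim)) {
        return null;                       // claim not configured or not sent
    }
    $value = $userInfo->$claim;
    return (\is_string($value) && \trim($value) !== '') ? \trim($value) : null;
}

/**
 * Hypothetical helper: accept the picture claim only when it is an
 * absolute http(s) URL, since the server is about to fetch it.
 */
function pictureUrlOrNull(\stdClass $userInfo, ?string $claim): ?string {
    $url = optionalClaim($userInfo, $claim);
    if ($url === null || \filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = \strtolower((string)\parse_url($url, PHP_URL_SCHEME));
    return \in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Constructed userinfo responses mirroring the two users in the report:
// kcarol has no picture attribute, kdave has one.
$kcarol = (object)['email' => 'carol@example.com', 'name' => 'Carol'];
$kdave  = (object)['email' => 'dave@example.com', 'name' => 'Dave',
                   'picture' => 'https://idp.example.com/avatars/dave.png'];

foreach (['kcarol' => $kcarol, 'kdave' => $kdave] as $uid => $info) {
    $picture = pictureUrlOrNull($info, 'picture');
    if ($picture === null) {
        // Provisioning continues; the avatar step is simply skipped.
        echo "$uid: no usable picture claim, account created without avatar\n";
        continue;
    }
    echo "$uid: would download avatar from $picture\n";
}
```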