[QA] 'mode' parameter unclear, does not work as documented

[jnweiger]

Seen with openidconnect 2.2.0-rc.6, core 10.11.0 and keycloak idp

$CONFIG = [
  'openid-connect' => [
    'provider-url'    => 'https://XXXXXXXXXXXXXXXXXXXXXX/realms/owncloud.works',
    'client-id'       => 'YYYYYYYYYYYYYYYYYYYYYYY',
    'client-secret'   => 'ZZZZZZZZZZZZZZZZZZZZZ',
    'loginButtonName' => 'Keycloak OIDC',
    // 'mode' => 'email',  // causes a not-unique-error.
    'auto-provision'  => [
      // explicit enable the auto provisioning mode
      'enabled' => true,
      // documentation about standard claims: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
      // mode: This is the attribute in the owncloud accounts table to search for users. The default value is email. The alternative value is: userid.
      'mode' => 'email',
      // only relevant in userid mode,  defines the claim which holds the email of the user
      'email-claim' => 'email',
      // defines the claim which holds the display name of the user
      'display-name-claim' => 'name',   // family_name, given_name, email, preferred_username
      'update' => [
        // update user account info with current information provided by the OpenID Connect provider upon each log in.
        'enabled' => true,
      ],
    ],
  ],
];

• With this config, users can log in. Note that the mode attribute was used inside the auto-proivsion section.
• When adding mode => email outside of the auto-provision section, an error occurs during login:

• The documentation has examples, showing the mode attribute only outside of auto-provision
  • https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/kopano-setup.html
  • https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/ms-azure-setup.html
  • https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/onelogin-setup.html
• The documentation claims that mode => email is the default.
  • https://doc.owncloud.com/server/next/admin_manual/configuration/server/config_apps_sample_php_parameters.html#app-openid-connect-oidc

Expected behaviour:

• Adding the mode attribute, where the docs mention it, and with its default value should not change anything.
• (bonus: @mmattel Given the growing popularity, documentaiton should have an example for keycloak too)

[DeepDiver1975]

• When adding mode => email outside of the auto-provision section, an error occurs during login:

Works as designed - you are having multiple users with the same email address in DB.

[DeepDiver1975]

Having different values for mode in auto-provision and outside is kind of non-sense. This needs to be changed - mode is only reasonable in the root config and applies to auto-provision automatically....

[jnweiger]

Are you saying, that email is not really the default then? I never used mode = userid, so I expect that the implicit default of 'email' behaves identical than an explicit setting of 'email'.

[DeepDiver1975]

I expect that the implicit default of 'email' behaves identical than an explicit setting of 'email'.

it has the same behavior.

• setup a fresh instance with openid and use default mode
• create two users with the same email address
• try to login -> see error as above

[DeepDiver1975]

having a second look at the current code base: there is no mode within auto-provision ....

rest works as designed -> close