owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

[QA] user information not always updated when update enabled = true #278

Closed jnweiger closed 1 year ago

jnweiger commented 1 year ago

Seen with openidconnect 2.2.0-rc.6, core 10.11.0 and keycloak idp

$CONFIG = [
  'openid-connect' => [
    'provider-url'    => 'https://XXXXXXXXXXXXXXXXXXXXXX/realms/owncloud.works',
    'client-id'       => 'YYYYYYYYYYYYYYYYYYYYYYY',
    'client-secret'   => 'ZZZZZZZZZZZZZZZZZZZZZ',
    'loginButtonName' => 'Keycloak OIDC',
    'auto-provision'  => [
      // explicit enable the auto provisioning mode
      'enabled' => true,
      // documentation about standard claims: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
      // mode: This is the attribute in the owncloud accounts table to search for users. The default value is email. The alternative value is: userid.
      'mode' => 'email',
      // only relevant in userid mode,  defines the claim which holds the email of the user
      'email-claim' => 'email',
      // defines the claim which holds the display name of the user
      'display-name-claim' => 'name',   // family_name, given_name, email, preferred_username
      'update' => [
        // update user account info with current information provided by the OpenID Connect provider upon each log in.
        'enabled' => true,
      ],
    ],
  ],
];

Expected behaviour:

DeepDiver1975 commented 1 year ago
> • when the URL of the avatar changes, the new image should get loaded. (Deleting the image in ownCloud does not help.)

not yet implemented .... only email and displayname can be changed

> • when the 'display-name-claim' gets changed, we should also update the display name to reflect the new value.

should work - needs analysis

DeepDiver1975 commented 1 year ago

> should work - needs analysis

just tested -> works

DeepDiver1975 commented 1 year ago

The problem with updating the avatar is finding out whether the avatar has changed. Downloading the avatar on each login is quite expensive. And depending on the service which is hosting the picture we might need to implement different mechanisms: e.g. on GitHub the avatar URL of a user is always the same - we would need to store the ETag and compare the value with the previously stored ETag.

I vote to document the limitations and close this issue .....
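The ETag comparison described in the comment above, sketched as an added example; it is not code from the openidconnect app or from any participant in this thread. The `refreshAvatar` function, the `$fetch` helper shape, the stand-in host and the URL are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether a remote avatar must be re-downloaded, using a conditional GET.
 * $fetch is a hypothetical HTTP helper: fn(string $url, array $headers): array
 * returning ['status' => int, 'headers' => array<string,string>, 'body' => string].
 */
function refreshAvatar(string $url, ?string $storedEtag, callable $fetch): array
{
    $unchanged = ['changed' => false, 'etag' => $storedEtag, 'image' => null];

    // Send the ETag saved at the previous login, if there is one.
    $headers = $storedEtag !== null ? ['If-None-Match' => $storedEtag] : [];
    $res = $fetch($url, $headers);

    // 304: the host confirms the stored ETag is current and sent no body.
    // Any other non-200 status: keep the existing avatar instead of dropping it.
    if ($res['status'] !== 200) {
        return $unchanged;
    }

    // Header names are case-insensitive; normalise before the lookup.
    $h = array_change_key_case($res['headers'], CASE_LOWER);
    $etag = $h['etag'] ?? null;

    // Some hosts ignore If-None-Match and answer 200 with the same ETag.
    if ($etag !== null && $etag === $storedEtag) {
        return $unchanged;
    }
    // New or missing ETag: treat the image as changed and store the new value.
    return ['changed' => true, 'etag' => $etag, 'image' => $res['body']];
}

// Constructed stand-in for an avatar host, so the example runs offline.
$fakeHost = function (string $url, array $headers): array {
    $current = '"v2"';
    if (($headers['If-None-Match'] ?? null) === $current) {
        return ['status' => 304, 'headers' => ['ETag' => $current], 'body' => ''];
    }
    return ['status' => 200, 'headers' => ['ETag' => $current], 'body' => 'PNG-BYTES'];
};

$url = 'https://avatars.example.test/u/1'; // constructed URL
foreach ([null, '"v1"', '"v2"'] as $stored) {
    $r = refreshAvatar($url, $stored, $fakeHost);
    printf("stored=%s changed=%s\n", $stored ?? 'none', $r['changed'] ? 'yes' : 'no');
}
```

A host that sends no ETag at all makes every login look like a change, which is the per-service difference the comment points out.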

DeepDiver1975 commented 1 year ago

@mmattel please add to docs: auto provisioning will only set the profile picture upon account creation, due to the technical limitations explained above, for the time being. THX