Invalid Request to OpenID Connect provider

[hostirosti]

The request body of the authorization call sent to the google oauth2 api is invalid. And appears invalid to the OpenConnect spec as well.

It is setting display to 'ownCloud' which is an invalid value with Google OpenID Connect. Allowed values are: page, popup, touch, and wap

The value is set here:

client/src/libsync/creds/oauth.cpp

Line 447 in 0b67e0c

{ QStringLiteral("display"), Theme::instance()->appNameGUI() } });

[TheOneRing]

Huh your right.

[hostirosti]

Thank you for the quick fix :)

[jnweiger]

Tested with server 10.6, openidconnect-2.0.0rc1 with kopano konnect.

A 'display' parameter is not found in the logs during normal login. However, by provoking a permission denied, the parameter is there.

• connect client, initial sync starts.
• account -> logout; account -> login
• at the kopano page, choose a different user, and log him in.
• a "Wrong user" error is shown, and the client log exposes the protocol contents:

testpilotcloud-client 2.7.5 RC2:

01-28 15:25:38:109 [ warning sync.credentials.oauth ]:  We expected the user "aaliyah_beer" but the server answered with user "aaliyah_abernathy"
01-28 15:25:38:109 [ debug sync.credentials.oauth ]     [ OCC::httpReplyAndClose ]:     "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html; charset=utf-8\r\nConnection: close\r\nContent-Length: 774\r\n\r\n<h1>Wrong user</h1><p>You logged-in with user <em>aaliyah_abernathy</em>, but must login with user <em>aaliyah_beer</em>.<br>Please log out of ownCloud Testpilot Edition in another tab, then <a href='https://konnect.XXXXXXXXXXXXXXXXXXXXXX.works/signin/v1/identifier/_/authorize?response_type=code&client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69&redirect_uri=http://localhost:36011&code_challenge=GTpdparZc1j9zKvflZ3v1TJ1EFq90hthMuCfq672cFE&code_challenge_method=S256&scope=openid%20offline_access%20email%20profile&prompt=select_account%20consent&state=XXXXXXXXXXXXXXXXXXXXXPbFRLvcYpb6CTlvQ%3D&display=ownCloud%20Testpilot%20Edition&login_hint=aaliyah_beer&user=aaliyah_beer'>click here</a> and log in as user aaliyah_beer</p>"

testpilotcloud-client 2.7.5 RC4:

01-28 15:28:06:980 [ warning sync.credentials.oauth ]:  We expected the user "aaliyah_beer" but the server answered with user "aaliyah_abernathy"
01-28 15:28:06:980 [ debug sync.credentials.oauth ]     [ OCC::httpReplyAndClose ]:     "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html; charset=utf-8\r\nConnection: close\r\nContent-Length: 735\r\n\r\n<h1>Wrong user</h1><p>You logged-in with user <em>aaliyah_abernathy</em>, but must login with user <em>aaliyah_beer</em>.<br>Please log out of ownCloud Testpilot Edition in another tab, then <a href='https://konnect.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.works/signin/v1/identifier/_/authorize?response_type=code&client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69&redirect_uri=http://localhost:32951&code_challenge=XXXXXXXXXXXXXXXXXXXXXXuSxX4&code_challenge_method=S256&scope=openid%20offline_access%20email%20profile&prompt=select_account%20consent&state=lhZD6sVYu2uT6k5iRU4YcsxcBNCOtT79d9cEJ-LzJ_s%3D&login_hint=aaliyah_beer&user=aaliyah_beer'>click here</a> and log in as user aaliyah_beer</p>"

Confirmed fixed.
The 'display' parameter is no longer there, so complaints about invalid values are no longer possible.