Client: [OAuth2] When opening the browser for authentication, the account wizard displays no content and allows forward navigation

Created on 2 Jun 2017 · 8Comments · Source: owncloud/client

Relates to: https://github.com/owncloud/client/issues/5811

Steps to reproduce

Use the URL of a server with OAuth app active in the account wizard.
Clicking on the tray icon brings back the wizard with no content but the navigation buttons

If next > is selected, wizard will take you to next page where it fails to connect but create the local sync folder.
If Skip folders configuration is selected next without authenticating in the browser, a _userless_ account will be created (i.e. @<server.tld> on the account tab, etc.)

Expected behavior

[x] Display a spinner or some other component to inform the user that an action is required (maybe also a button to relaunch the browser in case it was closed by mistake)
[ ] Still offer the "Application Password" option as a fallback from OAuth.

[x] Change the behavior of the buttons:
- Cancel: will close the wizard and discard the account creation (e.g. if the user forgot the password and wants to stop the action for good)
- Back will allow to go back to wizard's first page to change the URL in case of mistake.

cc/ @ogoffart

Design & UX ReadyToTest bug p1-urgent p2-high

Source

SamuAlfageme

Most helpful comment

I can't imagine a use case, where Application Password is required instead of OAuth2. Fallback for what? I would propose to drop this. @SamuAlfageme ?

Do you know if this will be server configurable to force OAuth and block Application Password?

@Emil-G This is not the right repository for the server-side implementation. Needs to be addressed in https://github.com/owncloud/oauth2 or can be discussed on https://central.owncloud.org/ .

michaelstingl on 9 Jun 2017

👍2

All 8 comments

I'm thinking this should be higher priority, maybe even mandatory for 2.4.0
What do you think @pmaier1 @ogoffart @tomneedham @lukebier @joneug ?

guruz on 7 Jun 2017

👍2

I agree!

joneug on 7 Jun 2017

"Still offer the "Application Password" option as a fallback from OAuth." - Do you know if this will be server configurable to force OAuth and block Application Password?

Emil-G on 9 Jun 2017

I can't imagine a use case, where Application Password is required instead of OAuth2. Fallback for what? I would propose to drop this. @SamuAlfageme ?

Do you know if this will be server configurable to force OAuth and block Application Password?

@Emil-G This is not the right repository for the server-side implementation. Needs to be addressed in https://github.com/owncloud/oauth2 or can be discussed on https://central.owncloud.org/ .

michaelstingl on 9 Jun 2017

👍2

Status with @ogoffart's tweaks: https://github.com/owncloud/client/pull/5825:

As for the

Still offer the "Application Password" option as a fallback from OAuth.

I can't imagine a use case, where Application Password is required instead of OAuth2. Fallback for what?

You're right. I agree we could drop the application password support for the client and restrict it's use to authenticate with WebDAV clients (see this 2FA use-case example) or other software that does not implement all auth methods we currently support.

However, If and only if the server announces and supports basic auth. as well, we could temporarily offer support for it as fallback for the OAuth application malfunctioning to avoid the user being locked out of his account. As said, as a temporary solution until the OAuth workflow is reliable enough to wrap all authentication flows, when it'd not only be prioritized, but the only method if the server supports it.

SamuAlfageme on 12 Jun 2017

Some more error handling requested by @SamuAlfageme : https://github.com/owncloud/client/pull/5668#issuecomment-307722242

guruz on 12 Jun 2017

yes, this issue might confuse users and this is important since we need it for SAML scenarios: p1