[FEATURE] OIDC Dynamic Client Registration

[abelgardep]

Implements #3054
Needs owncloud/android-library#367

---

QA

Test plan: https://github.com/owncloud/QA/blob/master/Mobile/Android/Release_2.17/Dynamic%20Client%20Registration.md

Bugs & improvements:

• (1) Register endpoint not called, with OIDC + oC10 [FEATURE] OIDC Dynamic Client Registration #3073 (comment) [WONT FIX HERE]

[jesmrec]

(1) [WONT FIX HERE]

1. Set a server with OIDC + oC10 and DCR
2. Enter the URL and credentials

Current:

Credentials are accepted but finally, the process finishes with no success. Checking the request flow, i realised that the register endpoint is not requested, so the final token request is done with the default client_id instead of the dynamic one.

Expected:

Authentication correct

Google Pixel 2, Android11
Emulator Nexus 5X Android8
commit 12d336a6

NOTE: server to test: https://oc-10-6-0.oidc-2-0-0rc1-20210128.jw-qa.owncloud.works

[abelgardep]

About (1)

I have checked the problem and this is what's happening. Taking into account that you are using some kind of proxy.

1. Once you introduce this URL: oc-10-6-0.oidc-2-0-0rc1-20210128.jw-qa.owncloud.works/ you are asked to accept the untrusted certificate. Then you accept and you can move forward.
2. Then we perform a discovery request, and we receive this registration endpoint: https://konnect.oidc-2-0-0rc1-20210128.jw-qa.owncloud.works/konnect/v1/register
3. We try to ask the registration endpoint, but it is not trusted, so a certificate exception is triggered, and the client is not registered.
4. Since client registration failed, we use the hardcoded client id, and we perform the token request to https://konnect.oidc-2-0-0rc1-20210128.jw-qa.owncloud.works/signin/v1/identifier/_/authorize but it fails again because the certificate is not trusted.

So, conclusion:
Checking it with trusted certificates, it won't fail and you are able to log in properly.
If you trust the initial server, and the other endpoints in the discovery request are in the same trusted server (for example ocis.owncloud.works), then you are able to log in.

Important: Reproducible in master when trying to exchange tokens

[jesmrec]

thanks for the explanation @abelgardep. That means that (1) is not a problem of DCR itself, and also not a problem in this branch, so it will be addressed and prioritized in a separate issue.

[jesmrec]

About this issue, several regards.

• As OIDC Dynamic Client Registration expiry hinders OIDC token refresh openidconnect#142, client_id expires and does not renew. This leads to a non-authorized status after the first token renewal since the client_id has expired. Known issue to be fixed in the idP side.

• If the idP is hosted under a non-secured machine or certificate, user will not be warned to accept the cert (as the initial URL does) and finally, the default client_id and secret_id will be used, pointing to error because the expected ones are the dynamic ones. This is a collateral-effect, that will be managed in Unable to login when an external iDP has self-signed certs #3109. (Report (1) above )

• This known problem: [BUG] Re-sign snackbar appears (sometimes) after token renewal #3107 was detected and reproduced while testing this feature.

• The main feature is checking the discovery endpoint, and in case register is included, get the client_id and secret_id from them. This is correctly achieved

Taking these issues in account, we can move this forward