Upgrade Shibboleth accounts to use OAuth2 if server supports it #6198

Closed
SamuAlfageme opened this issue Nov 28, 2017 · 8 comments

Labels
Enhancement ReadyToTest QA, please validate the fix/enhancement

@SamuAlfageme
Contributor

SamuAlfageme commented Nov 28, 2017

Following the discussion in #6135 (comment)

Now I'm wondering whether we should be able to upgrade shibboleth accounts to use oauth? Currently we allow switching between basic and oauth depending on what the server supports, but shib accounts will always use shibboleth.

and

Since one of the long term plans after supporting OAuth2 in the client is to drop the QtWebkit dependency (and therefore shibboleth accounts), I'd say this would happen sooner or later, so might as well be in the near future.

Plan could be:

  1. Release a version (2.5?) that does support both methods and upgrades Shib. to OAuth in case server supports it.
  2. Next version (2.6?) would only support OAuth and Basic auth, dropping support for QtWebkit and handling Shibboleth servers via OAuth wrapper: https://github.com/owncloud/oauth2/wiki/OAuth-code-Flow-Sequence-Diagram

cc/ @michaelstingl @pmaier1 as interested parties

@guruz
Contributor

guruz commented Nov 28, 2017

Yep, I think 2) this is the plan we discussed in May 2017 in NBG :)
For 1) I don't know technically how this could work, but maybe @ogoffart does.

@michaelstingl
Contributor

2.6-ish sounds like a good plan…

@ogoffart
Contributor

Currently (2.4) the client already supports both shibboleth and oauth; however, if the server supports shibboleth, shibboleth takes precedence. Note that the fact that shibboleth is used is stored in the settings, and therefore if the server stops using shibboleth, the existing configuration would stop working.

So the migration could be:

  1. A server is now supporting shibboleth
  2. The server starts using both shibboleth and oauth (is that even possible?); old clients still use shibboleth.
  3. Future clients are built without shibboleth support and are only using oauth
  4. When all clients have upgraded to a version not using shibboleth, the server can stop supporting shibboleth.

Ideally, we would not store the authentication mechanism in the config, and just dynamically find out. But that's an intrusive change in the authentication code which may break shibboleth, and I'm not so keen on doing that. But it can be done.

@ckamm
Contributor

ckamm commented Nov 29, 2017

@ogoffart Minor correction: @SamuAlfageme convinced me that OAuth2 > Shib > Basic for 2.4. See DetermineAuthJob::checkBothDone.

So we will prefer to set up new accounts to use OAuth2, but as you say: existing Shibboleth accounts won't be changed currently.

@ckamm ckamm added this to the 2.5.0 milestone Nov 29, 2017
ogoffart added a commit that referenced this issue Dec 1, 2017
If the server support both Shibboleth and OAuth2, upgrades to OAuth2

Issue #6198
@ogoffart
Contributor

ogoffart commented Dec 1, 2017

See PR #6207 which will change the config if the server supports OAuth2
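
The precedence and upgrade rules discussed in this thread, sketched as an added example (not code from the ownCloud client or from PR #6207). All type and function names are hypothetical, and letting Basic and OAuth2 accounts follow the server is an assumption based on the "switching between basic and oauth" remark in the issue text.

```cpp
#include <cstdio>

// Hypothetical model of the rules discussed in this thread; not client code.
enum class Auth { Basic, Shibboleth, OAuth2 };
enum class Action { Keep, Switch, StaleConfig };

struct ServerCaps { bool oauth2; bool shibboleth; };  // result of probing the server
struct Decision { Action action; Auth use; };

// New accounts: OAuth2 > Shibboleth > Basic, the precedence stated for 2.4.
Auth pickForNewAccount(ServerCaps caps) {
    if (caps.oauth2) return Auth::OAuth2;
    if (caps.shibboleth) return Auth::Shibboleth;
    return Auth::Basic;
}

// Existing accounts: compare the method stored in the settings with the probe.
Decision reevaluate(Auth stored, ServerCaps caps) {
    if (stored == Auth::Shibboleth) {
        if (caps.oauth2) return {Action::Switch, Auth::OAuth2};  // the upgrade
        if (caps.shibboleth) return {Action::Keep, Auth::Shibboleth};
        // Server dropped Shibboleth and offers no OAuth2: the stored method
        // matches nothing the server accepts (the failure case described above).
        return {Action::StaleConfig, Auth::Shibboleth};
    }
    // Assumption: Basic and OAuth2 accounts follow what the server supports.
    Auth wanted = caps.oauth2 ? Auth::OAuth2 : Auth::Basic;
    return {wanted == stored ? Action::Keep : Action::Switch, wanted};
}

static const char *name(Action a) {
    switch (a) {
    case Action::Keep: return "keep";
    case Action::Switch: return "switch";
    default: return "stale config";
    }
}

int main() {
    // Constructed server states walking through the migration steps above.
    const ServerCaps shibOnly{false, true}, both{true, true}, neither{false, false};
    std::printf("shib account, shib-only server: %s\n", name(reevaluate(Auth::Shibboleth, shibOnly).action));
    std::printf("shib account, shib+oauth2:      %s\n", name(reevaluate(Auth::Shibboleth, both).action));
    std::printf("shib account, shib removed:     %s\n", name(reevaluate(Auth::Shibboleth, neither).action));
    return 0;
}
```
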

ogoffart added a commit that referenced this issue Dec 4, 2017
If the server support both Shibboleth and OAuth2, upgrades to OAuth2

Issue #6198
@guruz
Contributor

guruz commented Dec 4, 2017

@ogoffart So this is all in 2.4 actually?

@guruz guruz modified the milestones: 2.5.0, 2.4.0 Dec 4, 2017
@guruz guruz added the ReadyToTest QA, please validate the fix/enhancement label Dec 4, 2017
@SamuAlfageme
Contributor Author

I'll wait for owncloud-archive/documentation#3456 to have some instructions on how to properly set up a shib-wrapped-in-oauth environment to test this out.

@guruz
Contributor

guruz commented Feb 8, 2018

Closing for now, if this still matters it needs to be 2.4.1

6 participants