Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[QA] 2.1.1 Testplan #210

Closed
jnweiger opened this issue Feb 25, 2022 · 4 comments
Closed

[QA] 2.1.1 Testplan #210

jnweiger opened this issue Feb 25, 2022 · 4 comments

Comments

@jnweiger
Copy link
Contributor

jnweiger commented Feb 25, 2022
edited
Loading

Setup

Setup details (click to view)

Automated setup script: https://github.com/owncloud/QA/tools/hetzner-deploy/deploy_openidconnect_test.sh

Template: https://github.com/owncloud/QA/blob/master/Server/Test_Plan_openidconnect.md

References:

Testplan

Test Case Description Expected Result Comments
Installation
Fresh install occ app:enable openidconnect app gets enabled ✔️
Fresh install disable/enable via admin web gui app gets disabled/enabled ✔️
Update from 1.0.0 disable, unpack new tar, enable via admin web gui app gets enabled ✔️ occ upgrade is needed. #135
User flow
Correct OIDC URL Set a correct OIDC URL Connection set to the URL ✔️ as per INIT.bashrc
Enter correct iDP credentials 1. Set a correct OIDC URL
2. Enter correct credentials		 Authorization is requested ✔️
Authorization Authorize permissions and session iDP finishes web browser and redirects to the client ✔️
Cancel login process 1. Set a correct OIDC URL
2. In iDP, cancel login process
 Back to client ✔️ Error in OpenIdConnect:Error: access_denied Description: consent denied - Does not work with Azure -> #214
Logout 1. Complete login process in a OIDC server
2. Logout in the idP		 Session logged out. Needed credentials again to enter the account ✔️ Stranded at kopano-url. Azure does a proper redirect to the owncloud login page.
Request flow
Check openid-configuration request Enter an URL of OIDC server The .well-known /openid-configuration endpoint must be checked to assure availability of OIDC. Response received ✔️
register endpoint available In case the server supports Dynamic Client Registration, register endpoint is requested Client id and secret id (not mandatory) is retrieved 🚧
idP flow Enter credentials in iDP The logon endpoint is requested after entering credentials
The authorize endpoint is requested after authorizing		 🚧 /signin/v1/chooseaccount
/signin/v1/identifier
/signin/v1/consent
http://localhost:44155/
idP flow with dynamic client registration Enter credentials in iDP The logon endpoint is requested after entering credentials
The authorize endpoint is requested after authorizing using client id and secret id granted by register endpoint
Redirection Authorize session in idP Web browser redirects correctly to the client and with session opened ✔️
Token Renewal Wait till session time is exceed token endoint is requested with refresh token to get a new token. This must be transparent for the client ⛔ : 01-22 09:10:46:385 [ info sync.httplogger ]: ... "expires_in": 600\n}\n]"
01-22 09:21:03:624 [ info sync.credentials.http ]: Refreshing token
01-22 09:21:03:759 [ info sync.httplogger ]: ... Request: POST ... /konnect/v1/token -> owncloud/client#9490
ClientId/SecretiD renewal Wait till clientId/SecretId granted by register endpoint, expire New ClientId/SecretId must be granted to request new tokens 🚧 renewal seen after 10 minutes. See log example below #132 (comment)
Migration
Basic -> OIDC 1. Login in basic auth server
2. Enable maintenance mode and upgrade to OIDC
3. add 'token_auth_enforced' => true to config.php
4. Disable maintenance mode		 Client shows and error and user must re-authenticate against new OIDC 🚧 Server replied "599" after 30 sec.; see also #136
OAuth2 -> OIDC 1. Login in OAuth2 server
2. Enable maintenance mode and upgrade to OIDC
3. Disable maintenance mode		 Token not valid anymore, and user must re-authenticate against new OIDC 🚧 Unclear expectations: #66 (comment)
OAuth2 -> OIDC + OAuth2 1. Login in OAuth2 server
2. Enable maintenance mode and upgrade to OIDC, keeping Oauth2 enabled
3. Disable maintenance mode		 Token is valid anymore. Must re-authenticate to start using OIDC 🚧

Android

After releasing 2.16, authentication library will be replaced for a custom implementation. Tests here will be done with such implementation as well

Actually, Android does not support Dynamic Client Registration yet.

Openidconnect: 2.x.x
Device: Google Pixel 2
Android version: 11

Test Case Description Expected Result Comments
User flow
Correct OIDC URL Set a correct OIDC URL Connection set to the URL 2.16: 🚧
New: 🚧
Enter correct iDP credentials 1. Set a correct OIDC URL
2. Enter correct credentials		 Authorization is requested 2.16: 🚧
New: 🚧
Authorization Authorize permissions and session iDP finishes web browser and redirects to the client 2.16: 🚧
New: 🚧
Cancel login process 1. Set a correct OIDC URL
2. In iDP, cancel login process
 Back to client 2.16: 🚧
New: 🚧
Logout 1. Complete login process in a OIDC server
2. Logout in the idP		 Session logged out. Needed credentials again to enter the account NA
Request flow
Check openid-configuration request Enter an URL of OIDC server The .well-known /openid-configuration endpoint must be checked to assure availability of OIDC. Response received 2.16: 🚧
New: 🚧
register endpoint available In case the server supports Dynamic Client Registration, register endpoint is requested Client id and secret id (not mandatory) is retrieved NA Android does not support yet
idP flow Enter credentials in iDP The logon endpoint is requested after entering credentials
The authorize endpoint is requested after authorizing		 2.16: 🚧
New: 🚧
idP flow with dynamic client registration Enter credentials in iDP The logon endpoint is requested after entering credentials
The authorize endpoint is requested after authorizing using client id and secret id granted by register endpoint		 NA Android does not support yet
Redirection Authorize session in idP Web browser redirects correctly to the client and with session opened 2.16: 🚧
New: 🚧
Renewal Wait till session time is exceed token endoint is requested with refresh token to get a new token. This must be transparent for the client 2.16: 🚧
New: 🚧
ClientId/SecretId renewal Wait till clientId/SecretId granted by register endpoint, expire New ClientId/SecretId must be granted to request new tokens NA Android does not support yet
Migration
Basic -> OIDC 1. Login in basic auth server
2. Enable maintenance mode and upgrade to OIDC
3. Disable maintenance mode
4. Force re-login		 User must re-authenticate against new OIDC 2.16 🚧
New: 🚧
OAuth2 -> OIDC 1. Login in OAuth2 server
2. Enable maintenance mode and upgrade to OIDC
3. Disable maintenance mode		 Token not valid anymore, and user must re-authenticate against new OIDC 2.16 🚧
New 🚧
OAuth2 -> OIDC + OAuth2 1. Login in OAuth2 server
2. Enable maintenance mode and upgrade to OIDC, keeping Oauth2 enabled
3. Disable maintenance mode		 Token is not valid anymore. Must re-authenticate to start using OIDC 2.16 🚧
New: 🚧

Smoke test: 2.16 🚧 New 🚧

iOS

Openidconnect: 2.x.x
Device: iPhoneXR
iOS version: 14.2

Tested with the current stable 11.4.5 and the new one 11.5, including Dynamic Client Registration

Test Case Description Expected Result Comments
User flow
Correct OIDC URL Set a correct OIDC URL Connection set to the URL 11.4: 🚧
11.5 🚧
Enter correct iDP credentials 1. Set a correct OIDC URL
2. Enter correct credentials		 Authorization is requested 11.4: 🚧
11.5 🚧
Authorization Authorize permissions and session iDP finishes web browser and redirects to the client 11.4: 🚧
11.5 🚧
Cancel login process 1. Set a correct OIDC URL
2. In iDP, cancel login process
 Back to client 11.4: 🚧
11.5 🚧
Logout 1. Complete login process in a OIDC server
2. Logout in the idP		 Session logged out. Needed credentials again to enter the account NA
Request flow
Check openid-configuration request Enter an URL of OIDC server The .well-known /openid-configuration endpoint must be checked to assure availability of OIDC. Response received 11.4: 🚧
11.5 🚧
register endpoint available In case the server supports Dynamic Client Registration, register endpoint is requested Client id and secret id (not mandatory) is retrieved 11.4: NA
11.5 🚧
idP flow Enter credentials in iDP The logon endpoint is requested after entering credentials
The authorize endpoint is requested after authorizing		 11.4: 🚧
11.5 🚧
idP flow with dynamic client registration Enter credentials in iDP The logon endpoint is requested after entering credentials
The authorize endpoint is requested after authorizing using client id and secret id granted by register endpoint		 11.4: NA
11.5 🚧
Redirection Authorize session in idP Web browser redirects correctly to the client and with session opened 11.4: 🚧
11.5 🚧
Renewal Wait till session time is exceed token endpoint is requested with refresh token to get a new token. This must be transparent for the client 11.4:
11.5 🚧
ClientId/SecretId renewal Wait till clientId/SecretId granted by register endpoint, expire New ClientId/SecretId must be granted to request new tokens 11.4: NA
11.5 🚧
Migration
Basic -> OIDC 1. Login in basic auth server
2. Enable maintenance mode and upgrade to OIDC
3. Disable maintenance mode
4. Force re-login		 User must re-authenticate against new OIDC NA Not supported. Link
OAuth2 -> OIDC 1. Login in OAuth2 server
2. Enable maintenance mode and upgrade to OIDC
3. Disable maintenance mode		 Token not valid anymore, and user must re-authenticate against new OIDC 11.4 🚧
11.5 🚧
OAuth2 -> OIDC + OAuth2 1. Login in OAuth2 server
2. Enable maintenance mode and upgrade to OIDC, keeping Oauth2 enabled
3. Disable maintenance mode		 Token is valid anymore. Must re-authenticate to start using OIDC 11.4: 🚧
11.5 🚧
@jnweiger jnweiger mentioned this issue Feb 25, 2022
Closed
42 tasks
@jnweiger
Copy link
Contributor Author

jnweiger commented Feb 28, 2022
edited
Loading

Changelog Testing

@jesmrec
Copy link

jesmrec commented Mar 9, 2022

From my side this is OK, basic authentication flows work fine in both Android and iOS.

As reminder, there are two features that are not available (at least) in mobile clients: token renewal and logout. These are not regressions, it's todo.

@jnweiger
Copy link
Contributor Author

jnweiger commented Mar 9, 2022

That completes the needed QA here. No blocker findings. Expect a release tomorrow.

@jnweiger
Copy link
Contributor Author

Release done.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jnweiger @jesmrec