fix(oauth2): retain support for legacy ownCloud clients

[st3iny]

• Resolves: None

Summary

This brings back support for legacy ownCloud clients in Nextcloud. They will continue to work seamlessly even when the OAuth authentication mode (default) is used.

How to test?

1. Set up an ownCloud instance.
2. Connect an ownCloud desktop client to it.
3. Export all oauth2 tables oc_oauth2_access_tokens, oc_oauth2_refresh_tokens and oc_oauth2_clients to a Nextcloud instance.
4. Reset all oauth2 migrations on Nextcloud.
5. Trigger all oauth2 migrations and repair the instance: occ migrations:migrate oauth2 && occ maintenance:repair
6. Shut down the ownCloud desktop client.
7. Point the domain of ownCloud to the Nextcloud instance.
8. Start the ownCloud desktop client.

Case 1 (best): Refresh token is retained (default)

Observe that the client will continue to work seamlessly. No prompt to login again.

Case 2 (worst): Refresh token is lost

(This case can be forced manually by removing relevant access token from the oc_oauth2_access_tokens table. Alternatively, you can just log out and in again in the ownCloud desktop client manually.)

1. Follow the login flow to re-authenticate the ownCloud desktop client.

Observe that the the flow succeeds and the client is able to sync again.

TODO

• Extract $enableOcClientSupport into a system/app config (currently hard-coded)
• Think about importing legacy clients on instances which were already migrated (occ command makes sense) -> they were deleted by default during the migration
• Add hint to occ command that it is only required on servers that were migrated without the patch and the system config

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)

[ChristophWurst]

Makes sense! I did not test the full migration

[julien-nc]

LGTM.

Just to be sure i get it:
occ oauth2:import-legacy-oc-client CLIENT_ID CLIENT_SECRET creates a client. We know we can do this after the Owncloud repair step has been executed because it has deleted the clients that have oc://* as redirect uri. Right?

I guess my question is: Is it necessary to run the occ oauth2:import-legacy-oc-client in all scenarios or only in specific ones? In which case it would be good to add details in the command description.

[st3iny]

I guess my question is: Is it necessary to run the occ oauth2:import-legacy-oc-client in all scenarios or only in specific ones? In which case it would be good to add details in the command description.

Only if the server has been migrated before this patch was applied or if the system config was not enabled before the migration. In those scenarios, the client was deleted from the table during the migration and has to be added manually via the new occ command. Otherwise, if the config was set and the patch was applied before the migration, the client will be retained and the command is not required to be run.

Good point, I'll add this as a hint to the command's description.