Errors when attempting to exchange authorisation code for access token using OAuth2 flow

Expected behaviour

I work for ResearchSpace, which supplies the Electronic Lab Notebook software ‘RSpace’. One feature of RSpace is that it lets researchers link to their data files on ownCloud via the OAuth2 plugin.

RSpace is a web-based system; users access it from a browser. The authentication flow is standard OAuth2:

  • Users are logged into RSpace and click a button to connect to ownCloud

  • The browser redirects to the ownCloud login page, where the user grants RSpace access to their ownCloud files

  • RSpace uses the authorisation code grant flow: the RSpace server exchanges the authorisation code for access tokens, which it stores and uses for API calls to ownCloud to view and browse files. In the browser we use the https://github.com/owncloud/owncloud-sdk JavaScript client to make the requests that display ownCloud files in a simple tree view.

We have tested the RSpace-ownCloud integration internally by setting up an ownCloud instance running v10.4.1, using the Bitnami ownCloud Stack for AWS. As I understand it, this is a plain, ‘vanilla’ installation. It works out of the box, and we can link to files in it from our RSpace application using the configuration and flow described above.

Actual behaviour

However, when our customer attempts to connect to their own ownCloud installation, there is an error response when trying to exchange the authorisation code for an access token.

This is logged by RSpace (but the 411 originates from ownCloud):

Server returned HTTP response code: 411 for URL: https://customerowncloud.com/index.php/apps/oauth2/api/v1/token?grant_type=authorization_code&code=8d52dXBRN9VsiOOhrLOyIgyvoNNn3j3TMpk0p4yqnElKVHRZJpRnbvdyCkhERiYD&redirect_uri=https%3A%2F%2Frspace-owncloud-debug.researchspace.com%2Fowncloud%2Fredirect_uri]

411 is the ‘Length Required’ HTTP error: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/411.

We can reproduce this using curl, so it is not an issue with our software:

curl -v -X POST 'https://customerowncloud.com/index.php/apps/oauth2/api/v1/token?grant_type=authorization_code&code=EMGjV5EoxlWRmL53NSjlZIh49tP1bLycz7rEfUZObIGPuVoY0xzgGfgCvVXJkvEY&redirect_uri=https%3A%2F%2Frspace-owncloud-debug.researchspace.com%2Fowncloud%2Fredirect_uri'

If we do set the Content-Length header explicitly, we get an ‘invalid_request’ response from ownCloud.

Request 2 - with Content-Length header

curl -v -X POST -H "Content-Length: 87" 'https://customerowncloud.com/index.php/apps/oauth2/api/v1/token?grant_type=authorization_code&code=EMGjV5EoxlWRmL53NSjlZIh49tP1bLycz7rEfUZObIGPuVoY0xzgGfgCvVXJkvEY&redirect_uri=https%3A%2F%2Frspace-owncloud-debug.researchspace.com%2Fowncloud%2Fredirect_uri%27'

....
> POST /index.php/apps/oauth2/api/v1/token?grant_type=authorization_code&code=EMGjV5EoxlWRmL53NSjlZIh49tP1bLycz7rEfUZObIGPuVoY0xzgGfgCvVXJkvEY&redirect_uri=https%3A%2F%2Frspace-owncloud-debug.researchspace.com%2Fowncloud%2Fredirect_uri HTTP/1.1
> Content-Length: 87
< HTTP/1.1 400 Bad request
< Date: Mon, 20 Jul 2020 16:30:46 GMT
< Server: Apache
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: oc9fcbeece51=0306d15e7bdf208e7b03d321e3c6a216; path=/; secure; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=khxZD5UaYGd5n6mJ8K0f8BZl%2FTpx%2BpsTz4NgE7S9KrJ%2FqiUmWMzQ5W7kUg9e%2FxKZMy9i7yJuHZbUBc8suLLD4EAiYGAF3NToHftPZYIx3TH0H0g25rTXLu1OB39Bpus3; path=/; secure; HttpOnly
< Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
< Content-Length: 27
< X-Clacks-Overhead: GNU Terry Pratchett
< X-Hostname: owncloud-2.sync-n-......
< Connection: close
< Content-Type: application/json; charset=utf-8
<
* Closing connection 0
* TLSv1.3 (OUT), TLS Unknown, Unknown (21):
* TLSv1.3 (OUT), TLS alert, Client hello (1):
{"error":"invalid_request"}

Our customer’s sysadmin sent us ownCloud logs that show an ‘undefined index’ error. Is this a bug? Is there some way the URL should be crafted differently?

Many thanks for any tips or pointers on how to configure ownCloud so that this works, which I can pass on to the customer’s ownCloud administrator, or on whether we as a client are using the OAuth2 flow incorrectly somehow.

/index.php/apps/oauth2/api/v1/token?grant_type=authorization_code&code=Flt55Vu89LxVyYL7sqEjHbeI1L2VDbg0AOcm4gdmNZSHHHtnY3ea8GtfRrhnAMjS&redirect_uri=https%3A%2F%2Frspace-owncloud-debug.researchspace.com%2Fowncloud%2Fredirect_uri] Undefined index: PHP_AUTH_PW at /var/www/owncloud/apps/oauth2/lib/Controller/OAuthApiController.php#114
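For comparison, this added example (not RSpace's or ownCloud's code) shows the same code-for-token exchange built the way RFC 6749 describes it: grant_type, code and redirect_uri form-encoded in the POST body rather than the query string, and the client id and secret in an HTTP Basic Authorization header, which is the header PHP exposes as PHP_AUTH_USER/PHP_AUTH_PW. The token URL, redirect URI, client credentials and code are constructed placeholders.

```python
"""Added example: the authorization-code token exchange with the parameters
form-encoded in the POST body and the client credentials in an HTTP Basic
Authorization header (RFC 6749 sections 4.1.3 and 2.3.1)."""
import base64
import json
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed placeholders; not the customer's real host, client or code.
TOKEN_URL = "https://customerowncloud.example/index.php/apps/oauth2/api/v1/token"
REDIRECT_URI = "https://rspace-owncloud-debug.researchspace.com/owncloud/redirect_uri"


def build_token_request(token_url, code, redirect_uri, client_id, client_secret):
    """Return (url, headers, body) for the code-for-token exchange.

    The URL carries no query string on purpose: the failing requests above put
    grant_type/code/redirect_uri in the URL and sent no body, which the server
    answered with 411 (no Content-Length) and, once a bare Content-Length was
    supplied, with 400 invalid_request."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    headers = {
        # HTTP Basic auth is what PHP surfaces as PHP_AUTH_USER / PHP_AUTH_PW.
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
    }
    return token_url, headers, body


def query_to_body(failing_url):
    """Split a token URL that carries the parameters in its query string (as in
    the curl reproduction) into the bare endpoint and the decoded parameters."""
    parts = urlsplit(failing_url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return parts._replace(query="").geturl(), params


def exchange_code(code, client_id, client_secret, token_url=TOKEN_URL,
                  redirect_uri=REDIRECT_URI, timeout=10):
    """Perform the exchange over the network and return the parsed JSON reply."""
    url, headers, body = build_token_request(token_url, code, redirect_uri,
                                             client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

query_to_body is handy for turning one of the failing URLs from the log into the body that build_token_request would send instead.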

Server configuration

Operating system:
Debian Stable (10.3)
Web server:
Apache 2.4.38
Database:
Server version: 5.6.41-84.1-56 Percona XtraDB Cluster (GPL), Release rel84.1, Revision 16f8eb4, WSREP version 28.28, wsrep_28.28
PHP version:
PHP 7.3.19-1~deb10u1 (cli) (built: Jul 5 2020 06:46:45) ( NTS )

ownCloud version: (see ownCloud admin page)
10.4.1.3
Updated from an older ownCloud or fresh install:
Upgraded (since 8.something or even older)
Where did you install ownCloud from:
unknown
Signing status (ownCloud 9.0 and above):
unknown

Log in as an admin user to your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

I can’t answer many of the other questions as I don’t have access to the ownCloud server; I am only a developer of a client application for ownCloud.

Client configuration

Browser: Safari and Firefox, or curl

Operating system:
MacOSX Catalina or Ubuntu LTS18