Tracking testing results for OAuth2 for 0.4.2RC3

[davitol]

OAuth2 app Test Plan

https://github.com/owncloud/QA/blob/master/Server/Test_Plan_OAuth2.md

This aims to be a client-agnostic testplan for the OAuth2 application, centered in the actions available in the webUI and/or occ commands and their impact on ownCloud's core behavior. To test the application from a client standpoint see:

• Desktop Sync client: OAuth2 Desktop Client's integration testplan QA#473
• Mobile client: OAuth2 QA#474

Testing functionality

Test Case	Expected Result	Result	Related Comment
CLI commands
Enable OAuth2 app via CLI using occ app:enable oauth2	- The apps gets enabled - Replies from the WebDAV endpoint includes a new WWW-Authenticate: Bearer... header	✅
Disable OAuth2 app via CLI using occ app:disable oauth2	- The apps gets disabled - Previously mentioned header goes away in further requests	✅
Registered Clients
Default clients	The default Registered clients are included among the "Settings > Admin > User Authentication" OAuth 2.0: Registered Clients	✅	See #38 for the default values
Register new Client	64-character-length client_id and client_secret are generated together with a (optional) Client Name and a (required) Redirection URL	✅	Cannot add OAuth 2.0 new clients using 0.4.1.RC1 version
Remove a Client	- Confirmation dialog is prompted before removal - All client sessions opened from those clients get removed	✅
Unregistered Clients
Authentication flow from an unregistered client	Unsuccessful Authorization Request	⚙️	Browser displays the "Request not valid" screen.
Authorized Applications
Login with a Registered Client	The Client Name is displayed amongst the "Personal > Security" OAuth 2.0 Authorized Applications	⚙️
Session Revocation (i.e. delete Authorized Application)	All the sessions opened in the clients are revoked and must be re-authorized	⚙️
User Account Handling
Password change	Open sessions are revoked and new credentials must be used in further login attempts	✅
Authorization Flow
Successful Authorization Request without any session open in the browser	Login form with an additional informative note about the application requesting access to ownCloud is displayed	⚙️
Successful Authorization Request with a valid session in the browser	The "Authorize" screen is displayed	⚙️
Successful Authorization Request in a browser with a different user logged in	The "Switch User" screen is displayed, allowing to modify the current session	⚙️	See use of the additional user parameter in: #67
Failed attempt in the authorization login form	The query parameters for the Authorization Request are preserved in next attempts	⚙️	See original issue in: owncloud/core#28129
Relevant Smoke Tests
Unauthenticated Actions: Public File Drop	Files get uploaded normally	✅	See #100

[davitol]

Changelog for 0.4.2.RC1

• Handle refresh token of a disabled user - #225 @davitol Test steps: Check tokens are not delete from oc_oauth2_refresh_tokens and oc_oauth2_access_tokens tables when the user is disabled
• Use a WHATWG URL spec compliant URL parser - see https://url.spec.wha… - #229 @davitol Test steps: https://github.com/owncloud/oauth2/pull/229/files#diff-fad0d456588098d41eab37bd92adfc9cR44
• Remove back button from error page, add logging and return proper err… - #220 @davitol Test steps: check the error page and the log is spotted. No back button on error page
• Check user status - #209 @HanaGemela

[davitol]

Issues found while QA

• Cannot add OAuth 2.0 new clients using 0.4.1.RC1 version Cannot add OAuth 2.0 new clients using 0.4.1.RC1 version #232 @davitol Fixed in RC2. Vendor folder was added.
• Don't fail if the client was already added Don't fail if the client was already added #234
• If authrorization fails, the page is reloading over and over again If authrorization fails, the page is reloading over and over again #233