
fix(auth): use two-step Murena OIDC flow

Summary

This merge request implements a client-side workaround for the Keycloak 26 / offline session regression affecting Murena login from Account Manager.

The Murena OIDC flow is now split into two browser-based authorization code flows:

  1. first request openid profile email to create the online/browser session in /e/ Browser
  2. then request openid profile email offline_access to retrieve the final durable AuthState used by Account Manager

This keeps the existing AppAuth + Custom Tabs approach, but avoids asking offline_access in the first flow.

Implementation details

  • add a Murena-specific auth flow stage helper to track whether we are creating the online session or requesting offline access
  • initialize the Murena login flow in ONLINE_SESSION stage from EeloAuthenticatorFragment
  • propagate the Murena auth stage and username hint through the AppAuth redirect callback intent
  • allow passing an explicit scope when starting the OpenID authorization request
  • after the first Murena callback, immediately launch the second flow with offline_access
  • only proceed with account creation after the second flow completes successfully

Why

Keycloak 26.x no longer preserves the previous behavior where requesting offline_access also resulted in a reusable online/browser session. The goal of this patch is to preserve both outcomes client-side:

  • a browser session usable by /e/ Browser / Workspace
  • an offline-capable auth state for Account Manager

Validation

  • added unit tests for the Murena scope selection helper
  • full Gradle validation is currently blocked in this workspace because local.properties does not contain the required email.key property

new user

(Before / After images)

existing user

For this problem to be fixed for existing users:

  • either they will have to log in in the Browser
  • or they will have to log out and log in again from Account Manager

Related to https://gitlab.e.foundation/e/os/backlog/-/work_items/4188
Related to https://gitlab.e.foundation/e/infra/backlog/-/work_items/5391

Edited by Romain Hunault
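
The stage handling listed under "Implementation details", as an added example in plain Kotlin (not the merge request's code): the stage value carried through the redirect callback is treated as untrusted, any error stops the sequence, and account creation is reached only after the second flow. All identifiers are hypothetical, and the granted-scope check is an assumption of this example rather than something the description states.

```kotlin
// Added illustration; every name here is hypothetical, not the project's identifiers.
enum class MurenaAuthStage { ONLINE_SESSION, OFFLINE_ACCESS }

private const val BASE_SCOPE = "openid profile email"

/** Scope to request per stage; offline_access appears only in the second flow. */
fun scopeFor(stage: MurenaAuthStage): String = when (stage) {
    MurenaAuthStage.ONLINE_SESSION -> BASE_SCOPE
    MurenaAuthStage.OFFLINE_ACCESS -> "$BASE_SCOPE offline_access"
}

sealed interface NextStep {
    data class StartFlow(val stage: MurenaAuthStage, val scope: String, val loginHint: String?) : NextStep
    object CreateAccount : NextStep
    data class Abort(val reason: String) : NextStep
}

/**
 * Decide what to do when a redirect callback arrives.
 * stageExtra:   stage name carried through the callback intent (untrusted string)
 * error:        OAuth error from the response, or null on success
 * grantedScope: scope from the token response; null means "same as requested" (RFC 6749 s5.1)
 */
fun onCallback(stageExtra: String?, error: String?, grantedScope: String?, loginHint: String?): NextStep {
    // Fail closed on a missing or unrecognised stage instead of defaulting to one.
    val stage = MurenaAuthStage.values().firstOrNull { it.name == stageExtra }
        ?: return NextStep.Abort("unknown stage: $stageExtra")
    if (error != null) return NextStep.Abort("$stage failed: $error")
    return when (stage) {
        // First flow done: the browser session exists, now ask for offline_access.
        MurenaAuthStage.ONLINE_SESSION ->
            NextStep.StartFlow(MurenaAuthStage.OFFLINE_ACCESS, scopeFor(MurenaAuthStage.OFFLINE_ACCESS), loginHint)
        // Second flow done: create the account only if offline_access was actually granted.
        MurenaAuthStage.OFFLINE_ACCESS -> {
            val granted = (grantedScope ?: scopeFor(stage)).split(' ').filter { it.isNotEmpty() }
            if ("offline_access" in granted) NextStep.CreateAccount
            else NextStep.Abort("offline_access not granted")
        }
    }
}

fun main() {
    // Constructed callbacks, in the order a successful login would produce them.
    println(onCallback("ONLINE_SESSION", null, null, "user@example.org"))
    println(onCallback("OFFLINE_ACCESS", null, "openid profile email offline_access", "user@example.org"))
    // Constructed failure cases: missing stage, user cancelled, scope dropped by the server.
    println(onCallback(null, null, null, null))
    println(onCallback("ONLINE_SESSION", "access_denied", null, null))
    println(onCallback("OFFLINE_ACCESS", null, "openid profile email", null))
}
```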
