Shibboleth accounts don't need the credentials to log in after wiping its keychain entry

[SamuAlfageme]

Found while testing #5408

Steps to reproduce:

1. Login with a valid shibb account and sync your files
2. Remove keychain entry for the account
3. Restart the client, it asks for shibb credentials
4. Input a different but valid account
5. An error is displayed (see the one for the http://testshib.org down). Close it.
6. Click Log in in the account view
7. Account is logged back without entering the credentials again

I assume wiping the keychain entry is not enough to force log out and the client is using some session token to login back again, but then, why it asks for the credentials, if they're not needed?

---

Edit: Error in step 5 is indeed only displayed when both accounts were previously set and you input the credentials for the wrong one, otherwise you get the usual:

Made a screencast explaining this particular issue: https://webmshare.com/play/dEwbv

---

Also, I'm only seeing one entry in the keychain for all the shibboleth accounts. When a shibb account is removed, is this entry updated stripping the right _shibsession_?

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/41048267-shibboleth-accounts-don-t-need-the-credentials-to-log-in-after-wiping-its-keychain-entry?utm_campaign=plugin&utm_content=tracker%2F216457&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F216457&utm_medium=issues&utm_source=github).

[guruz]

Which version?

[SamuAlfageme]

@guruz Version 2.3.0-nightly20170116 (build 3970)

[ckamm]

Putting into 2.3 since it's a surprising auth-related issue.

[ckamm]

Can reproduce:

1. For the same shib server, configure two account.
2. Log out of one, log in, enter credentials for the other, wrong one.
3. Close the error that pops up.
4. Click "Log in" again. Now the account is logged in with the wrong credentials, syncing to the wrong account.

This potentially messes up user data.

[ckamm]

The problem is that both shib accounts use the exact same keychain entry for their cookies.

[ckamm]

Pull request: #5486

[SamuAlfageme]

@ckamm yes, that was my final concern in the original issue:

Also, I'm only seeing one entry in the keychain for all the shibboleth accounts. When a shibb account is removed, is this entry updated stripping the right shibsession?

[SamuAlfageme]

Looking good 😎, have to run some more tests but the whole behavior seems fixed.

[guruz]

The code looks good, however I believe it would still clash if you sync the SAME CREDENTIALS with TWO OWNCLOUD CLIENT ACCOUNTS right?

[guruz]

Still fine IMHO.