Add oauth code flow support #4704
Conversation
|
@LukasReschke, thanks for your PR! By analyzing the history of the files in this pull request, we identified @ChristophWurst, @icewind1991 and @blizzz to be potential reviewers. |
| * @return TemplateResponse | ||
| */ | ||
| public function showAuthPickerPage() { | ||
| if($this->userSession->isLoggedIn()) { |
There was a problem hiding this comment.
What we should do instead here is that at least one of the following conditions is met:
- Verify that a valid client identifier is given
- Verify that the request contains a
OCS-APIRequest: trueHTTP header
If none of those are fulfilled show an error page.
| @@ -720,15 +720,15 @@ private function validateToken($token, $user = null) { | |||
| */ | |||
| public function tryTokenLogin(IRequest $request) { | |||
| $authHeader = $request->getHeader('Authorization'); | |||
| if (strpos($authHeader, 'token ') === false) { | |||
There was a problem hiding this comment.
Wasn't used before by any client and didn't even work via WebDAV so that change should be fine :)
cc @ChristophWurst fyi :)
| \OC_Util::setupFS($user); | ||
| $this->currentUser = $user; | ||
| $this->session->close(); | ||
| return [true, $this->principalPrefix . $user]; |
There was a problem hiding this comment.
This return is a huge mess and copied code from below. Basically if we just call tryTokenLogin then it would lead into the code path to parent::check and there it checks if a Basic Auth header is set. None is set and thus SabreDAV throws an exception. We should clean this up.
| $token, | ||
| $this->userSession->getUser()->getUID(), | ||
| $uid, | ||
| $loginName, | ||
| $password, | ||
| $this->getClientName(), |
There was a problem hiding this comment.
This should use the name of the OAuth application just like https://github.com/nextcloud/server/pull/4704/files#diff-652646310472be421d6b80289b907cb8R160 has.
schiessle
force-pushed
the
add-oauth-code-flow-support
branch
3 times, most recently
from
5f80b53 to
fb72698
Compare
Codecov Report
@@ Coverage Diff @@
## master #4704 +/- ##
============================================
+ Coverage 54.2% 54.23% +0.03%
- Complexity 22195 22228 +33
============================================
Files 1367 1378 +11
Lines 84876 85142 +266
Branches 1322 1322
============================================
+ Hits 46003 46179 +176
- Misses 38873 38963 +90
|
schiessle
force-pushed
the
add-oauth-code-flow-support
branch
3 times, most recently
from
a8fdf43 to
cd02164
Compare
|
@LukasReschke How to move this forward? |
|
Rebased upon master. Will continue tonight. THX a lot already, @schiessle 🚀 |
LukasReschke
force-pushed
the
add-oauth-code-flow-support
branch
from
cd02164 to
49a6eb1
Compare
schiessle
force-pushed
the
add-oauth-code-flow-support
branch
2 times, most recently
from
40886b0 to
44f4b2c
Compare
| @@ -58,8 +58,8 @@ protected function setUp() { | |||
|
|
|||
| private function resetDatabase() { | |||
| $qb = $this->dbConnection->getQueryBuilder(); | |||
| $qb->delete('authtoken')->execute(); | |||
| $qb->insert('authtoken')->values([ | |||
| $qb->delete('AuthToken')->execute(); | |||
There was a problem hiding this comment.
Renaming this breaks as databases tend to be case sensitive 😉
cc @schiessle – will revert the renaming.
|
|
||
| if(!$this->userSession->isLoggedIn()) { | ||
| $this->userSession->tryTokenLogin($this->request); | ||
| } |
There was a problem hiding this comment.
Ah no... tryTokenLogin might log the user in...
There was a problem hiding this comment.
Yep. 🙈 – We don't have a method where I can just pass the token and login and so as a short-term solution I thought of just abusing this behaviour 😉
| ], | ||
| [ | ||
| 'name' => 'Settings#deleteClient', | ||
| 'url' => '/clients/{id}/delete', |
There was a problem hiding this comment.
uhm... why not a DELETE to /clients/{id} ?
| $client->setSecret($this->secureRandom->generate(64, self::validChars)); | ||
| $client->setClientIdentifier($this->secureRandom->generate(64, self::validChars)); | ||
| $this->clientMapper->insert($client); | ||
| return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security')); |
There was a problem hiding this comment.
Why this redirect magic and not just AJAX calls?
There was a problem hiding this comment.
Yeah. JS isn't mine and @schiessle most preferred activity. Let's adjust that in the future :)
| @@ -25,6 +25,9 @@ | |||
| use OC\Authentication\Exceptions\PasswordlessTokenException; | |||
| use OC\Authentication\Token\IProvider; | |||
| use OC\Authentication\Token\IToken; | |||
| use OCA\OAuth2\Db\AccessToken; | |||
| use OCA\OAuth2\Db\AccessTokenMapper; | |||
| use OCA\OAuth2\Db\ClientMapper; | |||
There was a problem hiding this comment.
I get why. But I'm really not a fan of this hard app dependency.
We should think how we can make this somewhat modular in the future. Just so we have a clear defined interface between the two.
There was a problem hiding this comment.
👍 – Yes. We need to think how to solve that better in the future.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
LukasReschke
force-pushed
the
add-oauth-code-flow-support
branch
from
f4ddd43 to
e34942f
Compare
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
LukasReschke
force-pushed
the
add-oauth-code-flow-support
branch
from
0e5dbf8 to
ba7b6bd
Compare
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
LukasReschke
added
3. to review
LukasReschke
changed the title
|
Will there be documentation for the endpoints? |
This adds the OAuth Code Flow support to our existing code base.
One example is the Moodle plugin from https://pssl16.github.io/.
TODOs:
I added an app "oauth2", however, our regular login flow in core depends on that app now. This should really be more structured.=> Ignore for now…Authorizationheader by default. Our.htaccessfixes that but this means that currently this only works when Apache is instructed to not strip the header. Might be good enough though. But if someone can investigate on this: awesome 🚀oauthStateto the session so that somebody isn't accidentally copying the URL to other users and thus disclosing it.Known Issues