extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-21 23:43:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

* Api/Auth/OpenIDConnect: allow to specify which JWT payload attribute to use and a regular expression to extract username from it

Browse Source
This commit is contained in:
ralf 2024-07-19 14:10:32 +02:00
parent d6c8584ae9
commit 1c0719cb7c
4 changed files with 63 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
api/src/Auth/Openidconnect.php
View File

@ -44,32 +44,51 @@ class Openidconnect implements BackendSSO
//error_log(__METHOD__."() session_status()=".session_status().", _SESSION=".json_encode($_SESSION)); //error_log(__METHOD__."() session_status()=".session_status().", _SESSION=".json_encode($_SESSION));
$this->client->authenticate(); $this->client->authenticate();
$account_lid = $this->client->getVerifiedClaims('sub'); // use configured payload attribute / claim, defaulting to "sub"
$attribute = ($GLOBALS['egw_info']['server']['oic_username_attribute'] ?? 'sub');
if ($attribute === 'custom' && !empty($GLOBALS['egw_info']['server']['oic_username_custom']))
{
$attribute = $GLOBALS['egw_info']['server']['oic_username_custom'];
}
$account_lid = $this->client->getVerifiedClaims($attribute);
// extract username with regular expression, if configured and matching
if (!empty($GLOBALS['egw_info']['server']['oic_username_preg']) && preg_match($GLOBALS['egw_info']['server']['oic_username_preg'], $account_lid))
{
$account_lid = preg_replace($GLOBALS['egw_info']['server']['oic_username_preg'], '$1', $account_lid);
}
$accounts = Api\Accounts::getInstance(); $accounts = Api\Accounts::getInstance();
if (!$accounts->name2id($account_lid, 'account_lid', 'u')) if (!$accounts->name2id($account_lid, 'account_lid', 'u'))
{ {
// fail if auto-creation of authenticated users is NOT configured // for attribute="email" check, if we have user with given email
if (empty($GLOBALS['egw_info']['server']['auto_create_acct'])) if ($attribute === 'email' && ($account_id = $accounts->name2id($account_lid, 'account_email', 'u')))
{ {
error_log(__METHOD__."() OpenIDConnect login successful, but user '$account_lid' does NOT exist in EGroupware, AND automatic user creating is disabled!"); $account_lid = Api\Accounts::id2name($account_id);
$_GET['cd'] = lang("OpenIDConnect login successful, but user '%1' does NOT exist in EGroupware, AND automatic user creating is disabled!", $account_lid);
return null;
} }
try { else
$user_info = $this->client->requestUserInfo(); {
$GLOBALS['auto_create_acct'] = [ // fail if auto-creation of authenticated users is NOT configured
'firstname' => $user_info->given_name, if (empty($GLOBALS['egw_info']['server']['auto_create_acct']))
'lastname' => $user_info->family_name, {
'email' => $user_info->email, error_log(__METHOD__."() OpenIDConnect login successful, but user '$account_lid' does NOT exist in EGroupware, AND automatic user creating is disabled!");
// not (yet) used supported keys $_GET['cd'] = lang("OpenIDConnect login successful, but user '%1' does NOT exist in EGroupware, AND automatic user creating is disabled!", $account_lid);
//'primary_group' => '', return null;
//'add_group' => '', }
//'account_id' => 0, try {
]; $user_info = $this->client->requestUserInfo();
} $GLOBALS['auto_create_acct'] = [
catch (OpenIDConnectClientException $e) { 'firstname' => $user_info->given_name,
// do NOT fail, if IdP does not support user-info 'lastname' => $user_info->family_name,
_egw_log_exception($e); 'email' => $user_info->email,
// not (yet) used supported keys
//'primary_group' => '',
//'add_group' => '',
//'account_id' => 0,
];
}
catch (OpenIDConnectClientException $e) {
// do NOT fail, if IdP does not support user-info
_egw_log_exception($e);
}
} }
} }
// return user session // return user session

3
setup/lang/egw_de.lang
View File

@ -218,6 +218,7 @@ current system-charset setup de Aktueller Systemzeichensatz
current system-charset is %1. setup de Aktueller Systemzeichensatz ist %1. current system-charset is %1. setup de Aktueller Systemzeichensatz ist %1.
current version setup de Gegenwärtige Version current version setup de Gegenwärtige Version
currently installed languages: %1 <br /> setup de Gegenwärtig installierte Sprachen: %1 <br> currently installed languages: %1 <br /> setup de Gegenwärtig installierte Sprachen: %1 <br>
custom attribute setup de Benutzerdefiniertes Attribute
custom handler: %1 setup de Eigener Sitzunghandler: %1 custom handler: %1 setup de Eigener Sitzunghandler: %1
custom oid setup de Benutzerdefinierte OID custom oid setup de Benutzerdefinierte OID
custom set via %1 setup de Benutzerdefiniert über "%1" gesetzt custom set via %1 setup de Benutzerdefiniert über "%1" gesetzt
@ -486,6 +487,7 @@ multi-language support setup setup de Mehr-Sprachen Unterstützung einrichten
name for service provider setup de Name des Service Provider / Dienstes name for service provider setup de Name des Service Provider / Dienstes
name of database setup de Name der Datenbank name of database setup de Name der Datenbank
name of db user egroupware uses to connect setup de Name des Datenbank-Benutzers den EGroupware verwendet name of db user egroupware uses to connect setup de Name des Datenbank-Benutzers den EGroupware verwendet
name of jwt payload attribute for username setup de Name des JWT Nutzdaten Attributes für den Benutzername
needs extra configuration on dc and webserver! setup de Benötigt extra Konfiguration auf Domain Controller und Webserver! needs extra configuration on dc and webserver! setup de Benötigt extra Konfiguration auf Domain Controller und Webserver!
never setup de Niemals never setup de Niemals
new setup de Neu new setup de Neu
@ -540,6 +542,7 @@ path to user and group files has to be outside of the webservers document-root!!
path to various directories: have to exist and be writeable by the webserver setup de Pfade zu verschiedenen Verzeichnissen: Diese müssen vorhanden sein und vom Webserver beschreibbar path to various directories: have to exist and be writeable by the webserver setup de Pfade zu verschiedenen Verzeichnissen: Diese müssen vorhanden sein und vom Webserver beschreibbar
pem certificate setup de PEM Zertifikat pem certificate setup de PEM Zertifikat
periodic import from ads or ldap into egroupware database setup de Periodischer Import von ADS oder LDAP in die EGroupware Datenbank periodic import from ads or ldap into egroupware database setup de Periodischer Import von ADS oder LDAP in die EGroupware Datenbank
perl regular expression to extract username setup de Perl Regulärer Ausdruck um Benutzernamen to extrahieren
persistent connections setup de Permanente Verbindungen persistent connections setup de Permanente Verbindungen
php client setup de PHP Client php client setup de PHP Client
php proxy setup de PHP Proxy php proxy setup de PHP Proxy

4
setup/lang/egw_en.lang
View File

@ -218,6 +218,7 @@ current system-charset setup en Current system charset
current system-charset is %1. setup en Current system charset is %1. current system-charset is %1. setup en Current system charset is %1.
current version setup en Current version current version setup en Current version
currently installed languages: %1 <br /> setup en Currently installed languages: %1<br> currently installed languages: %1 <br /> setup en Currently installed languages: %1<br>
custom attribute setup en custom attribute
custom handler: %1 setup en Custom handler: %1 custom handler: %1 setup en Custom handler: %1
custom oid setup en custom OID custom oid setup en custom OID
custom set via %1 setup en Custom set via %1 custom set via %1 setup en Custom set via %1
@ -486,6 +487,7 @@ multi-language support setup setup en Multi language support setup
name for service provider setup en Name for Service Provider name for service provider setup en Name for Service Provider
name of database setup en Name of database name of database setup en Name of database
name of db user egroupware uses to connect setup en Name of db user EGroupware uses to connect name of db user egroupware uses to connect setup en Name of db user EGroupware uses to connect
name of jwt payload attribute for username setup en Name of JWT payload attribute for username
needs extra configuration on dc and webserver! setup en Needs extra configuration on DC and webserver! needs extra configuration on dc and webserver! setup en Needs extra configuration on DC and webserver!
never setup en Never never setup en Never
new setup en New new setup en New
@ -519,6 +521,7 @@ one month setup en One month
one week setup en One week one week setup en One week
only add languages that are not in the database already setup en Only add languages that are not in the database already only add languages that are not in the database already setup en Only add languages that are not in the database already
only add new phrases setup en Only add new phrases only add new phrases setup en Only add new phrases
openidconnect login setup en OpenIDConnect Login
optional, if only authentication and anonymous search is enabled setup en optional, if only authentication AND anonymous search is enabled optional, if only authentication and anonymous search is enabled setup en optional, if only authentication AND anonymous search is enabled
or setup en or or setup en or
or %1continue to the header admin%2 setup en or %1Continue to the Header Admin%2 or %1continue to the header admin%2 setup en or %1Continue to the Header Admin%2
@ -540,6 +543,7 @@ path to user and group files has to be outside of the webservers document-root!!
path to various directories: have to exist and be writeable by the webserver setup en Path to various directories: have to exist and be writable by the web server path to various directories: have to exist and be writeable by the webserver setup en Path to various directories: have to exist and be writable by the web server
pem certificate setup en PEM certificate pem certificate setup en PEM certificate
periodic import from ads or ldap into egroupware database setup en Periodic import from ADS or LDAP into EGroupware database periodic import from ads or ldap into egroupware database setup en Periodic import from ADS or LDAP into EGroupware database
perl regular expression to extract username setup en Perl regular expression to extract username
persistent connections setup en Persistent connections persistent connections setup en Persistent connections
php client setup en PHP client php client setup en PHP client
php proxy setup en PHP proxy php proxy setup en PHP proxy

16
setup/templates/default/config.tpl
View File

@ -493,6 +493,22 @@
<td>{lang_Client_secret}:</td> <td>{lang_Client_secret}:</td>
<td><input type="password" name="newsettings[oic_client_secret]" value="{value_oic_client_secret}" size="40" /></td> <td><input type="password" name="newsettings[oic_client_secret]" value="{value_oic_client_secret}" size="40" /></td>
</tr> </tr>
<tr class="row_on">
<td>{lang_Name_of_JWT_payload_attribute_for_username}:</td>
<td>
<select name="newsettings[oic_username_attribute]">
<option value="sub"{selected_oic_username_sub}>sub ({lang_default})</option>
<option value="prefered_username"{selected_oic_username_prefered_username}>prefered_username</option>
<option value="email"{selected_oic_username_email}>email</option>
<option value="custom"{selected_oic_username_custom}>{lang_custom_attribute}</option>
</select>
<input name="newsettings[oic_username_custom]" value="{value_oic_username_custom}" size="40" placeholder="{lang_custom_attribute}"/>
</td>
</tr>
<tr class="row_off">
<td>{lang_Perl_regular_expression_to_extract_username}</td>
<td><input name="newsettings[oic_username_preg]" value="{value_oic_username_preg}" size="40" placeholder="/^(.*)$/"/></td>
</tr>
<tr class="row_off"> <tr class="row_off">
<td colspan="2">&nbsp;</td> <td colspan="2">&nbsp;</td>