From 21f8a936a027879595db8ab2d3954b3502912a23 Mon Sep 17 00:00:00 2001 From: ralf Date: Sat, 24 Dec 2022 12:12:57 -0600 Subject: [PATCH] WIP OAuth/OpenIDConnect authentication for mail / Office365 mail service Using now https://proxy.egroupware.org/oauth as redirect-url, redirecting to specific EGroupware instance specified in state query parameter
--- api/src/Auth/OpenIDConnectClient.php | 38 ++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/api/src/Auth/OpenIDConnectClient.php b/api/src/Auth/OpenIDConnectClient.php
index 8524724c82..dea7310e2e 100644
--- a/api/src/Auth/OpenIDConnectClient.php
+++ b/api/src/Auth/OpenIDConnectClient.php
@@ -22,15 +22,49 @@ if (!empty($GLOBALS['egw_info']['server']['cookie_samesite_attribute']) && $GLOB
 /**
 * Extended OpenIDConnect client allowing to authenticate via some kind of promise, see authenticateThen method.
+ *
+ * It also uses https://proxy.egroupware.org/oauth as redirect-url to be registered with providers, implemented by the following Nginx location block:
+ *
+ * location /oauth {
+ * if ($arg_state ~ ^(?[^&:%]+)(:|%3a)(?[^&:%]+)(:|%3a)) {
+ * return 302 https://$redirect_host/$redirect_path/api/oauth.php?$args;
+ * }
+ * return 301 https://github.com/EGroupware/egroupware/blob/master/api/src/Auth/OpenIDConnectClient.php;
+ * }
+ *
+ * This redirects requests to a host and path provided additional with the nonce query parameter:
+ * https://proxy.egroupware.org/oauth?state=test.egroupware.org:test:& --> https://test.egroupware.org/egroupware/api/oauth.php?
+ *
+ * @link https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider
 */
 class OpenIDConnectClient extends \Jumbojett\OpenIDConnectClient
 {
+ const EGROUPWARE_OAUTH_PROXY = 'https://proxy.egroupware.org/oauth';
+
 public function __construct($provider_url = null, $client_id = null, $client_secret = null, $issuer = null)
 {
 parent::__construct($provider_url, $client_id, $client_secret, $issuer);
- // set correct redirect URL, which is NOT the current URL, but always /api/oauth.php
- $this->setRedirectURL(Api\Framework::getUrl(Api\Framework::link('/api/oauth.php')));
+ // set https://proxy.egroupware.org/oauth as redirect URL, which redirects to host and path given in nonce parameter plus /api/oauth.php
+ $this->setRedirectURL(self::EGROUPWARE_OAUTH_PROXY);
+ }
+
+ /**
+ * Stores nonce
+ *
+ * Reimplemented to add host and EGroupware path to the state, to allow proxy.egroupware.org to redirect to the correct host
+ *
+ * @param string $state
+ * @return string
+ */
+ protected function setState($state)
+ {
+ // add host and EGroupware path to nonce
+ $state = 
Api\Header\Http::host().':'.
+ (explode('/', parse_url($GLOBALS['egw_info']['server']['webserver_url'] ?: '/', PHP_URL_PATH))[1] ?? '').
+ ':'.$state;
+
+ return parent::setState($state);
 }
 /**
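Review bot: The path appended to the state in setState keeps only the first segment of webserver_url (`explode(...)[1]`), so an instance served at the web root (segment '') or under a nested path produces a state the proxy's `[^&:%]+` capture cannot match, and the quoted location block then answers with the `return 301` to GitHub instead of sending the user back to `/api/oauth.php`; if `Api\Header\Http::host()` can include a port, that host would likewise collide with the `:` delimiter. Consider checking both parts before building the state and failing loudly rather than producing an unroutable login, e.g. `if ($path === '' || str_contains($host, ':')) throw new \InvalidArgumentException('instance host/path not routable via '.self::EGROUPWARE_OAUTH_PROXY);`. Because the redirect URL registered with the provider is now the shared proxy and the proxy forwards the authorization response to whatever host the state names, the provider's redirect_uri check no longer bounds where the code is delivered; the class docblock should state that a host allow-list on the proxy, together with the confidential client secret (or PKCE), is what keeps a code delivered to the wrong host unusable, and that the random part of the state is still compared in full by the parent on the callback. The Nginx snippet in the docblock also appears to have lost its named-capture syntax in rendering: the `return 302` line uses `$redirect_host`/`$redirect_path`, so the `if` presumably reads `(?<redirect_host>[^&:%]+)(:|%3a)(?<redirect_path>[^&:%]+)`.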