* OpenIDConnect: allow to show as button on login page to use together with regular password login

also fix/hack not working social icons and SAML button on login page
2024-11-21 15:33:23 +01:00 · 2024-01-13 12:57:50 +02:00 · 2024-01-13 12:57:50 +02:00 · c6d14a5f6e
commit c6d14a5f6e
parent 684d509d03
8 changed files with 41 additions and 12 deletions
--- a/api/js/login.js
+++ b/api/js/login.js
@ -21,7 +21,8 @@ catch (exception){
 }

 // listen to egw-is-created object to make sure egw object is ready
-document.addEventListener('egw-is-created', function(){
+//document.addEventListener('egw-is-created', function(){
+window.setTimeout(() => {
 	egw_ready.then(function()
 	{
 		jQuery(document).ready(function()
@ -73,9 +74,9 @@ document.addEventListener('egw-is-created', function(){
 				}
 			});
 			// or optional SAML login with a button for a single IdP
-			jQuery('input[type="submit"][name="auth=saml"]').on('click', function(){
+			jQuery('input[type="submit"][name^="auth="]').on('click', function(){
 				this.form.method = 'get';
-				jQuery(this.form).append('<input type="hidden" name="auth" value="saml"/>');
+				jQuery(this.form).append('<input type="hidden" name="auth" value="'+this.name.split('=')[1]+'"/>');
 			});
 			// prefer [Login] button below over maybe existing SAML login button above
 			jQuery('input').on('keypress', function(e)
@ -104,4 +105,4 @@ document.addEventListener('egw-is-created', function(){
 				console.log('Service worker registration failed, error:', error);
 			});
 	}
-});
+}, 500);
--- a/api/setup/setup.inc.php
+++ b/api/setup/setup.inc.php
@ -71,7 +71,7 @@ $setup_info['api']['hooks']['vfs_rmdir'] = 'EGroupware\\Api\\Vfs\\Sharing::vfsUp

 // hook to update SimpleSAMLphp config
 $setup_info['api']['hooks']['setup_config'] = [\EGroupware\Api\Auth\Saml::class.'::setupConfig', \EGroupware\Api\Accounts\Import::class.'::setupConfig'];
-$setup_info['api']['hooks']['login_discovery'] = \EGroupware\Api\Auth\Saml::class.'::discovery';
+$setup_info['api']['hooks']['login_discovery'] = [\EGroupware\Api\Auth\Saml::class.'::discovery', \EGroupware\Api\Auth\Openidconnect::class.'::discovery'];

 // installation checks
 $setup_info['api']['check_install'] = array(
--- a/api/src/Auth.php
+++ b/api/src/Auth.php
@ -178,7 +178,7 @@ class Auth
 			Session::egw_setcookie(Session::EGW_SESSION_NAME, session_id());
 		}

-		$backend = self::backend($type ?? null, false);
+		$backend = self::backend($type ?? null, !empty($type));

 		return $backend instanceof  Auth\BackendSSO ? $backend->login() : null;
 	}
--- a/api/src/Auth/Openidconnect.php
+++ b/api/src/Auth/Openidconnect.php
@ -28,6 +28,9 @@ class Openidconnect implements BackendSSO
 		$this->client = new OpenIDConnectClient($GLOBALS['egw_info']['server']['oic_provider'],
 			$GLOBALS['egw_info']['server']['oic_client_id'],
 			$GLOBALS['egw_info']['server']['oic_client_secret']);
+
+		// add scopes we are processing ('openid' is added automatic)
+		$this->client->addScope(['email', 'profile']);
 	}

 	/**
@ -53,9 +56,9 @@ class Openidconnect implements BackendSSO
 				try {
 					$user_info = $this->client->requestUserInfo();
 					$GLOBALS['auto_create_acct'] = [
-						'firstname' => $user_info['given_name'],
-						'lastname' => $user_info['family_name'],
-						'email' => $user_info['email'],
+						'firstname' => $user_info->given_name,
+						'lastname' => $user_info->family_name,
+						'email' => $user_info->email,
 						// not (yet) used supported keys
 						//'primary_group' => '',
 						//'add_group' => '',
@ -77,6 +80,22 @@ class Openidconnect implements BackendSSO
 		}
 	}

+	/**
+	 * Display a IdP selection / discovery
+	 *
+	 * Will be displayed if IdP(s) are added in setup and a discovery label is specified.
+	 *
+	 * @return string|null html to display in login page or null to disable the selection
+	 */
+	static public function discovery()
+	{
+		if (empty($GLOBALS['egw_info']['server']['openidconnect_discovery']))
+		{
+			return null;
+		}
+		return Api\Html::input('auth=openidconnect', $GLOBALS['egw_info']['server']['openidconnect_discovery'], 'submit', 'formmethod="get"');
+	}
+
 	/**
 	 * Logout SSO system
 	 */
--- a/api/src/Framework/Login.php
+++ b/api/src/Framework/Login.php
@ -86,7 +86,10 @@ class Login
 		$discovery = '';
 		foreach(Api\Hooks::process('login_discovery', [], true) as $app => $data)
 		{
-			if (!empty($data)) $discovery .= $data;
+			foreach((array)$data as $d)
+			{
+				if (!empty($d)) $discovery .= $d;
+			}
 		}
 		if (!empty($discovery))
 		{
@ -437,4 +440,4 @@ class Login
 				return htmlspecialchars($code);
 		}
 	}
-}
+}
--- a/setup/lang/egw_de.lang
+++ b/setup/lang/egw_de.lang
@ -523,6 +523,7 @@ optional, if only authentication and anonymous search is enabled	setup	de	option
 or	setup	de	oder
 or %1continue to the header admin%2	setup	de	oder %1mit der Headerverwaltung weiter machen%2
 or http://webdav.domain.com (webdav)	setup	de	oder http://webdav.domain.com (für WebDAV)
+or leave empty and select openidconnect as authentication type above for single sign on	setup	de	oder leer lassen und für SingleSignOn oberhalb OpenIDConnect als Art der Authentifizierung auswählen
 or leave empty and select saml as authentication type above for single sign on	setup	de	oder leer lassen und für SingleSignOn oberhalb SAML als Art der Authentifizierung auswählen
 or we can attempt to create the database for you:	setup	de	Oder wir können versuchen die Datenbank für Sie anzulegen:
 or you can install a previous backup.	setup	de	Oder Sie können eine vorherige Datensicherung installieren.
--- a/setup/lang/egw_en.lang
+++ b/setup/lang/egw_en.lang
@ -523,6 +523,7 @@ optional, if only authentication and anonymous search is enabled	setup	en	option
 or	setup	en	or
 or %1continue to the header admin%2	setup	en	or %1Continue to the Header Admin%2
 or http://webdav.domain.com (webdav)	setup	en	or http://webdav.domain.com (WebDAV)
+or leave empty and select openidconnect as authentication type above for single sign on	setup	en	or leave empty and select OpenIDConnect as authentication type above for single sign on
 or leave empty and select saml as authentication type above for single sign on	setup	en	or leave empty and select SAML as authentication type above for single sign on
 or we can attempt to create the database for you:	setup	en	Or attempt to create the database:
 or you can install a previous backup.	setup	en	Or install a previous backup.
--- a/setup/templates/default/config.tpl
+++ b/setup/templates/default/config.tpl
@ -274,7 +274,7 @@

   <tr class="row_off">
    <td>{lang_Add_auto-created_users_to_this_group_('Default'_will_be_attempted_if_this_is_empty.)}:</td>
-    <td><input name="newsettings[default_group_lid]" value="{value_default_group_lid}" /></td>
+    <td><input name="newsettings[default_group_lid]" value="{value_default_group_lid}" placeholder="Default" /></td>
   </tr>

   <tr class="row_on">
@ -476,6 +476,10 @@
        {lang_EGroupware's_callback_URL_is_the_one_of_the_login_page}: <a href="{value_webserver_url}/login.php">{lang_Callback_URL}</a>
    </td>
   </tr>
+   <tr class="row_on">
+    <td>{lang_Label_to_display_as_option_on_login_page}:<br/>{lang_or_leave_empty_and_select_OpenIDConnect_as_authentication_type_above_for_single_sign_on}</td>
+    <td><input name="newsettings[openidconnect_discovery]" placeholder="{lang_OpenIDConnect_Login}" value="{value_openidconnect_discovery}" size="20" /></td>
+   </tr>
   <tr class="row_off">
     <td>{lang_URL_of_the_IdP_(without_path)}:</td>
     <td><input name="newsettings[oic_provider]" value="{value_oic_provider}" size="80" /></td>