From c6d14a5f6e1400b052e55d56ffc7d53648a0e48b Mon Sep 17 00:00:00 2001 From: ralf Date: Sat, 13 Jan 2024 12:57:50 +0200 Subject: [PATCH] * OpenIDConnect: allow to show as button on login page to use together with regular password login also fix/hack not working social icons and SAML button on login page --- api/js/login.js | 9 +++++---- api/setup/setup.inc.php | 2 +- api/src/Auth.php | 2 +- api/src/Auth/Openidconnect.php | 25 ++++++++++++++++++++++--- api/src/Framework/Login.php | 7 +++++-- setup/lang/egw_de.lang | 1 + setup/lang/egw_en.lang | 1 + setup/templates/default/config.tpl | 6 +++++- 8 files changed, 41 insertions(+), 12 deletions(-) diff --git a/api/js/login.js b/api/js/login.js index 13727da62a..ed42029160 100644 --- a/api/js/login.js +++ b/api/js/login.js @@ -21,7 +21,8 @@ catch (exception){ } // listen to egw-is-created object to make sure egw object is ready -document.addEventListener('egw-is-created', function(){ +//document.addEventListener('egw-is-created', function(){ +window.setTimeout(() => { egw_ready.then(function() { jQuery(document).ready(function() @@ -73,9 +74,9 @@ document.addEventListener('egw-is-created', function(){ } }); // or optional SAML login with a button for a single IdP - jQuery('input[type="submit"][name="auth=saml"]').on('click', function(){ + jQuery('input[type="submit"][name^="auth="]').on('click', function(){ this.form.method = 'get'; - jQuery(this.form).append(''); + jQuery(this.form).append(''); }); // prefer [Login] button below over maybe existing SAML login button above jQuery('input').on('keypress', function(e) @@ -104,4 +105,4 @@ document.addEventListener('egw-is-created', function(){ console.log('Service worker registration failed, error:', error); }); } -}); +}, 500); \ No newline at end of file diff --git a/api/setup/setup.inc.php b/api/setup/setup.inc.php index b4a5a07b92..a284aca7c2 100644 --- a/api/setup/setup.inc.php +++ b/api/setup/setup.inc.php 
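Review bot: Replacing the `egw-is-created` listener with a bare `window.setTimeout(..., 500)` in the first login.js hunk makes the whole login-page setup timing-dependent: on a slow load nothing below gets wired (no SSO button handling, no keypress preference for the Login button) and there is no error, while fast loads wait 500 ms for nothing. The commit message calls this a hack, but the hunk only leaves the old line commented out instead of recording why the event is unreliable on this page. I would keep both triggers and guard against running twice: wrap the body in a named function, keep the event listener, and use the timeout only as a fallback; in the third hunk `}, 500);` then becomes `}` followed by `document.addEventListener('egw-is-created', initLogin);` and `window.setTimeout(initLogin, 500);`. The callback body continues past this hunk.
```javascript
// listen to egw-is-created object to make sure egw object is ready,
// with a timed fallback in case the event already fired or never fires;
// the guard makes sure the handlers are only registered once
let loginInitDone = false;
function initLogin()
{
	if (loginInitDone) return;
	loginInitDone = true;
	egw_ready.then(function() {
	// … unchanged: jQuery(document).ready(...) handler body …
```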
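Review bot: The widened selector `input[type="submit"][name^="auth="]` in the second login.js hunk switches the whole login form to GET for the SAML button and the new OpenIDConnect button, and since the commit now shows that button next to the regular password login, anything the user already typed into the password field would travel in the query string (browser history, referer, proxy and web-server logs) unless the handler removes it; the string passed to `append()` on the next line is empty in this extraction (presumably stripped markup), so I cannot tell whether it does. A cheap safeguard before the method switch is `jQuery(this.form).find('input[type="password"]').prop('disabled', true);`, since disabled fields are not submitted. The comment above the handler still says "SAML login with a button for a single IdP"; `// or optional SSO login (SAML / OpenIDConnect) via a button per IdP` would match the new selector. As discovery() also sets `formmethod="get"` on the button, the JS method switch presumably only matters for browsers without formmethod support, which is worth stating in that comment.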
@@ -71,7 +71,7 @@ $setup_info['api']['hooks']['vfs_rmdir'] = 'EGroupware\\Api\\Vfs\\Sharing::vfsUp // hook to update SimpleSAMLphp config $setup_info['api']['hooks']['setup_config'] = [\EGroupware\Api\Auth\Saml::class.'::setupConfig', \EGroupware\Api\Accounts\Import::class.'::setupConfig']; -$setup_info['api']['hooks']['login_discovery'] = \EGroupware\Api\Auth\Saml::class.'::discovery'; +$setup_info['api']['hooks']['login_discovery'] = [\EGroupware\Api\Auth\Saml::class.'::discovery', \EGroupware\Api\Auth\Openidconnect::class.'::discovery']; // installation checks $setup_info['api']['check_install'] = array( diff --git a/api/src/Auth.php b/api/src/Auth.php index 00203e22ef..677620297f 100644 --- a/api/src/Auth.php +++ b/api/src/Auth.php @@ -178,7 +178,7 @@ class Auth Session::egw_setcookie(Session::EGW_SESSION_NAME, session_id()); } - $backend = self::backend($type ?? null, false); + $backend = self::backend($type ?? null, !empty($type)); return $backend instanceof Auth\BackendSSO ? $backend->login() : null; } diff --git a/api/src/Auth/Openidconnect.php b/api/src/Auth/Openidconnect.php index 6ba41473d7..55ffb60fa7 100644 --- a/api/src/Auth/Openidconnect.php +++ b/api/src/Auth/Openidconnect.php @@ -28,6 +28,9 @@ class Openidconnect implements BackendSSO $this->client = new OpenIDConnectClient($GLOBALS['egw_info']['server']['oic_provider'], $GLOBALS['egw_info']['server']['oic_client_id'], $GLOBALS['egw_info']['server']['oic_client_secret']); + + // add scopes we are processing ('openid' is added automatic) + $this->client->addScope(['email', 'profile']); } /** 
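Review bot: In the Auth.php hunk the second argument to `self::backend()` changes from a constant `false` to `!empty($type)`, and the call site gives no hint what that boolean controls, so the next reader has to open backend() to learn why an explicit type flips it; a one-line comment such as `// explicit type requested: <effect of backend()'s second parameter>` (filled in from its parameter doc) would fix that, and `$type ?? null` is redundant once `!empty($type)` already tolerates an unset `$type`. Where `$type` is assigned is above the hunk; if it comes from the `auth=` request parameter that login.js now appends for every SSO button, it should be checked against the configured SSO backends before backend() presumably instantiates a class from it, unless that already happens further up. The enclosing method starts outside the hunk.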
@@ -53,9 +56,9 @@ class Openidconnect implements BackendSSO try { $user_info = $this->client->requestUserInfo(); $GLOBALS['auto_create_acct'] = [ - 'firstname' => $user_info['given_name'], - 'lastname' => $user_info['family_name'], - 'email' => $user_info['email'], + 'firstname' => $user_info->given_name, + 'lastname' => $user_info->family_name, + 'email' => $user_info->email, // not (yet) used supported keys //'primary_group' => '', //'add_group' => '', @@ -77,6 +80,22 @@ class Openidconnect implements BackendSSO } } + /** + * Display a IdP selection / discovery + * + * Will be displayed if IdP(s) are added in setup and a discovery label is specified. + * + * @return string|null html to display in login page or null to disable the selection + */ + static public function discovery() + { + if (empty($GLOBALS['egw_info']['server']['openidconnect_discovery'])) + { + return null; + } + return Api\Html::input('auth=openidconnect', $GLOBALS['egw_info']['server']['openidconnect_discovery'], 'submit', 'formmethod="get"'); + } + /** * Logout SSO system */ diff --git a/api/src/Framework/Login.php b/api/src/Framework/Login.php index efb69cbc99..d4c3c08dd0 100644 --- a/api/src/Framework/Login.php +++ b/api/src/Framework/Login.php @@ -86,7 +86,10 @@ class Login $discovery = ''; foreach(Api\Hooks::process('login_discovery', [], true) as $app => $data) { - if (!empty($data)) $discovery .= $data; + foreach((array)$data as $d) + { + if (!empty($d)) $discovery .= $d; + } } if (!empty($discovery)) { @@ -437,4 +440,4 @@ class Login return htmlspecialchars($code); } } -} +} \ No newline at end of file diff --git a/setup/lang/egw_de.lang b/setup/lang/egw_de.lang index 48a9d58ed4..5de027ed9a 100644 --- a/setup/lang/egw_de.lang +++ b/setup/lang/egw_de.lang 
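Review bot: The switch to property access in `$user_info->given_name`, `->family_name` and `->email` yields null (with an undefined-property warning on a plain decoded object) whenever the IdP omits a claim, which is a normal outcome when the user does not consent to the `profile` or `email` scope requested in the constructor, and the account would then be auto-created with empty name fields or no address. I would read the optional claims with null-coalescing, `'firstname' => $user_info->given_name ?? null,` and `'lastname' => $user_info->family_name ?? null,`, and treat a missing email explicitly, e.g. `'email' => $user_info->email ?? throw new \RuntimeException('IdP did not return an email claim'),` if the email is what the account is matched by (that lookup is outside the hunk, so I cannot confirm it). The surrounding `try` block and the method start and end outside the hunk.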
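Review bot: discovery() in the third Openidconnect.php hunk decides only on the `openidconnect_discovery` label, while the constructor two hunks up also needs `oic_provider`, `oic_client_id` and `oic_client_secret`; a label set without a provider renders a login-page button whose click ends in a failed OpenIDConnectClient construction. I would gate on the provider as well, `if (empty($GLOBALS['egw_info']['server']['openidconnect_discovery']) || empty($GLOBALS['egw_info']['server']['oic_provider']))`, and say so in the docblock, whose first line should also read "Display an IdP selection / discovery". For style, `static public function discovery()` would be `public static function discovery(): ?string` (modifier order per PSR-12, and the docblock already promises `string|null`). Whether `Api\Html::input()` HTML-escapes the admin-supplied label is not visible here; the label is set in setup, so the exposure is limited, but worth confirming.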
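Review bot: The nested loop added in the first Login.php hunk spends two statements and a brace-less single-line `if` on one thing, collecting the non-empty strings; `$discovery .= implode('', array_filter((array)$data));` is equivalent (array_filter's default callback drops exactly the values `empty()` rejects) and fits the existing single-line style. The second Login.php hunk only removes the file's trailing newline, which the diff already flags and which PSR-12 wants kept. The enclosing method starts outside the hunk.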
@@ -523,6 +523,7 @@ optional, if only authentication and anonymous search is enabled setup de option or setup de oder or %1continue to the header admin%2 setup de oder %1mit der Headerverwaltung weiter machen%2 or http://webdav.domain.com (webdav) setup de oder http://webdav.domain.com (für WebDAV) +or leave empty and select openidconnect as authentication type above for single sign on setup de oder leer lassen und für SingleSignOn oberhalb OpenIDConnect als Art der Authentifizierung auswählen or leave empty and select saml as authentication type above for single sign on setup de oder leer lassen und für SingleSignOn oberhalb SAML als Art der Authentifizierung auswählen or we can attempt to create the database for you: setup de Oder wir können versuchen die Datenbank für Sie anzulegen: or you can install a previous backup. setup de Oder Sie können eine vorherige Datensicherung installieren. diff --git a/setup/lang/egw_en.lang b/setup/lang/egw_en.lang index 1e8822050c..c4c2bcc600 100644 --- a/setup/lang/egw_en.lang +++ b/setup/lang/egw_en.lang @@ -523,6 +523,7 @@ optional, if only authentication and anonymous search is enabled setup en option or setup en or or %1continue to the header admin%2 setup en or %1Continue to the Header Admin%2 or http://webdav.domain.com (webdav) setup en or http://webdav.domain.com (WebDAV) +or leave empty and select openidconnect as authentication type above for single sign on setup en or leave empty and select OpenIDConnect as authentication type above for single sign on or leave empty and select saml as authentication type above for single sign on setup en or leave empty and select SAML as authentication type above for single sign on or we can attempt to create the database for you: setup en Or attempt to create the database: or you can install a previous backup. setup en Or install a previous backup. diff --git a/setup/templates/default/config.tpl b/setup/templates/default/config.tpl index daf7cc40ea..3b709358ad 100644 
--- a/setup/templates/default/config.tpl +++ b/setup/templates/default/config.tpl @@ -274,7 +274,7 @@ {lang_Add_auto-created_users_to_this_group_('Default'_will_be_attempted_if_this_is_empty.)}: - + @@ -476,6 +476,10 @@ {lang_EGroupware's_callback_URL_is_the_one_of_the_login_page}: {lang_Callback_URL} + + {lang_Label_to_display_as_option_on_login_page}:
{lang_or_leave_empty_and_select_OpenIDConnect_as_authentication_type_above_for_single_sign_on} + + {lang_URL_of_the_IdP_(without_path)}: