
Commit 21eef41

author
Markus Heberling
committed
extract idToken generation into own function
Signed-off-by: Markus Heberling <[email protected]>
1 parent fd3983b commit 21eef41

2 files changed

+55
-16
lines changed


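--- a/apps/oauth2/lib/Controller/OauthApiController.php
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -35,6 +35,7 @@
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IRequest;
+use OCP\IURLGenerator;
 use OCP\IUserManager;
 use OCP\Security\ICrypto;
 use OCP\Security\ISecureRandom;
@@ -54,8 +55,10 @@ class OauthApiController extends Controller {
 private $time;
 /** @var Throttler */
 private $throttler;
-/** @var IUserManager */
+/** @var IUserManager */
 private $userManager;
+/** @var IURLGenerator */
+private $urlGenerator;
 
 public function __construct(string $appName,
 IRequest $request,
@@ -66,7 +69,8 @@ public function __construct(string $appName,
 ISecureRandom $secureRandom,
 ITimeFactory $time,
 Throttler $throttler,
-IUserManager $userManager) {
+IUserManager $userManager,
+IURLGenerator $urlGenerator) {
 parent::__construct($appName, $request);
 $this->crypto = $crypto;
 $this->accessTokenMapper = $accessTokenMapper;
@@ -76,6 +80,7 @@ public function __construct(string $appName,
 $this->time = $time;
 $this->throttler = $throttler;
 $this->userManager = $userManager;
+$this->urlGenerator = $urlGenerator;
 }
 
 /**
@@ -166,7 +171,28 @@ public function getToken($grant_type, $code, $refresh_token, $client_id, $client
 $this->accessTokenMapper->update($accessToken);
 
 $this->throttler->resetDelay($this->request->getRemoteAddress(), 'login', ['user' => $appToken->getUID()]);
+$jwt = $this->getIdToken($client_id, $appToken, $client);
 
+return new JSONResponse(
+[
+'access_token' => $newToken,
+'token_type' => 'Bearer',
+'expires_in' => 3600,
+'refresh_token' => $newCode,
+'user_id' => $appToken->getUID(),
+'id_token' => $jwt,
+]
+);
+}
+
+/**
+* @param $client_id
+* @param \OC\Authentication\Token\IToken $appToken
+* @param \OCA\OAuth2\Db\Client $client
+* @return string
+*/
+private function getIdToken($client_id, \OC\Authentication\Token\IToken $appToken, \OCA\OAuth2\Db\Client $client)
+{
 // The id token needs to be correctly build as JWT. Taken from https://dev.to/robdwaller/how-to-create-a-json-web-token-using-php-3gml
 
 // Create token header as a JSON string
@@ -177,16 +203,25 @@ public function getToken($grant_type, $code, $refresh_token, $client_id, $client
 
 // Create token payload as a JSON string
 $payload = json_encode([
-// required for OIDC
-'iss' => \OC::$server->getURLGenerator()->getBaseUrl(),
+// required for OIDC, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken
+// Issuer Identifier for the Issuer of the response.
+'iss' => $this->urlGenerator->getBaseUrl(),
+// Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client
 'sub' => $appToken->getUID(),
+// Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.
 'aud' => $client_id,
+// Expiration time on or after which the ID Token MUST NOT be accepted for processing.
 'exp' => $appToken->getExpires(),
+// Time at which the JWT was issued.
 'iat' => $this->time->getTime(),
+// Time when the End-User authentication occurred.
 'auth_time' => $this->time->getTime(),
 
 // optional, can be requested by claims, we don't support requesting claims as of now, so we just send them always
+// see https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+// End-User's preferred e-mail address.
 'email' => $user->getEMailAddress(),
+// End-User's full name in displayable form including all name parts, possibly including titles and suffixes
 'name' => $user->getDisplayName(),
 
 ]);
@@ -205,16 +240,6 @@ public function getToken($grant_type, $code, $refresh_token, $client_id, $client
 
 // Create JWT
 $jwt = $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature;
-
-return new JSONResponse(
-[
-'access_token' => $newToken,
-'token_type' => 'Bearer',
-'expires_in' => 3600,
-'refresh_token' => $newCode,
-'user_id' => $appToken->getUID(),
-'id_token' => $jwt,
-]
-);
+return $jwt;
 }
 }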
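Review bot: The extracted getIdToken() still reads `$user` when building the payload (`'email' => $user->getEMailAddress()`, `'name' => $user->getDisplayName()`), but `$user` is neither a parameter of the new method nor assigned anywhere visible inside it; unless it is set in the lines between the hunks, the id token is now built from an undefined variable and the method call on null fails at runtime. Pass the user in explicitly, e.g. `private function getIdToken($client_id, \OC\Authentication\Token\IToken $appToken, \OCA\OAuth2\Db\Client $client, \OCP\IUser $user): string` and `$jwt = $this->getIdToken($client_id, $appToken, $client, $user);` in getToken(). While here, the docblock's `@param $client_id` carries no type, and the `@return string` could become the native return type shown above. getIdToken's body continues outside the hunks (the header and signature sections are not shown), so whether `$client` is actually used there cannot be confirmed from this view.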

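--- a/apps/oauth2/tests/Controller/OauthApiControllerTest.php
+++ b/apps/oauth2/tests/Controller/OauthApiControllerTest.php
@@ -37,6 +37,7 @@
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IRequest;
+use OCP\IURLGenerator;
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\Security\ICrypto;
@@ -62,6 +63,8 @@ class OauthApiControllerTest extends TestCase {
 private $throttler;
 /** @var IUserManager|\PHPUnit_Framework_MockObject_MockObject */
 private $userManager;
+/** @var IURLGenerator|\PHPUnit_Framework_MockObject_MockObject */
+private $urlGenerator;
 /** @var OauthApiController */
 private $oauthApiController;
 
@@ -77,6 +80,7 @@ public function setUp() {
 $this->time = $this->createMock(ITimeFactory::class);
 $this->throttler = $this->createMock(Throttler::class);
 $this->userManager = $this->createMock(IUserManager::class);
+$this->urlGenerator = $this->createMock(IURLGenerator::class);
 
 $this->oauthApiController = new OauthApiController(
 'oauth2',
@@ -88,7 +92,8 @@ public function setUp() {
 $this->secureRandom,
 $this->time,
 $this->throttler,
-$this->userManager
+$this->userManager,
+$this->urlGenerator
 );
 }
 
@@ -287,6 +292,9 @@ public function testGetTokenValidAppToken() {
 })
 );
 
+$this->urlGenerator->method('getBaseUrl')
+->willReturn('http://localhost');
+
 $expected = new JSONResponse([
 'access_token' => 'random72',
 'token_type' => 'Bearer',
@@ -396,6 +404,9 @@ public function testGetTokenValidAppTokenBasicAuth() {
 })
 );
 
+$this->urlGenerator->method('getBaseUrl')
+->willReturn('http://localhost');
+
 $expected = new JSONResponse([
 'access_token' => 'random72',
 'token_type' => 'Bearer',
@@ -508,6 +519,9 @@ public function testGetTokenExpiredAppToken() {
 })
 );
 
+$this->urlGenerator->method('getBaseUrl')
+->willReturn('http://localhost');
+
 $expected = new JSONResponse([
 'access_token' => 'random72',
 'token_type' => 'Bearer',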
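Review bot: The `getBaseUrl` stub is added verbatim in three tests (testGetTokenValidAppToken, testGetTokenValidAppTokenBasicAuth, testGetTokenExpiredAppToken); since every path that issues an id token needs it, it belongs once in setUp(), right after `$this->urlGenerator = $this->createMock(IURLGenerator::class);`, as `$this->urlGenerator->method('getBaseUrl')->willReturn('http://localhost');`. None of the three tests visibly asserts on the `id_token` value, so the `iss` claim now sourced from the injected generator goes unchecked by this change; that is only acceptable if `$expected` compares the token further down, which is not shown here.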
