Implement basic OIDC core server handling

Allow Nextcloud to be used as a OpenID Connect server. CLients can authenticate against it.

Signed-off-by: Markus Heberling <markus.heberling@hengsbeck.de>

Author: Markus Heberling

apps/oauth2/lib/Controller/OauthApiController.php

@@ -34,6 +34,7 @@
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IRequest;
+use OCP\IUserManager;
 use OCP\Security\ICrypto;
 use OCP\Security\ISecureRandom;
 
@@ -52,6 +53,8 @@ class OauthApiController extends Controller {
 	private $time;
 	/** @var Throttler */
 	private $throttler;
+	/** @var IUserManager */
+	private $userManager;
 
 	/**
 	 * @param string $appName
@@ -63,6 +66,7 @@ class OauthApiController extends Controller {
 	 * @param ISecureRandom $secureRandom
 	 * @param ITimeFactory $time
 	 * @param Throttler $throttler
+	 * @param IUserManager $userManager
 	 */
 	public function __construct($appName,
 								IRequest $request,
@@ -72,7 +76,8 @@ public function __construct($appName,
 								TokenProvider $tokenProvider,
 								ISecureRandom $secureRandom,
 								ITimeFactory $time,
-								Throttler $throttler) {
+								Throttler $throttler,
+								IUserManager $userManager) {
 		parent::__construct($appName, $request);
 		$this->crypto = $crypto;
 		$this->accessTokenMapper = $accessTokenMapper;
@@ -81,6 +86,7 @@ public function __construct($appName,
 		$this->secureRandom = $secureRandom;
 		$this->time = $time;
 		$this->throttler = $throttler;
+		$this->userManager = $userManager;
 	}
 
 	/**
@@ -172,13 +178,53 @@ public function getToken($grant_type, $code, $refresh_token, $client_id, $client
 
 		$this->throttler->resetDelay($this->request->getRemoteAddress(), 'login', ['user' => $appToken->getUID()]);
 
+		// The id token needs to be correctly build as JWT. Taken from https://dev.to/robdwaller/how-to-create-a-json-web-token-using-php-3gml
+
+		// Create token header as a JSON string
+		$header = json_encode(['typ' => 'JWT', 'alg' => 'HS256']);
+
+		// We need the user to fill in name and email in the id_token
+		$user = $this->userManager->get($appToken->getUID());
+
+		// Create token payload as a JSON string
+		$payload = json_encode([
+			// required for OIDC
+			'iss' => \OC::$server->getURLGenerator()->getBaseUrl(),
+			'sub' => $appToken->getUID(),
+			'aud' => $client_id,
+			'exp' => $appToken->getExpires(),
+			'iat' => $this->time->getTime(),
+			'auth_time' => $this->time->getTime(),
+
+			// optional, can be requested by claims, we don't support requesting claims as of now, so we just send them always
+			'email' => $user->getEMailAddress(),
+			'name' => $user->getDisplayName(),
+
+		]);
+
+		// Encode Header to Base64Url String
+		$base64UrlHeader = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($header));
+
+		// Encode Payload to Base64Url String
+		$base64UrlPayload = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($payload));
+
+		// Create Signature Hash
+		$signature = hash_hmac('sha256', $base64UrlHeader . "." . $base64UrlPayload, $client->getSecret(), true);
+
+		// Encode Signature to Base64Url String
+		$base64UrlSignature = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($signature));
+
+		// Create JWT
+		$jwt = $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature;
+
 		return new JSONResponse(
 			[
 				'access_token' => $newToken,
 				'token_type' => 'Bearer',
 				'expires_in' => 3600,
 				'refresh_token' => $newCode,
 				'user_id' => $appToken->getUID(),
+				'id_token' => $jwt,
 			]
 		);
 	}

apps/oauth2/tests/Controller/OauthApiControllerTest.php

@@ -37,6 +37,8 @@
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IRequest;
+use OCP\IUser;
+use OCP\IUserManager;
 use OCP\Security\ICrypto;
 use OCP\Security\ISecureRandom;
 use Test\TestCase;
@@ -58,6 +60,8 @@ class OauthApiControllerTest extends TestCase {
 	private $time;
 	/** @var Throttler|\PHPUnit_Framework_MockObject_MockObject */
 	private $throttler;
+	/** @var IUserManager|\PHPUnit_Framework_MockObject_MockObject */
+	private $userManager;
 	/** @var OauthApiController */
 	private $oauthApiController;
 
@@ -72,6 +76,7 @@ public function setUp() {
 		$this->secureRandom = $this->createMock(ISecureRandom::class);
 		$this->time = $this->createMock(ITimeFactory::class);
 		$this->throttler = $this->createMock(Throttler::class);
+		$this->userManager = $this->createMock(IUserManager::class);
 
 		$this->oauthApiController = new OauthApiController(
 			'oauth2',
@@ -82,7 +87,8 @@ public function setUp() {
 			$this->tokenProvider,
 			$this->secureRandom,
 			$this->time,
-			$this->throttler
+			$this->throttler,
+			$this->userManager
 		);
 	}
 
@@ -287,6 +293,16 @@ public function testGetTokenValidAppToken() {
 			'expires_in' => 3600,
 			'refresh_token' => 'random128',
 			'user_id' => 'userId',
+			'id_token' => $this->encodeJWT(json_encode([
+				'iss' => 'http://localhost',
+				'sub' => 'userId',
+				'aud' => 'clientId',
+				'exp' => 4600,
+				'iat' => 1000,
+				'auth_time' => 1000,
+				'email' => null,
+				'name' => null
+			]), 'clientSecret')
 		]);
 
 		$this->request->method('getRemoteAddress')
@@ -300,6 +316,13 @@ public function testGetTokenValidAppToken() {
 				['user' => 'userId']
 			);
 
+		$user = $this->createMock(IUser::class);;
+
+		$this->userManager->expects($this->once())
+			->method('get')
+			->with('userId')
+			->willReturn($user);
+
 		$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
 	}
 
@@ -379,6 +402,16 @@ public function testGetTokenValidAppTokenBasicAuth() {
 			'expires_in' => 3600,
 			'refresh_token' => 'random128',
 			'user_id' => 'userId',
+			'id_token' => $this->encodeJWT(json_encode([
+				'iss' => 'http://localhost',
+				'sub' => 'userId',
+				'aud' => 'clientId',
+				'exp' => 4600,
+				'iat' => 1000,
+				'auth_time' => 1000,
+				'email' => null,
+				'name' => null
+			]), 'clientSecret'),
 		]);
 
 		$this->request->server['PHP_AUTH_USER'] = 'clientId';
@@ -395,6 +428,13 @@ public function testGetTokenValidAppTokenBasicAuth() {
 				['user' => 'userId']
 			);
 
+		$user = $this->createMock(IUser::class);;
+
+		$this->userManager->expects($this->once())
+			->method('get')
+			->with('userId')
+			->willReturn($user);
+
 		$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', null, null));
 	}
 
@@ -474,6 +514,16 @@ public function testGetTokenExpiredAppToken() {
 			'expires_in' => 3600,
 			'refresh_token' => 'random128',
 			'user_id' => 'userId',
+			'id_token' => $this->encodeJWT(json_encode([
+				'iss' => 'http://localhost',
+				'sub' => 'userId',
+				'aud' => 'clientId',
+				'exp' => 4600,
+				'iat' => 1000,
+				'auth_time' => 1000,
+				'email' => null,
+				'name' => null
+			]), 'clientSecret'),
 		]);
 
 		$this->request->method('getRemoteAddress')
@@ -487,6 +537,33 @@ public function testGetTokenExpiredAppToken() {
 				['user' => 'userId']
 			);
 
+		$user = $this->createMock(IUser::class);;
+
+		$this->userManager->expects($this->once())
+			->method('get')
+			->with('userId')
+			->willReturn($user);
+
 		$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
 	}
+
+	private function encodeJWT($payload, $secret) {
+		// Create token header as a JSON string
+		$header = json_encode(['typ' => 'JWT', 'alg' => 'HS256']);
+
+		// Encode Header to Base64Url String
+		$base64UrlHeader = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($header));
+
+		// Encode Payload to Base64Url String
+		$base64UrlPayload = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($payload));
+
+		// Create Signature Hash
+		$signature = hash_hmac('sha256', $base64UrlHeader . "." . $base64UrlPayload, $secret, true);
+
+		// Encode Signature to Base64Url String
+		$base64UrlSignature = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($signature));
+
+		// Create JWT
+	   return $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature;
+	}
 }