Skip to content

Implement basic OIDC core server handling #12567

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
tisoft wants to merge 3 commits into from
Closed

Implement basic OIDC core server handling #12567

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f9d3840
Implement basic OIDC core server handling
Nov 21, 2018
fd3983b
Merge remote-tracking branch 'upstream/master' into oidc
Feb 15, 2019
21eef41
extract idToken generation into own function
Feb 15, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 71 additions & 1 deletion apps/oauth2/lib/Controller/OauthApiController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IRequest;
use OCP\IURLGenerator;
use OCP\IUserManager;
use OCP\Security\ICrypto;
use OCP\Security\ISecureRandom;

Expand All @@ -53,6 +55,10 @@ class OauthApiController extends Controller {
private $time;
/** @var Throttler */
private $throttler;
/** @var IUserManager */
private $userManager;
/** @var IURLGenerator */
private $urlGenerator;

public function __construct(string $appName,
IRequest $request,
Expand All @@ -62,7 +68,9 @@ public function __construct(string $appName,
TokenProvider $tokenProvider,
ISecureRandom $secureRandom,
ITimeFactory $time,
Throttler $throttler) {
Throttler $throttler,
IUserManager $userManager,
IURLGenerator $urlGenerator) {
parent::__construct($appName, $request);
$this->crypto = $crypto;
$this->accessTokenMapper = $accessTokenMapper;
Expand All @@ -71,6 +79,8 @@ public function __construct(string $appName,
$this->secureRandom = $secureRandom;
$this->time = $time;
$this->throttler = $throttler;
$this->userManager = $userManager;
$this->urlGenerator = $urlGenerator;
}

/**
Expand Down Expand Up @@ -161,6 +171,7 @@ public function getToken($grant_type, $code, $refresh_token, $client_id, $client
$this->accessTokenMapper->update($accessToken);

$this->throttler->resetDelay($this->request->getRemoteAddress(), 'login', ['user' => $appToken->getUID()]);
$jwt = $this->getIdToken($client_id, $appToken, $client);

return new JSONResponse(
[
Expand All @@ -169,7 +180,66 @@ public function getToken($grant_type, $code, $refresh_token, $client_id, $client
'expires_in' => 3600,
'refresh_token' => $newCode,
'user_id' => $appToken->getUID(),
'id_token' => $jwt,
]
);
}

/**
* @param $client_id
* @param \OC\Authentication\Token\IToken $appToken
* @param \OCA\OAuth2\Db\Client $client
* @return string
*/
private function getIdToken($client_id, \OC\Authentication\Token\IToken $appToken, \OCA\OAuth2\Db\Client $client)
{
// The id token needs to be correctly build as JWT. Taken from https://dev.to/robdwaller/how-to-create-a-json-web-token-using-php-3gml

// Create token header as a JSON string
$header = json_encode(['typ' => 'JWT', 'alg' => 'HS256']);

// We need the user to fill in name and email in the id_token
$user = $this->userManager->get($appToken->getUID());

// Create token payload as a JSON string
$payload = json_encode([
// required for OIDC, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken
// Issuer Identifier for the Issuer of the response.
'iss' => $this->urlGenerator->getBaseUrl(),
// Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client
'sub' => $appToken->getUID(),
// Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.
'aud' => $client_id,
// Expiration time on or after which the ID Token MUST NOT be accepted for processing.
'exp' => $appToken->getExpires(),
// Time at which the JWT was issued.
'iat' => $this->time->getTime(),
// Time when the End-User authentication occurred.
'auth_time' => $this->time->getTime(),

// optional, can be requested by claims, we don't support requesting claims as of now, so we just send them always
// see https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
// End-User's preferred e-mail address.
'email' => $user->getEMailAddress(),
Copy link
Member

@rullzer rullzer Feb 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it a problem if those are empty?

Copy link
Author

@tisoft tisoft Feb 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I understand it, they can be left empty.

// End-User's full name in displayable form including all name parts, possibly including titles and suffixes
'name' => $user->getDisplayName(),

]);

// Encode Header to Base64Url String
$base64UrlHeader = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($header));

// Encode Payload to Base64Url String
$base64UrlPayload = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($payload));

// Create Signature Hash
$signature = hash_hmac('sha256', $base64UrlHeader . "." . $base64UrlPayload, $client->getSecret(), true);
Copy link
Member

@rullzer rullzer Feb 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the signature is required it seems. But how can it every be validated?

Copy link
Author

@tisoft tisoft Feb 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The OpenID Connect client will do the same hash calculation on his side. Since the client knows the oauth client secret he can do that. That way the signature can be verified.


// Encode Signature to Base64Url String
$base64UrlSignature = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($signature));

// Create JWT
$jwt = $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature;
return $jwt;
}
}
93 changes: 92 additions & 1 deletion apps/oauth2/tests/Controller/OauthApiControllerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,9 @@
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IRequest;
use OCP\IURLGenerator;
use OCP\IUser;
use OCP\IUserManager;
use OCP\Security\ICrypto;
use OCP\Security\ISecureRandom;
use Test\TestCase;
Expand All @@ -58,6 +61,10 @@ class OauthApiControllerTest extends TestCase {
private $time;
/** @var Throttler|\PHPUnit_Framework_MockObject_MockObject */
private $throttler;
/** @var IUserManager|\PHPUnit_Framework_MockObject_MockObject */
private $userManager;
/** @var IURLGenerator|\PHPUnit_Framework_MockObject_MockObject */
private $urlGenerator;
/** @var OauthApiController */
private $oauthApiController;

Expand All @@ -72,6 +79,8 @@ public function setUp() {
$this->secureRandom = $this->createMock(ISecureRandom::class);
$this->time = $this->createMock(ITimeFactory::class);
$this->throttler = $this->createMock(Throttler::class);
$this->userManager = $this->createMock(IUserManager::class);
$this->urlGenerator = $this->createMock(IURLGenerator::class);

$this->oauthApiController = new OauthApiController(
'oauth2',
Expand All @@ -82,7 +91,9 @@ public function setUp() {
$this->tokenProvider,
$this->secureRandom,
$this->time,
$this->throttler
$this->throttler,
$this->userManager,
$this->urlGenerator
);
}

Expand Down Expand Up @@ -281,12 +292,25 @@ public function testGetTokenValidAppToken() {
})
);

$this->urlGenerator->method('getBaseUrl')
->willReturn('http://localhost');

$expected = new JSONResponse([
'access_token' => 'random72',
'token_type' => 'Bearer',
'expires_in' => 3600,
'refresh_token' => 'random128',
'user_id' => 'userId',
'id_token' => $this->encodeJWT(json_encode([
'iss' => 'http://localhost',
'sub' => 'userId',
'aud' => 'clientId',
'exp' => 4600,
'iat' => 1000,
'auth_time' => 1000,
'email' => null,
'name' => null
]), 'clientSecret')
]);

$this->request->method('getRemoteAddress')
Expand All @@ -300,6 +324,13 @@ public function testGetTokenValidAppToken() {
['user' => 'userId']
);

$user = $this->createMock(IUser::class);;

$this->userManager->expects($this->once())
->method('get')
->with('userId')
->willReturn($user);

$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
}

Expand Down Expand Up @@ -373,12 +404,25 @@ public function testGetTokenValidAppTokenBasicAuth() {
})
);

$this->urlGenerator->method('getBaseUrl')
->willReturn('http://localhost');

$expected = new JSONResponse([
'access_token' => 'random72',
'token_type' => 'Bearer',
'expires_in' => 3600,
'refresh_token' => 'random128',
'user_id' => 'userId',
'id_token' => $this->encodeJWT(json_encode([
'iss' => 'http://localhost',
'sub' => 'userId',
'aud' => 'clientId',
'exp' => 4600,
'iat' => 1000,
'auth_time' => 1000,
'email' => null,
'name' => null
]), 'clientSecret'),
]);

$this->request->server['PHP_AUTH_USER'] = 'clientId';
Expand All @@ -395,6 +439,13 @@ public function testGetTokenValidAppTokenBasicAuth() {
['user' => 'userId']
);

$user = $this->createMock(IUser::class);;

$this->userManager->expects($this->once())
->method('get')
->with('userId')
->willReturn($user);

$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', null, null));
}

Expand Down Expand Up @@ -468,12 +519,25 @@ public function testGetTokenExpiredAppToken() {
})
);

$this->urlGenerator->method('getBaseUrl')
->willReturn('http://localhost');

$expected = new JSONResponse([
'access_token' => 'random72',
'token_type' => 'Bearer',
'expires_in' => 3600,
'refresh_token' => 'random128',
'user_id' => 'userId',
'id_token' => $this->encodeJWT(json_encode([
'iss' => 'http://localhost',
'sub' => 'userId',
'aud' => 'clientId',
'exp' => 4600,
'iat' => 1000,
'auth_time' => 1000,
'email' => null,
'name' => null
]), 'clientSecret'),
]);

$this->request->method('getRemoteAddress')
Expand All @@ -487,6 +551,33 @@ public function testGetTokenExpiredAppToken() {
['user' => 'userId']
);

$user = $this->createMock(IUser::class);;

$this->userManager->expects($this->once())
->method('get')
->with('userId')
->willReturn($user);

$this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
}

private function encodeJWT($payload, $secret) {
// Create token header as a JSON string
$header = json_encode(['typ' => 'JWT', 'alg' => 'HS256']);

// Encode Header to Base64Url String
$base64UrlHeader = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($header));

// Encode Payload to Base64Url String
$base64UrlPayload = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($payload));

// Create Signature Hash
$signature = hash_hmac('sha256', $base64UrlHeader . "." . $base64UrlPayload, $secret, true);

// Encode Signature to Base64Url String
$base64UrlSignature = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($signature));

// Create JWT
return $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature;
}
}