Fix SAM3 claims request on login

Signed-off-by: Bernd.Rederlechner@t-systems.com <bernd.rederlechner@t-systems.com>
nextmcloud · Sep 23, 2021 · bc4e123 · bc4e123
1 parent 5123de9
commit bc4e123
Showing 1 changed file with 40 additions and 31 deletions.
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
@@ -160,35 +160,43 @@ public function login(int $providerId, string $redirectUrl = null) {
 			'response_type' => 'code',
 			'scope' => $provider->getScope(),
 			'redirect_uri' => $this->urlGenerator->linkToRouteAbsolute(Application::APP_ID . '.login.code'),
+			// 'claims' => json_encode([
+			// 	// more details about requesting claims:
+			// 	// https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
+			// 	'id_token' => [
+			// 		// ['essential' => true] means it's mandatory but it won't trigger an error if it's not there
+			// 		$uidAttribute => ['essential' => true],
+			// 		// null means we want it
+			// 		$emailAttribute => null,
+			// 		$displaynameAttribute => null,
+			// 		$quotaAttribute => null,
+			// 	],
+			// 	'userinfo' => [
+			// 		$uidAttribute => ['essential' => true],
+			// 		$emailAttribute => null,
+			// 		$displaynameAttribute => null,
+			// 		$quotaAttribute => null,
+			// 	],
+			// ]),
 			'claims' => json_encode([
-				// more details about requesting claims:
-				// https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
 				'id_token' => [
-					// ['essential' => true] means it's mandatory but it won't trigger an error if it's not there
-					$uidAttribute => ['essential' => true],
-					// null means we want it
-					$emailAttribute => null,
-					$displaynameAttribute => null,
-					$quotaAttribute => null,
+					'urn:telekom.com:all' => null
 				],
 				'userinfo' => [
-					$uidAttribute => ['essential' => true],
-					$emailAttribute => null,
-					$displaynameAttribute => null,
-					$quotaAttribute => null,
+					'urn:telekom.com:all' => null
 				],
 			]),
 			'state' => $state,
 			'nonce' => $nonce,
 		];
 		// pass discovery query parameters also on to the authentication
-		$discoveryUrl = parse_url($provider->getDiscoveryEndpoint());
-		if (isset($discoveryUrl["query"])) {
-			$this->logger->debug('Add custom discovery query: ' . $discoveryUrl["query"]);
-			$discoveryQuery = [];
-			parse_str($discoveryUrl["query"], $discoveryQuery);
-			$data += $discoveryQuery;
-		}
+		// $discoveryUrl = parse_url($provider->getDiscoveryEndpoint());
+		// if (isset($discoveryUrl["query"])) {
+		// 	$this->logger->debug('Add custom discovery query: ' . $discoveryUrl["query"]);
+		// 	$discoveryQuery = [];
+		// 	parse_str($discoveryUrl["query"], $discoveryQuery);
+		// 	$data += $discoveryQuery;
+		// }
 
 		try {
 			$discovery = $this->discoveryService->obtainDiscovery($provider);
@@ -292,20 +300,21 @@ public function code($state = '', $code = '', $scope = '') {
 		$email = $payload->{$emailAttribute} ?? null;
 		$quota = $payload->{$quotaAttribute} ?? null;
 
+		// NextMagentaCloud: at the moment not a good idea for SAM3
 		// if something is missing from the token, get user info from /userinfo endpoint
 		// FIXME: only when attribute mapping is set or optional
-		if (is_null($userId) || is_null($userName) || is_null($email) || is_null($quota)) {
-			$options = [
-				'headers' => [
-					'Authorization' => 'Bearer ' . $data['access_token'],
-				],
-			];
-			$userInfoResult = json_decode($client->get($discovery['userinfo_endpoint'], $options)->getBody(), true);
-			$userId = $userId ?? $userInfoResult[$uidAttribute] ?? null;
-			$userName = $userName ?? $userInfoResult[$displaynameAttribute] ?? null;
-			$email = $email ?? $userInfoResult[$emailAttribute] ?? null;
-			$quota = $quota ?? $userInfoResult[$quotaAttribute] ?? null;
-		}
+		// if (is_null($userId) || is_null($userName) || is_null($email) || is_null($quota)) {
+		// 	$options = [
+		// 		'headers' => [
+		// 			'Authorization' => 'Bearer ' . $data['access_token'],
+		// 		],
+		// 	];
+		// 	$userInfoResult = json_decode($client->get($discovery['userinfo_endpoint'], $options)->getBody(), true);
+		// 	$userId = $userId ?? $userInfoResult[$uidAttribute] ?? null;
+		// 	$userName = $userName ?? $userInfoResult[$displaynameAttribute] ?? null;
+		// 	$email = $email ?? $userInfoResult[$emailAttribute] ?? null;
+		// 	$quota = $quota ?? $userInfoResult[$quotaAttribute] ?? null;
+		// }
 
 		$event = new AttributeMappedEvent(ProviderService::SETTING_MAPPING_UID, $payload, $userId);
 		$this->eventDispatcher->dispatchTyped($event);