Oauth: Implement support for prompt_values_supported in .well-known/o…

…penid-configuration
owncloud · Jul 4, 2024 · 6a45f9f · 6a45f9f
1 parent d7fec7b
commit 6a45f9f
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 3 deletions.
diff --git a/changelog/unreleased/11729 b/changelog/unreleased/11729
@@ -0,0 +1,5 @@
+Enhancement: Support for prompt_values_supported in openid-configuration
+
+We implemnted support for idp's to specify the supported prompt values.
+
+https://github.com/owncloud/client/pull/11729
diff --git a/src/libsync/creds/oauth.cpp b/src/libsync/creds/oauth.cpp
@@ -44,7 +44,20 @@ Q_LOGGING_CATEGORY(lcOauth, "sync.credentials.oauth", QtInfoMsg)
 
 namespace {
 
-static const QString wellKnownPathC = QStringLiteral("/.well-known/openid-configuration");
+const QString wellKnownPathC = QStringLiteral("/.well-known/openid-configuration");
+
+const auto defaultOauthPromtValue()
+{
+    static const auto promptValue = [] {
+        OAuth::PromptValuesSupportedFlags out = OAuth::PromptValuesSupported::none;
+        // convert the legacy openIdConnectPrompt() to QFlags
+        for (const auto &x : Theme::instance()->openIdConnectPrompt().split(QLatin1Char(' '))) {
+            out |= Utility::stringToEnum<OAuth::PromptValuesSupported>(x);
+        }
+        return out;
+    }();
+    return promptValue;
+}
 
 QString renderHttpTemplate(const QString &title, const QString &content)
 {
@@ -239,6 +252,7 @@ OAuth::OAuth(const QUrl &serverUrl, const QString &davUser, QNetworkAccessManage
     , _clientId(Theme::instance()->oauthClientId())
     , _clientSecret(Theme::instance()->oauthClientSecret())
     , _redirectUrl(Theme::instance()->oauthLocalhost())
+    , _supportedPromtValues(defaultOauthPromtValue())
 {
 }
 
@@ -450,7 +464,7 @@ QUrl OAuth::authorisationLink() const
         {QStringLiteral("redirect_uri"), QStringLiteral("%1:%2").arg(_redirectUrl, QString::number(_server.serverPort()))},
         {QStringLiteral("code_challenge"), QString::fromLatin1(code_challenge)}, {QStringLiteral("code_challenge_method"), QStringLiteral("S256")},
         {QStringLiteral("scope"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectScopes()))},
-        {QStringLiteral("prompt"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectPrompt()))},
+        {QStringLiteral("prompt"), QString::fromUtf8(QUrl::toPercentEncoding(toString(_supportedPromtValues)))},
         {QStringLiteral("state"), QString::fromUtf8(_state)}};
 
     if (!_davUser.isEmpty()) {
@@ -548,6 +562,16 @@ void OAuth::fetchWellKnown()
                 } else {
                     OC_ASSERT_X(false, qPrintable(QStringLiteral("Unsupported token_endpoint_auth_methods_supported: %1").arg(QDebug::toString(authMethods))));
                 }
+                const auto promtValuesSupported = data.value(QStringLiteral("prompt_values_supported")).toArray();
+                if (!promtValuesSupported.isEmpty()) {
+                    _supportedPromtValues = PromptValuesSupported::none;
+                    for (const auto &x : promtValuesSupported) {
+                        const auto flag = Utility::stringToEnum<PromptValuesSupported>(x.toString());
+                        // only use flags present in Theme::instance()->openIdConnectPrompt()
+                        if (flag & defaultOauthPromtValue())
+                            _supportedPromtValues |= flag;
+                    }
+                }
 
                 qCDebug(lcOauth) << "parsing .well-known reply successful, auth endpoint" << _authEndpoint
                                  << "and token endpoint" << _tokenEndpoint
@@ -725,4 +749,15 @@ void AccountBasedOAuth::refreshAuthentication(const QString &refreshToken)
     });
 }
 
+QString OCC::toString(OAuth::PromptValuesSupportedFlags s)
+{
+    QStringList out;
+    for (auto k : {OAuth::PromptValuesSupported::consent, OAuth::PromptValuesSupported::select_account})
+        if (s & k) {
+            out += Utility::enumToString(k);
+        }
+    return out.join(QLatin1Char(' '));
+}
+
+
 #include "oauth.moc"
diff --git a/src/libsync/creds/oauth.h b/src/libsync/creds/oauth.h
@@ -55,9 +55,13 @@ class OWNCLOUDSYNC_EXPORT OAuth : public QObject
 public:
     enum Result { NotSupported, LoggedIn, Error, ErrorInsecureUrl };
     Q_ENUM(Result)
-    enum class TokenEndpointAuthMethods { client_secret_basic, client_secret_post };
+    enum class TokenEndpointAuthMethods : char { client_secret_basic, client_secret_post };
     Q_ENUM(TokenEndpointAuthMethods)
 
+    enum class PromptValuesSupported : char { none = 0, consent = 1 << 0, select_account = 1 << 1 };
+    Q_ENUM(PromptValuesSupported)
+    Q_DECLARE_FLAGS(PromptValuesSupportedFlags, PromptValuesSupported)
+
     OAuth(const QUrl &serverUrl, const QString &davUser, QNetworkAccessManager *networkAccessManager, const QVariantMap &dynamicRegistrationData, QObject *parent);
     ~OAuth() override;
 
@@ -117,6 +121,7 @@ class OWNCLOUDSYNC_EXPORT OAuth : public QObject
     QByteArray _state;
 
     TokenEndpointAuthMethods _endpointAuthMethod = TokenEndpointAuthMethods::client_secret_basic;
+    PromptValuesSupportedFlags _supportedPromtValues = {PromptValuesSupported::consent, PromptValuesSupported::select_account};
 };
 
 /**
@@ -146,4 +151,6 @@ class OWNCLOUDSYNC_EXPORT AccountBasedOAuth : public OAuth
     AccountPtr _account;
 };
 
+QString OWNCLOUDSYNC_EXPORT toString(OAuth::PromptValuesSupportedFlags s);
+Q_DECLARE_OPERATORS_FOR_FLAGS(OAuth::PromptValuesSupportedFlags)
 } // namespce OCC