From 92a5f3afe66fc84a7fe5326cddfb04698849947d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Tue, 29 Aug 2023 14:32:57 +0200
Subject: [PATCH 1/2] support AD FS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jörn Friedrich Dreyer
---
 changelog/unreleased/access-token-issuer.md | 5 +++++
 ocis-pkg/oidc/client.go | 10 +++++++++-
 ocis-pkg/oidc/metadata.go | 5 ++++-
 3 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 changelog/unreleased/access-token-issuer.md

diff --git a/changelog/unreleased/access-token-issuer.md b/changelog/unreleased/access-token-issuer.md
new file mode 100644
index 00000000000..3519938adef
--- /dev/null
+++ b/changelog/unreleased/access-token-issuer.md
@@ -0,0 +1,5 @@
+Enhancement: Support spec violating AD FS access token issuer
+
+AD FS `/adfs/.well-known/openid-configuration` has an optional `access_token_issuer` which, in violation of the OpenID Connect spec, takes precedence over `issuer`.
+
+https://github.com/owncloud/ocis/pull/7138
diff --git a/ocis-pkg/oidc/client.go b/ocis-pkg/oidc/client.go
index f3bacb40e80..bb964a443ca 100644
--- a/ocis-pkg/oidc/client.go
+++ b/ocis-pkg/oidc/client.go
@@ -308,7 +308,15 @@ func (c *oidcClient) verifyAccessTokenJWT(token string) (RegClaimsWithSID, jwt.M
 	return claims, mapClaims, err
 }
 
-	if !claims.VerifyIssuer(c.issuer, true) {
+	validIssuer := false
+	if c.provider.AccessTokenIssuer != "" {
+		// AD FS .well-known/openid-configuration has an optional `access_token_issuer` which takes precedence over `issuer`
+		// See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/586de7dd-3385-47c7-93a2-935d9e90441c
+		validIssuer = claims.VerifyIssuer(c.provider.AccessTokenIssuer, true)
+	} else {
+		validIssuer = claims.VerifyIssuer(c.issuer, true)
+	}
+	if !validIssuer {
 		vErr := jwt.ValidationError{}
 		vErr.Inner = jwt.ErrTokenInvalidIssuer
 		vErr.Errors |= jwt.ValidationErrorIssuer
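Review bot: The override taken at `if c.provider.AccessTokenIssuer != ""` is applied whenever the fetched discovery document carries `access_token_issuer`; nothing ties it to AD FS, so any provider (or anyone who can alter that metadata fetch) can choose which `iss` value this verifier accepts. The metadata already supplies `jwks_uri`, so it is trusted to that degree anyway, but a change to the accepted issuer should be visible to operators: log it once when the metadata is loaded and say so in the comment, e.g. `// trusted from discovery metadata exactly like jwks_uri: any provider publishing access_token_issuer redirects iss validation`. The comment also says the value "takes precedence over `issuer`"; it is worth spelling out that the configured `c.issuer` is then not accepted at all for access tokens, which is presumably what the linked MS-OIDCE section describes for AD FS but should be confirmed against a real AD FS token. verifyAccessTokenJWT starts and ends outside the hunk; only its signature is visible in the hunk header.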
diff --git a/ocis-pkg/oidc/metadata.go b/ocis-pkg/oidc/metadata.go
index c10db68b6e8..2f952e226f4 100644
--- a/ocis-pkg/oidc/metadata.go
+++ b/ocis-pkg/oidc/metadata.go
@@ -21,7 +21,10 @@ type ProviderMetadata struct {
 	//grant_types_supported
 	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
 	Issuer string `json:"issuer,omitempty"`
-	JwksURI string `json:"jwks_uri,omitempty"`
+	// AccessTokenIssuer is only used by AD FS and needs to be used when validating the iss of its access tokens
+	// See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/586de7dd-3385-47c7-93a2-935d9e90441c
+	AccessTokenIssuer string `json:"access_token_issuer,omitempty"`
+	JwksURI string `json:"jwks_uri,omitempty"`
 	//registration_endpoint
 	//request_object_signing_alg_values_supported
 	//request_parameter_supported
From a4b634cb67a42dd64528b32b55ea5483c40b5c8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Tue, 29 Aug 2023 17:04:17 +0200
Subject: [PATCH 2/2] drop unnecessary else

Co-authored-by: kobergj
---
 ocis-pkg/oidc/client.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/ocis-pkg/oidc/client.go b/ocis-pkg/oidc/client.go
index bb964a443ca..5e16d272467 100644
--- a/ocis-pkg/oidc/client.go
+++ b/ocis-pkg/oidc/client.go
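Review bot: The new field comment says AccessTokenIssuer "is only used by AD FS", but nothing in this struct or its JSON decoding restricts the field to AD FS: any discovery document that includes `access_token_issuer` will populate it, and it then steers which `iss` is accepted. The comment should describe what the field does and what trust it carries rather than who is expected to send it, e.g. `// AccessTokenIssuer is the non-standard access_token_issuer published by AD FS (MS-OIDCE). When present it replaces Issuer as the expected iss of access tokens, so it is trusted exactly like JwksURI.` Because the tag uses `omitempty` like its neighbours, an explicitly empty string and an absent field are indistinguishable after decoding, which is fine for a presence check but worth knowing. ProviderMetadata continues outside the hunk.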
@@ -308,15 +308,14 @@ func (c *oidcClient) verifyAccessTokenJWT(token string) (RegClaimsWithSID, jwt.M
 	return claims, mapClaims, err
 }
 
-	validIssuer := false
+	issuer := c.issuer
 	if c.provider.AccessTokenIssuer != "" {
 		// AD FS .well-known/openid-configuration has an optional `access_token_issuer` which takes precedence over `issuer`
 		// See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/586de7dd-3385-47c7-93a2-935d9e90441c
-		validIssuer = claims.VerifyIssuer(c.provider.AccessTokenIssuer, true)
-	} else {
-		validIssuer = claims.VerifyIssuer(c.issuer, true)
+		issuer = c.provider.AccessTokenIssuer
 	}
-	if !validIssuer {
+
+	if !claims.VerifyIssuer(issuer, true) {
 		vErr := jwt.ValidationError{}
 		vErr.Inner = jwt.ErrTokenInvalidIssuer
 		vErr.Errors |= jwt.ValidationErrorIssuer
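Review bot: Neither commit adds a test for the new branch (both diffstats list only client.go, metadata.go and the changelog), and `claims.VerifyIssuer(issuer, true)` is an exact string comparison, so a trailing-slash or scheme mismatch between what AD FS publishes as `access_token_issuer` and what it puts in `iss` would reject every access token with the generic invalid-issuer error and nothing in the logs pointing at the override. A small table test that builds the client with a ProviderMetadata fixture in both shapes, `AccessTokenIssuer` set and empty, and checks which `iss` passes would pin the precedence rule cheaply. `issuer := c.issuer` appears to be the configured value while the override comes from the fetched metadata; if those two are expected to agree for non-AD FS providers, a one-line comment saying so would help the next reader. The enclosing verifyAccessTokenJWT starts and ends outside the hunk.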