Add JSON Web Token link placeholder

[kffl]

This PR adds a {jwt} link placeholder that generates a JSON Web Token containing user's id, email and display name in its payload. This functionality was previously discussed in: #127, #146 and #202

Example JWT payload:

{
  "email": "mail@example.com",
  "uid": "admin",
  "displayName": "John Doe",
  "iat": 1657539973
}

The JWT payload contains the issuedAt (iat) field with a unix timestamp of token creation, so that the web app running inside the iframe can decide on the token's time-to-live by itself (for how long after being issued to trust it).

The tokens are signed with the HS256 algorithm, secret of which should be defined in external_jwt_secret config param.

[MichaelBarth]

Thank you very much for this work! I hope, the developers are now going to integrate this feature! A short description how to decode the jwt bould be helpful. What do you think about an API-call to decode? .../external/API/decodeJWT/Password

Sincerely
Michael

[kffl]

Hi @MichaelBarth,

Thanks for your feedback! I'm planning on adding information regarding JWT placeholder usage in this app's page on nextcloud/documentation once these changes are merged.

I'm not sure about adding a separate API endpoint for decoding, as it seems to implement a pattern that JSON Web Tokens were designed to avoid. Two key benefits of JWTs are that:

1. The issuer doesn't have to keep track of issued tokens, it just has to sign them and can easily validate them in the future without storing them anywhere. This property makes makes building horizontally-scalable, stateless systems easier.
2. External systems, when presented with a signed JWT don't have to call the issuer to determine its validity (nor to decode it), since they can validate the token themselves so long as they know the issuer's public key (in case of RS256 tokens) or the JWT secret (in case of HS256 tokens - a kind of token that is implemented in this PR).

[MichaelBarth]

I fear that this improvement will not be adopted by the developers for some reason (too insecure, there is oauth2 after all). Joas Schilling should have seen your pull request long ago.

[nickvergessen]

It's still on my to review list. Just very busy lately and still recovering from after-vacation notification list

[MichaelBarth]

Please, please, please!

[nickvergessen]

In order to reduce the complexity and to not have to maintain cryptographic code, I used a dependency and implemented it like Talk does it in #310

It comes with a docs/jwt-sample.php which shows how the info can be accessed.

Can you please test and verify that #310 solves your usecase? A testing package that hopefully works from 23-25 is attached there. But might be it's not enough to just allow the versions in which case 25 needs to be used for testing.