

Implement basic OIDC core server handling
Allow Nextcloud to be used as an OpenID Connect server. Clients can authenticate against it.

Signed-off-by: Markus Heberling <markus.heberling@hengsbeck.de>
Markus Heberling committed Nov 21, 2018
1 parent b7767a5 commit cfe9a89
Showing 1 changed file with 40 additions and 0 deletions.
40 changes: 40 additions & 0 deletions apps/oauth2/lib/Controller/OauthApiController.php
Expand Up @@ -172,13 +172,53 @@ public function getToken($grant_type, $code, $refresh_token, $client_id, $client

$this->throttler->resetDelay($this->request->getRemoteAddress(), 'login', ['user' => $appToken->getUID()]);

// The id token needs to be correctly build as JWT. Taken from https://dev.to/robdwaller/how-to-create-a-json-web-token-using-php-3gml

// Create token header as a JSON string
$header = json_encode(['typ' => 'JWT', 'alg' => 'HS256']);

// We need the user to fill in name and email in the id_token
$user = \OC::$server->getUserManager()->get($appToken->getUID());

// Create token payload as a JSON string
$payload = json_encode([
// required for OIDC
'iss' => \OC::$server->getURLGenerator()->getBaseUrl(),
'sub' => $appToken->getUID(),
'aud' => $client_id,
'exp' => $appToken->getExpires(),
'iat' => $this->time->getTime(),
'auth_time' => $this->time->getTime(),

// optional, can be requested by claims, we don't support requesting claims as of now, so we just send them always
'email' => $user->getEMailAddress(),
'name' => $user->getDisplayName(),

]);

// Encode Header to Base64Url String
$base64UrlHeader = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($header));

// Encode Payload to Base64Url String
$base64UrlPayload = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($payload));

// Create Signature Hash
$signature = hash_hmac('sha256', $base64UrlHeader . "." . $base64UrlPayload, $client->getSecret(), true);

// Encode Signature to Base64Url String
$base64UrlSignature = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($signature));

// Create JWT
$jwt = $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature;

return new JSONResponse(
[
'access_token' => $newToken,
'token_type' => 'Bearer',
'expires_in' => 3600,
'refresh_token' => $newCode,
'user_id' => $appToken->getUID(),
'id_token' => $jwt,
]
);
}
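Review bot: The ID token assembled in the `$payload` array and signed below it carries no `nonce` claim, and OIDC Core requires the authorization request's nonce to be echoed into the ID Token whenever one was sent; nothing in the hunk carries it through, so strict clients will reject the token and lenient ones lose the replay binding the claim provides (whether the nonce is persisted with the code is outside the hunk). `'auth_time' => $this->time->getTime()` reports the issuance time rather than when the user actually authenticated, which is wrong at least on the refresh_token grant; either persist the original authentication time or drop the claim, which is optional. `$user = \OC::$server->getUserManager()->get($appToken->getUID())` presumably returns null for a user that no longer exists, and `$user->getEMailAddress()` would then throw; add an explicit null check and reject the request rather than letting it fail inside the token build. The three identical `str_replace(['+', '/', '='], ['-', '_', ''], base64_encode(...))` calls would read better as one private `base64UrlEncode(string $data): string` helper, and both `json_encode` calls should pass `JSON_THROW_ON_ERROR` so an encoding failure (e.g. a non-UTF-8 display name) does not silently sign an empty payload. getToken() starts outside the hunk.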
