mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-02-18 03:18:52 -06:00
Code Issues Packages Projects Releases Wiki Activity

support AD FS (#7140)

Browse Source 
* support AD FS

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* drop unnecessary else

Co-authored-by: kobergj <jkoberg@owncloud.com>

---------

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: kobergj <jkoberg@owncloud.com>
This commit is contained in:
Jörn Friedrich Dreyer
2023-09-01 15:25:06 +02:00
committed by GitHub
parent 7e1e48cb47
commit f1d09af547
3 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
changelog/unreleased/access-token-issuer.md Normal file
View File

@@ -0,0 +1,5 @@
Enhancement: Support spec violating AD FS access token issuer
AD FS `/adfs/.well-known/openid-configuration` has an optional `access_token_issuer` which, in violation of the OpenID Connect spec, takes precedence over `issuer`.
https://github.com/owncloud/ocis/pull/7138

9
ocis-pkg/oidc/client.go
View File

@@ -308,7 +308,14 @@ func (c *oidcClient) verifyAccessTokenJWT(token string) (RegClaimsWithSID, jwt.M
return claims, mapClaims, err
}
if !claims.VerifyIssuer(c.issuer, true) {
issuer := c.issuer
if c.provider.AccessTokenIssuer != "" {
// AD FS .well-known/openid-configuration has an optional `access_token_issuer` which takes precedence over `issuer`
// See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/586de7dd-3385-47c7-93a2-935d9e90441c
issuer = c.provider.AccessTokenIssuer
}
if !claims.VerifyIssuer(issuer, true) {
vErr := jwt.ValidationError{}
vErr.Inner = jwt.ErrTokenInvalidIssuer
vErr.Errors |= jwt.ValidationErrorIssuer

5
ocis-pkg/oidc/metadata.go
View File

@@ -21,7 +21,10 @@ type ProviderMetadata struct {
//grant_types_supported
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
Issuer string `json:"issuer,omitempty"`
JwksURI string `json:"jwks_uri,omitempty"`
// AccessTokenIssuer is only used by AD FS and needs to be used when validating the iss of its access tokens
// See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/586de7dd-3385-47c7-93a2-935d9e90441c
AccessTokenIssuer string `json:"access_token_issuer,omitempty"`
JwksURI string `json:"jwks_uri,omitempty"`
//registration_endpoint
//request_object_signing_alg_values_supported
//request_parameter_supported