Merge pull request #89 from owncloud/new-insecure-param
use dedicated 'insecure' param
butonic authored Jul 27, 2020
2 parents f7476bc + faea507 commit 013e0ba
Showing 3 changed files with 39 additions and 13 deletions.
16 changes: 9 additions & 7 deletions README.md
@@ -8,9 +8,9 @@ For development purpose APCu is reasonable as well.
Please follow the [documentation on how to set up caching](https://doc.owncloud.org/server/admin_manual/configuration/server/caching_configuration.html#supported-caching-backends).

### Setup config.php
The OpenId integration is established by entering the parameters below to the
The OpenId integration is established by entering the parameters below to the
ownCloud configuration file.
_provider-url_, _client-id_ and _client-secret- are to be taken from the OpenId
_provider-url_, _client-id_ and _client-secret- are to be taken from the OpenId
Provider setup.
_loginButtonName_ can be chosen freely depending on the installation.

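Review bot: the italic markup on the `_client-secret-` line is unbalanced (it opens with `_` and closes with `-`), so it renders with a stray underscore instead of as `_client-secret_`; since this hunk already touches those lines, fix it here as `_provider-url_, _client-id_ and _client-secret_ are to be taken from the OpenId Provider setup.`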
@@ -55,12 +55,12 @@ $CONFIG = [
### Setup within the OpenId Provider
When registering ownCloud as OpenId Client use ```https://cloud.example.net/index.php/apps/openidconnect/redirect``` as redirect url .

In case [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html)
In case [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html)
is supported please enter ```https://cloud.example.net/index.php/apps/openidconnect/logout``` as logout url within the client registration of the OpenId Provider.
We require ```frontchannel_logout_session_required``` to be true.

### Setup service discovery
In order to allow other clients to use OpenID Connect when talking to ownCloud please setup
In order to allow other clients to use OpenID Connect when talking to ownCloud please setup
a redirect on the web server to point .well-known/openid-configuration to /index.php/apps/openidconnect/config

This is an .htaccess example
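Review bot: two wording nits in the lines this hunk touches: `as redirect url .` has a space before the period, and `please setup a redirect` should read `please set up a redirect`. Both lines are already part of the diff, so they can be fixed without widening the change.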
@@ -104,14 +104,16 @@ To set it up locally do the following:
'loginButtonName' => 'node-oidc-provider',
'mode' => 'userid',
'search-attribute' => 'sub',
'use-token-introspection-endpoint' => true
'use-token-introspection-endpoint' => true,
// do not verify tls host or peer
'insecure' => true
],
];
```
8. Clients can now use http://localhost:3000/.well-known/openid-configuration to obtain all information which is necessary
to initiate the OpenId Connect flow. Use the granted access token in any request to ownCloud within a bearer authentication header.
9. You can login with any credentials but you need to make sure that the user with the given user id exists. In a real world deployment the users will come from LDAP.
9. You can login with any credentials but you need to make sure that the user with the given user id exists. In a real world deployment the users will come from LDAP.
Keep in mind that by default, oidc app will search for the `email` attribute - which is hardcoded to `[email protected]` [ref](https://github.com/panva/node-oidc-provider/blob/master/example/support/account.js#L32)
If you wish to map the login name on the oidc-provider with owncloud user ids, you can configure it as following:
```
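Review bot: the new `'insecure' => true` line in the local node-oidc-provider example needs a stronger comment than `do not verify tls host or peer`: it disables both host and peer certificate verification for every request to the provider, so the comment should say it exists only for this http://localhost:3000 development setup and must stay unset (it defaults to false) in any real deployment. The `$CONFIG` reference section earlier in the README is not updated by this PR to list the new key; add `insecure` there with its default and that warning, otherwise an operator reading only the production section will not know the option exists.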
3 changes: 2 additions & 1 deletion lib/Client.php
@@ -66,7 +66,8 @@ public function __construct(IConfig $config,
$scopes = $openIdConfig['scopes'] ?? ['openid', 'profile', 'email'];
$this->addScope($scopes);

if ($this->config->getSystemValue('debug', false)) {
$insecure = $openIdConfig['insecure'] ?? false;
if ($insecure) {
$this->setVerifyHost(false);
$this->setVerifyPeer(false);
}
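Review bot: replacing the `debug` check with a dedicated key is the right fix, since turning on ownCloud debug logging silently disabled TLS verification for the OpenID provider. Two follow-ups for `$insecure = $openIdConfig['insecure'] ?? false;`: compare strictly (`if ($insecure === true)`) so a string such as `'false'` in config.php is not treated as truthy, and log a warning when that branch is taken so a production instance with verification disabled is visible in its log rather than only in the config file.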
33 changes: 28 additions & 5 deletions tests/unit/ClientTest.php
@@ -75,21 +75,44 @@ public function testGetWellKnown(): void {

public function testCtor(): void {
$providerUrl = 'https://example.net';
$debug = true;

$this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($debug, $providerUrl) {
$this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($providerUrl) {
if ($key === 'openid-connect') {
return [
'provider-url' => $providerUrl,
'client-id' => 'client-id',
'client-secret' => 'secret',
'scopes' => ['openid', 'profile'],
'provider-params' => ['bar'],
'auth-params' => ['foo']
'auth-params' => ['foo'],
];
}
if ($key === 'debug') {
return $debug;
throw new \InvalidArgumentException("Unexpected key: $key");
});
$this->client = $this->getMockBuilder(Client::class)
->setConstructorArgs([$this->config, $this->urlGenerator, $this->session])
->setMethods(['fetchURL'])
->getMock();

self::assertEquals($providerUrl, $this->client->getProviderURL());
self::assertEquals(true, $this->client->getVerifyHost());
self::assertEquals(true, $this->client->getVerifyPeer());
}

public function testCtorInsecure(): void {
$providerUrl = 'https://example.net';

$this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($providerUrl) {
if ($key === 'openid-connect') {
return [
'provider-url' => $providerUrl,
'client-id' => 'client-id',
'client-secret' => 'secret',
'scopes' => ['openid', 'profile'],
'provider-params' => ['bar'],
'auth-params' => ['foo'],
'insecure' => true
];
}
throw new \InvalidArgumentException("Unexpected key: $key");
});
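Review bot: the visible part of `testCtorInsecure` stops after the config callback; make sure the rest of the method builds the client the same way `testCtor` does and asserts that `getVerifyHost()` and `getVerifyPeer()` both return false, otherwise the new `insecure` branch in `Client::__construct` has no coverage. Throwing `InvalidArgumentException` for unexpected keys is a good change, since it proves the constructor no longer reads `debug`. Minor: the `'insecure' => true` entry is missing a trailing comma, unlike the `'auth-params' => ['foo'],` line fixed just above it.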
