diff --git a/README.md b/README.md index 8c55869..925912a 100644 --- a/README.md +++ b/README.md @@ -8,9 +8,9 @@ For development purpose APCu is reasonable as well. Please follow the [documentation on how to set up caching](https://doc.owncloud.org/server/admin_manual/configuration/server/caching_configuration.html#supported-caching-backends). ### Setup config.php -The OpenId integration is established by entering the parameters below to the +The OpenId integration is established by entering the parameters below to the ownCloud configuration file. -_provider-url_, _client-id_ and _client-secret- are to be taken from the OpenId +_provider-url_, _client-id_ and _client-secret- are to be taken from the OpenId Provider setup. _loginButtonName_ can be chosen freely depending on the installation. @@ -55,12 +55,12 @@ $CONFIG = [ ### Setup within the OpenId Provider When registering ownCloud as OpenId Client use ```https://cloud.example.net/index.php/apps/openidconnect/redirect``` as redirect url . -In case [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html) +In case [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html) is supported please enter ```https://cloud.example.net/index.php/apps/openidconnect/logout``` as logout url within the client registration of the OpenId Provider. We require ```frontchannel_logout_session_required``` to be true. ### Setup service discovery -In order to allow other clients to use OpenID Connect when talking to ownCloud please setup +In order to allow other clients to use OpenID Connect when talking to ownCloud please setup a redirect on the web server to point .well-known/openid-configuration to /index.php/apps/openidconnect/config This is an .htaccess example 
@@ -104,14 +104,16 @@ To set it up locally do the following: 'loginButtonName' => 'node-oidc-provider', 'mode' => 'userid', 'search-attribute' => 'sub', - 'use-token-introspection-endpoint' => true + 'use-token-introspection-endpoint' => true, + // do not verify tls host or peer + 'insecure' => true ], ]; - + ``` 8. Clients can now use http://localhost:3000/.well-known/openid-configuration to obtain all information which is necessary to initiate the OpenId Connect flow. Use the granted access token in any request to ownCloud within a bearer authentication header. -9. You can login with any credentials but you need to make sure that the user with the given user id exists. In a real world deployment the users will come from LDAP. +9. You can login with any credentials but you need to make sure that the user with the given user id exists. In a real world deployment the users will come from LDAP. Keep in mind that by default, oidc app will search for the `email` attribute - which is hardcoded to `johndoe@example.com` [ref](https://github.com/panva/node-oidc-provider/blob/master/example/support/account.js#L32) If you wish to map the login name on the oidc-provider with owncloud user ids, you can configure it as following: ``` diff --git a/lib/Client.php b/lib/Client.php index 854edec..d078efb 100644 --- a/lib/Client.php +++ b/lib/Client.php @@ -66,7 +66,8 @@ public function __construct(IConfig $config, $scopes = $openIdConfig['scopes'] ?? ['openid', 'profile', 'email']; $this->addScope($scopes); - if ($this->config->getSystemValue('debug', false)) { + $insecure = $openIdConfig['insecure'] ?? false; + if ($insecure) { $this->setVerifyHost(false); $this->setVerifyPeer(false); } diff --git a/tests/unit/ClientTest.php b/tests/unit/ClientTest.php index ca4276e..62a8f78 100644 --- a/tests/unit/ClientTest.php +++ b/tests/unit/ClientTest.php 
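Review bot: In the lib/Client.php hunk the new `insecure` option is only tested for truthiness, so any non-boolean value such as `'insecure' => 'false'` (a non-empty string, truthy in PHP) would disable TLS peer and host verification on the connection that carries the client secret, tokens and introspection calls to the provider; compare strictly with `if ($insecure === true) {`. Since this branch removes the one check that protects that exchange, the `$insecure = ...` line deserves a comment such as `// Development only: disables TLS certificate validation against the OpenID provider` and, if a logger is reachable from this constructor, a warning when the flag is active, so a production deployment does not run unverified unnoticed. Decoupling the behaviour from the global `debug` flag is itself an improvement; the constructor begins before the hunk and continues past it.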
@@ -75,9 +75,8 @@ public function testGetWellKnown(): void { public function testCtor(): void { $providerUrl = 'https://example.net'; - $debug = true; - $this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($debug, $providerUrl) { + $this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($providerUrl) { if ($key === 'openid-connect') { return [ 'provider-url' => $providerUrl, @@ -85,11 +84,35 @@ public function testCtor(): void { 'client-secret' => 'secret', 'scopes' => ['openid', 'profile'], 'provider-params' => ['bar'], - 'auth-params' => ['foo'] + 'auth-params' => ['foo'], ]; } - if ($key === 'debug') { - return $debug; + throw new \InvalidArgumentException("Unexpected key: $key"); + }); + $this->client = $this->getMockBuilder(Client::class) + ->setConstructorArgs([$this->config, $this->urlGenerator, $this->session]) + ->setMethods(['fetchURL']) + ->getMock(); + + self::assertEquals($providerUrl, $this->client->getProviderURL()); + self::assertEquals(true, $this->client->getVerifyHost()); + self::assertEquals(true, $this->client->getVerifyPeer()); + } + + public function testCtorInsecure(): void { + $providerUrl = 'https://example.net'; + + $this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($providerUrl) { + if ($key === 'openid-connect') { + return [ + 'provider-url' => $providerUrl, + 'client-id' => 'client-id', + 'client-secret' => 'secret', + 'scopes' => ['openid', 'profile'], + 'provider-params' => ['bar'], + 'auth-params' => ['foo'], + 'insecure' => true + ]; } throw new \InvalidArgumentException("Unexpected key: $key"); });