use dedicated 'insecure' param #89

Merged
merged 1 commit into from
Jul 27, 2020
16 changes: 9 additions & 7 deletions README.md
@@ -8,9 +8,9 @@ For development purpose APCu is reasonable as well.
Please follow the [documentation on how to set up caching](https://doc.owncloud.org/server/admin_manual/configuration/server/caching_configuration.html#supported-caching-backends).

### Setup config.php
The OpenId integration is established by entering the parameters below to the
The OpenId integration is established by entering the parameters below to the
ownCloud configuration file.
_provider-url_, _client-id_ and _client-secret- are to be taken from the OpenId
_provider-url_, _client-id_ and _client-secret- are to be taken from the OpenId
Provider setup.
_loginButtonName_ can be chosen freely depending on the installation.

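Review bot: the `_client-secret-` italics marker in the replaced and the replacing line (`_provider-url_, _client-id_ and _client-secret- are to be taken from the OpenId`) closes with a hyphen instead of an underscore, so the italic never terminates in the rendered README; since this line is touched anyway, make it `_client-secret_`. The two paired lines in this hunk render identically here, which suggests the change is whitespace only; a comment in the PR saying so would save reviewers a diff-by-eye.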
@@ -55,12 +55,12 @@ $CONFIG = [
### Setup within the OpenId Provider
When registering ownCloud as OpenId Client use ```https://cloud.example.net/index.php/apps/openidconnect/redirect``` as redirect url .

In case [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html)
In case [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html)
is supported please enter ```https://cloud.example.net/index.php/apps/openidconnect/logout``` as logout url within the client registration of the OpenId Provider.
We require ```frontchannel_logout_session_required``` to be true.

### Setup service discovery
In order to allow other clients to use OpenID Connect when talking to ownCloud please setup
In order to allow other clients to use OpenID Connect when talking to ownCloud please setup
a redirect on the web server to point .well-known/openid-configuration to /index.php/apps/openidconnect/config

This is an .htaccess example
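Review bot: the lines in this hunk are again whitespace-only pairs; while they are being rewritten, the stray space before the period in `as redirect url .` and the verb `setup` in `please setup a redirect` (should be `set up`) are worth fixing in the same commit.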
@@ -104,14 +104,16 @@ To set it up locally do the following:
'loginButtonName' => 'node-oidc-provider',
'mode' => 'userid',
'search-attribute' => 'sub',
'use-token-introspection-endpoint' => true
'use-token-introspection-endpoint' => true,
// do not verify tls host or peer
'insecure' => true
],
];

```
8. Clients can now use http://localhost:3000/.well-known/openid-configuration to obtain all information which is necessary
to initiate the OpenId Connect flow. Use the granted access token in any request to ownCloud within a bearer authentication header.
9. You can login with any credentials but you need to make sure that the user with the given user id exists. In a real world deployment the users will come from LDAP.
9. You can login with any credentials but you need to make sure that the user with the given user id exists. In a real world deployment the users will come from LDAP.
Keep in mind that by default, oidc app will search for the `email` attribute - which is hardcoded to `[email protected]` [ref](https://github.com/panva/node-oidc-provider/blob/master/example/support/account.js#L32)
If you wish to map the login name on the oidc-provider with owncloud user ids, you can configure it as following:
```
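Review bot: the new `'insecure' => true` entry turns off TLS host and peer verification, and the only explanation is the one-line comment `// do not verify tls host or peer`. Since this block is the local node-oidc-provider setup (`To set it up locally do the following:`), the README should say in plain words next to the option that it exists for local development against a provider without a valid certificate and must not be set in a real deployment; a reader copying this config block into production would otherwise silently lose certificate validation of the identity provider. A sentence in the `### Setup config.php` section listing `insecure` with its default (`false`) would also document the option where the other parameters are described.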
3 changes: 2 additions & 1 deletion lib/Client.php
@@ -66,7 +66,8 @@ public function __construct(IConfig $config,
$scopes = $openIdConfig['scopes'] ?? ['openid', 'profile', 'email'];
$this->addScope($scopes);

if ($this->config->getSystemValue('debug', false)) {
$insecure = $openIdConfig['insecure'] ?? false;
if ($insecure) {
$this->setVerifyHost(false);
$this->setVerifyPeer(false);
}
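Review bot: decoupling certificate verification from the global `debug` flag is the right call, because `debug` is commonly left on for troubleshooting and would have disabled TLS verification as a side effect. Two suggestions for the new check: compare strictly (`if ($insecure === true)`) rather than relying on truthiness, so that a value such as the string `'false'` coming from a hand-edited config.php does not disable verification; and when the option is honoured, emit a warning through the app's logger so that an `insecure` setting left behind from development is visible in the logs of a production instance.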
33 changes: 28 additions & 5 deletions tests/unit/ClientTest.php
@@ -75,21 +75,44 @@ public function testGetWellKnown(): void {

public function testCtor(): void {
$providerUrl = 'https://example.net';
$debug = true;

$this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($debug, $providerUrl) {
$this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($providerUrl) {
if ($key === 'openid-connect') {
return [
'provider-url' => $providerUrl,
'client-id' => 'client-id',
'client-secret' => 'secret',
'scopes' => ['openid', 'profile'],
'provider-params' => ['bar'],
'auth-params' => ['foo']
'auth-params' => ['foo'],
];
}
if ($key === 'debug') {
return $debug;
throw new \InvalidArgumentException("Unexpected key: $key");
});
$this->client = $this->getMockBuilder(Client::class)
->setConstructorArgs([$this->config, $this->urlGenerator, $this->session])
->setMethods(['fetchURL'])
->getMock();

self::assertEquals($providerUrl, $this->client->getProviderURL());
self::assertEquals(true, $this->client->getVerifyHost());
self::assertEquals(true, $this->client->getVerifyPeer());
}

public function testCtorInsecure(): void {
$providerUrl = 'https://example.net';

$this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($providerUrl) {
if ($key === 'openid-connect') {
return [
'provider-url' => $providerUrl,
'client-id' => 'client-id',
'client-secret' => 'secret',
'scopes' => ['openid', 'profile'],
'provider-params' => ['bar'],
'auth-params' => ['foo'],
'insecure' => true
];
}
throw new \InvalidArgumentException("Unexpected key: $key");
});
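Review bot: the visible part of `testCtorInsecure` ends with the `getSystemValue` callback, before any assertions; make sure the test goes on to construct the client and assert `self::assertEquals(false, $this->client->getVerifyHost())` and `self::assertEquals(false, $this->client->getVerifyPeer())`, mirroring the two new assertions in `testCtor`, otherwise it only proves the config is read, not that verification is switched off. Throwing `InvalidArgumentException` on unexpected keys is a good tightening: it guarantees the constructor no longer consults `debug`, which is exactly the behaviour this PR removes.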