diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a39ec268c..43d864986 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,6 +8,8 @@ updates: interval: daily time: "03:00" timezone: Europe/Paris + cooldown: + default-days: 10 open-pull-requests-limit: 10 ignore: - dependency-name: coenjacobs/mozart @@ -20,6 +22,8 @@ updates: interval: daily time: "03:00" timezone: Europe/Paris + cooldown: + default-days: 10 open-pull-requests-limit: 10 ignore: - dependency-name: webpack-cli diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index fbc8d1b15..b712fad17 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -33,6 +33,9 @@ jobs: - php-versions: 8.3 databases: mysql server-versions: stable33 + - php-versions: 8.3 + databases: mysql + server-versions: stable34 - php-versions: 8.4 databases: mysql server-versions: master diff --git a/.github/workflows/phpunit.yml b/.github/workflows/phpunit.yml index d221380ae..05f20e0fb 100644 --- a/.github/workflows/phpunit.yml +++ b/.github/workflows/phpunit.yml @@ -22,7 +22,7 @@ jobs: matrix: php-versions: ['8.2', '8.3', '8.4'] databases: ['mysql'] - server-versions: ['stable31', 'stable32', 'stable33', 'master'] + server-versions: ['stable31', 'stable32', 'stable33', 'stable34', 'master'] exclude: # Reduce matrix - test pgsql only on master and latest stable - databases: pgsql @@ -34,6 +34,9 @@ jobs: - php-versions: 8.5 databases: mysql server-versions: stable33 + - php-versions: 8.5 + databases: mysql + server-versions: stable34 - php-versions: 8.5 databases: mysql server-versions: master diff --git a/README.md b/README.md index fc315ea9d..10278f48f 100644 --- a/README.md +++ b/README.md 
@@ -215,7 +215,7 @@ login. Admins can still use the regular login through adding the `?direct=1` parameter to the login URL. ```bash -sudo -u www-data php var/www/nextcloud/occ config:app:set --type=string --value=0 user_oidc allow_multiple_user_backends +sudo -u www-data php /var/www/nextcloud/occ config:app:set --type=string --value=0 user_oidc allow_multiple_user_backends ``` ### PKCE diff --git a/appinfo/info.xml b/appinfo/info.xml index 8685f1915..fd5b3bfc9 100644 --- a/appinfo/info.xml +++ b/appinfo/info.xml @@ -8,7 +8,7 @@ OpenID Connect user backend Use an OpenID Connect backend to login to your Nextcloud Allows flexible configuration of an OIDC server as Nextcloud login user backend. - 8.10.1 + 8.11.0-dev.0 agpl Roeland Jago Douma Julius Härtl @@ -23,7 +23,7 @@ https://github.com/nextcloud/user_oidc/issues https://github.com/nextcloud/user_oidc - + OCA\UserOIDC\Settings\AdminSettings diff --git a/composer.lock b/composer.lock index e41e91796..0bf30538e 100644 --- a/composer.lock +++ b/composer.lock @@ -174,16 +174,16 @@ }, { "name": "phpseclib/phpseclib", - "version": "2.0.53", + "version": "2.0.54", "source": { "type": "git", "url": "https://github.com/phpseclib/phpseclib.git", - "reference": "2d1a664b940b9b8f367185307dc010d11a2790f3" + "reference": "a96a835067c39ee7a709329fe70869817da18081" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpseclib/phpseclib/zipball/2d1a664b940b9b8f367185307dc010d11a2790f3", - "reference": "2d1a664b940b9b8f367185307dc010d11a2790f3", + "url": "https://api.github.com/repos/phpseclib/phpseclib/zipball/a96a835067c39ee7a709329fe70869817da18081", + "reference": "a96a835067c39ee7a709329fe70869817da18081", "shasum": "" }, "require": { @@ -264,7 +264,7 @@ ], "support": { "issues": "https://github.com/phpseclib/phpseclib/issues", - "source": "https://github.com/phpseclib/phpseclib/tree/2.0.53" + "source": "https://github.com/phpseclib/phpseclib/tree/2.0.54" }, "funding": [ { 
@@ -280,7 +280,7 @@ "type": "tidelift" } ], - "time": "2026-04-10T01:30:02+00:00" + "time": "2026-04-27T06:59:24+00:00" } ], "packages-dev": [ @@ -2578,16 +2578,16 @@ }, { "name": "symfony/event-dispatcher", - "version": "v7.4.8", + "version": "v7.4.9", "source": { "type": "git", "url": "https://github.com/symfony/event-dispatcher.git", - "reference": "f57b899fa736fd71121168ef268f23c206083f0a" + "reference": "e4a2e29753c7801f7a8340e066cfa788f3bc8101" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/f57b899fa736fd71121168ef268f23c206083f0a", - "reference": "f57b899fa736fd71121168ef268f23c206083f0a", + "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/e4a2e29753c7801f7a8340e066cfa788f3bc8101", + "reference": "e4a2e29753c7801f7a8340e066cfa788f3bc8101", "shasum": "" }, "require": { @@ -2639,7 +2639,7 @@ "description": "Provides tools that allow your application components to communicate with each other by dispatching events and listening to them", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/event-dispatcher/tree/v7.4.8" + "source": "https://github.com/symfony/event-dispatcher/tree/v7.4.9" }, "funding": [ { @@ -2659,7 +2659,7 @@ "type": "tidelift" } ], - "time": "2026-03-30T13:54:39+00:00" + "time": "2026-04-18T13:18:21+00:00" }, { "name": "symfony/event-dispatcher-contracts", diff --git a/l10n/en_GB.js b/l10n/en_GB.js index 78d0d2ee8..51fd6baa5 100644 --- a/l10n/en_GB.js +++ b/l10n/en_GB.js 
@@ -114,6 +114,8 @@ OC.L10N.register( "Should the ID token be included as the id_token_hint GET parameter in the OpenID logout URL? Users are redirected to this URL after logging out of Nextcloud. Enabling this setting exposes the OIDC ID token to the user agent, which may not be necessary depending on the OIDC provider." : "Should the ID token be included as the id_token_hint GET parameter in the OpenID logout URL? Users are redirected to this URL after logging out of Nextcloud. Enabling this setting exposes the OIDC ID token to the user agent, which may not be necessary depending on the OIDC provider.", "Only groups matching the whitelist regex will be created, updated and deleted by the group claim. For example: {regex} allows all groups which ID starts with {substr}" : "Only groups matching the whitelist regex will be created, updated and deleted by the group claim. For example: {regex} allows all groups which ID starts with {substr}", "This will create and update the users groups depending on the groups claim in the ID token. The Format of the groups claim value should be {sample1}, {sample2} or {sample3}" : "This will create and update the users groups depending on the groups claim in the ID token. The Format of the groups claim value should be {sample1}, {sample2} or {sample3}", + "Enrich login ID token with userinfo": "Enrich login ID token with userinfo", + "Fetch additional information not found in the login ID token from the userinfo endpoint. This setting is overwritten if the global enrich_login_id_token_with_userinfo option is enabled.": "Fetch additional information not found in the login ID token from the userinfo endpoint. This setting is overwritten if the global enrich_login_id_token_with_userinfo option is enabled.", "Back to %s" : "Back to %s", "Domain" : "Domain", "your.domain" : "your.domain" diff --git a/l10n/lv.js b/l10n/lv.js index 1b0d678cd..092ec7a04 100644 --- a/l10n/lv.js +++ b/l10n/lv.js 
@@ -14,6 +14,7 @@ OC.L10N.register( "Submit" : "Iesniegt", "Scope" : "Darbības joma", "Authentication and Access Control Settings" : "Autentificēšanās un piekļuves vadības iestatījumi", + "Back to %s" : "Atgriezties %s", "Domain" : "Domain" }, "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n != 0 ? 1 : 2);"); diff --git a/l10n/lv.json b/l10n/lv.json index dc9759bba..2f3f177f0 100644 --- a/l10n/lv.json +++ b/l10n/lv.json @@ -12,6 +12,7 @@ "Submit" : "Iesniegt", "Scope" : "Darbības joma", "Authentication and Access Control Settings" : "Autentificēšanās un piekļuves vadības iestatījumi", + "Back to %s" : "Atgriezties %s", "Domain" : "Domain" },"pluralForm" :"nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n != 0 ? 1 : 2);" } \ No newline at end of file diff --git a/l10n/ru.js b/l10n/ru.js index fd6431aeb..c57813f8d 100644 --- a/l10n/ru.js +++ b/l10n/ru.js @@ -4,6 +4,8 @@ OC.L10N.register( "Error" : "Ошибка", "Access forbidden" : "Доступ запрещён", "User conflict" : "Конфликт пользователей", + "Registered Providers" : "Зарегистрированные провайдеры", + "Register new provider" : "Зарегистрировать нового провайдера", "Client ID" : "ID клиента", "Update" : "Обновление", "Remove" : "Исключить", diff --git a/l10n/ru.json b/l10n/ru.json index 56ee76b35..8345c251a 100644 --- a/l10n/ru.json +++ b/l10n/ru.json @@ -2,6 +2,8 @@ "Error" : "Ошибка", "Access forbidden" : "Доступ запрещён", "User conflict" : "Конфликт пользователей", + "Registered Providers" : "Зарегистрированные провайдеры", + "Register new provider" : "Зарегистрировать нового провайдера", "Client ID" : "ID клиента", "Update" : "Обновление", "Remove" : "Исключить", diff --git a/l10n/sv.js b/l10n/sv.js index 9b86f0627..08304b75c 100644 --- a/l10n/sv.js +++ b/l10n/sv.js 
@@ -3,6 +3,8 @@ OC.L10N.register( { "Error" : "Fel", "Access forbidden" : "Åtkomst förbjuden", + "Registered Providers" : "Registrerade leverantörer", + "Register new provider" : "Registrera ny leverantör", "Client ID" : "Klient-ID", "Update" : "Uppdatera", "Remove" : "Ta bort", diff --git a/l10n/sv.json b/l10n/sv.json index a7c14e6cb..309ca22e4 100644 --- a/l10n/sv.json +++ b/l10n/sv.json @@ -1,6 +1,8 @@ { "translations": { "Error" : "Fel", "Access forbidden" : "Åtkomst förbjuden", + "Registered Providers" : "Registrerade leverantörer", + "Register new provider" : "Registrera ny leverantör", "Client ID" : "Klient-ID", "Update" : "Uppdatera", "Remove" : "Ta bort", diff --git a/l10n/tr.js b/l10n/tr.js index 88090c1f9..b340f14b7 100644 --- a/l10n/tr.js +++ b/l10n/tr.js @@ -21,6 +21,7 @@ OC.L10N.register( "There is no such OpenID Connect provider." : "Böyle bir OpenID Connect hizmeti sağlayıcısı bulunamadı.", "Could not reach the OpenID Connect provider." : "OpenID Connect hizmeti sağlayıcısına erişilemedi.", "The identity provider failed to authenticate the user." : "Kimlik hizmeti sağlayıcı kullanıcının kimliğini doğrulayamadı.", + "The received state has expired." : "Alınan durumun geçerlilik süresi dolmuş.", "Failed to decrypt the OIDC provider client secret" : "OpenID Connect hizmeti sağlayıcısının parola şifresi çözülemedi", "Failed to contact the OIDC provider token endpoint" : "OpenID Connect hizmeti sağlayıcısı kod uç noktası ile iletişim kurulamadı.", "The issuer does not match the one from the discovery endpoint" : "Yetki veren, keşif uç noktasındakiyle eşleşmiyor", 
@@ -104,15 +105,15 @@ OC.L10N.register( "Use group provisioning." : "Grup hazırlama kullanılsın", "Group whitelist regex" : "Grup izin verilenler listesi kurallı ifadesi", "Restrict login for users that are not in any whitelisted group" : "İzin verilenler listesine alınmış herhangi bir grupta olmayan kullanıcıların oturum açması engellensin", - "Users that are not part of any whitelisted group are not created and can not login" : "İzin verilenler listesine alınmış herhangi bir grubun üyesi olmayan kullanıcılar eklenmez ve oturum açamaz", + "Users that are not part of any whitelisted group are not created and can not login" : "İzin verilenler listesine alınmış herhangi bir grubun üyesi olmayan kullanıcılar oluşturulmaz ve oturum açamaz", "Check Bearer token on API and WebDAV requests" : "API ve WebDAV isteklerinde Bearer kodu kontrol edilsin", "Do you want to allow API calls and WebDAV requests that are authenticated with an OIDC ID token or access token?" : "Bir OIDC kimlik kodu veya erişim kodu ile doğrulanmış API çağrılarına ve WebDAV isteğine izin verilsin mi?", "Auto provision user when accessing API and WebDAV with Bearer token" : "Bearer kodu ile API ve WebDAV erişiminde kullanıcı otomatik olarak yetkilendirilsin", "This automatically provisions the user, when sending API and WebDAV requests with a Bearer token. Auto provisioning and Bearer token check have to be activated for this to work." : "Bu seçenek, bir Bearer kodu ile API ve WebDAV istekleri gönderirken kullanıcıyı otomatik olarak yetkilendirir. Çalışması için otomatik yetkilendirme ve Bearer kodu denetiminin açılması gerekir.", "Send ID token hint on logout" : "Oturumu kapatıldığında kimlik kodu ipucu gönderilsin", "Should the ID token be included as the id_token_hint GET parameter in the OpenID logout URL? Users are redirected to this URL after logging out of Nextcloud. Enabling this setting exposes the OIDC ID token to the user agent, which may not be necessary depending on the OIDC provider." 
: "OpenID oturumu kapatma adresine id_token_hint GET parametresi olarak kimlik kodu eklensin mi? Kullanıcılar Nextcloud oturumlarını kapattıktan sonra bu adrese yönlendirilir. Bu ayarı açmak, OIDC kimlik kodunu kullanıcı uygulamasına sunar. Bu işlem OIDC hizmeti sağlayıcısına bağlı olarak gerekli olmayabilir.", - "Only groups matching the whitelist regex will be created, updated and deleted by the group claim. For example: {regex} allows all groups which ID starts with {substr}" : "Yalnızca izin verilenler listesi kurallı ifadesine uygun gruplar grup isteği tarafından eklenir, güncellenir ve silinir. Örneğin: {regex} ifadesi, kimliği {substr} ile başlayan tüm gruplara izin verir", - "This will create and update the users groups depending on the groups claim in the ID token. The Format of the groups claim value should be {sample1}, {sample2} or {sample3}" : "Bu seçenek, kimlik kodundaki grupların isteğine bağlı olarak kullanıcı gruplarını ekler ve günceller. İstek gruplarının biçim değeri {sample1}, {sample2} veya {sample3} olabilir", + "Only groups matching the whitelist regex will be created, updated and deleted by the group claim. For example: {regex} allows all groups which ID starts with {substr}" : "Yalnızca izin verilenler listesi kurallı ifadesine uygun gruplar grup isteği tarafından oluşturulur, güncellenir ve silinir. Örneğin: {regex} ifadesi, kimliği {substr} ile başlayan tüm gruplara izin verir", + "This will create and update the users groups depending on the groups claim in the ID token. The Format of the groups claim value should be {sample1}, {sample2} or {sample3}" : "Bu seçenek, kimlik kodundaki grupların isteğine bağlı olarak kullanıcı gruplarını oluşturur ve günceller. İstek gruplarının biçim değeri {sample1}, {sample2} veya {sample3} olabilir", "Back to %s" : "%s sayfasına dön", "Domain" : "Etki alanı", "your.domain" : "etki.alaniniz" diff --git a/l10n/tr.json b/l10n/tr.json index 1e0bfed59..7273fae8a 100644 --- a/l10n/tr.json +++ b/l10n/tr.json 
@@ -19,6 +19,7 @@ "There is no such OpenID Connect provider." : "Böyle bir OpenID Connect hizmeti sağlayıcısı bulunamadı.", "Could not reach the OpenID Connect provider." : "OpenID Connect hizmeti sağlayıcısına erişilemedi.", "The identity provider failed to authenticate the user." : "Kimlik hizmeti sağlayıcı kullanıcının kimliğini doğrulayamadı.", + "The received state has expired." : "Alınan durumun geçerlilik süresi dolmuş.", "Failed to decrypt the OIDC provider client secret" : "OpenID Connect hizmeti sağlayıcısının parola şifresi çözülemedi", "Failed to contact the OIDC provider token endpoint" : "OpenID Connect hizmeti sağlayıcısı kod uç noktası ile iletişim kurulamadı.", "The issuer does not match the one from the discovery endpoint" : "Yetki veren, keşif uç noktasındakiyle eşleşmiyor", 
@@ -102,15 +103,15 @@ "Use group provisioning." : "Grup hazırlama kullanılsın", "Group whitelist regex" : "Grup izin verilenler listesi kurallı ifadesi", "Restrict login for users that are not in any whitelisted group" : "İzin verilenler listesine alınmış herhangi bir grupta olmayan kullanıcıların oturum açması engellensin", - "Users that are not part of any whitelisted group are not created and can not login" : "İzin verilenler listesine alınmış herhangi bir grubun üyesi olmayan kullanıcılar eklenmez ve oturum açamaz", + "Users that are not part of any whitelisted group are not created and can not login" : "İzin verilenler listesine alınmış herhangi bir grubun üyesi olmayan kullanıcılar oluşturulmaz ve oturum açamaz", "Check Bearer token on API and WebDAV requests" : "API ve WebDAV isteklerinde Bearer kodu kontrol edilsin", "Do you want to allow API calls and WebDAV requests that are authenticated with an OIDC ID token or access token?" : "Bir OIDC kimlik kodu veya erişim kodu ile doğrulanmış API çağrılarına ve WebDAV isteğine izin verilsin mi?", "Auto provision user when accessing API and WebDAV with Bearer token" : "Bearer kodu ile API ve WebDAV erişiminde kullanıcı otomatik olarak yetkilendirilsin", "This automatically provisions the user, when sending API and WebDAV requests with a Bearer token. Auto provisioning and Bearer token check have to be activated for this to work." : "Bu seçenek, bir Bearer kodu ile API ve WebDAV istekleri gönderirken kullanıcıyı otomatik olarak yetkilendirir. Çalışması için otomatik yetkilendirme ve Bearer kodu denetiminin açılması gerekir.", "Send ID token hint on logout" : "Oturumu kapatıldığında kimlik kodu ipucu gönderilsin", "Should the ID token be included as the id_token_hint GET parameter in the OpenID logout URL? Users are redirected to this URL after logging out of Nextcloud. Enabling this setting exposes the OIDC ID token to the user agent, which may not be necessary depending on the OIDC provider." 
: "OpenID oturumu kapatma adresine id_token_hint GET parametresi olarak kimlik kodu eklensin mi? Kullanıcılar Nextcloud oturumlarını kapattıktan sonra bu adrese yönlendirilir. Bu ayarı açmak, OIDC kimlik kodunu kullanıcı uygulamasına sunar. Bu işlem OIDC hizmeti sağlayıcısına bağlı olarak gerekli olmayabilir.", - "Only groups matching the whitelist regex will be created, updated and deleted by the group claim. For example: {regex} allows all groups which ID starts with {substr}" : "Yalnızca izin verilenler listesi kurallı ifadesine uygun gruplar grup isteği tarafından eklenir, güncellenir ve silinir. Örneğin: {regex} ifadesi, kimliği {substr} ile başlayan tüm gruplara izin verir", - "This will create and update the users groups depending on the groups claim in the ID token. The Format of the groups claim value should be {sample1}, {sample2} or {sample3}" : "Bu seçenek, kimlik kodundaki grupların isteğine bağlı olarak kullanıcı gruplarını ekler ve günceller. İstek gruplarının biçim değeri {sample1}, {sample2} veya {sample3} olabilir", + "Only groups matching the whitelist regex will be created, updated and deleted by the group claim. For example: {regex} allows all groups which ID starts with {substr}" : "Yalnızca izin verilenler listesi kurallı ifadesine uygun gruplar grup isteği tarafından oluşturulur, güncellenir ve silinir. Örneğin: {regex} ifadesi, kimliği {substr} ile başlayan tüm gruplara izin verir", + "This will create and update the users groups depending on the groups claim in the ID token. The Format of the groups claim value should be {sample1}, {sample2} or {sample3}" : "Bu seçenek, kimlik kodundaki grupların isteğine bağlı olarak kullanıcı gruplarını oluşturur ve günceller. İstek gruplarının biçim değeri {sample1}, {sample2} veya {sample3} olabilir", "Back to %s" : "%s sayfasına dön", "Domain" : "Etki alanı", "your.domain" : "etki.alaniniz" 
diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index abba810cc..fee1de4a1 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -539,10 +539,18 @@ public function code(string $state = '', string $code = '', string $scope = '',
 }
 
 // default is false
- if (isset($oidcSystemConfig['enrich_login_id_token_with_userinfo']) && $oidcSystemConfig['enrich_login_id_token_with_userinfo']) {
+ $globalEnrichWithUserinfo = isset($oidcSystemConfig['enrich_login_id_token_with_userinfo']) && $oidcSystemConfig['enrich_login_id_token_with_userinfo'];
+ $providerEnrichWithUserinfo = $this->providerService->getSetting(
+ $provider->getId(),
+ ProviderService::SETTING_ENRICH_LOGIN_ID_TOKEN_WITH_USERINFO,
+ '0'
+ ) === '1';
+ if ($globalEnrichWithUserinfo || $providerEnrichWithUserinfo) {
 $userInfo = $this->oidcService->userInfo($provider, $data['access_token']);
 $this->logger->debug('[UserInfoEnrich] Enriching the JWT payload with userinfo values');
+ $this->logger->debug('[UserInfoEnrich] Full userinfo response: ' . print_r($userInfo, true));
 foreach ($userInfo as $key => $value) {
+ $this->logger->debug('[UserInfoEnrich] Testing if key value pair is set: ' . $key . ': ' . $value);
 // give priority to id token values, only use userinfo ones if they are missing in the ID token
 if (!isset($idTokenPayload->{$key})) {
 $idTokenPayload->{$key} = $value;
@@ -889,8 +897,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 
 // REQUIRED claims check step
 // https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken
- // Note : exp claim is deliberately not checked. See #1432
- $requiredClaims = ['iss', 'aud', 'iat', 'jti', 'events'];
+ $requiredClaims = ['iss', 'aud', 'iat', 'exp', 'jti', 'events'];
 $missingClaims = [];
 $logoutTokenArray = (array)$logoutTokenPayload;
 foreach ($requiredClaims as $claim) {
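Review bot: The new per-claim debug line `'[UserInfoEnrich] Testing if key value pair is set: ' . $key . ': ' . $value` concatenates the raw claim value, so an array-valued claim (a groups claim is the obvious case) produces a PHP "Array to string conversion" warning and an object-valued claim (e.g. a nested address claim, if userInfo() decodes to stdClass — not visible in this hunk) throws an Error and aborts the login that was otherwise about to succeed. The `print_r($userInfo, true)` line just above it also writes the complete userinfo response — email, names, group memberships and anything else the provider returns — into nextcloud.log; debug level is opt-in, but it is routinely enabled to troubleshoot exactly this code path and the log is often shipped to central collection, so this is a PII leak rather than a diagnostic aid. Logging claim names is enough to see what the merge does: `$this->logger->debug('[UserInfoEnrich] Userinfo claims received: ' . implode(', ', array_keys((array)$userInfo)));` and `$this->logger->debug('[UserInfoEnrich] Checking userinfo claim: ' . $key);`. The enclosing `code()` method starts and ends outside the hunk.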
@@ -960,7 +967,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 );
 }
 
- if (isset($logoutTokenPayload->exp) && $logoutTokenPayload->exp < $this->timeFactory->getTime()) {
+ if (($logoutTokenPayload->exp ?? 0) < $this->timeFactory->getTime()) {
 return $this->getBackchannelLogoutErrorResponse(
 'invalid exp',
 'The logout token is expired',
diff --git a/lib/ResponseDefinitions.php b/lib/ResponseDefinitions.php
index b2c7153d9..bc55c4a21 100644
--- a/lib/ResponseDefinitions.php
+++ b/lib/ResponseDefinitions.php
@@ -46,6 +46,7 @@
 * groupWhitelistRegex: string,
 * restrictLoginToGroups: bool,
 * nestedAndFallbackClaims: bool,
+ * enrichLoginIdTokenWithUserinfo: bool,
 * }
 *
 * @psalm-type UserOIDCProvider = array{
diff --git a/lib/Service/ProviderService.php b/lib/Service/ProviderService.php
index f5a82a511..05a2a3646 100644
--- a/lib/Service/ProviderService.php
+++ b/lib/Service/ProviderService.php
@@ -61,6 +61,7 @@ class ProviderService {
 public const SETTING_RESTRICT_LOGIN_TO_GROUPS = 'restrictLoginToGroups';
 public const SETTING_AZURE_GROUP_NAMES = 'azureGroupNames';
 public const SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING = 'nestedAndFallbackClaims';
+ public const SETTING_ENRICH_LOGIN_ID_TOKEN_WITH_USERINFO = 'enrichLoginIdTokenWithUserinfo';
 
 public const BOOLEAN_SETTINGS_DEFAULT_VALUES = [
 self::SETTING_GROUP_PROVISIONING => false,
@@ -72,6 +73,7 @@ class ProviderService {
 self::SETTING_RESTRICT_LOGIN_TO_GROUPS => false,
 self::SETTING_AZURE_GROUP_NAMES => false,
 self::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING => false,
+ self::SETTING_ENRICH_LOGIN_ID_TOKEN_WITH_USERINFO => false,
 ];
 
 public function __construct(
@@ -195,6 +197,7 @@ public function getSupportedSettings(): array {
 self::SETTING_RESTRICT_LOGIN_TO_GROUPS,
 self::SETTING_AZURE_GROUP_NAMES,
 self::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING,
+ self::SETTING_ENRICH_LOGIN_ID_TOKEN_WITH_USERINFO,
 ];
 }
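Review bot: The rewritten check `($logoutTokenPayload->exp ?? 0) < $this->timeFactory->getTime()` compares against the local clock with no tolerance, and back-channel logout tokens are typically minted with lifetimes of a minute or two, so a few seconds of skew between the OP and this host turns every logout into an 'invalid exp' rejection and leaves the Nextcloud session alive — the opposite of what the check protects. Since `exp` is now in `$requiredClaims` (earlier hunk), the `?? 0` fallback is dead code; I would drop it and add a small, named leeway so the intent is visible, e.g. `if ($logoutTokenPayload->exp + self::LOGOUT_TOKEN_EXP_LEEWAY < $this->timeFactory->getTime()) {` with the constant documented as `// seconds of clock skew tolerated between the OP and this server`. Whether the ID-token `exp` validation elsewhere in the app already uses a leeway is not visible here — the value should match it. The enclosing `backChannelLogout()` method starts and ends outside the hunk.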
diff --git a/openapi.json b/openapi.json index 1b6450da2..ee522918e 100644 --- a/openapi.json +++ b/openapi.json @@ -124,7 +124,8 @@ "groupProvisioning", "groupWhitelistRegex", "restrictLoginToGroups", - "nestedAndFallbackClaims" + "nestedAndFallbackClaims", + "enrichLoginIdTokenWithUserinfo" ], "properties": { "mappingDisplayName": { @@ -231,6 +232,9 @@ }, "nestedAndFallbackClaims": { "type": "boolean" + }, + "enrichLoginIdTokenWithUserinfo": { + "type": "boolean" } } } diff --git a/package-lock.json b/package-lock.json index c24fda02f..a1c8462ae 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "user_oidc", - "version": "8.4.0-dev.0", + "version": "8.11.0-dev.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "user_oidc", - "version": "8.4.0-dev.0", + "version": "8.11.0-dev.0", "license": "AGPL-3.0-or-later", "dependencies": { "@nextcloud/axios": "^2.5.1", @@ -8954,9 +8954,9 @@ "peer": true }, "node_modules/fast-uri": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz", - "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==", + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz", + "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==", "dev": true, "funding": [ { @@ -8967,8 +8967,7 @@ "type": "opencollective", "url": "https://opencollective.com/fastify" } - ], - "license": "BSD-3-Clause" + ] }, "node_modules/fast-xml-parser": { "version": "4.5.6", 
@@ -13192,9 +13191,9 @@ } }, "node_modules/postcss": { - "version": "8.5.6", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz", - "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==", + "version": "8.5.13", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.13.tgz", + "integrity": "sha512-qif0+jGGZoLWdHey3UFHHWP0H7Gbmsk8T5VEqyYFbWqPr1XqvLGBbk/sl8V5exGmcYJklJOhOQq1pV9IcsiFag==", "funding": [ { "type": "opencollective", @@ -13209,7 +13208,6 @@ "url": "https://github.com/sponsors/ai" } ], - "license": "MIT", "dependencies": { "nanoid": "^3.3.11", "picocolors": "^1.1.1", diff --git a/package.json b/package.json index 7a72b64e7..f352af376 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "user_oidc", "description": "OIDC connect user backend for Nextcloud", - "version": "8.4.0-dev.0", + "version": "8.11.0-dev.0", "author": "Roeland Jago Douma ", "repository": { "url": "https://github.com/nextcloud/user_oidc", diff --git a/src/components/AdminSettings.vue b/src/components/AdminSettings.vue index ea630bfbd..67e6ab399 100644 --- a/src/components/AdminSettings.vue +++ b/src/components/AdminSettings.vue @@ -203,6 +203,7 @@ export default { providerBasedId: false, groupProvisioning: false, sendIdTokenHint: true, + enrichLoginIdTokenWithUserinfo: false, }, }, showNewProvider: false, diff --git a/src/components/SettingsForm.vue b/src/components/SettingsForm.vue index 8abdab669..f0095b192 100644 --- a/src/components/SettingsForm.vue +++ b/src/components/SettingsForm.vue @@ -333,6 +333,14 @@

{{ t('user_oidc', 'Should the ID token be included as the id_token_hint GET parameter in the OpenID logout URL? Users are redirected to this URL after logging out of Nextcloud. Enabling this setting exposes the OIDC ID token to the user agent, which may not be necessary depending on the OIDC provider.') }}

+ + {{ t('user_oidc', 'Enrich login ID token with userinfo') }} + +

+ {{ t('user_oidc', 'Fetch additional information not found in the login ID token from the userinfo endpoint. This setting is overwritten if the global enrich_login_id_token_with_userinfo option is enabled.') }} +