+
diff --git a/apps/oauth2/appinfo/info.xml b/apps/oauth2/appinfo/info.xml
new file mode 100644
index 0000000000..ebead97eb7
--- /dev/null
+++ b/apps/oauth2/appinfo/info.xml
@@ -0,0 +1,18 @@
+
+
+ oauth2
+ OAuth 2.0
+ The OAuth2 app allows administrators to configure the built-in authentication workflow to also allow OAuth2 compatible authentication from other web applications.
+ AGPL
+ Lukas Reschke
+ OAuth2
+ 1.0.3
+
+
+
+
+
+
+ OCA\OAuth2\Settings\Admin
+
+
diff --git a/apps/oauth2/appinfo/routes.php b/apps/oauth2/appinfo/routes.php
new file mode 100644
index 0000000000..b088dff0d4
--- /dev/null
+++ b/apps/oauth2/appinfo/routes.php
@@ -0,0 +1,46 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+return [
+ 'routes' => [
+ [
+ 'name' => 'Settings#addClient',
+ 'url' => '/settings',
+ 'verb' => 'POST',
+ ],
+ [
+ 'name' => 'Settings#deleteClient',
+ 'url' => '/clients/{id}/delete',
+ 'verb' => 'POST'
+ ],
+ [
+ 'name' => 'LoginRedirector#authorize',
+ 'url' => '/authorize',
+ 'verb' => 'GET',
+ ],
+ [
+ 'name' => 'OauthApi#getToken',
+ 'url' => '/api/v1/token',
+ // TODO: POST!
+ 'verb' => 'GET'
+ ],
+ ],
+];
\ No newline at end of file
diff --git a/apps/oauth2/lib/Controller/LoginRedirectorController.php b/apps/oauth2/lib/Controller/LoginRedirectorController.php
new file mode 100644
index 0000000000..1a2e00ef5d
--- /dev/null
+++ b/apps/oauth2/lib/Controller/LoginRedirectorController.php
@@ -0,0 +1,78 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OCA\OAuth2\Controller;
+
+use OCA\OAuth2\Db\ClientMapper;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\RedirectResponse;
+use OCP\IRequest;
+use OCP\IURLGenerator;
+
+class LoginRedirectorController extends Controller {
+ /** @var IURLGenerator */
+ private $urlGenerator;
+ /** @var ClientMapper */
+ private $clientMapper;
+
+ /**
+ * @param string $appName
+ * @param IRequest $request
+ * @param IURLGenerator $urlGenerator
+ * @param ClientMapper $clientMapper
+ */
+ public function __construct($appName,
+ IRequest $request,
+ IURLGenerator $urlGenerator,
+ ClientMapper $clientMapper) {
+ parent::__construct($appName, $request);
+ $this->urlGenerator = $urlGenerator;
+ $this->clientMapper = $clientMapper;
+ }
+
+ /**
+ * @PublicPage
+ * @NoCSRFRequired
+ *
+ * @param string $client_id
+ * @param string $redirect_uri
+ * @param string $state
+ * @return RedirectResponse
+ */
+ public function authorize($client_id,
+ $redirect_uri,
+ $state) {
+ $client = $this->clientMapper->getByIdentifier($client_id);
+
+ if($client->getRedirectUri() !== $redirect_uri) {
+ throw new \Exception('Redirect URI does not match');
+ }
+
+ $targetUrl = $this->urlGenerator->linkToRouteAbsolute(
+ 'core.ClientFlowLogin.showAuthPickerPage',
+ [
+ 'clientIdentifier' => $client->getClientIdentifier(),
+ 'oauthState' => $state,
+ ]
+ );
+ return new RedirectResponse($targetUrl);
+ }
+}
diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
new file mode 100644
index 0000000000..8432830bce
--- /dev/null
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -0,0 +1,88 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OCA\OAuth2\Controller;
+
+use OC\Authentication\Token\DefaultTokenMapper;
+use OCA\OAuth2\Db\AccessTokenMapper;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\IRequest;
+use OCP\Security\ICrypto;
+use OCP\Security\ISecureRandom;
+
+class OauthApiController extends Controller {
+ /** @var AccessTokenMapper */
+ private $accessTokenMapper;
+ /** @var ICrypto */
+ private $crypto;
+ /** @var DefaultTokenMapper */
+ private $defaultTokenMapper;
+ /** @var ISecureRandom */
+ private $secureRandom;
+
+ /**
+ * @param string $appName
+ * @param IRequest $request
+ * @param ICrypto $crypto
+ * @param AccessTokenMapper $accessTokenMapper
+ * @param DefaultTokenMapper $defaultTokenMapper
+ * @param ISecureRandom $secureRandom
+ */
+ public function __construct($appName,
+ IRequest $request,
+ ICrypto $crypto,
+ AccessTokenMapper $accessTokenMapper,
+ DefaultTokenMapper $defaultTokenMapper,
+ ISecureRandom $secureRandom) {
+ parent::__construct($appName, $request);
+ $this->crypto = $crypto;
+ $this->accessTokenMapper = $accessTokenMapper;
+ $this->defaultTokenMapper = $defaultTokenMapper;
+ $this->secureRandom = $secureRandom;
+ }
+
+ /**
+ * @PublicPage
+ * @NoCSRFRequired
+ *
+ * @param string $code
+ * @return JSONResponse
+ */
+ public function getToken($code) {
+ $accessToken = $this->accessTokenMapper->getByCode($code);
+ $decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code);
+ $newCode = $this->secureRandom->generate(128);
+ $accessToken->setHashedCode(hash('sha512', $newCode));
+ $accessToken->setEncryptedToken($this->crypto->encrypt($decryptedToken, $newCode));
+ $this->accessTokenMapper->update($accessToken);
+
+ return new JSONResponse(
+ [
+ 'access_token' => $decryptedToken,
+ 'token_type' => 'token',
+ 'expires_in' => 3600,
+ 'refresh_token' => $newCode,
+ 'user_id' => ($this->defaultTokenMapper->getTokenById($accessToken->getTokenId()))->getUID(),
+ ]
+ );
+ }
+}
diff --git a/apps/oauth2/lib/Controller/SettingsController.php b/apps/oauth2/lib/Controller/SettingsController.php
new file mode 100644
index 0000000000..1d376694f5
--- /dev/null
+++ b/apps/oauth2/lib/Controller/SettingsController.php
@@ -0,0 +1,86 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OCA\OAuth2\Controller;
+
+use OCA\OAuth2\Db\Client;
+use OCA\OAuth2\Db\ClientMapper;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\RedirectResponse;
+use OCP\IRequest;
+use OCP\IURLGenerator;
+use OCP\Security\ISecureRandom;
+
+class SettingsController extends Controller {
+ /** @var IURLGenerator */
+ private $urlGenerator;
+ /** @var ClientMapper */
+ private $clientMapper;
+ /** @var ISecureRandom */
+ private $secureRandom;
+
+ const validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+
+ /**
+ * @param string $appName
+ * @param IRequest $request
+ * @param IURLGenerator $urlGenerator
+ * @param ClientMapper $clientMapper
+ * @param ISecureRandom $secureRandom
+ */
+ public function __construct($appName,
+ IRequest $request,
+ IURLGenerator $urlGenerator,
+ ClientMapper $clientMapper,
+ ISecureRandom $secureRandom) {
+ parent::__construct($appName, $request);
+ $this->urlGenerator = $urlGenerator;
+ $this->secureRandom = $secureRandom;
+ $this->clientMapper = $clientMapper;
+ }
+
+ /**
+ * @param string $name
+ * @param string $redirectUri
+ * @return RedirectResponse
+ */
+ public function addClient($name,
+ $redirectUri) {
+ $client = new Client();
+ $client->setName($name);
+ $client->setRedirectUri($redirectUri);
+ $client->setSecret($this->secureRandom->generate(64, self::validChars));
+ $client->setClientIdentifier($this->secureRandom->generate(64, self::validChars));
+ $this->clientMapper->insert($client);
+ return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security'));
+ }
+
+ /**
+ * @param int $id
+ * @return RedirectResponse
+ */
+ public function deleteClient($id) {
+ $client = new Client();
+ $client->setId($id);
+ $this->clientMapper->delete($client);
+ return new RedirectResponse($this->urlGenerator->getAbsoluteURL('/index.php/settings/admin/security'));
+ }
+}
diff --git a/apps/oauth2/lib/Db/AccessToken.php b/apps/oauth2/lib/Db/AccessToken.php
new file mode 100644
index 0000000000..8266a9a006
--- /dev/null
+++ b/apps/oauth2/lib/Db/AccessToken.php
@@ -0,0 +1,53 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OCA\OAuth2\Db;
+
+use OCP\AppFramework\Db\Entity;
+
+/**
+ * @method int getTokenId()
+ * @method void setTokenId(int $identifier)
+ * @method int getClientId()
+ * @method void setClientId(int $identifier)
+ * @method string getEncryptedToken()
+ * @method void setEncryptedToken(string $token)
+ * @method string getHashedCode()
+ * @method void setHashedCode(string $token)
+ */
+class AccessToken extends Entity {
+ /** @var int */
+ protected $tokenId;
+ /** @var int */
+ protected $clientId;
+ /** @var string */
+ protected $hashedCode;
+ /** @var string */
+ protected $encryptedToken;
+
+ public function __construct() {
+ $this->addType('id', 'int');
+ $this->addType('token_id', 'int');
+ $this->addType('client_id', 'int');
+ $this->addType('hashed_code', 'string');
+ $this->addType('encrypted_token', 'string');
+ }
+}
diff --git a/apps/oauth2/lib/Db/AccessTokenMapper.php b/apps/oauth2/lib/Db/AccessTokenMapper.php
new file mode 100644
index 0000000000..0400ad6366
--- /dev/null
+++ b/apps/oauth2/lib/Db/AccessTokenMapper.php
@@ -0,0 +1,49 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OCA\OAuth2\Db;
+
+use OCP\AppFramework\Db\Mapper;
+use OCP\IDBConnection;
+
+class AccessTokenMapper extends Mapper {
+
+ /**
+ * @param IDBConnection $db
+ */
+ public function __construct(IDBConnection $db) {
+ parent::__construct($db, 'oauth2_access_tokens');
+ }
+
+ /**
+ * @param string $code
+ * @return AccessToken
+ */
+ public function getByCode($code) {
+ $qb = $this->db->getQueryBuilder();
+ $qb
+ ->select('*')
+ ->from($this->tableName)
+ ->where($qb->expr()->eq('hashed_code', $qb->createParameter('hashedCode')));
+
+ return $this->findEntity($qb->getSQL(), [hash('sha512', $code)]);
+ }
+}
diff --git a/apps/oauth2/lib/Db/Client.php b/apps/oauth2/lib/Db/Client.php
new file mode 100644
index 0000000000..85c1630cb1
--- /dev/null
+++ b/apps/oauth2/lib/Db/Client.php
@@ -0,0 +1,53 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OCA\OAuth2\Db;
+
+use OCP\AppFramework\Db\Entity;
+
+/**
+ * @method string getClientIdentifier()
+ * @method void setClientIdentifier(string $identifier)
+ * @method string getSecret()
+ * @method void setSecret(string $secret)
+ * @method string getRedirectUri()
+ * @method void setRedirectUri(string $redirectUri)
+ * @method string getName()
+ * @method void setName(string $name)
+ */
+class Client extends Entity {
+ /** @var string */
+ protected $name;
+ /** @var string */
+ protected $redirectUri;
+ /** @var string */
+ protected $clientIdentifier;
+ /** @var string */
+ protected $secret;
+
+ public function __construct() {
+ $this->addType('id', 'int');
+ $this->addType('name', 'string');
+ $this->addType('redirect_uri', 'string');
+ $this->addType('client_identifier', 'string');
+ $this->addType('secret', 'string');
+ }
+}
diff --git a/apps/oauth2/lib/Db/ClientMapper.php b/apps/oauth2/lib/Db/ClientMapper.php
new file mode 100644
index 0000000000..d3c09ac5c6
--- /dev/null
+++ b/apps/oauth2/lib/Db/ClientMapper.php
@@ -0,0 +1,61 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OCA\OAuth2\Db;
+
+use OCP\AppFramework\Db\Mapper;
+use OCP\IDBConnection;
+
+class ClientMapper extends Mapper {
+
+ /**
+ * @param IDBConnection $db
+ */
+ public function __construct(IDBConnection $db) {
+ parent::__construct($db, 'oauth2_clients');
+ }
+
+ /**
+ * @param string $clientIdentifier
+ * @return Client
+ */
+ public function getByIdentifier($clientIdentifier) {
+ $qb = $this->db->getQueryBuilder();
+ $qb
+ ->select('*')
+ ->from($this->tableName)
+ ->where($qb->expr()->eq('client_identifier', $qb->createParameter('clientId')));
+
+ return $this->findEntity($qb->getSQL(), [$clientIdentifier]);
+ }
+
+ /**
+ * @return Client[]
+ */
+ public function getClients() {
+ $qb = $this->db->getQueryBuilder();
+ $qb
+ ->select('*')
+ ->from($this->tableName);
+
+ return $this->findEntities($qb->getSQL());
+ }
+}
diff --git a/apps/oauth2/lib/Settings/Admin.php b/apps/oauth2/lib/Settings/Admin.php
new file mode 100644
index 0000000000..aa120bcb7d
--- /dev/null
+++ b/apps/oauth2/lib/Settings/Admin.php
@@ -0,0 +1,67 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OCA\OAuth2\Settings;
+
+use OCA\OAuth2\Db\ClientMapper;
+use OCP\AppFramework\Http\TemplateResponse;
+use OCP\IConfig;
+use OCP\Settings\ISettings;
+
+class Admin implements ISettings {
+ /** @var ClientMapper */
+ private $clientMapper;
+
+ /**
+ * @param ClientMapper $clientMapper
+ */
+ public function __construct(ClientMapper $clientMapper) {
+ $this->clientMapper = $clientMapper;
+ }
+
+ /**
+ * @return TemplateResponse
+ */
+ public function getForm() {
+ return new TemplateResponse(
+ 'oauth2',
+ 'admin',
+ [
+ 'clients' => $this->clientMapper->getClients(),
+ ],
+ ''
+ );
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getSection() {
+ return 'security';
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getPriority() {
+ return 0;
+ }
+}
diff --git a/apps/oauth2/templates/admin.php b/apps/oauth2/templates/admin.php
new file mode 100644
index 0000000000..f5b8532e6b
--- /dev/null
+++ b/apps/oauth2/templates/admin.php
@@ -0,0 +1,70 @@
+
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+$urlGenerator = \OC::$server->getURLGenerator();
+$themingDefaults = \OC::$server->getThemingDefaults();
+
+/** @var array $_ */
+/** @var \OCA\OAuth2\Db\Client[] $clients */
+$clients = $_['clients'];
+?>
+
+
+
t('OAuth 2.0 clients')); ?>
+
t('OAuth 2.0 allows external services to request access to your %s.', [$themingDefaults->getName()])); ?>