Commit Graph

25 Commits

Author SHA1 Message Date
Roeland Jago Douma 66367797df
Fix template paramter
Else we get shown an error page instead of the correct 403.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-18 15:30:38 +01:00
Roeland Jago Douma e6ac233947
Fix loginflow with apptoken enter on iOS
It seems iOS doesn't like us to change the location. So now we submit it
to the server that geneartes the redirect.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-04 21:51:36 +01:00
Roeland Jago Douma 763b52d402
Fix SAML Client login flow on Apple devices
Because the redirect from the SAML/SSO endpoint is a POST the lax/strict
cookies are not properly send.

Note that it is not strictly requried on this endpoint as we do not need
the remember me data. Only the real session info is enough. The endpoint
is also already protected by a state token.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-12-17 12:50:32 +01:00
John Molakvoæ (skjnldsv) 5e4990fadd
Remove redirect page
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2018-11-29 10:27:22 +01:00
Roeland Jago Douma 92582a350d
Use the proper server for the apptoken flow login
If a user can't authenticate normally (because they have 2FA that is not
available on their devices for example). The redirect that is generated
should be of the proper format.

This means

1. Include the protocol
2. Include the possible subfolder

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-01 11:45:35 +01:00
Roeland Jago Douma be2d8cc4e9
Do not invalidate main token on OAuth
Fixes #10584

We deleted the main token when using the login flow else mutliple tokens
would show up for a single user.

However in the case of OAuth this is perfectly fine as the
authentication happens really in your browser:

1. You are already logged in, no need to log you out
2. You are not logged in yet, but since you log in into the exact same
browser the expected behavior is to stay logged in.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-06 08:30:52 +02:00
Roeland Jago Douma 5a97148863
Don't use special chars to avoid confusion
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-22 09:24:17 +02:00
Roeland Jago Douma 177c8972cc
Improve login flow
* Add page explaining you are about to grant access
* Show grant access page after login

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-04-08 13:42:36 +02:00
Morris Jobke 4ef302c0be
Request->getHeader() should always return a string
PHPDoc (of the public API) says that this method returns string but it also returns null, which is not allowed in some method calls. This fixes that behaviour and returns an empty string and fixes all code paths that explicitly checked for null to be still compliant.

Found while enabling the strict_typing for lib/private for the PHP7+ migration.

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-17 09:51:31 +01:00
Mario Danic cc742ce9e7
Fix bug with proxies
Signed-off-by: Mario Danic <mario@lovelyhq.com>
2018-01-15 00:50:49 +01:00
Roeland Jago Douma 82f03e1314
Clear login token once apppassword is generated
Fixes #7697

When using the new login flow a token will be generated since we login.
However after that we generate yet another token to return (as we
should).

However we should kill the current session token as we are done with it.
And will never use it again.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-04 14:30:40 +01:00
Mario Danic c2cd5fc5d3 Fix flow
Signed-off-by: Mario Danic <mario@lovelyhq.com>
2017-11-09 00:29:34 +01:00
Julius Härtl cd1bfea8c4
Theming: theme flow redirection page
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2017-11-08 14:56:32 +01:00
Morris Jobke 0eebff152a
Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Morris Jobke 504c1abee0
Fix undefined index oauthState
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-09-06 16:38:24 +02:00
Lukas Reschke 26ee889fec
Add tests for ClientFlowLoginController
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-18 20:49:08 +02:00
Lukas Reschke b07a0f51ba
Add OAuth state to session
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-18 20:49:08 +02:00
Bjoern Schiessle 23b296b66e
use name of oauth app to identify auth token
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-05-18 20:49:07 +02:00
Bjoern Schiessle a74d67b69c
show error page if no valid client identifier is given and if it is not a API request
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-05-18 20:49:06 +02:00
Lukas Reschke e86749121c
Remove special characters
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-18 20:49:05 +02:00
Lukas Reschke 5f71805c35
Add basic implementation for OAuth 2.0 Authorization Code Flow
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-18 20:49:03 +02:00
Mario Danic e4aac15a92
Update login flow redirection
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-04 19:21:22 +02:00
Roeland Jago Douma aae079aa29
AppToken to 72 chars
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-25 20:18:49 +02:00
Roeland Jago Douma bb5e5efa6d
Do not remove the state token to early
we should check the stateToken before we remove it. Else the check will
always fail.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-25 20:18:49 +02:00
Lukas Reschke 6a16df7288
Add new auth flow
This implements the basics for the new app-password based authentication flow for our clients.
The current implementation tries to keep it as simple as possible and works the following way:

1. Unauthenticated client opens `/index.php/login/flow`
2. User will be asked whether they want to grant access to the client
3. If accepted the user has the chance to do so using existing App Token or automatically generate an app password.

If the user chooses to use an existing app token then that one will simply be redirected to the `nc://` protocol handler.
While we can improve on that in the future, I think keeping this smaller at the moment has its advantages. Also, in the
near future we have to think about an automatic migration endpoint so there's that anyways :-)

If the user chooses to use the regular login the following happens:

1. A session state token is written to the session
2. User is redirected to the login page
3. If successfully authenticated they will be redirected to a page redirecting to the POST controller
4. The POST controller will check if the CSRF token as well as the state token is correct, if yes the user will be redirected to the `nc://` protocol handler.

This approach is quite simple but also allows to be extended in the future. One could for example allow external websites to consume this authentication endpoint as well.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-25 20:18:49 +02:00