oauth2-proxy/providers/nextcloud.go

package providers

import (
	"context"
	"fmt"

	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
)

// NextcloudProvider represents an Nextcloud based Identity Provider
type NextcloudProvider struct {
	*ProviderData
}

var _ Provider = (*NextcloudProvider)(nil)

const nextCloudProviderName = "Nextcloud"

// NewNextcloudProvider initiates a new NextcloudProvider
func NewNextcloudProvider(p *ProviderData) *NextcloudProvider {
	p.ProviderName = nextCloudProviderName
	p.getAuthorizationHeaderFunc = makeOIDCHeader
	if p.EmailClaim == options.OIDCEmailClaim {
		// This implies the email claim has not been overridden, we should set a default
		// for this provider
		p.EmailClaim = "ocs.data.email"
	}
	return &NextcloudProvider{ProviderData: p}
}

// EnrichSession uses the Nextcloud userinfo endpoint to populate
// the session's email, user, and groups.
func (p *NextcloudProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
	// Fallback to ValidateURL if ProfileURL not set for legacy compatibility
	profileURL := p.ValidateURL.String()
	if p.ProfileURL.String() != "" {
		profileURL = p.ProfileURL.String()
	}

	json, err := requests.New(profileURL).
		WithContext(ctx).
		SetHeader("Authorization", "Bearer "+s.AccessToken).
		Do().
		UnmarshalJSON()
	if err != nil {
		logger.Errorf("failed making request %v", err)
		return err
	}

	groups, err := json.GetPath("ocs", "data", "groups").StringArray()
	if err == nil {
		for _, group := range groups {
			if group != "" {
				s.Groups = append(s.Groups, group)
			}
		}
	}

	user, err := json.GetPath("ocs", "data", "id").String()
	if err != nil {
		return fmt.Errorf("unable to extract id from userinfo endpoint: %v", err)
	}
	s.User = user

	email, err := json.GetPath("ocs", "data", "email").String()
	if err != nil {
		return fmt.Errorf("unable to extract email from userinfo endpoint: %v", err)
	}
	s.Email = email

	return nil
}

// ValidateSession validates the AccessToken
func (p *NextcloudProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool {
	return validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken))
}
Add Nextcloud provider (#179) 2019-06-05 18:59:04 +02:00			`package providers`

20220802 fix nextcloud (#1750) * Avoid Nextcloud "Current user is not logged in" (Statuscode 997) The error message results from oauth2-proxy trying to pass the access token via URL. Instead it needs to be sent via header, thus the Nextcloud provider requires a fix similar to what #1502 did before for the keycloak provider. * Implement EnrichSession() for Nextcloud provider Parse nested JSON to transform relevant information (groups, id, email) from the OAuth2 userinfo endpoint into session. * Update CHANGELOG.md (add link to PR #1750) 2022-10-15 15:25:15 +02:00			`import (`
			`"context"`
			`"fmt"`

			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"`
			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"`
			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"`
			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"`
			`)`
Move provider initialisation into providers package 2022-02-15 11:18:32 +00:00
Add Nextcloud provider (#179) 2019-06-05 18:59:04 +02:00			`// NextcloudProvider represents an Nextcloud based Identity Provider`
			`type NextcloudProvider struct {`
			`*ProviderData`
			`}`

Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`var _ Provider = (*NextcloudProvider)(nil)`

Move provider URLs to package level vars 2020-05-25 13:08:04 +01:00			`const nextCloudProviderName = "Nextcloud"`

Add Nextcloud provider (#179) 2019-06-05 18:59:04 +02:00			`// NewNextcloudProvider initiates a new NextcloudProvider`
			`func NewNextcloudProvider(p ProviderData) NextcloudProvider {`
Move provider URLs to package level vars 2020-05-25 13:08:04 +01:00			`p.ProviderName = nextCloudProviderName`
Integrate claim extractor into providers 2021-06-26 11:49:08 +01:00			`p.getAuthorizationHeaderFunc = makeOIDCHeader`
Move provider initialisation into providers package 2022-02-15 11:18:32 +00:00			`if p.EmailClaim == options.OIDCEmailClaim {`
Integrate claim extractor into providers 2021-06-26 11:49:08 +01:00			`// This implies the email claim has not been overridden, we should set a default`
			`// for this provider`
			`p.EmailClaim = "ocs.data.email"`
Add Nextcloud provider (#179) 2019-06-05 18:59:04 +02:00			`}`
Integrate claim extractor into providers 2021-06-26 11:49:08 +01:00			`return &NextcloudProvider{ProviderData: p}`
Add Nextcloud provider (#179) 2019-06-05 18:59:04 +02:00			`}`
20220802 fix nextcloud (#1750) * Avoid Nextcloud "Current user is not logged in" (Statuscode 997) The error message results from oauth2-proxy trying to pass the access token via URL. Instead it needs to be sent via header, thus the Nextcloud provider requires a fix similar to what #1502 did before for the keycloak provider. * Implement EnrichSession() for Nextcloud provider Parse nested JSON to transform relevant information (groups, id, email) from the OAuth2 userinfo endpoint into session. * Update CHANGELOG.md (add link to PR #1750) 2022-10-15 15:25:15 +02:00
			`// EnrichSession uses the Nextcloud userinfo endpoint to populate`
			`// the session's email, user, and groups.`
			`func (p NextcloudProvider) EnrichSession(ctx context.Context, s sessions.SessionState) error {`
			`// Fallback to ValidateURL if ProfileURL not set for legacy compatibility`
			`profileURL := p.ValidateURL.String()`
			`if p.ProfileURL.String() != "" {`
			`profileURL = p.ProfileURL.String()`
			`}`

			`json, err := requests.New(profileURL).`
			`WithContext(ctx).`
			`SetHeader("Authorization", "Bearer "+s.AccessToken).`
			`Do().`
			`UnmarshalJSON()`
			`if err != nil {`
			`logger.Errorf("failed making request %v", err)`
			`return err`
			`}`

			`groups, err := json.GetPath("ocs", "data", "groups").StringArray()`
			`if err == nil {`
			`for _, group := range groups {`
			`if group != "" {`
			`s.Groups = append(s.Groups, group)`
			`}`
			`}`
			`}`

			`user, err := json.GetPath("ocs", "data", "id").String()`
			`if err != nil {`
			`return fmt.Errorf("unable to extract id from userinfo endpoint: %v", err)`
			`}`
			`s.User = user`

			`email, err := json.GetPath("ocs", "data", "email").String()`
			`if err != nil {`
			`return fmt.Errorf("unable to extract email from userinfo endpoint: %v", err)`
			`}`
			`s.Email = email`

			`return nil`
			`}`

			`// ValidateSession validates the AccessToken`
			`func (p NextcloudProvider) ValidateSession(ctx context.Context, s sessions.SessionState) bool {`
			`return validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken))`
			`}`