20220802 fix nextcloud (#1750)

* Avoid Nextcloud "Current user is not logged in" (Statuscode 997) The error message results from oauth2-proxy trying to pass the access token via URL. Instead it needs to be sent via header, thus the Nextcloud provider requires a fix similar to what #1502 did before for the keycloak provider. * Implement EnrichSession() for Nextcloud provider Parse nested JSON to transform relevant information (groups, id, email) from the OAuth2 userinfo endpoint into session. * Update CHANGELOG.md (add link to PR #1750)
2024-11-28 09:08:44 +02:00 · 2022-10-15 15:25:15 +02:00 · 2022-10-15 15:25:15 +02:00 · c395669649
commit c395669649
parent 965fab422d
2 changed files with 59 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -41,6 +41,8 @@ to remain consistent with CLI flags. You should specify `code_challenge_method`

 - [#1760](https://github.com/oauth2-proxy/oauth2-proxy/pull/1760) Option to configure API routes

+- [#1750](https://github.com/oauth2-proxy/oauth2-proxy/pull/1750) Fix Nextcloud provider
+

 # V7.3.0

--- a/providers/nextcloud.go
+++ b/providers/nextcloud.go
@ -1,6 +1,14 @@
 package providers

-import "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+import (
+	"context"
+	"fmt"
+
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
+)

 // NextcloudProvider represents an Nextcloud based Identity Provider
 type NextcloudProvider struct {
@ -22,3 +30,51 @@ func NewNextcloudProvider(p *ProviderData) *NextcloudProvider {
 	}
 	return &NextcloudProvider{ProviderData: p}
 }
+
+// EnrichSession uses the Nextcloud userinfo endpoint to populate
+// the session's email, user, and groups.
+func (p *NextcloudProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
+	// Fallback to ValidateURL if ProfileURL not set for legacy compatibility
+	profileURL := p.ValidateURL.String()
+	if p.ProfileURL.String() != "" {
+		profileURL = p.ProfileURL.String()
+	}
+
+	json, err := requests.New(profileURL).
+		WithContext(ctx).
+		SetHeader("Authorization", "Bearer "+s.AccessToken).
+		Do().
+		UnmarshalJSON()
+	if err != nil {
+		logger.Errorf("failed making request %v", err)
+		return err
+	}
+
+	groups, err := json.GetPath("ocs", "data", "groups").StringArray()
+	if err == nil {
+		for _, group := range groups {
+			if group != "" {
+				s.Groups = append(s.Groups, group)
+			}
+		}
+	}
+
+	user, err := json.GetPath("ocs", "data", "id").String()
+	if err != nil {
+		return fmt.Errorf("unable to extract id from userinfo endpoint: %v", err)
+	}
+	s.User = user
+
+	email, err := json.GetPath("ocs", "data", "email").String()
+	if err != nil {
+		return fmt.Errorf("unable to extract email from userinfo endpoint: %v", err)
+	}
+	s.Email = email
+
+	return nil
+}
+
+// ValidateSession validates the AccessToken
+func (p *NextcloudProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool {
+	return validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken))
+}