diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php index fbb79ed8a..303bcbe0b 100644 --- a/data/web/inc/functions.auth.inc.php +++ b/data/web/inc/functions.auth.inc.php @@ -270,7 +270,7 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal AND `app_passwd`.`active` = '1' AND `app_passwd`.`mailbox` = :user :has_access_query" - ); + ); // check if app password has protocol access // skip if protocol is false and the call is not external $has_access_query = ''; @@ -308,83 +308,6 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal return false; } - -// ROPC Flow (deprecated oAuth2.1) -// uses direct user credentials for UI, IMAP and SMTP Auth -function keycloak_mbox_login_ropc($user, $pass, $iam_settings, $is_internal = false, $create = false){ - global $pdo; - - $url = "{$iam_settings['server_url']}/realms/{$iam_settings['realm']}/protocol/openid-connect/token"; - $req = http_build_query(array( - 'grant_type' => 'password', - 'client_id' => $iam_settings['client_id'], - 'client_secret' => $iam_settings['client_secret'], - 'username' => $user, - 'password' => $pass, - )); - $curl = curl_init(); - curl_setopt($curl, CURLOPT_URL, $url); - curl_setopt($curl, CURLOPT_POST, 1); - curl_setopt($curl, CURLOPT_POSTFIELDS, $req); - curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded')); - curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); - $res = json_decode(curl_exec($curl), true); - $code = curl_getinfo($curl, CURLINFO_HTTP_CODE); - curl_close ($curl); - - if ($code == 200) { - // decode jwt - $user_data = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $res['access_token'])[1]))), true); - if ($user != $user_data['email']){ - // check if $user is email address, only accept email address as username - return false; - } - if ($create && !empty($iam_settings['mappers'])){ - // try to create mbox on successfull login - $mbox_template = null; - // check if matching attribute mapping exists - foreach ($iam_settings['mappers'] as $index => $mapper){ - if (in_array($mapper, $iam_settings['mappers'])) { - $mbox_template = $iam_settings['templates'][$index]; - break; - } - } - if (!$mbox_template){ - // no matching template found - return false; - } - - $stmt = $pdo->prepare("SELECT * FROM `templates` - WHERE `template` = :template AND type = 'mailbox'"); - $stmt->execute(array( - ":template" => $mbox_template - )); - $mbox_template_data = $stmt->fetch(PDO::FETCH_ASSOC); - - if (!empty($mbox_template_data)){ - $mbox_template_data = json_decode($mbox_template_data["attributes"], true); - $mbox_template_data['domain'] = explode('@', $user)[1]; - $mbox_template_data['local_part'] = explode('@', $user)[0]; - $mbox_template_data['authsource'] = 'keycloak'; - $_SESSION['iam_create_login'] = true; - $create_res = mailbox('add', 'mailbox', $mbox_template_data); - $_SESSION['iam_create_login'] = false; - if (!$create_res){ - return false; - } - } - } - - $_SESSION['return'][] = array( - 'type' => 'success', - 'log' => array(__FUNCTION__, $user, '*'), - 'msg' => array('logged_in_as', $user) - ); - return 'user'; - } else { - return false; - } -} // Keycloak REST Api Flow - auth user by mailcow_password attribute // This password will be used for direct UI, IMAP and SMTP Auth // To use direct user credentials, only Authorization Code Flow is valid