support AD FS (#7140)

* support AD FS Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * drop unnecessary else Co-authored-by: kobergj <jkoberg@owncloud.com> --------- Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> Co-authored-by: kobergj <jkoberg@owncloud.com>
owncloud · Sep 1, 2023 · f1d09af · f1d09af
1 parent 7e1e48c
commit f1d09af
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/changelog/unreleased/access-token-issuer.md b/changelog/unreleased/access-token-issuer.md
@@ -0,0 +1,5 @@
+Enhancement: Support spec violating AD FS access token issuer
+
+AD FS `/adfs/.well-known/openid-configuration` has an optional `access_token_issuer` which, in violation of the OpenID Connect spec, takes precedence over `issuer`.
+
+https://github.com/owncloud/ocis/pull/7138
diff --git a/ocis-pkg/oidc/client.go b/ocis-pkg/oidc/client.go
@@ -308,7 +308,14 @@ func (c *oidcClient) verifyAccessTokenJWT(token string) (RegClaimsWithSID, jwt.M
 		return claims, mapClaims, err
 	}
 
-	if !claims.VerifyIssuer(c.issuer, true) {
+	issuer := c.issuer
+	if c.provider.AccessTokenIssuer != "" {
+		// AD FS .well-known/openid-configuration has an optional `access_token_issuer` which takes precedence over `issuer`
+		// See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/586de7dd-3385-47c7-93a2-935d9e90441c
+		issuer = c.provider.AccessTokenIssuer
+	}
+
+	if !claims.VerifyIssuer(issuer, true) {
 		vErr := jwt.ValidationError{}
 		vErr.Inner = jwt.ErrTokenInvalidIssuer
 		vErr.Errors |= jwt.ValidationErrorIssuer

diff --git a/ocis-pkg/oidc/metadata.go b/ocis-pkg/oidc/metadata.go
@@ -21,7 +21,10 @@ type ProviderMetadata struct {
 	//grant_types_supported
 	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
 	Issuer                           string   `json:"issuer,omitempty"`
-	JwksURI                          string   `json:"jwks_uri,omitempty"`
+	// AccessTokenIssuer is only used by AD FS and needs to be used when validating the iss of its access tokens
+	// See https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/586de7dd-3385-47c7-93a2-935d9e90441c
+	AccessTokenIssuer string `json:"access_token_issuer,omitempty"`
+	JwksURI           string `json:"jwks_uri,omitempty"`
 	//registration_endpoint
 	//request_object_signing_alg_values_supported
 	//request_parameter_supported