Add capability to be an OAuth *provider* as well as client.

OAuth providers rely on $Opt["oAuthIssuer"], and on a preconfigured list of acceptable clients in $Opt["oAuthClients"]. The authorization landing page is kind of wonky still.
kohler · Jan 19, 2024 · 06b5c75 · 06b5c75
1 parent 88df930
commit 06b5c75
Show file tree

Hide file tree

Showing 7 changed files with 412 additions and 3 deletions.
diff --git a/etc/apifunctions.json b/etc/apifunctions.json
@@ -117,6 +117,10 @@
         "name": "mentioncompletion", "get": true, "post": true,
         "function": "Completion_API::mentioncompletion_api"
     },
+    {
+        "name": "oauthtoken", "post": true, "allow_disabled": true, "check_token": false,
+        "function": "Authorize_Page::oauthtoken_api"
+    },
     {
         "name": "paper", "get": true,
         "function": "Paper_API::run"

diff --git a/etc/pages.json b/etc/pages.json
@@ -211,6 +211,16 @@
     [   "graph/reviewerlameness", false, "graph/procrastination"    ],
 
 
+    {   "name": "authorize", "print_function": "*Authorize_Page::go", "allow_disabled": true   },
+    [   "authorize/form/title", 1, "*Authorize_Page::print_form_title"   ],
+    [   "authorize/form/description", 10, "*Authorize_Page::print_form_description"   ],
+    [   "authorize/form/active", 15, "*Authorize_Page::print_form_active"   ],
+    [   "authorize/form/email", 20, "signin/form/email"   ],
+    [   "authorize/form/password", 30, "signin/form/password"   ],
+    [   "authorize/form/actions", 100, "*Authorize_Page::print_form_actions"   ],
+    [   "authorize/form/oauth", 1000, "Signin_Page::print_signin_form_oauth"   ],
+
+
     {   "name": "api", "print_function": "API_Page::go", "allow_disabled": true   },
     {   "name": "assign", "print_function": "Assign_Page::go"   },
     {   "name": "autoassign", "print_function": "Autoassign_Page::go"   },

diff --git a/lib/jwtparser.php b/lib/jwtparser.php
@@ -326,6 +326,20 @@ function validate_id_token($payload, $authi, $level = 1) {
      * @return string */
     static function make_plaintext($payload) {
         $jose = '{"alg":"none","typ":"JWT"}';
-        return base64url_encode($jose) . "." . base64url_encode(json_encode_db($payload)) . ".";
+        $payload = json_encode_db($payload);
+        return base64url_encode($jose) . "." . base64url_encode($payload) . ".";
+    }
+
+    /** @param object $payload
+     * @param string $key
+     * @param 'HS256'|'HS384'|'HS512' $alg
+     * @return string */
+    static function make_mac($payload, $key, $alg = "HS256") {
+        assert(isset(self::$hash_alg_map[$alg]));
+        $jose = '{"alg":"' . $alg . '","typ":"JWT"}';
+        $payload = json_encode_db($payload);
+        $s = base64url_encode($jose) . "." . base64url_encode($payload);
+        $signature = hash_hmac(self::$hash_alg_map[$alg], $s, $key);
+        return $s . "." . base64url_encode($signature);
     }
 }
diff --git a/src/conference.php b/src/conference.php
@@ -5354,7 +5354,7 @@ function call_api_on($uf, $fn, Contact $user, Qrequest $qreq, $prow) {
             && $method !== "OPTIONS"
             && !$qreq->valid_token()
             && (!$uf || ($uf->post ?? false))
-            && (!$uf || !($uf->allow_xss ?? false))) {
+            && (!$uf || ($uf->check_token ?? null) !== false)) {
             return JsonResult::make_error(403, "<0>Missing credentials");
         } else if ($user->is_disabled()
                    && (!$uf || !($uf->allow_disabled ?? false))) {

diff --git a/src/helpers.php b/src/helpers.php
@@ -106,6 +106,8 @@ class JsonResult implements JsonSerializable, ArrayAccess {
     public $content;
     /** @var bool */
     public $pretty_print;
+    /** @var bool */
+    public $minimal = false;
 
     /** @param int|array<string,mixed>|\stdClass|\JsonSerializable $a1
      * @param ?array<string,mixed> $a2 */
@@ -137,6 +139,17 @@ function __construct($a1, $a2 = null) {
         }
     }
 
+    /** @param int $status
+     * @param array<string,mixed> $content
+     * @return JsonResult */
+    static function make_minimal($status, $content) {
+        $jr = new JsonResult(null);
+        $jr->status = $status;
+        $jr->content = $content;
+        $jr->minimal = true;
+        return $jr;
+    }
+
     /** @param int $status
      * @param string $ftext
      * @return JsonResult */
@@ -222,7 +235,7 @@ function offsetUnset($offset) {
 
     /** @param ?bool $validated */
     function emit($validated = null) {
-        if ($this->status) {
+        if ($this->status && !$this->minimal) {
             if (!isset($this->content["ok"])) {
                 $this->content["ok"] = $this->status <= 299;
             }