Save OIDC tokens to OpenProject database

app/models/sessions/user_session.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #-- copyright
 # OpenProject is an open source project management software.
 # Copyright (C) the OpenProject GmbH
@@ -33,6 +35,8 @@ module Sessions
   class UserSession < ::ApplicationRecord
     self.table_name = "sessions"
 
+    belongs_to :user
+
     scope :for_user, ->(user) do
       user_id = user.is_a?(User) ? user.id : user.to_i
 

app/services/authentication/omniauth_service.rb

@@ -165,7 +165,7 @@ def find_existing_user
     def remap_existing_user
       return unless Setting.oauth_allow_remapping_of_existing_users?
 
-      User.not_builtin.find_by_login(user_attributes[:login]) # rubocop:disable Rails/DynamicFindBy
+      User.not_builtin.find_by_login(user_attributes[:login])
     end
 
     ##
@@ -285,7 +285,7 @@ def identity_url_from_omniauth
     # Try to provide some context of the auth_hash in case of errors
     def auth_uid
       hash = auth_hash || {}
-      hash.dig(:info, :uid) || hash.dig(:uid) || "unknown"
+      hash.dig(:info, :uid) || hash[:uid] || "unknown"
     end
   end
 end

modules/openid_connect/app/models/openid_connect/user_session_link.rb

@@ -1,3 +1,33 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) 2012-2024 the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
 module OpenIDConnect
   class UserSessionLink < ::ApplicationRecord
     self.table_name = "oidc_user_session_links"

modules/openid_connect/app/models/openid_connect/user_token.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) 2012-2024 the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module OpenIDConnect
+  class UserToken < ::ApplicationRecord
+    self.table_name = "oidc_user_tokens"
+
+    IDP_AUDIENCE = "__op-idp__"
+
+    belongs_to :user
+
+    scope :idp, -> { where(audience: IDP_AUDIENCE) }
+  end
+end

modules/openid_connect/app/services/openid_connect/associate_user_token.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+# +
+
+module OpenIDConnect
+  class AssociateUserToken
+    def initialize(user)
+      @user = user
+    end
+
+    def call(access_token:, refresh_token: nil, known_audiences: [], clear_previous: false)
+      if access_token.blank?
+        Rails.logger.error("Could not associate token to user: No access token")
+        return
+      end
+
+      if @user.nil?
+        Rails.logger.error("Could not associate token to user: Can't find user")
+        return
+      end
+
+      @user.oidc_user_tokens.destroy_all if clear_previous
+
+      token = @user.oidc_user_tokens.build(access_token:, refresh_token:, audiences: Array(known_audiences))
+      # We should discover further audiences from the token in the future
+      token.save! if token.audiences.any?
+    end
+  end
+end

modules/openid_connect/db/migrate/20241212131910_add_oidc_user_tokens.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+class AddOidcUserTokens < ActiveRecord::Migration[7.1]
+  def change
+    create_table :oidc_user_tokens do |t|
+      t.references :user, null: false, index: true, foreign_key: { on_delete: :cascade }
+
+      t.string :access_token, null: false
+      t.string :refresh_token, null: true
+      t.jsonb :audiences, null: false, default: []
+
+      t.timestamps
+    end
+  end
+end

modules/openid_connect/lib/open_project/openid_connect/engine.rb

@@ -25,6 +25,8 @@ class Engine < ::Rails::Engine
       openid_connect/auth_provider-custom.png
     )
 
+    patches %i[Sessions::UserSession User]
+
     class_inflection_override("openid_connect" => "OpenIDConnect")
 
     register_auth_providers do
@@ -49,7 +51,11 @@ class Engine < ::Rails::Engine
           end
 
           # Remember oidc session values when logging in user
-          h[:retain_from_session] = %w[omniauth.oidc_sid]
+          h[:retain_from_session] = %w[
+            omniauth.oidc_sid
+            omniauth.oidc_access_token
+            omniauth.oidc_refresh_token
+          ]
 
           h[:backchannel_logout_callback] = ->(logout_token) do
             ::OpenProject::OpenIDConnect::SessionMapper.handle_logout(logout_token)

modules/openid_connect/lib/open_project/openid_connect/hooks/hook.rb

@@ -33,17 +33,34 @@ class Hook < OpenProject::Hook::Listener
       # Once the user has signed in and has an oidc session
       # we want to map that to the internal session
       def user_logged_in(context)
-        session = context[:session]
-        oidc_sid = session["omniauth.oidc_sid"]
-        return if oidc_sid.nil?
+        session = context.fetch(:session)
+        ::OpenProject::OpenIDConnect::SessionMapper.handle_login(session)
+
+        user = context.fetch(:user)
+
+        # We clear previous tokens while adding this one to avoid keeping
+        # stale tokens around (and to avoid piling up duplicate IDP tokens)
+        # -> Fresh login causes fresh set of tokens
+        OpenIDConnect::AssociateUserToken.new(user).call(
+          access_token: session["omniauth.oidc_access_token"],
+          refresh_token: session["omniauth.oidc_refresh_token"],
+          known_audiences: [OpenIDConnect::UserToken::IDP_AUDIENCE],
+          clear_previous: true
+        )
 
-        ::OpenProject::OpenIDConnect::SessionMapper.handle_login(oidc_sid, session)
       end
 
       ##
       # Called once omniauth has returned with an auth hash
-      # NOTE: It's a passthrough as we no longer persist the access token into the cookie
-      def omniauth_user_authorized(_context); end
+      def omniauth_user_authorized(context)
+        controller = context.fetch(:controller)
+        session = controller.session
+
+        session["omniauth.oidc_access_token"] = context.dig(:auth_hash, :credentials, :token)
+        session["omniauth.oidc_refresh_token"] = context.dig(:auth_hash, :credentials, :refresh_token)
+
+        nil
+      end
     end
   end
 end

modules/openid_connect/lib/open_project/openid_connect/patches.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module OpenProject::OpenIDConnect::Patches
+end

modules/openid_connect/lib/open_project/openid_connect/patches/sessions/user_session_patch.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module OpenProject::OpenIDConnect::Patches::Sessions::UserSessionPatch
+  def self.included(base) # :nodoc:
+    base.extend(ClassMethods)
+    base.include(InstanceMethods)
+
+    base.class_eval do
+      has_one :oidc_session_link, class_name: "OpenIDConnect::UserSessionLink", foreign_key: "session_id"
+    end
+  end
+
+  module ClassMethods
+  end
+
+  module InstanceMethods
+  end
+end

modules/openid_connect/lib/open_project/openid_connect/patches/user_patch.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module OpenProject::OpenIDConnect::Patches::UserPatch
+  def self.included(base) # :nodoc:
+    base.extend(ClassMethods)
+    base.include(InstanceMethods)
+
+    base.class_eval do
+      has_many :oidc_user_tokens, class_name: "OpenIDConnect::UserToken", foreign_key: "user_id"
+    end
+  end
+
+  module ClassMethods
+  end
+
+  module InstanceMethods
+  end
+end