nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Roeland Jago Douma	be2d8cc4e9	Do not invalidate main token on OAuth Fixes #10584 We deleted the main token when using the login flow else mutliple tokens would show up for a single user. However in the case of OAuth this is perfectly fine as the authentication happens really in your browser: 1. You are already logged in, no need to log you out 2. You are not logged in yet, but since you log in into the exact same browser the expected behavior is to stay logged in. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	5a97148863	Don't use special chars to avoid confusion Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	177c8972cc	Improve login flow * Add page explaining you are about to grant access * Show grant access page after login Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Morris Jobke	4ef302c0be	Request->getHeader() should always return a string PHPDoc (of the public API) says that this method returns string but it also returns null, which is not allowed in some method calls. This fixes that behaviour and returns an empty string and fixes all code paths that explicitly checked for null to be still compliant. Found while enabling the strict_typing for lib/private for the PHP7+ migration. Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Mario Danic	cc742ce9e7	Fix bug with proxies Signed-off-by: Mario Danic <mario@lovelyhq.com>	8 years ago
Roeland Jago Douma	82f03e1314	Clear login token once apppassword is generated Fixes #7697 When using the new login flow a token will be generated since we login. However after that we generate yet another token to return (as we should). However we should kill the current session token as we are done with it. And will never use it again. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Mario Danic	c2cd5fc5d3	Fix flow Signed-off-by: Mario Danic <mario@lovelyhq.com>	8 years ago
Julius Härtl	cd1bfea8c4	Theming: theme flow redirection page Signed-off-by: Julius Härtl <jus@bitgrid.net>	8 years ago
Morris Jobke	0eebff152a	Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Morris Jobke	504c1abee0	Fix undefined index oauthState Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Lukas Reschke	26ee889fec	Add tests for ClientFlowLoginController Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	b07a0f51ba	Add OAuth state to session Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Bjoern Schiessle	23b296b66e	use name of oauth app to identify auth token Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Bjoern Schiessle	a74d67b69c	show error page if no valid client identifier is given and if it is not a API request Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Lukas Reschke	e86749121c	Remove special characters Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	5f71805c35	Add basic implementation for OAuth 2.0 Authorization Code Flow Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Mario Danic	e4aac15a92	Update login flow redirection Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Roeland Jago Douma	aae079aa29	AppToken to 72 chars Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Roeland Jago Douma	bb5e5efa6d	Do not remove the state token to early we should check the stateToken before we remove it. Else the check will always fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Lukas Reschke	6a16df7288	Add new auth flow This implements the basics for the new app-password based authentication flow for our clients. The current implementation tries to keep it as simple as possible and works the following way: 1. Unauthenticated client opens `/index.php/login/flow` 2. User will be asked whether they want to grant access to the client 3. If accepted the user has the chance to do so using existing App Token or automatically generate an app password. If the user chooses to use an existing app token then that one will simply be redirected to the `nc://` protocol handler. While we can improve on that in the future, I think keeping this smaller at the moment has its advantages. Also, in the near future we have to think about an automatic migration endpoint so there's that anyways :-) If the user chooses to use the regular login the following happens: 1. A session state token is written to the session 2. User is redirected to the login page 3. If successfully authenticated they will be redirected to a page redirecting to the POST controller 4. The POST controller will check if the CSRF token as well as the state token is correct, if yes the user will be redirected to the `nc://` protocol handler. This approach is quite simple but also allows to be extended in the future. One could for example allow external websites to consume this authentication endpoint as well. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago

20 Commits (be2d8cc4e9b6f0aac2e0c8f82e8635dbbce2a51d)