discover OIDC parameters from WebFinger (based on opencloud-eu/opencloud#2072)

Author: kaivol

src/libsync/creds/oauth.cpp

@@ -238,6 +238,7 @@ OAuth::OAuth(const QUrl &serverUrl, QNetworkAccessManager *networkAccessManager,
     , _networkAccessManager(networkAccessManager)
     , _clientId(Theme::instance()->oauthClientId())
     , _clientSecret(Theme::instance()->oauthClientSecret())
+    , _scopes(Theme::instance()->openIdConnectScopes())
     , _supportedPromtValues(defaultOauthPromtValue())
 {
 }
@@ -434,7 +435,7 @@ QNetworkReply *OAuth::postTokenRequest(QUrlQuery &&queryItems)
     req.setHeader(QNetworkRequest::ContentTypeHeader, QStringLiteral("application/x-www-form-urlencoded; charset=UTF-8"));
     req.setAttribute(HttpCredentials::DontAddCredentialsAttribute, true);
 
-    queryItems.addQueryItem(QStringLiteral("scope"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectScopes())));
+    queryItems.addQueryItem(QStringLiteral("scope"), QString::fromUtf8(QUrl::toPercentEncoding(this->_scopes)));
     req.setUrl(_tokenEndpoint);
     return _networkAccessManager->post(req, queryItems.toString(QUrl::FullyEncoded).toUtf8());
 }
@@ -540,8 +541,12 @@ void OAuth::fetchWellKnown()
     } else {
         QNetworkRequest webfingerReq;
         webfingerReq.setAttribute(HttpCredentials::DontAddCredentialsAttribute, true);
-        webfingerReq.setUrl(
-            Utility::concatUrlPath(_serverUrl, QStringLiteral("/.well-known/webfinger"), {{QStringLiteral("resource"), _serverUrl.toString()}}));
+        webfingerReq.setUrl(Utility::concatUrlPath(_serverUrl, QStringLiteral("/.well-known/webfinger"),
+            {
+                {QStringLiteral("resource"), _serverUrl.toString()},
+                {QStringLiteral("rel"), QStringLiteral("http://openid.net/specs/connect/1.0/issuer")},
+                {QStringLiteral("platform"), QStringLiteral("desktop")},
+            }));
         webfingerReq.setTransferTimeout(defaultTimeoutMs());
 
         auto webfingerReply = _networkAccessManager->get(webfingerReq);
@@ -596,6 +601,28 @@ void OAuth::fetchWellKnown()
                 return;
             }
 
+            const auto properties = doc.object().value(QStringLiteral("properties")).toObject();
+            if (const auto clientId = properties.value(QStringLiteral("http://opencloud.eu/ns/oidc/client_id")).toString(); !clientId.isNull()) {
+                this->_clientId = clientId;
+            }
+            if (const auto scopes = properties.value(QStringLiteral("http://opencloud.eu/ns/oidc/client_id")).toObject(); !scopes.isEmpty()) {
+                auto scopesString = QString();
+                for (auto scope : scopes) {
+                    auto s = scope.toString();
+                    if (s.isNull()) {
+                        qCWarning(lcOauth) << u"unexpected non-string scope received from WebFinger, ignoring";
+                        continue;
+                    }
+                    if (s.isEmpty()) {
+                        qCWarning(lcOauth) << u"empty scope received from WebFinger, ignoring";
+                        continue;
+                    }
+                    scopesString.append(s);
+                    scopesString.append(QStringLiteral(" "));
+                }
+                this->_scopes = scopesString;
+            }
+
             auto const oidcWellKnownUrl = Utility::concatUrlPath(QUrl(issuerUrl), wellKnownPathC);
             qCDebug(lcOauth) << u"fetching" << oidcWellKnownUrl;
 

src/libsync/creds/oauth.h

@@ -110,6 +110,7 @@ class OPENCLOUD_SYNC_EXPORT OAuth : public QObject
 
     QString _clientId;
     QString _clientSecret;
+    QString _scopes;
 
     QUrl _registrationEndpoint;