SSO: Add some more documentation

This commit is contained in:
Aleksander Machniak 2018-11-27 11:03:10 +01:00
parent bf29bd2e19
commit 3c0d00ef67
3 changed files with 16 additions and 4 deletions


@ -37,6 +37,18 @@ and on the provider side configured URI will be https://host/roundcubemail/sso.
IMPLEMENTATION NOTES
--------------------
Specification: https://openid.net/specs/openid-connect-core-1_0.html
Limitations:
- OpenIDC Discovery and Dynamic Client Registration is not supported,
- Authentication with Authorization Code Flow is the only one supported,
- required grant types: authorization_code, refresh_token (for token refresh),
- required claims: id_token,
- required scopes: email, openid, offline_access (for token refresh),
- endpoints used: token, authorization,
- supported signature algorithms: HS256, HS385, HS512, RS256, RS384, RS512.
- supported token endpoint auth methods: client_secret_basic, client_secret_post.
[IMAP] Because Kolab backend do not support token authentication it is required
to use master user (sasl proxy) authentication, i.e. you have to put
master user credentials in plugin's config.


@ -45,7 +45,7 @@ $config['kolab_sso_options'] = array(
// Token URI, if different than <uri>/token
'token_uri' => 'https://kolab.eu.auth0.com/oauth/token',
// Authorize URI, if different than <uri>/authorize
'authorize_uri' => 'https://kolab.eu.auth0.com/authorize',
'auth_uri' => 'https://kolab.eu.auth0.com/authorize',
// Response URI, by default we use https://domain.tld/path?_task=login&_action=sso
// Define it if the Provider does not allow above
// to use https://domain.tld/path/<response_uri> instead


@ -53,7 +53,7 @@ class kolab_sso_openidc
// TODO: Other params by config: display, prompt, max_age,
$url = $this->config['authorize_uri'] ?: (unslashify($this->config['uri']) . '/authorize');
$url = $this->config['auth_uri'] ?: (unslashify($this->config['uri']) . '/authorize');
$url .= '?' . http_build_query($params);
$this->plugin->debug("[{$this->id}][authorize] Redirecting to $url");
@ -178,11 +178,11 @@ class kolab_sso_openidc
$this->plugin->debug("[{$this->id}][$mode] Requesting POST $url?$post");
try {
// TODO: HTTP Basic and JWT methods of client authentication
// TODO: JWT-based methods of client authentication
// https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.9
$request = $this->get_request($url, 'POST');
// $request->setAuth($this->config['client_id'], $this->config['client_secret']);
$request->setAuth($this->config['client_id'], $this->config['client_secret']);
$request->setBody($post);
$response = $request->send();
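Review bot: The now-active `$request->setAuth($this->config['client_id'], $this->config['client_secret']);` sends the client secret as HTTP Basic on every token request, yet nothing in this hunk chooses between client_secret_basic and client_secret_post, both of which the README hunk in this commit lists as supported; if `$post` (assembled outside the hunk) also carries `client_secret`, the secret is transmitted twice in one request, which OIDC Core section 9 does not permit. A single config-driven switch (key name to be chosen) should either call `setAuth(...)` or add the secret to the POST body, never both. Separately, the debug line `Requesting POST $url?$post` writes the raw request body to the log, so if the body holds the client secret it lands in plaintext in the debug output; redact that field before logging. The enclosing method starts and ends outside the hunk.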