feat(cloud_federation_api): add token exchange endpoint issuing JWT access tokens

Co-authored-by: Micke Nordin <kano@sunet.se>
Signed-off-by: Micke Nordin <kano@sunet.se>
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>

Author: enriquepablo

apps/cloud_federation_api/appinfo/info.xml

@@ -21,4 +21,8 @@
 	<dependencies>
 		<nextcloud min-version="35" max-version="35"/>
 	</dependencies>
+
+	<background-jobs>
+		<job>OCA\CloudFederationAPI\BackgroundJob\CleanupExpiredOcmTokensJob</job>
+	</background-jobs>
 </info>

apps/cloud_federation_api/composer/composer/autoload_classmap.php

@@ -8,13 +8,18 @@
 return array(
     'Composer\\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php',
     'OCA\\CloudFederationAPI\\AppInfo\\Application' => $baseDir . '/../lib/AppInfo/Application.php',
+    'OCA\\CloudFederationAPI\\BackgroundJob\\CleanupExpiredOcmTokensJob' => $baseDir . '/../lib/BackgroundJob/CleanupExpiredOcmTokensJob.php',
     'OCA\\CloudFederationAPI\\Capabilities' => $baseDir . '/../lib/Capabilities.php',
     'OCA\\CloudFederationAPI\\Config' => $baseDir . '/../lib/Config.php',
     'OCA\\CloudFederationAPI\\Controller\\OCMRequestController' => $baseDir . '/../lib/Controller/OCMRequestController.php',
     'OCA\\CloudFederationAPI\\Controller\\RequestHandlerController' => $baseDir . '/../lib/Controller/RequestHandlerController.php',
+    'OCA\\CloudFederationAPI\\Controller\\TokenController' => $baseDir . '/../lib/Controller/TokenController.php',
     'OCA\\CloudFederationAPI\\Db\\FederatedInvite' => $baseDir . '/../lib/Db/FederatedInvite.php',
     'OCA\\CloudFederationAPI\\Db\\FederatedInviteMapper' => $baseDir . '/../lib/Db/FederatedInviteMapper.php',
+    'OCA\\CloudFederationAPI\\Db\\OcmTokenMap' => $baseDir . '/../lib/Db/OcmTokenMap.php',
+    'OCA\\CloudFederationAPI\\Db\\OcmTokenMapMapper' => $baseDir . '/../lib/Db/OcmTokenMapMapper.php',
     'OCA\\CloudFederationAPI\\Events\\FederatedInviteAcceptedEvent' => $baseDir . '/../lib/Events/FederatedInviteAcceptedEvent.php',
     'OCA\\CloudFederationAPI\\Migration\\Version1016Date202502262004' => $baseDir . '/../lib/Migration/Version1016Date202502262004.php',
+    'OCA\\CloudFederationAPI\\Migration\\Version1017Date20260306120000' => $baseDir . '/../lib/Migration/Version1017Date20260306120000.php',
     'OCA\\CloudFederationAPI\\ResponseDefinitions' => $baseDir . '/../lib/ResponseDefinitions.php',
 );

apps/cloud_federation_api/composer/composer/autoload_static.php

@@ -23,14 +23,19 @@ class ComposerStaticInitCloudFederationAPI
     public static $classMap = array (
         'Composer\\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
         'OCA\\CloudFederationAPI\\AppInfo\\Application' => __DIR__ . '/..' . '/../lib/AppInfo/Application.php',
+        'OCA\\CloudFederationAPI\\BackgroundJob\\CleanupExpiredOcmTokensJob' => __DIR__ . '/..' . '/../lib/BackgroundJob/CleanupExpiredOcmTokensJob.php',
         'OCA\\CloudFederationAPI\\Capabilities' => __DIR__ . '/..' . '/../lib/Capabilities.php',
         'OCA\\CloudFederationAPI\\Config' => __DIR__ . '/..' . '/../lib/Config.php',
         'OCA\\CloudFederationAPI\\Controller\\OCMRequestController' => __DIR__ . '/..' . '/../lib/Controller/OCMRequestController.php',
         'OCA\\CloudFederationAPI\\Controller\\RequestHandlerController' => __DIR__ . '/..' . '/../lib/Controller/RequestHandlerController.php',
+        'OCA\\CloudFederationAPI\\Controller\\TokenController' => __DIR__ . '/..' . '/../lib/Controller/TokenController.php',
         'OCA\\CloudFederationAPI\\Db\\FederatedInvite' => __DIR__ . '/..' . '/../lib/Db/FederatedInvite.php',
         'OCA\\CloudFederationAPI\\Db\\FederatedInviteMapper' => __DIR__ . '/..' . '/../lib/Db/FederatedInviteMapper.php',
+        'OCA\\CloudFederationAPI\\Db\\OcmTokenMap' => __DIR__ . '/..' . '/../lib/Db/OcmTokenMap.php',
+        'OCA\\CloudFederationAPI\\Db\\OcmTokenMapMapper' => __DIR__ . '/..' . '/../lib/Db/OcmTokenMapMapper.php',
         'OCA\\CloudFederationAPI\\Events\\FederatedInviteAcceptedEvent' => __DIR__ . '/..' . '/../lib/Events/FederatedInviteAcceptedEvent.php',
         'OCA\\CloudFederationAPI\\Migration\\Version1016Date202502262004' => __DIR__ . '/..' . '/../lib/Migration/Version1016Date202502262004.php',
+        'OCA\\CloudFederationAPI\\Migration\\Version1017Date20260306120000' => __DIR__ . '/..' . '/../lib/Migration/Version1017Date20260306120000.php',
         'OCA\\CloudFederationAPI\\ResponseDefinitions' => __DIR__ . '/..' . '/../lib/ResponseDefinitions.php',
     );
 

apps/cloud_federation_api/lib/BackgroundJob/CleanupExpiredOcmTokensJob.php

@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\CloudFederationAPI\BackgroundJob;
+
+use OCA\CloudFederationAPI\Db\OcmTokenMapMapper;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\BackgroundJob\TimedJob;
+
+/**
+ * Periodically purge expired OCM access token mappings from ocm_token_map.
+ *
+ * The corresponding oc_authtoken entries (TEMPORARY_TOKEN with an expires
+ * timestamp) are cleaned up by Nextcloud's own token expiry jobs.
+ */
+class CleanupExpiredOcmTokensJob extends TimedJob {
+	public function __construct(
+		ITimeFactory $timeFactory,
+		private readonly OcmTokenMapMapper $mapper,
+	) {
+		parent::__construct($timeFactory);
+
+		$this->setInterval(6 * 60 * 60); // run every 6 hours
+		$this->setTimeSensitivity(self::TIME_INSENSITIVE);
+	}
+
+	#[\Override]
+	protected function run($argument): void {
+		$this->mapper->deleteExpired($this->time->getTime());
+	}
+}

apps/cloud_federation_api/lib/Controller/TokenController.php

@@ -0,0 +1,260 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\CloudFederationAPI\Controller;
+
+use Firebase\JWT\JWT;
+use OC\Authentication\Token\IProvider;
+use OC\OCM\OCMSignatoryManager;
+use OCA\CloudFederationAPI\Db\OcmTokenMap;
+use OCA\CloudFederationAPI\Db\OcmTokenMapMapper;
+use OCP\AppFramework\ApiController;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\FrontpageRoute;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\PublicPage;
+use OCP\AppFramework\Http\DataResponse;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\Authentication\Exceptions\ExpiredTokenException;
+use OCP\Authentication\Exceptions\InvalidTokenException;
+use OCP\Authentication\Token\IToken;
+use OCP\IAppConfig;
+use OCP\IRequest;
+use OCP\Security\ISecureRandom;
+use OCP\Security\Signature\Exceptions\IncomingRequestException;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureException;
+use OCP\Security\Signature\Exceptions\SignatureNotFoundException;
+use OCP\Security\Signature\IIncomingSignedRequest;
+use OCP\Security\Signature\ISignatureManager;
+use OCP\Security\Signature\Model\Signatory;
+use OCP\Share\IManager as IShareManager;
+use Psr\Log\LoggerInterface;
+
+/**
+ * Controller for the /token endpoint
+ * Exchanges long-lived refresh tokens for short-lived access tokens
+ *
+ * @since 32.0.0
+ */
+class TokenController extends ApiController {
+	public function __construct(
+		IRequest $request,
+		private readonly IProvider $tokenProvider,
+		private readonly ISecureRandom $random,
+		private readonly ITimeFactory $timeFactory,
+		private readonly LoggerInterface $logger,
+		private readonly ISignatureManager $signatureManager,
+		private readonly OCMSignatoryManager $signatoryManager,
+		private readonly IAppConfig $appConfig,
+		private readonly OcmTokenMapMapper $ocmTokenMapMapper,
+		private readonly IShareManager $shareManager,
+	) {
+		parent::__construct('cloud_federation_api', $request);
+	}
+
+	/**
+	 * Verify the signature of incoming request if available
+	 *
+	 * @return IIncomingSignedRequest|null null if remote does not support signed requests
+	 * @throws IncomingRequestException if signature is required but invalid
+	 */
+	private function verifySignedRequest(): ?IIncomingSignedRequest {
+		try {
+			$signedRequest = $this->signatureManager->getIncomingSignedRequest($this->signatoryManager);
+			$this->logger->debug('Token request signature verified', [
+				'origin' => $signedRequest->getOrigin()
+			]);
+			return $signedRequest;
+		} catch (SignatureNotFoundException|SignatoryNotFoundException $e) {
+			$this->logger->debug('Token request not signed', ['exception' => $e]);
+
+			if ($this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_ENFORCED, lazy: true)) {
+				$this->logger->notice('Rejected unsigned token request', ['exception' => $e]);
+				throw new IncomingRequestException('Unsigned request not allowed');
+			}
+			return null;
+		} catch (SignatureException $e) {
+			$this->logger->warning('Invalid token request signature', ['exception' => $e]);
+			throw new IncomingRequestException('Invalid signature');
+		}
+	}
+
+	/**
+	 * @return array{0: string, 1: string} [JWS algorithm, key material accepted by firebase/php-jwt]
+	 * @throws \RuntimeException if the key cannot be parsed or its type is unsupported
+	 */
+	private function resolveJwtSigningKey(string $privateKeyPem): array {
+		$key = openssl_pkey_get_private($privateKeyPem);
+		if ($key === false) {
+			throw new \RuntimeException('Cannot parse signatory private key');
+		}
+		$details = openssl_pkey_get_details($key);
+
+		if (isset($details['rsa'])) {
+			$algorithm = $details['bits'] >= 4096 ? 'RS512' : 'RS256';
+			return [$algorithm, $privateKeyPem];
+		}
+		if (isset($details['ed25519'])) {
+			$der = base64_decode((string)preg_replace('/-----[^-]+-----|\s+/', '', $privateKeyPem), true);
+			if ($der === false || strlen($der) < 32) {
+				throw new \RuntimeException('Cannot decode Ed25519 PKCS#8 PEM');
+			}
+			// RFC 8410 §7: Ed25519 PKCS#8 v1 ends with the 32-byte raw seed
+			$seed = substr($der, -32);
+			$secretKey = sodium_crypto_sign_secretkey(sodium_crypto_sign_seed_keypair($seed));
+			return ['EdDSA', base64_encode($secretKey)];
+		}
+
+		throw new \RuntimeException('Unsupported signatory key type for JWT access token');
+	}
+
+	/**
+	 * Exchange a refresh token for a short-lived access token
+	 *
+	 * @param string $grant_type OAuth grant type, must be `authorization_code`
+	 * @param string $code The refresh token to exchange for an access token
+	 * @return DataResponse<Http::STATUS_OK, array{access_token: string, token_type: string, expires_in: int}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED|Http::STATUS_BAD_REQUEST|Http::STATUS_INTERNAL_SERVER_ERROR, array{error: string}, array{}>
+	 *
+	 * 200: Access token successfully generated
+	 * 400: Bad request - missing refresh token or invalid request format
+	 * 401: Unauthorized - invalid or expired refresh token, or invalid signature
+	 * 500: Internal server error
+	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
+	#[FrontpageRoute(verb: 'POST', url: '/api/v1/access-token')]
+	public function accessToken(string $grant_type = '', string $code = ''): DataResponse {
+		try {
+			$signedRequest = $this->verifySignedRequest();
+		} catch (IncomingRequestException $e) {
+			$this->logger->warning('Token request signature verification failed', [
+				'exception' => $e
+			]);
+			return new DataResponse(
+				['error' => 'invalid_request'],
+				Http::STATUS_UNAUTHORIZED
+			);
+		}
+
+		if ($grant_type !== 'authorization_code') {
+			return new DataResponse(
+				['error' => 'unsupported_grant_type'],
+				Http::STATUS_BAD_REQUEST
+			);
+		}
+
+		if ($code === '') {
+			return new DataResponse(
+				['error' => 'refresh_token is required'],
+				Http::STATUS_BAD_REQUEST
+			);
+		}
+
+		$refreshToken = $code;
+
+		try {
+			$token = $this->tokenProvider->getToken($refreshToken);
+
+			if ($token->getType() !== IToken::PERMANENT_TOKEN) {
+				$this->logger->warning('Attempted to use non-permanent token as refresh token', [
+					'tokenId' => $token->getId(),
+				]);
+				return new DataResponse(
+					['error' => 'invalid_grant'],
+					Http::STATUS_UNAUTHORIZED
+				);
+			}
+
+			// Revoke the previous access token for this refresh token, if any.
+			$existingMapping = $this->ocmTokenMapMapper->findByRefreshToken($refreshToken);
+			if ($existingMapping !== null) {
+				try {
+					$this->tokenProvider->invalidateTokenById(
+						$token->getUID(),
+						$existingMapping->getAccessTokenId()
+					);
+				} catch (\Exception) {
+					// Token may already be gone; ignore.
+				}
+				$this->ocmTokenMapMapper->delete($existingMapping);
+			}
+
+			$share = $this->shareManager->getShareByToken($refreshToken);
+			$expiresIn = 3600; // 1 hour in seconds
+			$issuedAt = $this->timeFactory->getTime();
+			$expiresAt = $issuedAt + $expiresIn;
+
+			$signatory = $this->signatoryManager->getLocalSignatory();
+			$keyId = $signatory->getKeyId();
+			$issuer = parse_url($keyId, PHP_URL_SCHEME) . '://' . Signatory::extractIdentityFromUri($keyId);
+
+			[$jwtAlgorithm, $jwtKey] = $this->resolveJwtSigningKey($signatory->getPrivateKey());
+
+			$payload = [
+				'iss' => $issuer,
+				'sub' => $share->getShareOwner(),
+				'aud' => $share->getSharedWith(),
+				'client_id' => (string)$token->getId(),
+				'iat' => $issuedAt,
+				'exp' => $expiresAt,
+				'jti' => $this->random->generate(16, ISecureRandom::CHAR_LOWER . ISecureRandom::CHAR_UPPER . ISecureRandom::CHAR_DIGITS),
+			];
+
+			$accessTokenString = JWT::encode($payload, $jwtKey, $jwtAlgorithm, $keyId);
+
+			$accessToken = $this->tokenProvider->generateToken(
+				$accessTokenString,
+				$token->getUID(),
+				$token->getLoginName(),
+				null, // No password for access tokens
+				IToken::OCM_ACCESS_TOKEN_NAME,
+				IToken::TEMPORARY_TOKEN,
+				IToken::DO_NOT_REMEMBER
+			);
+
+			$accessToken->setExpires($expiresAt);
+			$this->tokenProvider->updateToken($accessToken);
+
+			$mapping = new OcmTokenMap();
+			$mapping->setAccessTokenId($accessToken->getId());
+			$mapping->setRefreshToken($refreshToken);
+			$mapping->setExpires($expiresAt);
+			$this->ocmTokenMapMapper->insert($mapping);
+
+			return new DataResponse([
+				'access_token' => $accessTokenString,
+				'token_type' => 'Bearer',
+				'expires_in' => $expiresIn,
+			], Http::STATUS_OK);
+		} catch (InvalidTokenException $e) {
+			$this->logger->info('Invalid refresh token provided', [
+				'exception' => $e,
+			]);
+			return new DataResponse(
+				['error' => 'invalid_grant'],
+				Http::STATUS_UNAUTHORIZED
+			);
+		} catch (ExpiredTokenException $e) {
+			$this->logger->info('Expired refresh token provided', [
+				'exception' => $e,
+			]);
+			return new DataResponse(
+				['error' => 'invalid_grant'],
+				Http::STATUS_UNAUTHORIZED
+			);
+		} catch (\Exception $e) {
+			$this->logger->error('Error generating access token', [
+				'exception' => $e,
+			]);
+			return new DataResponse(
+				['error' => 'server_error'],
+				Http::STATUS_INTERNAL_SERVER_ERROR
+			);
+		}
+	}
+}

apps/cloud_federation_api/lib/Db/OcmTokenMap.php

@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\CloudFederationAPI\Db;
+
+use OCP\AppFramework\Db\Entity;
+use OCP\DB\Types;
+
+/**
+ * Maps a short-lived OCM access token (by its oc_authtoken id) to the
+ * long-lived refresh token it was issued for.
+ *
+ * @method int getAccessTokenId()
+ * @method void setAccessTokenId(int $id)
+ * @method string getRefreshToken()
+ * @method void setRefreshToken(string $token)
+ * @method int getExpires()
+ * @method void setExpires(int $expires)
+ */
+class OcmTokenMap extends Entity {
+	/** @var int ID of the access token row in oc_authtoken */
+	protected $accessTokenId;
+
+	/** @var string The refresh token this access token was issued for */
+	protected $refreshToken;
+
+	/** @var int Unix timestamp when the access token expires */
+	protected $expires;
+
+	public function __construct() {
+		$this->addType('accessTokenId', Types::INTEGER);
+		$this->addType('refreshToken', Types::STRING);
+		$this->addType('expires', Types::INTEGER);
+	}
+}