add new boolean setting to enable private key jwt auth

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

lib/Command/UpsertProvider.php

@@ -27,6 +27,10 @@ class UpsertProvider extends Base {
 			'shortcut' => null, 'mode' => InputOption::VALUE_REQUIRED, 'setting_key' => ProviderService::SETTING_UNIQUE_UID,
 			'description' => 'Determines if unique user ids shall be used or not. 1 to enable, 0 to disable',
 		],
+		'use-private-key-jwt' => [
+			'shortcut' => null, 'mode' => InputOption::VALUE_REQUIRED, 'setting_key' => ProviderService::SETTING_USE_PRIVATE_KEY_JWT,
+			'description' => 'If enabled, user_oidc will use the private key JWT authentication method instead of using the client secret. 1 to enable, 0 to disable (default when creating a new provider)',
+		],
 		'check-bearer' => [
 			'shortcut' => null, 'mode' => InputOption::VALUE_REQUIRED, 'setting_key' => ProviderService::SETTING_CHECK_BEARER,
 			'description' => 'Determines if Nextcloud API/WebDav calls should check the Bearer token against this provider or not. 1 to enable, 0 to disable (default when creating a new provider)',

lib/Service/JwkService.php

@@ -128,10 +128,8 @@ public function getJwkFromSslKey(array $sslKeyDetails, bool $isEncryptionKey = f
 			'crv' => 'P-384',
 			'x' => \rtrim(\strtr(\base64_encode($sslKeyDetails['ec']['x']), '+/', '-_'), '='),
 			'y' => \rtrim(\strtr(\base64_encode($sslKeyDetails['ec']['y']), '+/', '-_'), '='),
+			'alg' => $isEncryptionKey ? 'ECDH-ES+A192KW' : 'ES384',
 		];
-		if ($isEncryptionKey) {
-			$jwk['alg'] = 'ECDH-ES+A192KW';
-		}
 		return $jwk;
 	}
 

lib/Service/ProviderService.php

@@ -18,6 +18,7 @@
 
 class ProviderService {
 	public const SETTING_CHECK_BEARER = 'checkBearer';
+	public const SETTING_USE_PRIVATE_KEY_JWT = 'usePrivateKeyJwt';
 	public const SETTING_SEND_ID_TOKEN_HINT = 'sendIdTokenHint';
 	public const SETTING_BEARER_PROVISIONING = 'bearerProvisioning';
 	public const SETTING_UNIQUE_UID = 'uniqueUid';
@@ -62,6 +63,7 @@ class ProviderService {
 		self::SETTING_BEARER_PROVISIONING => false,
 		self::SETTING_UNIQUE_UID => true,
 		self::SETTING_CHECK_BEARER => false,
+		self::SETTING_USE_PRIVATE_KEY_JWT => false,
 		self::SETTING_SEND_ID_TOKEN_HINT => false,
 		self::SETTING_RESTRICT_LOGIN_TO_GROUPS => false,
 		self::SETTING_RESOLVE_NESTED_AND_FALLBACK_CLAIMS_MAPPING => false,
@@ -169,6 +171,7 @@ private function getSupportedSettings(): array {
 			self::SETTING_MAPPING_BIRTHDATE,
 			self::SETTING_UNIQUE_UID,
 			self::SETTING_CHECK_BEARER,
+			self::SETTING_USE_PRIVATE_KEY_JWT,
 			self::SETTING_SEND_ID_TOKEN_HINT,
 			self::SETTING_BEARER_PROVISIONING,
 			self::SETTING_EXTRA_CLAIMS,

src/components/AdminSettings.vue

@@ -200,6 +200,7 @@ export default {
 				endSessionEndpoint: '',
 				postLogoutUri: '',
 				settings: {
+					usePrivateKeyJwt: false,
 					uniqueUid: true,
 					checkBearer: false,
 					bearerProvisioning: false,

src/components/SettingsForm.vue

@@ -23,13 +23,21 @@
 				type="text"
 				required>
 		</p>
+		<NcCheckboxRadioSwitch
+			v-model="localProvider.settings.usePrivateKeyJwt"
+			wrapper-element="div">
+			{{ t('user_oidc', 'Use private key JWT authentication method') }}
+		</NcCheckboxRadioSwitch>
+		<!-- TODO: link to https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication -->
+		<!-- TODO: give the JWKs URL to configure the IdP -->
 		<p>
 			<label for="oidc-client-secret">{{ t('user_oidc', 'Client secret') }}</label>
 			<input id="oidc-client-secret"
 				v-model="localProvider.clientSecret"
-				:placeholder="update ? t('user_oidc', 'Leave empty to keep existing') : null"
+				:placeholder="clientSecretPlaceholder"
 				type="text"
-				:required="!update"
+				:disabled="localProvider.settings.usePrivateKeyJwt"
+				:required="!update && !localProvider.settings.usePrivateKeyJwt"
 				autocomplete="off">
 		</p>
 		<p class="settings-hint warning-hint">
@@ -392,6 +400,14 @@ export default {
 		identifierLength() {
 			return this.localProvider.identifier.length
 		},
+		clientSecretPlaceholder() {
+			if (this.localProvider.settings.usePrivateKeyJwt) {
+				return t('user_oidc', 'Not used with private key JWT authentication')
+			}
+			return this.update
+				? t('user_oidc', 'Leave empty to keep existing')
+				: null
+		},
 	},
 	created() {
 		this.localProvider = this.provider

tests/unit/Service/ProviderServiceTest.php

@@ -89,6 +89,7 @@ public function testGetProvidersWithSettings() {
 					'mappingBirthdate' => '1',
 					'uniqueUid' => true,
 					'checkBearer' => true,
+					'usePrivateKeyJwt' => true,
 					'bearerProvisioning' => true,
 					'sendIdTokenHint' => true,
 					'extraClaims' => '1',
@@ -135,6 +136,7 @@ public function testGetProvidersWithSettings() {
 					'mappingBirthdate' => '1',
 					'uniqueUid' => true,
 					'checkBearer' => true,
+					'usePrivateKeyJwt' => true,
 					'bearerProvisioning' => true,
 					'sendIdTokenHint' => true,
 					'extraClaims' => '1',
@@ -157,6 +159,7 @@ public function testSetSettings() {
 			'mappingGroups' => 'groups',
 			'uniqueUid' => true,
 			'checkBearer' => false,
+			'usePrivateKeyJwt' => false,
 			'bearerProvisioning' => false,
 			'sendIdTokenHint' => true,
 			'extraClaims' => 'claim1 claim2',
@@ -216,6 +219,7 @@ public function testSetSettings() {
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_MAPPING_BIRTHDATE, '', 'birthdate'],
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_UNIQUE_UID, '', '1'],
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_CHECK_BEARER, '', '0'],
+				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_USE_PRIVATE_KEY_JWT, '', '0'],
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_BEARER_PROVISIONING, '', '0'],
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_SEND_ID_TOKEN_HINT, '', '1'],
 				[Application::APP_ID, 'provider-1-' . ProviderService::SETTING_EXTRA_CLAIMS, '', 'claim1 claim2'],