tests

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

lib/Controller/LoginController.php

@@ -21,6 +21,7 @@
 use OCA\UserOIDC\Event\TokenObtainedEvent;
 use OCA\UserOIDC\Helper\HttpClientHelper;
 use OCA\UserOIDC\Service\DiscoveryService;
+use OCA\UserOIDC\Service\JweService;
 use OCA\UserOIDC\Service\JwkService;
 use OCA\UserOIDC\Service\LdapService;
 use OCA\UserOIDC\Service\OIDCService;
@@ -93,6 +94,7 @@ public function __construct(
 		private TokenService $tokenService,
 		private OidcService $oidcService,
 		private JwkService $jwkService,
+		private JweService $jweService,
 	) {
 		parent::__construct($request, $config, $l10n);
 	}
@@ -181,6 +183,8 @@ public function login(int $providerId, ?string $redirectUrl = null) {
 		$this->session->set(self::NONCE, $nonce);
 
 		$oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
+		// TODO add config param to force PKCE even if not supported in discovery
+		// condition becomes: ($isPkceSupported || $force) && ($oidcSystemConfig['use_pkce'] ?? true)
 		$isPkceSupported = in_array('S256', $discovery['code_challenge_methods_supported'] ?? [], true);
 		$isPkceEnabled = $isPkceSupported && ($oidcSystemConfig['use_pkce'] ?? true);
 
@@ -450,11 +454,27 @@ public function code(string $state = '', string $code = '', string $scope = '',
 		}
 
 		$data = json_decode($body, true);
-		$this->logger->debug('Received code response: ' . json_encode($data, JSON_THROW_ON_ERROR));
+		$this->logger->warning('Received code response: ' . json_encode($data, JSON_THROW_ON_ERROR));
 		$this->eventDispatcher->dispatchTyped(new TokenObtainedEvent($data, $provider, $discovery));
 
 		// TODO: proper error handling
 		$idTokenRaw = $data['id_token'];
+		if ($usePrivateKeyJwt) {
+			// we could check the header there
+			// if kid is our private JWK, we have a JWE to decrypt
+			// if typ=JWT, we have a classic JWT to decode
+			$jwtParts = explode('.', $idTokenRaw, 3);
+			$jwtHeader = json_decode(JWT::urlsafeB64Decode($jwtParts[0]), true);
+			$this->logger->warning('JWT HEADER', ['jwt_header' => $jwtHeader]);
+			if (isset($jwtHeader['typ']) && $jwtHeader['typ'] === 'JWT') {
+				// we have a JWT
+			} elseif (isset($jwtHeader['cty']) && $jwtHeader['cty'] === 'JWT') {
+				// we have a JWE
+			}
+
+			// $dec = $this->jweService->decryptSerializedJwe($idTokenRaw);
+			// $this->logger->warning('decrypted JWE', ['decrypted_jwe' => json_decode($dec, true)]);
+		}
 		$jwks = $this->discoveryService->obtainJWK($provider, $idTokenRaw);
 		JWT::$leeway = 60;
 		try {

lib/Service/JweService.php

@@ -41,7 +41,7 @@ public function __construct(
 	 * @param string $contentEncryptionAlg the algorithm to use for the content encryption
 	 * @return string
 	 */
-	public function createSerializedJwe(
+	public function createSerializedJweWithKey(
 		array $payloadArray, array $encryptionJwk,
 		string $keyEncryptionAlg = JwkService::PEM_ENC_KEY_ALGORITHM,
 		string $contentEncryptionAlg = self::CONTENT_ENCRYPTION_ALGORITHM,
@@ -94,7 +94,7 @@ public function createSerializedJwe(
 	 * @return string
 	 * @throws \Exception
 	 */
-	public function decryptSerializedJwe(string $serializedJwe, array $jwkArray): string {
+	public function decryptSerializedJweWithKey(string $serializedJwe, array $jwkArray): string {
 		$algorithmManager = new AlgorithmManager([
 			new A256KW(),
 			new A256CBCHS512(),
@@ -162,6 +162,24 @@ public function decryptSerializedJwe(string $serializedJwe, array $jwkArray): st
 		return $payload;
 	}
 
+	public function decryptSerializedJwe(string $serializedJwe): string {
+		$myPemEncryptionKey = $this->jwkService->getMyEncryptionKey(true);
+		$sslEncryptionKey = openssl_pkey_get_private($myPemEncryptionKey);
+		$sslEncryptionKeyDetails = openssl_pkey_get_details($sslEncryptionKey);
+		$encPrivJwk = $this->jwkService->getJwkFromSslKey($sslEncryptionKeyDetails, isEncryptionKey: true, includePrivateKey: true);
+
+		return $this->decryptSerializedJweWithKey($serializedJwe, $encPrivJwk);
+	}
+
+	public function createSerializedJwe(array $payloadArray): string {
+		$myPemEncryptionKey = $this->jwkService->getMyEncryptionKey(true);
+		$sslEncryptionKey = openssl_pkey_get_private($myPemEncryptionKey);
+		$sslEncryptionKeyDetails = openssl_pkey_get_details($sslEncryptionKey);
+		$encPublicJwk = $this->jwkService->getJwkFromSslKey($sslEncryptionKeyDetails, isEncryptionKey: true);
+
+		return $this->createSerializedJweWithKey($payloadArray, $encPublicJwk);
+	}
+
 	public function debug(): array {
 		$myPemEncryptionKey = $this->jwkService->getMyEncryptionKey(true);
 		$sslEncryptionKey = openssl_pkey_get_private($myPemEncryptionKey);
@@ -185,12 +203,17 @@ public function debug(): array {
 		$serializedJweToken = $this->createSerializedJwe($payloadArray, $exampleJwkArray);
 		$decryptedJweString = $this->decryptSerializedJwe($serializedJweToken, $exampleJwkArray);
 		*/
-		$serializedJweToken = $this->createSerializedJwe($payloadArray, $encPublicJwk);
-		$decryptedJweString = $this->decryptSerializedJwe($serializedJweToken, $encPrivJwk);
+		$serializedJweToken = $this->createSerializedJweWithKey($payloadArray, $encPublicJwk);
+		$jwtParts = explode('.', $serializedJweToken, 3);
+		$jwtHeader = json_decode(base64_decode($jwtParts[0]), true);
+		$decryptedJweString = $this->decryptSerializedJweWithKey($serializedJweToken, $encPrivJwk);
 
 		return [
+			'public_key' => $encPublicJwk,
+			'private_key' => $encPrivJwk,
 			'input_payloadArray' => $payloadArray,
 			'input_serializedJweToken' => $serializedJweToken,
+			'jwe_header' => $jwtHeader,
 			'output_payloadArray' => json_decode($decryptedJweString, true),
 		];
 	}

tests/unit/Service/JweServiceTest.php

@@ -45,8 +45,8 @@ public function testJweEncryptionDecryption() {
 			'aud' => 'Your application',
 		];
 
-		$serializedJweToken = $this->jweService->createSerializedJwe($inputPayloadArray, $encPublicJwk);
-		$decryptedJweString = $this->jweService->decryptSerializedJwe($serializedJweToken, $encPrivJwk);
+		$serializedJweToken = $this->jweService->createSerializedJweWithKey($inputPayloadArray, $encPublicJwk);
+		$decryptedJweString = $this->jweService->decryptSerializedJweWithKey($serializedJweToken, $encPrivJwk);
 
 		$outputPayloadArray = json_decode($decryptedJweString, true);
 		$this->assertEquals($inputPayloadArray, $outputPayloadArray);