Previously it was possible to configure them through the UI, but they
were not passed into the configuration of the Omniauth provider at all.
Correct configuration also uncovered a bug in omniauth-openid-connect that
was fixed through an update of the gem.
Azure/Entra ID seems to return stringly typed
expiry dates under certain conditions. We'll now
also handle properly readable numeric strings.
Missing expiration times or non-numeric strings,
such as "banana", will be treated as not knowing
the expiration time.
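The expiry handling described in this commit, written out as an added example (this is not OpenProject's code, and `parse_expiry` / `expires_at_from` are hypothetical names): integers pass through, numeric strings as returned by Azure/Entra ID are converted, and anything else (missing value, "banana") yields nil, meaning the expiry is unknown.

```ruby
# Added example, not part of the project: normalise the token expiry an
# OpenID Connect provider returns into an Integer number of seconds, or
# nil when the expiry is unknown.
#
# Azure/Entra ID sometimes returns "3599" instead of 3599. Numeric
# strings are accepted; a missing value or a non-numeric string such as
# "banana" yields nil, which callers must treat as "expiry unknown"
# rather than "never expires".

# Strict decimal integer string, optional sign, no trailing garbage.
INTEGER_STRING = /\A[+-]?\d+\z/

def parse_expiry(value)
  case value
  when Integer
    value
  when String
    stripped = value.strip
    INTEGER_STRING.match?(stripped) ? Integer(stripped, 10) : nil
  else
    nil # nil, floats, hashes, ... : we do not know the expiry
  end
end

# Convert a relative `expires_in` lifetime into an absolute Time,
# preserving nil when the lifetime is unknown.
def expires_at_from(expires_in, now: Time.now)
  seconds = parse_expiry(expires_in)
  seconds && (now + seconds)
end

# Constructed sample token responses mimicking shapes seen from
# different providers (not captured from a real IdP).
SAMPLE_RESPONSES = {
  numeric:        { "access_token" => "at-1", "expires_in" => 3599 },
  numeric_string: { "access_token" => "at-2", "expires_in" => "3599" },
  missing:        { "access_token" => "at-3" },
  garbage:        { "access_token" => "at-4", "expires_in" => "banana" }
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_RESPONSES.each do |name, resp|
    puts "#{name}: #{parse_expiry(resp['expires_in']).inspect}"
  end
end
```

Returning nil instead of 0 or a default lifetime matters: a caller that sees nil should refresh or re-validate the token rather than assume it is still good.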
Some files were missing the corresponding comment before.
This change was effectively achieved through:
rubocop -A --only Style/FrozenStringLiteralComment,Layout/EmptyLineAfterMagicComment,Style/RedundantFreeze modules/openid_connect
Other parameters stored in the session are kind of optional,
but without the access token we can't create a user token.
The most popular case for a missing access token should be
that the login happened through a non-OIDC provider.
The hook we are using is firing for all kinds of omniauth
logins. By ensuring that we have a matching OpenIDConnect provider,
we know that we are currently performing an OIDC login, which is
the only case where we want to try storing OIDC tokens.
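The two guards from the preceding commits, as an added example (not OpenProject's code): the omniauth hook fires for every provider, so tokens are stored only when the provider is a configured OpenID Connect provider and an access token is present; refresh token, expiry and the back-channel logout session id stay optional. `OidcProviderRegistry` and `oidc_tokens_to_store` are hypothetical names; the auth hash mirrors the OmniAuth shape (`provider`, `credentials`).

```ruby
# Added example, not part of the project: decide whether an omniauth
# callback should result in OIDC tokens being stored.
require "set"

# Hypothetical stand-in for the configured OpenID Connect providers.
class OidcProviderRegistry
  def initialize(slugs)
    @slugs = slugs.to_set
  end

  # Returns the provider slug when it is a configured OIDC provider, else nil.
  def find(slug)
    @slugs.include?(slug) ? slug : nil
  end
end

# Returns the attributes to persist, or nil when nothing should be stored.
# `auth` follows the OmniAuth auth hash layout:
#   { "provider" => ..., "credentials" => { "token", "refresh_token", "expires_at" } }
def oidc_tokens_to_store(auth, registry:)
  provider = registry.find(auth["provider"])
  return nil unless provider # not an OIDC login (e.g. SAML, LDAP)

  credentials = auth["credentials"] || {}
  access_token = credentials["token"]
  # Without an access token no user token can be created; everything else is optional.
  return nil if access_token.nil? || access_token.empty?

  {
    provider: provider,
    access_token: access_token,
    refresh_token: credentials["refresh_token"],        # optional
    expires_at: credentials["expires_at"],              # optional
    sid: auth.dig("extra", "raw_info", "sid")           # optional: back-channel logout session id
  }
end

if $PROGRAM_NAME == __FILE__
  registry = OidcProviderRegistry.new(%w[keycloak entra])
  # Constructed sample auth hashes.
  [
    { "provider" => "keycloak", "credentials" => { "token" => "at", "refresh_token" => "rt" } },
    { "provider" => "saml", "credentials" => { "token" => "x" } },
    { "provider" => "entra", "credentials" => {} }
  ].each { |auth| p oidc_tokens_to_store(auth, registry: registry) }
end
```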
This commit provides an alternative implementation
for storing tokens compared to the parent commit.
The idea is that we will not only need to store access
and refresh tokens obtained via Omniauth, but also the ones
to access third party services that will most likely be obtained
through OAuth 2.0 Token Exchange. This structure allows storing
all of these tokens in the same data model, while keeping the
implementation separated from the back-channel logout logic.
Storing tokens in the database to have them available for
requests to third parties (e.g. Nextcloud) later.
The OIDC session is now marked as optional, since the
session link is also used to store access and refresh tokens
associated with the session. Those tokens might be present,
even if the session id (which belongs to the optional
OIDC Back-Channel Logout specification) is missing.