From: Aki Tuomi
Date: Mon, 15 May 2023 08:51:19 +0000 (+0300)
Subject: auth: mech-oauth2 - Look for openid configuration URL if missing
X-Git-Tag: 2.3.21~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=59647f483c49c9e54c43cade168bf10f44a49292;p=thirdparty%2Fdovecot%2Fcore.git

auth: mech-oauth2 - Look for openid configuration URL if missing
---

diff --git a/src/auth/mech-oauth2.c b/src/auth/mech-oauth2.c
index 1b145674b3..c51d16f73f 100644
--- a/src/auth/mech-oauth2.c
+++ b/src/auth/mech-oauth2.c
@@ -14,6 +14,29 @@ struct oauth2_auth_request {
 	bool failed;
 };
 
+static bool oauth2_find_oidc_url(struct auth_request *req, const char **url_r)
+{
+	struct auth_passdb *db = req->passdb;
+	if (req->openid_config_url != NULL) {
+		*url_r = req->openid_config_url;
+		return TRUE;
+	}
+
+	/* keep looking until you get a value */
+	for (; db != NULL; db = db->next) {
+		if (strcmp(db->passdb->iface.name, "oauth2") == 0) {
+			const char *url =
+				passdb_oauth2_get_oidc_url(req->passdb->passdb);
+			if (url == NULL || *url == '\0')
+				continue;
+			*url_r = url;
+			return TRUE;
+		}
+	}
+
+	return FALSE;
+}
+
 /* RFC5801 based unescaping */
 static bool oauth2_unescape_username(const char *in, const char **username_r)
 {
@@ -44,6 +67,7 @@ static void oauth2_verify_callback(enum passdb_result result,
 {
 	struct oauth2_auth_request *oauth2_req =
 		(struct oauth2_auth_request*)request;
+	const char *oidc_url;
 
 	i_assert(result == PASSDB_RESULT_OK || error_fields != NULL);
 	switch (result) {
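Review bot: The loop in oauth2_find_oidc_url matches `db->passdb->iface.name` against "oauth2" but then calls `passdb_oauth2_get_oidc_url(req->passdb->passdb)`, i.e. it always hands over the first passdb in the chain rather than the one that just matched; if that first passdb is not an oauth2 backend, the callee's container_of reinterprets a foreign module struct and reads `module->db` from it, and an oauth2 passdb further down the chain is never consulted. The call should use the loop variable, `passdb_oauth2_get_oidc_url(db->passdb);`. Separately, the early `req->openid_config_url != NULL` return does not reject an empty string while the loop does (`*url == '\0'`), so an empty configured URL on the request is emitted as `"openid-configuration":""` instead of falling through to the passdb lookup; `if (req->openid_config_url != NULL && *req->openid_config_url != '\0')` would make the two paths agree. The "keep looking" comment would also be clearer as `/* no URL on the request: take it from the first oauth2 passdb in the chain that has one */`.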
@@ -76,11 +100,11 @@ static void oauth2_verify_callback(enum passdb_result result, This **must** be removed from here and db-oauth2 once the validation result et al is handled here. */ - if (request->openid_config_url != NULL) { + if (oauth2_find_oidc_url(request, &oidc_url)) { if (str_len(error) > 0) str_append_c(error, ','); str_printfa(error, "\"openid-configuration\":\""); - json_append_escaped(error, request->openid_config_url); + json_append_escaped(error, oidc_url); str_append_c(error, '"'); } str_append_c(error, '}'); diff --git a/src/auth/passdb-oauth2.c b/src/auth/passdb-oauth2.c index 000d1ec6e8..e52a73f573 100644 --- a/src/auth/passdb-oauth2.c +++ b/src/auth/passdb-oauth2.c @@ -67,6 +67,16 @@ static void oauth2_deinit(struct passdb_module *passdb) db_oauth2_unref(&module->db); } +/* FIXME: Remove when oauth2 mech is fixed */ +const char *passdb_oauth2_get_oidc_url(struct passdb_module *passdb) +{ + struct oauth2_passdb_module *module = + container_of(passdb, struct oauth2_passdb_module, module); + if (module->db != NULL) + return db_oauth2_get_openid_configuration_url(module->db); + return NULL; +} + struct passdb_module_interface passdb_oauth2 = { "oauth2", diff --git a/src/auth/passdb.h b/src/auth/passdb.h index b405aa7e3f..f9b33ea81f 100644 --- a/src/auth/passdb.h +++ b/src/auth/passdb.h @@ -116,6 +116,8 @@ void passdbs_generate_md5(unsigned char md5[STATIC_ARRAY MD5_RESULTLEN]); void passdbs_init(void); void passdbs_deinit(void); +const char *passdb_oauth2_get_oidc_url(struct passdb_module *passdb); + #include "auth-request.h" #endif
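Review bot: passdb_oauth2_get_oidc_url applies `container_of` to whatever `struct passdb_module *` it receives and dereferences `module->db`, with nothing in the function establishing that the module really is the oauth2 backend; now that it is non-static and exported via passdb.h, a caller passing another backend's module reads a field through the wrong struct layout. The only caller visible in this commit compares `iface.name` with "oauth2" first, so the precondition exists but lives only at the call site. I would enforce it in the callee with `i_assert(strcmp(passdb->iface.name, "oauth2") == 0);` before the container_of (assuming `iface` is a member of struct passdb_module, as the `db->passdb->iface.name` use in mech-oauth2.c suggests), and state it in the comment above the function, e.g. `/* FIXME: Remove when oauth2 mech is fixed. Caller must only pass a passdb whose iface is "oauth2". */`.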
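Review bot: The prototype added to passdb.h carries none of the FIXME that sits on its definition in passdb-oauth2.c, so a reader of the header sees a permanent, generic passdb API rather than a temporary hook for one mechanism. A one-line comment above the declaration, `/* FIXME: temporary helper for mech-oauth2; remove once the oauth2 mech handles validation itself. Only valid for an "oauth2" passdb. */`, keeps the intent and the precondition visible where other modules would pick the function up.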