Merge pull request #1025 from nextcloud/fix/1024/no-token_refresh_expires_in

fix(token-refresh): handle missing attributes in login token

Author: julien-nc

docs/token_exchange.md

@@ -6,6 +6,13 @@
 
 If your IdP supports token exchange, user_oidc can exchange the login token against another token.
 
+:warning: The token exchange feature is disabled by default. You can enable it in `config.php`:
+``` php
+'user_oidc' => [
+    'token_exchange' => true,
+],
+```
+
 Keycloak supports token exchange if its "Preview" mode is enabled. See https://www.keycloak.org/securing-apps/token-exchange .
 
 :warning: Your IdP need to be configured accordingly. For example, Keycloak requires that token exchange is explicitely

lib/Controller/LoginController.php

@@ -518,12 +518,15 @@ public function code(string $state = '', string $code = '', string $scope = '',
 			$this->eventDispatcher->dispatchTyped(new UserLoggedInEvent($user, $user->getUID(), null, false));
 		}
 
-		// store all token information for potential token exchange requests
-		$tokenData = array_merge(
-			$data,
-			['provider_id' => $providerId],
-		);
-		$this->tokenService->storeToken($tokenData);
+		$tokenExchangeEnabled = (isset($oidcSystemConfig['token_exchange']) && $oidcSystemConfig['token_exchange'] === true);
+		if ($tokenExchangeEnabled) {
+			// store all token information for potential token exchange requests
+			$tokenData = array_merge(
+				$data,
+				['provider_id' => $providerId],
+			);
+			$this->tokenService->storeToken($tokenData);
+		}
 		$this->config->setUserValue($user->getUID(), Application::APP_ID, 'had_token_once', '1');
 
 		// Set last password confirm to the future as we don't have passwords to confirm against with SSO

lib/Model/Token.php

@@ -15,17 +15,17 @@ class Token implements JsonSerializable {
 	private ?string $idToken;
 	private string $accessToken;
 	private int $expiresIn;
-	private int $refreshExpiresIn;
-	private string $refreshToken;
+	private ?int $refreshExpiresIn;
+	private ?string $refreshToken;
 	private int $createdAt;
 	private ?int $providerId;
 
 	public function __construct(array $tokenData) {
 		$this->idToken = $tokenData['id_token'] ?? null;
 		$this->accessToken = $tokenData['access_token'];
 		$this->expiresIn = $tokenData['expires_in'];
-		$this->refreshExpiresIn = $tokenData['refresh_expires_in'];
-		$this->refreshToken = $tokenData['refresh_token'];
+		$this->refreshExpiresIn = $tokenData['refresh_expires_in'] ?? null;
+		$this->refreshToken = $tokenData['refresh_token'] ?? null;
 		$this->createdAt = $tokenData['created_at'] ?? time();
 		$this->providerId = $tokenData['provider_id'] ?? null;
 	}
@@ -47,16 +47,21 @@ public function getExpiresInFromNow(): int {
 		return $expiresAt - time();
 	}
 
-	public function getRefreshExpiresIn(): int {
+	public function getRefreshExpiresIn(): ?int {
 		return $this->refreshExpiresIn;
 	}
 
 	public function getRefreshExpiresInFromNow(): int {
+		// if there is no refresh_expires_in, we assume the refresh token never expires
+		// so we don't need getRefreshExpiresInFromNow
+		if ($this->refreshExpiresIn === null) {
+			return 0;
+		}
 		$refreshExpiresAt = $this->createdAt + $this->refreshExpiresIn;
 		return $refreshExpiresAt - time();
 	}
 
-	public function getRefreshToken(): string {
+	public function getRefreshToken(): ?string {
 		return $this->refreshToken;
 	}
 
@@ -73,10 +78,18 @@ public function isExpiring(): bool {
 	}
 
 	public function refreshIsExpired(): bool {
+		// if there is no refresh_expires_in, we assume the refresh token never expires
+		if ($this->refreshExpiresIn === null) {
+			return false;
+		}
 		return time() > ($this->createdAt + $this->refreshExpiresIn);
 	}
 
 	public function refreshIsExpiring(): bool {
+		// if there is no refresh_expires_in, we assume the refresh token never expires
+		if ($this->refreshExpiresIn === null) {
+			return false;
+		}
 		return time() > ($this->createdAt + (int)($this->refreshExpiresIn / 2));
 	}
 

lib/Service/TokenService.php

@@ -84,8 +84,8 @@ public function getToken(bool $refreshIfExpired = true): ?Token {
 		}
 
 		// token has expired
-		// try to refresh the token if the refresh token is still valid
-		if ($refreshIfExpired && !$token->refreshIsExpired()) {
+		// try to refresh the token if there is a refresh token and it is still valid
+		if ($refreshIfExpired && $token->getRefreshToken() !== null && !$token->refreshIsExpired()) {
 			$this->logger->debug('[TokenService] getToken: token is expired and refresh token is still valid, refresh expires in ' . $token->getRefreshExpiresInFromNow());
 			return $this->refresh($token);
 		}
@@ -102,6 +102,12 @@ public function getToken(bool $refreshIfExpired = true): ?Token {
 	 * @throws PreConditionNotMetException
 	 */
 	public function checkLoginToken(): void {
+		$oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
+		$tokenExchangeEnabled = (isset($oidcSystemConfig['token_exchange']) && $oidcSystemConfig['token_exchange'] === true);
+		if (!$tokenExchangeEnabled) {
+			return;
+		}
+
 		$currentUser = $this->userSession->getUser();
 		if (!$this->userSession->isLoggedIn() || $currentUser === null) {
 			$this->logger->debug('[TokenService] checkLoginToken: user not logged in');
@@ -212,6 +218,15 @@ public function decodeIdToken(Token $token): array {
 	 * @throws \JsonException
 	 */
 	public function getExchangedToken(string $targetAudience): Token {
+		$oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
+		$tokenExchangeEnabled = (isset($oidcSystemConfig['token_exchange']) && $oidcSystemConfig['token_exchange'] === true);
+		if (!$tokenExchangeEnabled) {
+			throw new TokenExchangeFailedException(
+				'Failed to exchange token, the token exchange feature is disabled. It can be enabled in config.php',
+				0,
+			);
+		}
+
 		$loginToken = $this->getToken();
 		if ($loginToken === null) {
 			$this->logger->debug('[TokenService] Failed to exchange token, no login token found in the session');