nextcloud · SagarGi · Dec 31, 2024 · Dec 31, 2024 · Jan 6, 2025 · Jan 7, 2025
diff --git a/.github/workflows/shared_workflow.yml b/.github/workflows/shared_workflow.yml
@@ -116,10 +116,12 @@ jobs:
       - name: PHP & Vue Unit Tests
         run: |
           git clone --depth 1 https://github.com/nextcloud/groupfolders.git -b ${{ matrix.nextcloudVersion }} server/apps/groupfolders
+          git clone --depth 1 https://github.com/nextcloud/user_oidc.git server/apps/user_oidc
           mkdir -p server/apps/integration_openproject
           cp -r `ls -A | grep -v 'server'` server/apps/integration_openproject/
           cd server
           ./occ a:e groupfolders
+          ./occ a:e user_oidc
           ./occ a:e integration_openproject
           cd apps/integration_openproject
           # The following if block can be removed once Nextcloud no longer supports PHP 8.0

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased]
 ### Changed
 - Add application's support for Nextcloud 31
+- Add support for OIDC-based connection between Nextcloud and OpenProject
 
 ## 2.7.2 - 2024-12-16
 ### Fixed

diff --git a/lib/Controller/ConfigController.php b/lib/Controller/ConfigController.php
@@ -142,6 +142,30 @@ public function clearUserInfo(string $userId = null) {
 		$this->config->deleteUserValue($userId, Application::APP_ID, 'refresh_token');
 	}
 
+	/**
+	 * @return void
+	 */
+	public function resetOauth2Configs(): void {
+		// for oauth2 reset we reset openproject client credential as well as nextcloud client credential
+		$this->config->setAppValue(Application::APP_ID, 'openproject_client_id', "");
+		$this->config->setAppValue(Application::APP_ID, 'openproject_client_secret', "");
+		$this->deleteOauthClient();
+	}
+
+	/**
+	 * @return void
+	 */
+	public function resetOIDCConfigs(string $userId = null): void {
+		if ($userId === null) {
+			$userId = $this->userId;
+		}
+		$this->config->setAppValue(Application::APP_ID, 'oidc_provider', "");
+		$this->config->setAppValue(Application::APP_ID, 'targeted_audience_client_id', "");
+		$this->config->deleteUserValue($userId, Application::APP_ID, 'user_id');
+		$this->config->deleteUserValue($userId, Application::APP_ID, 'user_name');
+	}
+
+
 	/**
 	 * set config values
 	 * @NoAdminRequired
@@ -184,6 +208,9 @@ public function setConfig(array $values): DataResponse {
 	private function setIntegrationConfig(array $values): array {
 		$allowedKeys = [
 			'openproject_instance_url',
+			'authorization_method',
+			'oidc_provider',
+			'targeted_audience_client_id',
 			'openproject_client_id',
 			'openproject_client_secret',
 			'default_enable_navigation',
@@ -233,17 +260,72 @@ private function setIntegrationConfig(array $values): array {
 				);
 			}
 		}
-
+		$oldClientId = $oldClientSecret = '';
 		$oldOpenProjectOauthUrl = $this->config->getAppValue(
 			Application::APP_ID, 'openproject_instance_url', ''
 		);
-		$oldClientId = $this->config->getAppValue(
-			Application::APP_ID, 'openproject_client_id', ''
+		$oldAuthMethod = $this->config->getAppValue(
+			Application::APP_ID, 'authorization_method', ''
 		);
-		$oldClientSecret = $this->config->getAppValue(
-			Application::APP_ID, 'openproject_client_secret', ''
+		// when 'openproject_instance_url' && 'authorization_method' does not have a value at the same time,
+		// it means a full reset is done
+		$runningFullReset = key_exists('openproject_instance_url', $values) &&
+			key_exists('authorization_method', $values) &&
+			!$values['openproject_instance_url'] &&
+			!$values['authorization_method'];
+
+		// determine if the full reset is done when configuration is already with "oauth2"
+		$runningFullResetWithOAuth2Auth = (
+			$runningFullReset &&
+			$oldAuthMethod === OpenProjectAPIService::AUTH_METHOD_OAUTH
 		);
 
+		// determine if the full reset is done when configuration is already with "oidc"
+		$runningFullResetWithOIDCAuth = (
+			$runningFullReset &&
+			$oldAuthMethod === OpenProjectAPIService::AUTH_METHOD_OIDC
+		);
+		if (
+			(key_exists('openproject_client_id', $values) && key_exists('openproject_client_secret', $values))
+		) {
+			$oldClientId = $this->config->getAppValue(
+				Application::APP_ID, 'openproject_client_id', ''
+			);
+			$oldClientSecret = $this->config->getAppValue(
+				Application::APP_ID, 'openproject_client_secret', ''
+			);
+		}
+		// since we can now switch between both authorization method we need to know what we are resetting (either "oauth2" or "oidc" method)
+		// determines if we are switching from "oauth2" to "oidc" auth method
+		$runningOauth2Reset = (
+			key_exists('openproject_client_id', $values) &&
+			!$values['openproject_client_id'] &&
+			key_exists('openproject_client_secret', $values) &&
+			!$values['openproject_client_secret'] &&
+			$oldOpenProjectOauthUrl &&
+			$oldClientId &&
+			$oldClientSecret
+		);
+
+		// determines if we are switching from "oidc" to "oauth2" auth method
+		$runningOIDCReset = false;
+		if (
+			key_exists('oidc_provider', $values) &&
+			key_exists('targeted_audience_client_id', $values)
+		) {
+			$oldOidcProvider = $this->config->getAppValue(
+				Application::APP_ID, 'oidc_provider', ''
+			);
+			$oldTargetedAudienceClient = $this->config->getAppValue(
+				Application::APP_ID, 'targeted_audience_client_id', ''
+			);
+			$runningOIDCReset = (
+				$oldOidcProvider &&
+				$oldTargetedAudienceClient &&
+				!$values['oidc_provider'] &&
+				!$values['targeted_audience_client_id']);
+		}
+
 		foreach ($values as $key => $value) {
 			if ($key === 'setup_project_folder' || $key === 'setup_app_password') {
 				continue;
@@ -253,7 +335,7 @@ private function setIntegrationConfig(array $values): array {
 
 		// if the OpenProject OAuth URL has changed
 		if (key_exists('openproject_instance_url', $values)
-			&& $oldOpenProjectOauthUrl !== $values['openproject_instance_url']
+			&& $oldOpenProjectOauthUrl !== $values['openproject_instance_url'] && (!$runningOIDCReset || !$runningFullResetWithOIDCAuth)
 		) {
 			// delete the existing OAuth client if new OAuth URL is passed empty
 			if (
@@ -272,22 +354,6 @@ private function setIntegrationConfig(array $values): array {
 			}
 		}
 
-		$runningFullReset = (
-
-			key_exists('openproject_instance_url', $values) &&
-
-			key_exists('openproject_client_id', $values) &&
-
-			key_exists('openproject_client_secret', $values) &&
-
-			$values['openproject_instance_url'] === null &&
-
-			$values['openproject_client_id'] === null &&
-
-			$values['openproject_client_secret'] === null
-
-		);
-
 		// resetting and keeping the project folder setup should delete the user app password
 		if (key_exists('setup_app_password', $values) && $values['setup_app_password'] === false) {
 			$this->openprojectAPIService->deleteAppPassword();
@@ -301,10 +367,11 @@ private function setIntegrationConfig(array $values): array {
 		$this->config->deleteAppValue(Application::APP_ID, 'oPOAuthTokenRevokeStatus');
 		if (
 			// when the OP client information has changed
-			((key_exists('openproject_client_id', $values) && $values['openproject_client_id'] !== $oldClientId) ||
-				(key_exists('openproject_client_secret', $values) && $values['openproject_client_secret'] !== $oldClientSecret)) ||
-			// when the OP client information is for reset
-			$runningFullReset
+			(!$runningFullResetWithOIDCAuth && ((key_exists('openproject_client_id', $values) && $values['openproject_client_id'] !== $oldClientId) ||
+						(key_exists('openproject_client_secret', $values) && $values['openproject_client_secret'] !== $oldClientSecret))) ||
+			// when the OP client information is reset
+			$runningFullResetWithOAuth2Auth ||
+			$runningOauth2Reset
 		) {
 			$this->userManager->callForAllUsers(function (IUser $user) use (
 				$oldOpenProjectOauthUrl, $oldClientId, $oldClientSecret
@@ -346,6 +413,8 @@ private function setIntegrationConfig(array $values): array {
 				}
 				$this->clearUserInfo($userUID);
 			});
+		} elseif ($runningFullResetWithOIDCAuth) {
+			$this->resetOIDCConfigs();
 		}
 
 
@@ -362,6 +431,18 @@ private function setIntegrationConfig(array $values): array {
 			$this->config->setAppValue(Application::APP_ID, 'fresh_project_folder_setup', "0");
 		}
 
+		// when switching from "oauth2" to "oidc" authorization method
+		if (key_exists('authorization_method', $values) &&
+			$values['authorization_method'] === OpenProjectAPIService::AUTH_METHOD_OIDC && $runningOauth2Reset) {
+			$this->resetOauth2Configs();
+		}
+
+		// when switching from "oidc" to "oauth2" authorization method
+		if (key_exists('authorization_method', $values) &&
+			$values['authorization_method'] === OpenProjectAPIService::AUTH_METHOD_OAUTH && $runningOIDCReset) {
+			$this->resetOIDCConfigs();
+		}
+
 		// if the revoke has failed at least once, the last status is stored in the database
 		// this is not a neat way to give proper information about the revoke status
 		// TODO: find way to report every user's revoke status
@@ -604,13 +685,12 @@ public function checkConfig(): DataResponse {
 	 * @return DataResponse
 	 */
 	public function checkAdminConfigOk(): DataResponse {
-		$adminConfigStatusWithoutGroupFolderSetupStatus = OpenProjectAPIService::isAdminConfigOk($this->config);
 		$appPasswordSetStatus = $this->openprojectAPIService->hasAppPassword();
 		// Admin config can be set in two parts
 		// 1. config without project folder set up (which is compulsory for integration)
 		// 2. config with project folder set up (which is optional for admin)
 		return new DataResponse([
-			'config_status_without_project_folder' => $adminConfigStatusWithoutGroupFolderSetupStatus,
+			'config_status_without_project_folder' => OpenProjectAPIService::isAdminConfigOk($this->config),
 			'project_folder_setup_status' => $appPasswordSetStatus
 		]);
 	}