query WebFinger for the current OIDC issuer everytime we fetch the /.well-known/openid-configuration

kaivol · kaivol · commit 31745c49f42b · 2026-01-04T19:42:30.000+01:00
diff --git a/src/libsync/creds/oauth.cpp b/src/libsync/creds/oauth.cpp
@@ -34,6 +34,7 @@
 #include <QNetworkReply>
 #include <QPixmap>
 #include <QRandomGenerator>
+#include <ranges>
 
 using namespace std::chrono;
 using namespace std::chrono_literals;
@@ -537,68 +538,128 @@ void OAuth::fetchWellKnown()
         _wellKnownFinished = true;
         Q_EMIT fetchWellKnownFinished();
     } else {
-        qCDebug(lcOauth) << u"fetching" << wellKnownPathC;
+        QNetworkRequest webfingerReq;
+        webfingerReq.setAttribute(HttpCredentials::DontAddCredentialsAttribute, true);
+        webfingerReq.setUrl(
+            Utility::concatUrlPath(_serverUrl, QStringLiteral("/.well-known/webfinger"), {{QStringLiteral("resource"), _serverUrl.toString()}}));
+        webfingerReq.setTransferTimeout(defaultTimeoutMs());
 
-        QNetworkRequest req;
-        req.setAttribute(HttpCredentials::DontAddCredentialsAttribute, true);
-        req.setUrl(Utility::concatUrlPath(_serverUrl, wellKnownPathC));
-        req.setTransferTimeout(defaultTimeoutMs());
+        auto webfingerReply = _networkAccessManager->get(webfingerReq);
 
-        auto reply = _networkAccessManager->get(req);
+        connect(webfingerReply, &QNetworkReply::finished, this, [webfingerReply, this] {
+            if (webfingerReply->error() != QNetworkReply::NoError) {
+                Q_EMIT result(Error);
+                return;
+            }
 
-        connect(reply, &QNetworkReply::finished, this, [reply, this] {
-            _wellKnownFinished = true;
-            if (reply->error() != QNetworkReply::NoError) {
-                qCDebug(lcOauth) << u"failed to fetch .well-known reply, error:" << reply->error();
-                if (_isRefreshingToken) {
-                    Q_EMIT refreshError(reply->error(), reply->errorString());
-                } else {
-                    Q_EMIT result(Error);
-                }
+            const QString contentTypeHeader = webfingerReply->header(QNetworkRequest::ContentTypeHeader).toString();
+            if (!contentTypeHeader.contains(QStringLiteral("application/json"), Qt::CaseInsensitive)) {
+                qCWarning(lcOauth) << u"server sent invalid content type:" << contentTypeHeader;
+                Q_EMIT result(Error);
                 return;
             }
-            QJsonParseError err = {};
-            QJsonObject data = QJsonDocument::fromJson(reply->readAll(), &err).object();
-            if (err.error == QJsonParseError::NoError) {
-                _authEndpoint = QUrl::fromEncoded(data[QStringLiteral("authorization_endpoint")].toString().toUtf8());
-                _tokenEndpoint = QUrl::fromEncoded(data[QStringLiteral("token_endpoint")].toString().toUtf8());
-                _registrationEndpoint = QUrl::fromEncoded(data[QStringLiteral("registration_endpoint")].toString().toUtf8());
-
-                if (_clientSecret.isEmpty()) {
-                    _endpointAuthMethod = TokenEndpointAuthMethods::none;
-                } else {
-                    const auto authMethods = data.value(QStringLiteral("token_endpoint_auth_methods_supported")).toArray();
-                    if (authMethods.contains(QStringLiteral("none"))) {
-                        _endpointAuthMethod = TokenEndpointAuthMethods::none;
-                    } else if (authMethods.contains(QStringLiteral("client_secret_post"))) {
-                        _endpointAuthMethod = TokenEndpointAuthMethods::client_secret_post;
-                    } else if (authMethods.contains(QStringLiteral("client_secret_basic"))) {
-                        _endpointAuthMethod = TokenEndpointAuthMethods::client_secret_basic;
+
+            QJsonParseError error;
+            const auto doc = QJsonDocument::fromJson(webfingerReply->readAll(), &error);
+
+            // empty or invalid response
+            if (error.error != QJsonParseError::NoError || doc.isNull()) {
+                qCWarning(lcOauth) << u"could not parse JSON response from server";
+                Q_EMIT result(Error);
+                return;
+            }
+
+            // make sure the reported subject matches the requested resource
+            const auto subject = doc.object().value(QStringLiteral("subject"));
+            if (subject != _serverUrl.toString()) {
+                qCWarning(lcOauth) << u"reply sent for different subject (server):" << subject;
+                Q_EMIT result(Error);
+                return;
+            }
+
+            // check for an OIDC issuer in the list of links provided (we use the first that matches our conditions)
+            const auto links = doc.object().value(QStringLiteral("links")).toArray();
+            const auto objects = std::views::transform(links, [](const QJsonValueConstRef &object) { return object.toObject(); });
+            const auto link = std::ranges::find_if(objects, [](const QJsonObject &linkObject) {
+                return linkObject.value(QStringLiteral("rel")).toString() == QStringLiteral("http://openid.net/specs/connect/1.0/issuer");
+            });
+            if (link == objects.end()) {
+                qCWarning(lcOauth) << u"could not find suitable relation in WebFinger response";
+                Q_EMIT result(Error);
+                return;
+            }
+
+            auto const issuerUrl = (*link).value(QStringLiteral("href")).toString();
+            if (issuerUrl.isNull()) {
+                qCWarning(lcOauth) << u"could not find href in WebFinger response";
+                Q_EMIT result(Error);
+                return;
+            }
+
+            auto const oidcWellKnownUrl = Utility::concatUrlPath(QUrl(issuerUrl), wellKnownPathC);
+            qCDebug(lcOauth) << u"fetching" << oidcWellKnownUrl;
+
+            QNetworkRequest req;
+            req.setAttribute(HttpCredentials::DontAddCredentialsAttribute, true);
+            req.setUrl(oidcWellKnownUrl);
+            req.setTransferTimeout(defaultTimeoutMs());
+
+            auto reply = _networkAccessManager->get(req);
+
+            connect(reply, &QNetworkReply::finished, this, [reply, this] {
+                _wellKnownFinished = true;
+                if (reply->error() != QNetworkReply::NoError) {
+                    qCDebug(lcOauth) << u"failed to fetch .well-known reply, error:" << reply->error();
+                    if (_isRefreshingToken) {
+                        Q_EMIT refreshError(reply->error(), reply->errorString());
                     } else {
-                        OC_ASSERT_X(
-                            false, qPrintable(QStringLiteral("Unsupported token_endpoint_auth_methods_supported: %1").arg(QDebug::toString(authMethods))));
+                        Q_EMIT result(Error);
                     }
+                    return;
                 }
-                const auto promtValuesSupported = data.value(QStringLiteral("prompt_values_supported")).toArray();
-                if (!promtValuesSupported.isEmpty()) {
-                    _supportedPromtValues = PromptValuesSupported::none;
-                    for (const auto &x : promtValuesSupported) {
-                        const auto flag = Utility::stringToEnum<PromptValuesSupported>(x.toString());
-                        // only use flags present in Theme::instance()->openIdConnectPrompt()
-                        if (flag & defaultOauthPromtValue())
-                            _supportedPromtValues |= flag;
+                QJsonParseError err = {};
+                QJsonObject data = QJsonDocument::fromJson(reply->readAll(), &err).object();
+                if (err.error == QJsonParseError::NoError) {
+                    _authEndpoint = QUrl::fromEncoded(data[QStringLiteral("authorization_endpoint")].toString().toUtf8());
+                    _tokenEndpoint = QUrl::fromEncoded(data[QStringLiteral("token_endpoint")].toString().toUtf8());
+                    _registrationEndpoint = QUrl::fromEncoded(data[QStringLiteral("registration_endpoint")].toString().toUtf8());
+
+                    if (_clientSecret.isEmpty()) {
+                        _endpointAuthMethod = TokenEndpointAuthMethods::none;
+                    } else {
+                        const auto authMethods = data.value(QStringLiteral("token_endpoint_auth_methods_supported")).toArray();
+                        if (authMethods.contains(QStringLiteral("none"))) {
+                            _endpointAuthMethod = TokenEndpointAuthMethods::none;
+                        } else if (authMethods.contains(QStringLiteral("client_secret_post"))) {
+                            _endpointAuthMethod = TokenEndpointAuthMethods::client_secret_post;
+                        } else if (authMethods.contains(QStringLiteral("client_secret_basic"))) {
+                            _endpointAuthMethod = TokenEndpointAuthMethods::client_secret_basic;
+                        } else {
+                            OC_ASSERT_X(
+                                false, qPrintable(QStringLiteral("Unsupported token_endpoint_auth_methods_supported: %1").arg(QDebug::toString(authMethods))));
+                        }
+                    }
+                    const auto promtValuesSupported = data.value(QStringLiteral("prompt_values_supported")).toArray();
+                    if (!promtValuesSupported.isEmpty()) {
+                        _supportedPromtValues = PromptValuesSupported::none;
+                        for (const auto &x : promtValuesSupported) {
+                            const auto flag = Utility::stringToEnum<PromptValuesSupported>(x.toString());
+                            // only use flags present in Theme::instance()->openIdConnectPrompt()
+                            if (flag & defaultOauthPromtValue())
+                                _supportedPromtValues |= flag;
+                        }
                     }
-                }
 
-                qCDebug(lcOauth) << u"parsing .well-known reply successful, auth endpoint" << _authEndpoint << u"and token endpoint" << _tokenEndpoint
-                                 << u"and registration endpoint" << _registrationEndpoint;
-            } else if (err.error == QJsonParseError::IllegalValue) {
-                qCDebug(lcOauth) << u"failed to parse .well-known reply as JSON, server might not support OIDC";
-            } else {
-                qCDebug(lcOauth) << u"failed to parse .well-known reply, error:" << err.error;
-                Q_EMIT result(Error);
-            }
-            Q_EMIT fetchWellKnownFinished();
+                    qCDebug(lcOauth) << u"parsing .well-known reply successful, auth endpoint" << _authEndpoint << u"and token endpoint" << _tokenEndpoint
+                                     << u"and registration endpoint" << _registrationEndpoint;
+                } else if (err.error == QJsonParseError::IllegalValue) {
+                    qCDebug(lcOauth) << u"failed to parse .well-known reply as JSON, server might not support OIDC";
+                } else {
+                    qCDebug(lcOauth) << u"failed to parse .well-known reply, error:" << err.error;
+                    Q_EMIT result(Error);
+                }
+                Q_EMIT fetchWellKnownFinished();
+            });
         });
     }
 }
