release (v1.8.11): fix(oidc): always send PKCE (S256) and treat empty secret as public client

2025-11-08 13:53:11 -05:00
parent c9a99506d7
commit 8f03cc7456
3 changed files with 32 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Changelog

+## Changes 11/8/2025 (v1.8.11)
+
+release (v1.8.11): fix(oidc): always send PKCE (S256) and treat empty secret as public client
+
+- Force PKCE via setCodeChallengeMethod('S256') so Authelia’s public-client policy is satisfied.
+- Convert empty OIDC client secret to null to correctly signal a public client.
+- Optional commented hook to switch token endpoint auth to client_secret_post if desired.
+- OIDC_TOKEN_ENDPOINT_AUTH_METHOD added to config.php
+
+---
+
 ## Changes 11/8/2025 (v1.8.10)

 release(v1.8.10): theme-aware media modal, stronger file drag-and-drop, unified progress color, and favicon overhaul
--- a/config/config.php
+++ b/config/config.php
@@ -33,6 +33,10 @@ define('ONLYOFFICE_DOCS_ORIGIN', 'http://192.168.1.61'); // your Document Server
 define('ONLYOFFICE_DEBUG', true);
 */

+if (!defined('OIDC_TOKEN_ENDPOINT_AUTH_METHOD')) {
+    define('OIDC_TOKEN_ENDPOINT_AUTH_METHOD', 'client_secret_basic'); // default
+}
+
 // Encryption helpers
 function encryptData($data, $encryptionKey)
 {
--- a/src/controllers/AuthController.php
+++ b/src/controllers/AuthController.php
@@ -57,12 +57,26 @@ class AuthController
            $oidcAction = 'callback';
        }
        if ($oidcAction) {
-            $cfg = AdminModel::getConfig();
+            $cfg          = AdminModel::getConfig();
+            $clientId     = $cfg['oidc']['clientId']     ?? null;
+            $clientSecret = $cfg['oidc']['clientSecret'] ?? null;
+            // When configured as a public client (no secret), pass null, not an empty string.
+            if ($clientSecret === '') { $clientSecret = null; }
+
            $oidc = new OpenIDConnectClient(
                $cfg['oidc']['providerUrl'],
-                $cfg['oidc']['clientId'],
-                $cfg['oidc']['clientSecret']
+                $clientId ?: null,
+                $clientSecret
            );
+
+            // Always send PKCE (S256). Required by Authelia for public clients, safe for confidential ones.
+            if (method_exists($oidc, 'setCodeChallengeMethod')) {
+                $oidc->setCodeChallengeMethod('S256');
+            }
+            // client_secret_post with Authelia using config.php
+            if (method_exists($oidc, 'setTokenEndpointAuthMethod') && OIDC_TOKEN_ENDPOINT_AUTH_METHOD) {
+                $oidc->setTokenEndpointAuthMethod(OIDC_TOKEN_ENDPOINT_AUTH_METHOD);
+            }
            $oidc->setRedirectURL($cfg['oidc']['redirectUri']);
            $oidc->addScope(['openid','profile','email']);