joachim/FileRise
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

release (v1.8.11): fix(oidc): always send PKCE (S256) and treat empty secret as public client

Browse Source
This commit is contained in:
Ryan
2025-11-08 13:53:11 -05:00
committed by GitHub
parent c9a99506d7
commit 8f03cc7456
3 changed files with 32 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
CHANGELOG.md
View File

@@ -1,5 +1,16 @@
# Changelog # Changelog
## Changes 11/8/2025 (v1.8.11)
release (v1.8.11): fix(oidc): always send PKCE (S256) and treat empty secret as public client
- Force PKCE via setCodeChallengeMethod('S256') so Authelias public-client policy is satisfied.
- Convert empty OIDC client secret to null to correctly signal a public client.
- Optional commented hook to switch token endpoint auth to client_secret_post if desired.
- OIDC_TOKEN_ENDPOINT_AUTH_METHOD added to config.php
---
## Changes 11/8/2025 (v1.8.10) ## Changes 11/8/2025 (v1.8.10)
release(v1.8.10): theme-aware media modal, stronger file drag-and-drop, unified progress color, and favicon overhaul release(v1.8.10): theme-aware media modal, stronger file drag-and-drop, unified progress color, and favicon overhaul

4
config/config.php
View File

@@ -33,6 +33,10 @@ define('ONLYOFFICE_DOCS_ORIGIN', 'http://192.168.1.61'); // your Document Server
define('ONLYOFFICE_DEBUG', true); define('ONLYOFFICE_DEBUG', true);
*/ */
if (!defined('OIDC_TOKEN_ENDPOINT_AUTH_METHOD')) {
define('OIDC_TOKEN_ENDPOINT_AUTH_METHOD', 'client_secret_basic'); // default
}
// Encryption helpers // Encryption helpers
function encryptData($data, $encryptionKey) function encryptData($data, $encryptionKey)
{ {

18
src/controllers/AuthController.php
View File

@@ -58,11 +58,25 @@ class AuthController
} }
if ($oidcAction) { if ($oidcAction) {
$cfg = AdminModel::getConfig(); $cfg = AdminModel::getConfig();
$clientId = $cfg['oidc']['clientId'] ?? null;
$clientSecret = $cfg['oidc']['clientSecret'] ?? null;
// When configured as a public client (no secret), pass null, not an empty string.
if ($clientSecret === '') { $clientSecret = null; }
$oidc = new OpenIDConnectClient( $oidc = new OpenIDConnectClient(
$cfg['oidc']['providerUrl'], $cfg['oidc']['providerUrl'],
$cfg['oidc']['clientId'], $clientId ?: null,
$cfg['oidc']['clientSecret'] $clientSecret
); );
// Always send PKCE (S256). Required by Authelia for public clients, safe for confidential ones.
if (method_exists($oidc, 'setCodeChallengeMethod')) {
$oidc->setCodeChallengeMethod('S256');
}
// client_secret_post with Authelia using config.php
if (method_exists($oidc, 'setTokenEndpointAuthMethod') && OIDC_TOKEN_ENDPOINT_AUTH_METHOD) {
$oidc->setTokenEndpointAuthMethod(OIDC_TOKEN_ENDPOINT_AUTH_METHOD);
}
$oidc->setRedirectURL($cfg['oidc']['redirectUri']); $oidc->setRedirectURL($cfg['oidc']['redirectUri']);
$oidc->addScope(['openid','profile','email']); $oidc->addScope(['openid','profile','email']);