Improve oauth2 authorization

src/libsync/configfile.cpp

@@ -91,6 +91,8 @@ const QString newBigFolderSizeLimitC() { return QStringLiteral("newBigFolderSize
 const QString useNewBigFolderSizeLimitC() { return QStringLiteral("useNewBigFolderSizeLimit"); }
 const QString confirmExternalStorageC() { return QStringLiteral("confirmExternalStorage"); }
 const QString moveToTrashC() { return QStringLiteral("moveToTrash"); }
+const QString oauthPromptC() { return QStringLiteral("oauthPrompt"); }
+const QString oauthBasicAuthC() { return QStringLiteral("oauthBasicAuth"); }
 }
 
 QString ConfigFile::_confDir = QString();
@@ -752,6 +754,31 @@ void ConfigFile::setPromptDeleteFiles(bool promptDeleteFiles)
     settings.setValue(promptDeleteC(), promptDeleteFiles);
 }
 
+bool ConfigFile::oauthPrompt() const
+{
+    QSettings settings(configFile(), QSettings::IniFormat);
+    return settings.value(oauthPromptC(), true).toBool();
+}
+
+void ConfigFile::setOauthPrompt(bool oauthPrompt)
+{
+    QSettings settings(configFile(), QSettings::IniFormat);
+    settings.setValue(oauthPromptC(), oauthPrompt);
+}
+
+bool ConfigFile::oauthBasicAuth() const
+{
+    QSettings settings(configFile(), QSettings::IniFormat);
+    return settings.value(oauthBasicAuthC(), true).toBool();
+}
+
+void ConfigFile::setOauthBasicAuth(bool oauthBasicAuth)
+{
+    QSettings settings(configFile(), QSettings::IniFormat);
+    settings.setValue(oauthBasicAuthC(), oauthBasicAuth);
+}
+
+
 bool ConfigFile::monoIcons() const
 {
     QSettings settings(configFile(), QSettings::IniFormat);

src/libsync/configfile.h

@@ -138,6 +138,14 @@ class OWNCLOUDSYNC_EXPORT ConfigFile
     bool confirmExternalStorage() const;
     void setConfirmExternalStorage(bool);
 
+    //disable sending of the prompt parameter for the oauth2 authorization_endpoint
+    bool oauthPrompt() const;
+    void setOauthPrompt(bool);
+
+    //disable sending of basic auth header for the oauth2 token endpoint
+    bool oauthBasicAuth() const;
+    void setOauthBasicAuth(bool);
+
     /** If we should move the files deleted on the server in the trash  */
     bool moveToTrash() const;
     void setMoveToTrash(bool);

src/libsync/creds/oauth.cpp

@@ -14,6 +14,7 @@
 
 #include "creds/oauth.h"
 
+#include "configfile.h"
 #include "account.h"
 #include "common/version.h"
 #include "credentialmanager.h"
@@ -227,16 +228,18 @@ void OAuth::startAuthentication()
                     httpReplyAndClose(socket, QByteArrayLiteral("400 Bad Request"), QByteArrayLiteral("<html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center></body></html>"));
                     return;
                 }
-                // we only allow one response
-                qCDebug(lcOauth) << "Recieved the first valid request, stoping to listen";
-                _server.close();
 
                 auto job = postTokenRequest({
                     { QStringLiteral("grant_type"), QStringLiteral("authorization_code") },
                     { QStringLiteral("code"), args.queryItemValue(QStringLiteral("code")) },
                     { QStringLiteral("redirect_uri"), QStringLiteral("%1:%2").arg(_redirectUrl, QString::number(_server.serverPort())) },
                     { QStringLiteral("code_verifier"), QString::fromUtf8(_pkceCodeVerifier) },
                 });
+
+                // we only allow one response
+                qCDebug(lcOauth) << "Recieved the first valid request, stoping to listen";
+                _server.close();
+
                 QObject::connect(job, &SimpleNetworkJob::finishedSignal, this, [this, socket](QNetworkReply *reply) {
                     const auto jsonData = reply->readAll();
                     QJsonParseError jsonParseError;
@@ -403,11 +406,14 @@ void OAuth::finalize(const QPointer<QTcpSocket> &socket, const QString &accessTo
 
 SimpleNetworkJob *OAuth::postTokenRequest(const QList<QPair<QString, QString>> &queryItems)
 {
+    ConfigFile cfg;
     const QUrl requestTokenUrl = _tokenEndpoint.isEmpty() ? Utility::concatUrlPath(_account->url(), QStringLiteral("/index.php/apps/oauth2/api/v1/token")) : _tokenEndpoint;
     QNetworkRequest req;
-    const QByteArray basicAuth = QStringLiteral("%1:%2").arg(_clientId, _clientSecret).toUtf8().toBase64();
-    req.setRawHeader("Authorization", "Basic " + basicAuth);
-    req.setAttribute(HttpCredentials::DontAddCredentialsAttribute, true);
+    if (cfg.oauthBasicAuth()){
+        const QByteArray basicAuth = QStringLiteral("%1:%2").arg(_clientId, _clientSecret).toUtf8().toBase64();
+        req.setRawHeader("Authorization", "Basic " + basicAuth);
+        req.setAttribute(HttpCredentials::DontAddCredentialsAttribute, true);
+    }
 
     QUrlQuery arguments;
     arguments.setQueryItems(QList<QPair<QString, QString>> { { QStringLiteral("client_id"), _clientId },
@@ -431,6 +437,7 @@ QByteArray OAuth::generateRandomString(size_t size) const
 
 QUrl OAuth::authorisationLink() const
 {
+    ConfigFile cfg;
     Q_ASSERT(_server.isListening());
     QUrlQuery query;
     const QByteArray code_challenge = QCryptographicHash::hash(_pkceCodeVerifier, QCryptographicHash::Sha256)
@@ -441,9 +448,12 @@ QUrl OAuth::authorisationLink() const
         { QStringLiteral("code_challenge"), QString::fromLatin1(code_challenge) },
         { QStringLiteral("code_challenge_method"), QStringLiteral("S256") },
         { QStringLiteral("scope"), Theme::instance()->openIdConnectScopes() },
-        { QStringLiteral("prompt"), Theme::instance()->openIdConnectPrompt() },
         { QStringLiteral("state"), QString::fromUtf8(_state) } });
 
+    if (cfg.oauthPrompt()){
+        query.addQueryItem(QStringLiteral("prompt"), Theme::instance()->openIdConnectPrompt());
+    }
+
     if (!_account->davUser().isNull()) {
         const QString davUser = _account->davUser().replace(QLatin1Char('+'), QStringLiteral("%2B")); // Issue #7762;
         // open id connect