oauth: select auth scheme (XOAUTH2 vs OAUTHBEARER)

This is a WIP, will need new version of Net_SIEVE & Net_SMTP Signed-off-by: Edouard Vanbelle <[email protected]>
roundcube · Jan 15, 2024 · 0c3bad6 · 0c3bad6
1 parent 357cc90
commit 0c3bad6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 9 deletions.
diff --git a/program/include/rcmail_oauth.php b/program/include/rcmail_oauth.php
@@ -38,10 +38,8 @@ class rcmail_oauth
 
     public const JWKS_CACHE_TTL        = 30; // TTL for JWKS (in seconds)
 
-    // prepare the OAUTHBEARER which is now the official protocol (rfc 7628)
-    // but currently implement mostly the formal XOAUTH2
-    /** @var string */
-    protected $auth_type = 'XOAUTH2';
+    /** @var string XOAUTH2, OAUTHBEAER, OAUTH=choose the supported method */
+    protected $auth_type = 'OAUTH';
 
     /** @var rcmail */
     protected $rcmail;
@@ -1010,13 +1008,11 @@ public function storage_init($options)
         }
 
         if ($this->login_phase) {
-            // enforce OAUTHBEARER/XOAUTH2 authorization type
             $options['auth_type'] = $this->auth_type;
         } elseif (isset($_SESSION['oauth_token'])) {
             if ($this->check_token_validity($_SESSION['oauth_token']) === self::TOKEN_REFRESHED) {
                 $options['password'] = $this->rcmail->decrypt($_SESSION['password']);
             }
-            // enforce OAUTHBEARER/XOAUTH2 authorization type
             $options['auth_type'] = $this->auth_type;
         }
 
@@ -1044,7 +1040,6 @@ public function smtp_connect($options)
             // check token validity
             $this->check_token_validity($_SESSION['oauth_token']);
 
-            // enforce OAUTHBEARER/XOAUTH2 authorization type
             $options['smtp_user'] = '%u';
             $options['smtp_pass'] = '%p';
             $options['smtp_auth_type'] = $this->auth_type;
@@ -1065,7 +1060,6 @@ public function managesieve_connect($options)
         if (isset($_SESSION['oauth_token'])) {
             // check token validity
             $this->check_token_validity($_SESSION['oauth_token']);
-            // enforce OAUTHBEARER/XOAUTH2 authorization type
             $options['auth_type'] = $this->auth_type;
         }
 

diff --git a/program/lib/Roundcube/rcube_imap_generic.php b/program/lib/Roundcube/rcube_imap_generic.php
@@ -927,14 +927,19 @@ public function connect($host, $user, $password, $options = [])
         $result       = null;
 
         // check for supported auth methods
-        if (!$auth_method || $auth_method == 'CHECK') {
+        if (!$auth_method || $auth_method === 'CHECK' || $auth_method === 'OAUTH') {
             if ($auth_caps = $this->getCapability('AUTH')) {
                 $auth_methods = $auth_caps;
             }
 
             // Use best (for security) supported authentication method
             $all_methods = ['DIGEST-MD5', 'CRAM-MD5', 'CRAM_MD5', 'PLAIN', 'LOGIN'];
 
+            // special case of OAUTH, use the supported method
+            if ($auth_method === 'OAUTH') {
+                $all_methods = ['OAUTHBEARER', 'XOAUTH2'];
+            }
+
             if (!empty($this->prefs['gssapi_cn'])) {
                 array_unshift($all_methods, 'GSSAPI');
             }