Enable OIDC bearer token authentication

[avinash-0007]

This Mr solves the issue mention in below ticket https://github.com/pulsejet/nextcloud-oidc-login/issues/242

[akhil1508]

@pulsejet Any update on this?

[akhil1508]

• For the non-OCS routes for e.g. notes API (/apps/notes/api/v0.2/notes) to work we also need a patch for lib/private/AppFramework/Middleware/Security/CORSMiddleware like

--- lib/private/AppFramework/Middleware/Security/CORSMiddleware.php 2024-04-08 08:53:20.410444998 +0530
+++ lib/private/AppFramework/Middleware/Security/CORSMiddleware-new.php 2024-04-09 19:05:21.133629632 +0530
@@ -97,6 +97,10 @@
            // Allow to use the current session if a CSRF token is provided
            if ($this->request->passesCSRFCheck()) {
                return;
+           }           
+           // Skip CORS check for requests with oidc token auth.
+           if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('is_oidc_token_login') === 1) {
+               return;
            }
            // Skip CORS check for requests with AppAPI auth.
            if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('app_api') === true) {

• This is because CORS requires BASIC auth
• We can also set the session key to app_api as the CORS check is skipped for this one too as per https://github.com/nextcloud/server/blob/10fc78a9ea0d8a2081c1185f8f4c4b63b631d88e/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php#L96 but this approach seems hacky
  • I will add a PR to upstream to get the session change to be accepted, maybe their official user_oidc plugin could also use it :thinking:

[akhil1508]

@pulsejet I await response from NC devs on https://github.com/nextcloud/user_oidc/issues/836 so we can avoid patching