fix(Session): avoid password confirmation on SSO

SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends where used as user repositories.

Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.

Signed-off-by: Arthur Schiwon <[email protected]>

core/Controller/OCJSController.php

@@ -61,6 +61,7 @@ public function __construct(string $appName,
 								IURLGenerator $urlGenerator,
 								CapabilitiesManager $capabilitiesManager,
 								IInitialStateService $initialStateService) {
+		IProvider $tokenProvider,
 		parent::__construct($appName, $request);
 
 		$this->helper = new JSConfigHelper(

lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php

@@ -61,9 +61,11 @@ class PasswordConfirmationMiddleware extends Middleware {
 	 * @param ITimeFactory $timeFactory
 	 */
 	public function __construct(ControllerMethodReflector $reflector,
-								ISession $session,
-								IUserSession $userSession,
-								ITimeFactory $timeFactory) {
+		ISession $session,
+		IUserSession $userSession,
+		ITimeFactory $timeFactory,
+		IProvider $tokenProvider,
+	) {
 		$this->reflector = $reflector;
 		$this->session = $session;
 		$this->userSession = $userSession;

lib/private/Template/JSConfigHelper.php

@@ -53,6 +53,7 @@
 use OCP\IURLGenerator;
 use OCP\ILogger;
 use OCP\IUser;
+use OCP\Session\Exceptions\SessionNotAvailableException;
 use OCP\User\Backend\IPasswordConfirmationBackend;
 use OCP\Util;
 
@@ -61,28 +62,20 @@ class JSConfigHelper {
 	/** @var array user back-ends excluded from password verification */
 	private $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];
 
-	public function __construct(IL10N $l,
-								Defaults $defaults,
-								IAppManager $appManager,
-								ISession $session,
-								?IUser $currentUser,
-								IConfig $config,
-								IGroupManager $groupManager,
-								IniGetWrapper $iniWrapper,
-								IURLGenerator $urlGenerator,
-								CapabilitiesManager $capabilitiesManager,
-								IInitialStateService $initialStateService) {
-		$this->l = $l;
-		$this->defaults = $defaults;
-		$this->appManager = $appManager;
-		$this->session = $session;
-		$this->currentUser = $currentUser;
-		$this->config = $config;
-		$this->groupManager = $groupManager;
-		$this->iniWrapper = $iniWrapper;
-		$this->urlGenerator = $urlGenerator;
-		$this->capabilitiesManager = $capabilitiesManager;
-		$this->initialStateService = $initialStateService;
+	public function __construct(
+		protected IL10N                $l,
+		protected Defaults             $defaults,
+		protected IAppManager          $appManager,
+		protected ISession             $session,
+		protected ?IUser               $currentUser,
+		protected IConfig              $config,
+		protected IGroupManager        $groupManager,
+		protected IniGetWrapper        $iniWrapper,
+		protected IURLGenerator        $urlGenerator,
+		protected CapabilitiesManager  $capabilitiesManager,
+		protected IInitialStateService $initialStateService,
+		protected IProvider            $tokenProvider,
+	) {
 	}
 
 	public function getConfig(): string {

lib/private/TemplateLayout.php

@@ -236,7 +236,8 @@ public function __construct($renderAs, $appId = '') {
 				\OC::$server->get(IniGetWrapper::class),
 				\OC::$server->getURLGenerator(),
 				\OC::$server->getCapabilitiesManager(),
-				\OC::$server->query(IInitialStateService::class)
+				\OCP\Server::get(IInitialStateService::class),
+				\OCP\Server::get(IProvider::class),
 			);
 			$config = $jsConfigHelper->getConfig();
 			if (\OC::$server->getContentSecurityPolicyNonceManager()->browserSupportsCspV3()) {

lib/private/legacy/OC_User.php

@@ -35,7 +35,7 @@
  * along with this program. If not, see <http://www.gnu.org/licenses/>
  *
  */
-
+use OC\Authentication\Token\IProvider;
 use OC\User\LoginException;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\ILogger;