Webfinger: Return client_id and scope

To solve many of the issues our users have with getting OpenCloud
to work with different IDPs we came up with a more generic way
for how clients should discover their OIDC setttings (issuer,
client_id and scopes).

This is described here:
https://github.com/opencloud-eu/opencloud/blob/main/docs/adr/0003-oidc-client-config-discovery.md

This is for #96

Author: guruz

opencloudApp/src/main/java/eu/opencloud/android/presentation/authentication/AccountAuthenticator.java

@@ -54,6 +54,7 @@
 import static eu.opencloud.android.data.authentication.AuthenticationConstantsKt.KEY_CLIENT_REGISTRATION_CLIENT_ID;
 import static eu.opencloud.android.data.authentication.AuthenticationConstantsKt.KEY_CLIENT_REGISTRATION_CLIENT_SECRET;
 import static eu.opencloud.android.data.authentication.AuthenticationConstantsKt.KEY_OAUTH2_REFRESH_TOKEN;
+import static eu.opencloud.android.data.authentication.AuthenticationConstantsKt.KEY_OAUTH2_SCOPE;
 import static eu.opencloud.android.presentation.authentication.AuthenticatorConstants.KEY_AUTH_TOKEN_TYPE;
 import static org.koin.java.KoinJavaComponent.inject;
 
@@ -386,7 +387,10 @@ private String refreshToken(
             clientAuth = OAuthUtils.Companion.getClientAuth(clientSecret, clientId);
         }
 
-        String scope = mContext.getResources().getString(R.string.oauth2_openid_scope);
+        String scope = accountManager.getUserData(account, KEY_OAUTH2_SCOPE);
+        if (scope == null) {
+            scope = mContext.getResources().getString(R.string.oauth2_openid_scope);
+        }
 
         TokenRequest oauthTokenRequest = new TokenRequest.RefreshToken(
                 baseUrl,

opencloudApp/src/main/java/eu/opencloud/android/presentation/authentication/LoginActivity.kt

@@ -50,6 +50,7 @@ import eu.opencloud.android.MainApp.Companion.accountType
 import eu.opencloud.android.R
 import eu.opencloud.android.data.authentication.KEY_USER_ID
 import eu.opencloud.android.databinding.AccountSetupBinding
+import eu.opencloud.android.domain.authentication.oauth.model.ClientRegistrationInfo
 import eu.opencloud.android.domain.authentication.oauth.model.ResponseType
 import eu.opencloud.android.domain.authentication.oauth.model.TokenRequest
 import eu.opencloud.android.domain.exceptions.NoNetworkConnectionException
@@ -447,14 +448,28 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
                 showOrHideBasicAuthFields(shouldBeVisible = false)
                 authTokenType = OAUTH_TOKEN_TYPE
                 oidcSupported = true
-                val registrationEndpoint = serverInfo.oidcServerConfiguration.registrationEndpoint
-                if (registrationEndpoint != null) {
-                    registerClient(
+                val webFingerClientId = serverInfo.webFingerClientId
+                val webFingerScopes = serverInfo.webFingerScopes
+                if (webFingerClientId != null) {
+                    performGetAuthorizationCodeRequest(
                         authorizationEndpoint = serverInfo.oidcServerConfiguration.authorizationEndpoint.toUri(),
-                        registrationEndpoint = registrationEndpoint
+                        clientId = webFingerClientId,
+                        webFingerScopes = webFingerScopes,
                     )
                 } else {
-                    performGetAuthorizationCodeRequest(serverInfo.oidcServerConfiguration.authorizationEndpoint.toUri())
+                    val registrationEndpoint = serverInfo.oidcServerConfiguration.registrationEndpoint
+                    if (registrationEndpoint != null) {
+                        registerClient(
+                            authorizationEndpoint = serverInfo.oidcServerConfiguration.authorizationEndpoint.toUri(),
+                            registrationEndpoint = registrationEndpoint,
+                            webFingerScopes = webFingerScopes,
+                        )
+                    } else {
+                        performGetAuthorizationCodeRequest(
+                            authorizationEndpoint = serverInfo.oidcServerConfiguration.authorizationEndpoint.toUri(),
+                            webFingerScopes = webFingerScopes,
+                        )
+                    }
                 }
             }
 
@@ -559,7 +574,8 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
      */
     private fun registerClient(
         authorizationEndpoint: Uri,
-        registrationEndpoint: String
+        registrationEndpoint: String,
+        webFingerScopes: List<String>? = null,
     ) {
         authenticationViewModel.registerClient(registrationEndpoint)
         authenticationViewModel.registerClient.observe(this) {
@@ -570,22 +586,24 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
                     uiResult.data?.let { clientRegistrationInfo ->
                         performGetAuthorizationCodeRequest(
                             authorizationEndpoint = authorizationEndpoint,
-                            clientId = clientRegistrationInfo.clientId
+                            clientId = clientRegistrationInfo.clientId,
+                            webFingerScopes = webFingerScopes,
                         )
                     }
                 }
 
                 is UIResult.Error -> {
                     Timber.e(uiResult.error, "Client registration failed.")
-                    performGetAuthorizationCodeRequest(authorizationEndpoint)
+                    performGetAuthorizationCodeRequest(authorizationEndpoint, webFingerScopes = webFingerScopes)
                 }
             }
         }
     }
 
     private fun performGetAuthorizationCodeRequest(
         authorizationEndpoint: Uri,
-        clientId: String = getString(R.string.oauth2_client_id)
+        clientId: String = getString(R.string.oauth2_client_id),
+        webFingerScopes: List<String>? = null,
     ) {
         Timber.d("A browser should be opened now to authenticate this user.")
 
@@ -597,19 +615,29 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
         // which helps Firefox properly handle the OAuth redirect back to the app
         customTabsIntent.intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
 
+        val scope = if (!oidcSupported) {
+            ""
+        } else if (webFingerScopes != null) {
+            webFingerScopes.joinToString(" ")
+        } else {
+            mdmProvider.getBrandingString(CONFIGURATION_OAUTH2_OPEN_ID_SCOPE, R.string.oauth2_openid_scope)
+        }
+
         val authorizationEndpointUri = OAuthUtils.buildAuthorizationRequest(
             authorizationEndpoint = authorizationEndpoint,
             redirectUri = OAuthUtils.buildRedirectUri(applicationContext).toString(),
             clientId = clientId,
             responseType = ResponseType.CODE.string,
-            scope = if (oidcSupported) mdmProvider.getBrandingString(CONFIGURATION_OAUTH2_OPEN_ID_SCOPE, R.string.oauth2_openid_scope) else "",
+            scope = scope,
             prompt = if (oidcSupported) mdmProvider.getBrandingString(CONFIGURATION_OAUTH2_OPEN_ID_PROMPT, R.string.oauth2_openid_prompt) else "",
             codeChallenge = authenticationViewModel.codeChallenge,
             state = authenticationViewModel.oidcState,
             username = username,
             sendLoginHintAndUser = mdmProvider.getBrandingBoolean(mdmKey = CONFIGURATION_SEND_LOGIN_HINT_AND_USER,
                 booleanKey = R.bool.send_login_hint_and_user),
         )
+                Timber.d("A browser should be opened now to authenticate this user is $authorizationEndpointUri ")
+
 
         try {
             saveAuthState()
@@ -673,6 +701,7 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
         val (clientId, clientSecret) = if (clientRegistrationInfo?.clientId != null && clientRegistrationInfo.clientSecret != null) {
             Pair(clientRegistrationInfo.clientId, clientRegistrationInfo.clientSecret as String)
         } else {
+            // May be overridden below by serverInfo.webFingerClientId if available
             Pair(getString(R.string.oauth2_client_id), getString(R.string.oauth2_client_secret))
         }
 
@@ -684,18 +713,21 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
         if (serverInfo is ServerInfo.OIDCServer) {
             tokenEndPoint = serverInfo.oidcServerConfiguration.tokenEndpoint
 
+            // Use webfinger-provided clientId if available, otherwise keep registration/default
+            val effectiveClientId = serverInfo.webFingerClientId ?: clientId
+
             // RFC 7636: Public clients (token_endpoint_auth_method: none) must not send Authorization header
             if (serverInfo.oidcServerConfiguration.isTokenEndpointAuthMethodNone()) {
                 clientAuth = ""
-                clientIdForRequest = clientId
+                clientIdForRequest = effectiveClientId
             } else if (serverInfo.oidcServerConfiguration.isTokenEndpointAuthMethodSupportedClientSecretPost()) {
                 // For client_secret_post, credentials go in body, not Authorization header
                 clientAuth = ""
-                clientIdForRequest = clientId
+                clientIdForRequest = effectiveClientId
                 clientSecretForRequest = clientSecret
             } else {
                 // For other methods (e.g., client_secret_basic), use Basic auth header
-                clientAuth = OAuthUtils.getClientAuth(clientSecret, clientId)
+                clientAuth = OAuthUtils.getClientAuth(clientSecret, effectiveClientId)
             }
         } else {
             tokenEndPoint = "$serverBaseUrl${File.separator}${contextProvider.getString(R.string.oauth2_url_endpoint_access)}"
@@ -725,18 +757,41 @@ class LoginActivity : AppCompatActivity(), SslUntrustedCertDialog.OnSslUntrusted
                     Timber.d("Tokens received ${uiResult.data}, trying to login, creating account and adding it to account manager")
                     val tokenResponse = uiResult.data ?: return@observe
 
+                    // When webfinger provides a client_id without dynamic registration,
+                    // store it so AccountAuthenticator can use it for token refresh
+                    val effectiveClientRegistrationInfo = clientRegistrationInfo
+                        ?: (serverInfo as? ServerInfo.OIDCServer)?.webFingerClientId?.let { wfClientId ->
+                            ClientRegistrationInfo(
+                                clientId = wfClientId,
+                                clientSecret = null,
+                                clientIdIssuedAt = null,
+                                clientSecretExpiration = 0,
+                            )
+                        }
+
+                    // Scope priority: webfinger scopes > MDM/string-resource > token response
+                    val webFingerScopes = if (serverInfo is ServerInfo.OIDCServer) {
+                        serverInfo.webFingerScopes
+                    } else {
+                        null
+                    }
+                    val effectiveScope = if (!oidcSupported) {
+                        tokenResponse.scope
+                    } else if (webFingerScopes != null) {
+                        webFingerScopes.joinToString(" ")
+                    } else {
+                        mdmProvider.getBrandingString(CONFIGURATION_OAUTH2_OPEN_ID_SCOPE, R.string.oauth2_openid_scope)
+                    }
+
                     authenticationViewModel.loginOAuth(
                         serverBaseUrl = serverBaseUrl,
                         username = tokenResponse.additionalParameters?.get(KEY_USER_ID).orEmpty(),
                         authTokenType = OAUTH_TOKEN_TYPE,
                         accessToken = tokenResponse.accessToken,
                         refreshToken = tokenResponse.refreshToken.orEmpty(),
-                        scope = if (oidcSupported) mdmProvider.getBrandingString(
-                            CONFIGURATION_OAUTH2_OPEN_ID_SCOPE,
-                            R.string.oauth2_openid_scope,
-                        ) else tokenResponse.scope,
+                        scope = effectiveScope,
                         updateAccountWithUsername = if (loginAction != ACTION_CREATE) userAccount?.name else null,
-                        clientRegistrationInfo = clientRegistrationInfo
+                        clientRegistrationInfo = effectiveClientRegistrationInfo
                     )
                 }
 

opencloudComLibrary/src/main/java/eu/opencloud/android/lib/resources/webfinger/GetInstancesViaWebFingerOperation.kt

@@ -40,13 +40,15 @@ class GetInstancesViaWebFingerOperation(
     private val lockupServerDomain: String,
     private val rel: String,
     private val resource: String,
-) : RemoteOperation<List<String>>() {
+    private val platform: String? = null,
+) : RemoteOperation<WebFingerResponse>() {
 
     private fun buildRequestUri() =
         Uri.parse(lockupServerDomain).buildUpon()
             .path(ENDPOINT_WEBFINGER_PATH)
             .appendQueryParameter("rel", rel)
             .appendQueryParameter("resource", resource)
+            .apply { platform?.let { appendQueryParameter("platform", it) } }
             .build()
 
     private fun isSuccess(status: Int): Boolean = status == HttpConstants.HTTP_OK
@@ -61,34 +63,35 @@ class GetInstancesViaWebFingerOperation(
         method: HttpMethod,
         response: String?,
         status: Int
-    ): RemoteOperationResult<List<String>> {
+    ): RemoteOperationResult<WebFingerResponse> {
         Timber.e("Failed requesting WebFinger info")
         if (response != null) {
             Timber.e("*** status code: $status; response message: $response")
         } else {
             Timber.e("*** status code: $status")
         }
-        return RemoteOperationResult<List<String>>(method)
+        return RemoteOperationResult<WebFingerResponse>(method)
     }
 
-    private fun onRequestSuccessful(rawResponse: String): RemoteOperationResult<List<String>> {
+    private fun onRequestSuccessful(rawResponse: String): RemoteOperationResult<WebFingerResponse> {
         val response = parseResponse(rawResponse)
         Timber.d("Successful WebFinger request: $response")
-        val operationResult = RemoteOperationResult<List<String>>(RemoteOperationResult.ResultCode.OK)
-        operationResult.data = response.links?.map { it.href } ?: listOf()
+        val operationResult = RemoteOperationResult<WebFingerResponse>(RemoteOperationResult.ResultCode.OK)
+        operationResult.data = response
         return operationResult
     }
 
-    override fun run(client: OpenCloudClient): RemoteOperationResult<List<String>> {
+    override fun run(client: OpenCloudClient): RemoteOperationResult<WebFingerResponse> {
         val requestUri = buildRequestUri()
+        Timber.d("Doing WebFinger request: $requestUri")
         val getMethod = GetMethod(URL(requestUri.toString()))
 
         // First iteration won't follow redirections.
         getMethod.followRedirects = false
 
         return try {
             val status = client.executeHttpMethod(getMethod)
-            val response = getMethod.getResponseBodyAsString()!!
+            val response = getMethod.getResponseBodyAsString()
 
             if (isSuccess(status)) {
                 onRequestSuccessful(response)
@@ -97,7 +100,7 @@ class GetInstancesViaWebFingerOperation(
             }
         } catch (e: Exception) {
             Timber.e(e, "Requesting WebFinger info failed")
-            RemoteOperationResult<List<String>>(e)
+            RemoteOperationResult<WebFingerResponse>(e)
         }
     }
 

opencloudComLibrary/src/main/java/eu/opencloud/android/lib/resources/webfinger/responses/WebFingerResponse.kt

@@ -24,12 +24,20 @@
 
 package eu.opencloud.android.lib.resources.webfinger.responses
 
+import com.squareup.moshi.Json
 import com.squareup.moshi.JsonClass
 
+@JsonClass(generateAdapter = true)
+data class WebFingerProperties(
+    @Json(name = "http://opencloud.eu/ns/oidc/client_id") val clientId: String?,
+    @Json(name = "http://opencloud.eu/ns/oidc/scopes") val scopes: List<String>?,
+)
+
 @JsonClass(generateAdapter = true)
 data class WebFingerResponse(
     val subject: String,
-    val links: List<LinkItem>?
+    val links: List<LinkItem>?,
+    val properties: WebFingerProperties? = null,
 )
 
 @JsonClass(generateAdapter = true)

opencloudComLibrary/src/main/java/eu/opencloud/android/lib/resources/webfinger/services/WebFingerService.kt

@@ -19,6 +19,7 @@ package eu.opencloud.android.lib.resources.webfinger.services
 
 import eu.opencloud.android.lib.common.OpenCloudClient
 import eu.opencloud.android.lib.common.operations.RemoteOperationResult
+import eu.opencloud.android.lib.resources.webfinger.responses.WebFingerResponse
 
 interface WebFingerService {
     fun getInstancesFromWebFinger(
@@ -27,4 +28,12 @@ interface WebFingerService {
         rel: String,
         client: OpenCloudClient,
     ): RemoteOperationResult<List<String>>
+
+    fun getOidcDiscoveryFromWebFinger(
+        lookupServer: String,
+        resource: String,
+        rel: String,
+        platform: String,
+        client: OpenCloudClient,
+    ): RemoteOperationResult<WebFingerResponse>
 }

opencloudComLibrary/src/main/java/eu/opencloud/android/lib/resources/webfinger/services/implementation/OCWebFingerService.kt

@@ -20,6 +20,7 @@ package eu.opencloud.android.lib.resources.webfinger.services.implementation
 import eu.opencloud.android.lib.common.OpenCloudClient
 import eu.opencloud.android.lib.common.operations.RemoteOperationResult
 import eu.opencloud.android.lib.resources.webfinger.GetInstancesViaWebFingerOperation
+import eu.opencloud.android.lib.resources.webfinger.responses.WebFingerResponse
 import eu.opencloud.android.lib.resources.webfinger.services.WebFingerService
 
 class OCWebFingerService : WebFingerService {
@@ -29,6 +30,23 @@ class OCWebFingerService : WebFingerService {
         resource: String,
         rel: String,
         client: OpenCloudClient,
-    ): RemoteOperationResult<List<String>> =
-        GetInstancesViaWebFingerOperation(lookupServer, rel, resource).execute(client)
+    ): RemoteOperationResult<List<String>> {
+        val result = GetInstancesViaWebFingerOperation(lockupServerDomain = lookupServer, rel = rel, resource = resource).execute(client)
+        if (!result.isSuccess) {
+            @Suppress("UNCHECKED_CAST")
+            return result as RemoteOperationResult<List<String>>
+        }
+        val listResult = RemoteOperationResult<List<String>>(RemoteOperationResult.ResultCode.OK)
+        listResult.data = result.data.links?.map { it.href } ?: listOf()
+        return listResult
+    }
+
+    override fun getOidcDiscoveryFromWebFinger(
+        lookupServer: String,
+        resource: String,
+        rel: String,
+        platform: String,
+        client: OpenCloudClient,
+    ): RemoteOperationResult<WebFingerResponse> =
+        GetInstancesViaWebFingerOperation(lockupServerDomain = lookupServer, rel = rel, resource = resource, platform = platform).execute(client)
 }