共计 4533 个字符,预计需要花费 12 分钟才能阅读完成。
基础环境
Nextcloud 15.0.5
oauth2
安装 sociallogin
在官方 app 应用商店下载 sociallogin
解压并拷贝 sociallogin 至 app 目录
打开 Nextcloud 并在 应用中启用
配置 oauth2
使用管理员账号打开 Nextcloud 找到 sociallogin 设置,选择 Custom OAuth2 并添加 oauth2 信息,如下
设置只使用 oauth2 登录,取消系统登录 编辑 /var/www/html/config/config.php 添加以下配置:
‘social_login_auto_redirect’ => true
使用 Oauth2 注销 Nextcloud
使用中发现点击登出后,Nextcloud 只是注销了本身的 session,并没有注销 oauth2 的 session,因此会登出失败. 打开 core/Controller/LoginController.php 找到 logout 方法,修改 $response 值如下:
$response = new RedirectResponse(‘http://10.0.4.3/logout?redirect_uri=http://10.0.4.33:8088’);
http://10.0.4.3/logout 为 oauth2 认证系统登出地址
使用用户信息创建组
在使用 oauth2 登录成功后,为了与原有 Nextcloud 用户区分,Nextcloud 会在数据库中创建一个用户名为 oauth2 Internal name + 登录名称的用户,这样使用起来及其不方便,我们可以通过修改以下代码,保证用户名正常不带前缀:
根据返回用户信息中其他信息创建组
sociallogin/lib/Controller/LoginController.php
private function login($uid, Profile $profile)
{
$user = $this->userManager->get($uid);
if (null === $user) {
$connectedUid = $this->socialConnect->findUID($uid);
$user = $this->userManager->get($connectedUid);
}
if ($this->userSession->isLoggedIn()) {
if (!$this->config->getAppValue($this->appName, ‘allow_login_connect’)) {
throw new LoginException($this->l->t(‘Social login connect is disabled’));
}
if (null !== $user) {
throw new LoginException($this->l->t(‘This account already connected’));
}
$currentUid = $this->userSession->getUser()->getUID();
$this->socialConnect->connectLogin($currentUid, $uid);
return new RedirectResponse($this->urlGenerator->linkToRoute(‘settings.PersonalSettings.index’, [‘section’ => ‘additional’]));
}
if (null === $user) {
if ($this->config->getAppValue($this->appName, ‘disable_registration’)) {
throw new LoginException($this->l->t(‘Auto creating new users is disabled’));
}
if (
$profile->email && $this->config->getAppValue($this->appName, ‘prevent_create_email_exists’)
&& count($this->userManager->getByEmail($profile->email)) !== 0
) {
throw new LoginException($this->l->t(‘Email already registered’));
}
$password = substr(base64_encode(random_bytes(64)), 0, 30);
$user = $this->userManager->createUser($uid, $password);
$user->setDisplayName($profile->displayName ?: $profile->identifier);
$user->setEMailAddress((string)$profile->email);
$newUserGroup = $this->config->getAppValue($this->appName, ‘new_user_group’);
if ($newUserGroup) {
try {
$group = $this->groupManager->get($newUserGroup);
$group->addUser($user);
} catch (\Exception $e) {
}
}
if ($profile->photoURL) {
$curl = new Curl();
try {
$photo = $curl->request($profile->photoURL);
$avatar = $this->avatarManager->getAvatar($uid);
$avatar->set($photo);
} catch (\Exception $e) {
}
}
$this->config->setUserValue($uid, $this->appName, ‘disable_password_confirmation’, 1);
if ($profile->data[‘departmentName’] !== null) {
$existGroup = $this->groupManager->get($profile->data[‘departmentName’]);
if ($existGroup === null) {
$newGroup = $this->groupManager->createGroup($profile->data[‘departmentName’]);
$newGroup->addUser($user);
} else {
$existGroup->addUser($user);
}
}
}
$this->userSession->completeLogin($user, [‘loginName’ => $user->getUID(), ‘password’ => null]);
$this->userSession->createSessionToken($this->request, $user->getUID(), $user->getUID());
if ($redirectUrl = $this->session->get(‘login_redirect_url’)) {
return new RedirectResponse($redirectUrl);
}
$this->session->set(‘last-password-confirm’, time());
return new RedirectResponse($this->urlGenerator->getAbsoluteURL(‘/’));
}
sociallogin/lib/Provider/CustomOAuth2.php
public function getUserProfile()
{
$profileFields = array_filter(
array_map(‘trim’, explode(‘,’, $this->config->get(‘profile_fields’))),
function ($val) {
return !empty($val);
}
);
$profileUrl = $this->config->get(‘endpoints’)->get(‘profile_url’);
if (count($profileFields) > 0) {
$profileUrl .= (strpos($profileUrl, ‘?’) !== false ? ‘&’ : ‘?’) . ‘fields=’ . implode(‘,’, $profileFields);
}
$response = $this->apiRequest($profileUrl);
if (!isset($response->identifier) && isset($response->id)) {
$response->identifier = $response->id;
}
if (!isset($response->identifier) && isset($response->data->id)) {
$response->identifier = $response->data->id;
}
if (!isset($response->identifier) && isset($response->user_id)) {
$response->identifier = $response->user_id;
}
$data = new Data\Collection($response);
if (!$data->exists(‘identifier’)) {
throw new UnexpectedApiResponseException(‘Provider API returned an unexpected response.’);
}
$userProfile = new User\Profile();
foreach ($data->toArray() as $key => $value) {
if (property_exists($userProfile, $key)) {
$userProfile->$key = $value;
}
}
if (!empty($userProfile->email)) {
$userProfile->emailVerified = $userProfile->email;
}
$attributes = new Data\Collection($data->get(‘attributes’));
$userProfile->data = [
“organizationName” => $attributes->get(‘organizationName’),
“departmentName” => $attributes->get(‘departmentName’),
];
if ($attributes->get(‘name’) !== null) {
$userProfile->displayName = $attributes->get(‘name’);
}
return $userProfile;
}