oauth: feat: use OIDC claims on user creation

[EdouardVanbelle]

Hello please find the user_create hook that uses the OIDC's identify when creating a new user

[alecpl]

Maybe we should validate the values coming from outside?

[EdouardVanbelle]

Good catch, here what I did:

1. ensure config setup only allowed keys (user & host are for example forbidden)
2. normalizing user_email & language, then I check validity

I also added tests

[EdouardVanbelle]

I just changed the language check, the list_languages() was too strict

-                            // check that language is supported
-                            $languages = $this->rcmail->list_languages();
-                            if (!array_key_exists($value, $languages)) {
+                            // check that language is at the correct format
+                            if (!preg_match('/^[a-z]{2}(\_[A-Z]{2,})?$/', $value)) {
                                 rcube::raise_error([

[Neustradamus]

@EdouardVanbelle: Nice, good job!

Linked to:

• OAuth improvements (+ add user_create hook) #9274
• oauth: feat: use OIDC claims on user creation #9286
• oauth: feat: add support of PKCE #9287
• oauth: security: add support of nonce #9288
• oauth: select auth scheme (XOAUTH2 vs OAUTHBEARER) #9289
• add support of OAUTHBEARER pear/Net_SMTP#79
• add support of OAUTHBEARER pear/Net_Sieve#10
• oauth: add a generic method OAUTH to choose automatically a supported method pear/Net_Sieve#11

[alecpl]

@Neustradamus Please, stop adding these references. It's misleading, not everything is related.

[alecpl]

That's not going to work with languages like "ast" or "es_419"

[EdouardVanbelle]

What about this simplification?

   // check that language is in the correct format (over simplification of RFC5646)
   if (!preg_match('/^[a-z]{2,8}(\_[a-z0-9]{1,8})*$/i', $value)) {
  ...

Which already sanitize data and ensure you are not going to have temptative hacks like $language="../../../password" or similar

What is the requirement on the user's property language

• does it need to be the wished language from the customer? (Permit respective translation to be added lately)
• or does it need to be a truly and currently supported language by roundcube?

If it has to be a supported language, the best option I see is to change rcube->language_prop() from protected to public and use it in this hook

What do you think ?

[alecpl]

In another place we're using /^[a-zA-Z0-9_-]+$/, but I'd add a length limit, lets say 8, and it will be fine.

[EdouardVanbelle]

done

please note, I saw that rcube->language_prop() is capturing browser's accepted language via

            if (preg_match('/^([a-z]+)[_-]([a-z]+)$/i', $lang, $m))

I added this: #9292