177 changes: 177 additions & 0 deletions Kernel/Config/Files/XML/Framework.xml
Expand Up @@ -10415,4 +10415,181 @@ via the Preferences button after logging in.
</Value>
</Setting>

<!-- OIDC/OAuth2 -->
<Setting Name="Frontend::Module###AdminOAuthTokenStore" Required="0" Valid="1">
<Description Translatable="1">Frontend module registration for the agent interface.</Description>
<Navigation>Frontend::Admin::ModuleRegistration</Navigation>
<Value>
<Item ValueType="FrontendRegistration">
<Hash>
<Item Key="GroupRo">
<Array>
</Array>
</Item>
<Item Key="Group">
<Array>
<Item>admin</Item>
</Array>
</Item>
<Item Key="Description">Admin</Item>
<Item Key="Title" Translatable="1">OAuth Tokens</Item>
<Item Key="NavBarName">Admin</Item>
</Hash>
</Item>
</Value>
</Setting>
<Setting Name="Loader::Module::AdminOAuthTokenStore###001-Framework" Required="0" Valid="1">
<Description Translatable="1">Loader module registration for the agent interface.</Description>
<Navigation>Frontend::Admin::ModuleRegistration::Loader</Navigation>
<Value>
<Hash>
<Item Key="JavaScript">
<Array>
<Item>Core.Agent.Admin.OAuth2Module.js</Item>
</Array>
</Item>
</Hash>
</Value>
</Setting>
<Setting Name="Frontend::Navigation###AdminOAuthTokenStore###001-Framework" Required="0" Valid="0">
<Description Translatable="1">Main menu item registration.</Description>
<Navigation>Frontend::Admin::ModuleRegistration::MainMenu</Navigation>
<Value>
<Array>
<DefaultItem ValueType="FrontendNavigation">
<Hash>
</Hash>
</DefaultItem>
</Array>
</Value>
</Setting>

<Setting Name="Frontend::NavigationModule###AdminOAuthTokenStore" Required="0" Valid="1">
<Description Translatable="1">Admin area navigation for the agent interface.</Description>
<Navigation>Frontend::Admin::ModuleRegistration::AdminOverview</Navigation>
<Value>
<Hash>
<Item Key="Group">
<Array>
<Item>admin</Item>
</Array>
</Item>
<Item Key="GroupRo">
<Array>
</Array>
</Item>
<Item Key="Module">Kernel::Output::HTML::NavBar::ModuleAdmin</Item>
<Item Key="Name" Translatable="1">OAuth Functional Accounts</Item>
<Item Key="Block">Administration</Item>
<Item Key="Description" Translatable="1">Functional Account and Token Management.</Item>
<Item Key="IconBig">fa-circle-o</Item>
<Item Key="IconSmall"></Item>
</Hash>
</Value>
</Setting>



<Setting Name="Frontend::Module###AdminOIDCProfiles" Required="0" Valid="1">
<Description Translatable="1">Frontend module registration for the agent interface.</Description>
<Navigation>Frontend::Admin::ModuleRegistration</Navigation>
<Value>
<Item ValueType="FrontendRegistration">
<Hash>
<Item Key="GroupRo">
<Array>
</Array>
</Item>
<Item Key="Group">
<Array>
<Item>admin</Item>
</Array>
</Item>
<Item Key="Description">Admin</Item>
<Item Key="Title" Translatable="1">OIDC Profiles</Item>
<Item Key="NavBarName">Admin</Item>
</Hash>
</Item>
</Value>
</Setting>

<Setting Name="Frontend::Navigation###AdminOIDCProfiles###001-Framework" Required="0" Valid="0">
<Description Translatable="1">Main menu item registration.</Description>
<Navigation>Frontend::Admin::ModuleRegistration::MainMenu</Navigation>
<Value>
<Array>
<DefaultItem ValueType="FrontendNavigation">
<Hash>
</Hash>
</DefaultItem>
</Array>
</Value>
</Setting>


<Setting Name="Frontend::NavigationModule###AdminOIDCProfiles" Required="0" Valid="1">
<Description Translatable="1">Admin area navigation for the agent interface.</Description>
<Navigation>Frontend::Admin::ModuleRegistration::AdminOverview</Navigation>
<Value>
<Hash>
<Item Key="Group">
<Array>
<Item>admin</Item>
</Array>
</Item>
<Item Key="GroupRo">
<Array>
</Array>
</Item>
<Item Key="Module">Kernel::Output::HTML::NavBar::ModuleAdmin</Item>
<Item Key="Name" Translatable="1">OIDC Profile Management</Item>
<Item Key="Block">Administration</Item>
<Item Key="Description" Translatable="1">Manage OpendID Connect OAuth2 Profiles.</Item>
<Item Key="IconBig">fa-circle-o</Item>
<Item Key="IconSmall"></Item>
</Hash>
</Value>
</Setting>

<Setting Name="Daemon::SchedulerCronTaskManager::Task###TokenStoreUpdater" Required="0" Valid="1" ConfigLevel="100">
<Description Translatable="1">Executes a custom command or module. Note: if module is used, function is required.</Description>
<Navigation>Daemon::SchedulerCronTaskManager::Task</Navigation>
<Value>
<Hash>
<Item Key="TaskName">TokenStoreUpdater</Item>
<Item Key="Schedule">0 * * * *</Item>
<Item Key="Module">Kernel::System::OpenIDConnect::TokenStoreUpdater</Item>
<Item Key="Function">Run</Item>
<Item Key="MaximumParallelInstances">1</Item>
<Item Key="Params">
<Array>
<Item>Interval</Item>
<Item>3600</Item>
</Array>
</Item>
</Hash>
</Value>
</Setting>

<!-- OIDC/mail-->

<Setting Name="SendmailModule::OAuth2FunctionalAccount" Required="0" Valid="0" ConfigLevel="200">
<Description Translatable="1">If 'XOAUTH2' or 'OAUTHBEARER' is selected in the 'SendmailModule::OAuth2Method' setting, then this setting needs to be enabled and set to a valid OIDC Functional Account. OIDC Accounts can be configured in the Admin UI 'OAuth Functional Accounts' Module.</Description>
<Navigation>Core::Email</Navigation>
<Value>
<Item ValueType="String" ValueRegex="">FunctionalAccount</Item>
</Value>
</Setting>
<Setting Name="SendmailModule::OAuth2Method" Required="0" Valid="1" ConfigLevel="200">
<Description Translatable="1">The authentication method to use for SMTP Authentication, defaults to 'Basic Auth'. If 'XOAUTH2' or 'OAUTHBEARER' is selected, then the '"SendmailModule::OAuth2FunctionalAccount' setting needs to be enabled and set to a valid OIDC Functional Account. OIDC Accounts can be configured in the Admin UI 'OAuth Functional Accounts' Module.</Description>
<Navigation>Core::Email</Navigation>
<Value>
<Item ValueType="Select" SelectedID="Basic">
<Item ValueType="Option" Value="Basic" Translatable="1">Basic Auth</Item>
<Item ValueType="Option" Value="XOAUTH2" Translatable="1">XOAUTH2</Item>
<Item ValueType="Option" Value="OAUTHBEARER" Translatable="1">OAUTHBEARER</Item>
</Item>
</Value>
</Setting>

</otobo_config>
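Review bot: Two user-facing description strings in this section carry textual defects: the `Frontend::NavigationModule###AdminOIDCProfiles` description reads `Manage OpendID Connect OAuth2 Profiles.` and should be `Manage OpenID Connect OAuth2 Profiles.`, and the `SendmailModule::OAuth2Method` description has a stray double quote in `'"SendmailModule::OAuth2FunctionalAccount'`. Both are marked `Translatable="1"`, so the typos would be carried into every translation catalogue and would have to be fixed there as well. Separately, `SendmailModule::OAuth2FunctionalAccount` ships with `ValueRegex=""` and the placeholder value `FunctionalAccount`; if functional-account names have a known shape, a regex there would reject a mistyped account name at configuration time instead of at the first SMTP authentication attempt.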
40 changes: 40 additions & 0 deletions Kernel/GenericInterface/Operation/Session/Common.pm
Expand Up @@ -20,6 +20,7 @@ use strict;
use warnings;

use Kernel::System::VariableCheck qw(:all);
use Kernel::Language qw(Translatable);

our $ObjectManagerDisabled = 1;

Expand Down Expand Up @@ -55,6 +56,11 @@ sub CreateSessionID {
my %UserData;
my $UserType;

# special case for session creation based on OAuth Bearer token
if ( $Param{Data}->{BearerToken} ) {
return $Self->_CreateSessionIDFromBearerToken(%Param);
}

# get params
my $PostPw = $Param{Data}->{Password} || '';

Expand Down Expand Up @@ -107,4 +113,38 @@ sub CreateSessionID {
return;
}

sub _CreateSessionIDFromBearerToken {
my ( $Self, %Param ) = @_;

my $Authenticator = $Kernel::OM->Get('Kernel::System::OpenIDConnect::Authenticator');
my $Result = $Authenticator->Authenticate(
Token => $Param{Data}->{BearerToken},
);

if ( $Result->{Success} ) {

# report success!
$Param{DebuggerObject}->Debug(
Summary => 'Bearer Token decoded:',
Data => $Result->{TokenData},
);

# create new session id
my $NewSessionID = $Kernel::OM->Get('Kernel::System::AuthSession')->CreateSessionID(
$Result->{UserData}->%*,
UserLastRequest => $Kernel::OM->Create('Kernel::System::DateTime')->ToEpoch(),
UserType => 'User',
SessionSource => 'GenericInterface',
);

# if we have a valis session, we are done.
return $NewSessionID if ($NewSessionID);

# otherwise try next account
next ACCOUNTNAME;
}

return;
}

1;
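Review bot: `next ACCOUNTNAME;` in `_CreateSessionIDFromBearerToken` has no enclosing loop with that label, so when `Authenticate` succeeds but `AuthSession->CreateSessionID` returns nothing, Perl emits the "Exiting subroutine via next" warning and then dies with "Label not found" (unless a caller up the dynamic call chain happens to be inside a loop labelled `ACCOUNTNAME`) instead of returning undef to `CreateSessionID`; this looks like residue from a loop in an earlier version of the code. Drop the two lines `# otherwise try next account` / `next ACCOUNTNAME;` so control falls through to the existing `return;`, and correct the comment above them to `# if we have a valid session, we are done.`. The `!$Result->{Success}` case is silent; a `$Param{DebuggerObject}->Debug( Summary => 'Bearer token authentication failed' )` there (with whatever detail `Authenticate` returns, if any) would make rejected tokens visible in the GenericInterface debug log for troubleshooting. Also confirm that `$Result->{TokenData}`, which is written to the debugger on success, holds only decoded claims and not the raw bearer token, since that log is persisted. The `use Kernel::Language qw(Translatable);` added in the first hunk is not referenced by any line shown here, though the rest of the file is outside the hunks.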
11 changes: 7 additions & 4 deletions Kernel/GenericInterface/Operation/Session/SessionCreate.pm
Expand Up @@ -103,15 +103,18 @@ sub Run {
for my $Needed (qw( Password )) {
if ( !$Param{Data}->{$Needed} ) {

return $Self->ReturnError(
ErrorCode => 'SessionCreate.MissingParameter',
ErrorMessage => "SessionCreate: $Needed parameter is missing!",
);
if ( !$Param{Data}->{BearerToken} ) {
return $Self->ReturnError(
ErrorCode => 'SessionCreate.MissingParameter',
ErrorMessage => "SessionCreate: $Needed parameter is missing!",
);
}
}
}

my $SessionID = $Self->CreateSessionID(
%Param,
DebuggerObject => $Self->{DebuggerObject}
);

if ( !$SessionID ) {
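Review bot: The bearer-token exemption is written as an `if` nested inside a `for` over the single-element list `qw( Password )`, which hides the actual rule that `Password` is optional whenever `BearerToken` is present; a direct condition reads better, e.g. `if ( !$Param{Data}->{Password} && !$Param{Data}->{BearerToken} ) { return $Self->ReturnError( ErrorCode => 'SessionCreate.MissingParameter', ErrorMessage => 'SessionCreate: Password parameter is missing!' ); }`. A comment is also warranted here, because `CreateSessionID` in Common.pm branches to the bearer path before it reads `Password`, so any `Password`/`UserLogin` values sent alongside a token are ignored rather than cross-checked: `# A BearerToken replaces password authentication; UserLogin/Password are ignored when it is set.`. Nothing shown validates that `BearerToken` is a plain string before it is handed to the authenticator; if the operation's request data can carry nested structures, a `ref` check at this point would return a clean error instead of leaving it to the token decoder (hedged, since the authenticator is not in this diff). `Run` starts and ends outside the hunk.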