Enable OIDC bearer token authentication

lib/AppInfo/Application.php

@@ -6,6 +6,7 @@
 
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OCA\OIDCLogin\OIDCLoginOption;
+use OCA\OIDCLogin\WebDAV\BearerAuthBackend;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
 use OCP\AppFramework\Bootstrap\IBootstrap;
@@ -26,6 +27,7 @@ class Application extends App implements IBootstrap
     protected IConfig $config;
 
     private $appName = 'oidc_login';
+    private const TOKEN_LOGIN_KEY = 'is_oidc_token_login';
 
     public function __construct()
     {
@@ -34,8 +36,6 @@ public function __construct()
 
     public function register(IRegistrationContext $context): void
     {
-        $context->registerAlternativeLogin(OIDCLoginOption::class);
-
         $context->registerEventListener(
             'OCA\DAV\Connector\Sabre::authInit',
             \OCA\OIDCLogin\WebDAV\BearerAuthBackend::class
@@ -79,7 +79,23 @@ public function boot(IBootContext $context): void
         // Get logged in user's session
         $userSession = $container->get(IUserSession::class);
         $session = $container->get(ISession::class);
+        // If it is an OCS request, try to authenticate with bearer token if not logged in
+        $isBearerAuth = str_starts_with($request->getHeader('Authorization'), 'Bearer ');
+        if (!$userSession->isLoggedIn() 
+            && ($request->getHeader('OCS-APIREQUEST') === 'true')
+            && $isBearerAuth) {
+            $bearerAuthBackend = $container->get(BearerAuthBackend::class);
+            $this->loginWithBearerToken($request, $bearerAuthBackend, $session);
+        }
 
+        // For non-OCS routes, perform validation even if logged in via session
+        if ($isBearerAuth && $request->getHeader('OIDC-LOGIN-WITH-TOKEN') === 'true') {
+            // Invalidate existing session's oidc login
+            $session->remove(self::TOKEN_LOGIN_KEY);
+            $bearerAuthBackend = $container->get(BearerAuthBackend::class);
+            $this->loginWithBearerToken($request, $bearerAuthBackend, $session);
+        }
+
         // Check if the user is logged in
         if ($userSession->isLoggedIn()) {
             // Halt processing if not logged in with OIDC
@@ -155,4 +171,18 @@ public function boot(IBootContext $context): void
             }
         }
     }
+
+    private function loginWithBearerToken(IRequest $request, BearerAuthBackend $bearerAuthBackend, ISession $session) {
+        $authHeader = $request->getHeader('Authorization');
+		$bearerToken = substr($authHeader, 7);
+        if (empty($bearerToken)) {
+            return;
+        }
+        try {
+            $bearerAuthBackend->login($bearerToken);
+            $session->set(self::TOKEN_LOGIN_KEY, 1);
+        } catch (\Exception $e) {
+            $this->logger->debug("OIDC Bearer token validation failed with: {$e->getMessage()}", ['app' => $this->appName]);
+        }
+    }
 }

lib/OIDCLoginOption.php

@@ -49,7 +49,5 @@ public function getClass(): string
         return 'oidc-button';
     }
 
-    public function load(): void
-    {
-    }
+    public function load(): void {}
 }

lib/WebDAV/BearerAuthBackend.php

@@ -100,7 +100,7 @@ private function setupUserFs(string $userId)
      *
      * @param string $bearerToken an OIDC JWT bearer token
      */
-    private function login(string $bearerToken)
+    public function login(string $bearerToken)
     {
         $client = $this->loginService->createOIDCClient();
         if (null === $client) {