From 4580975f076fad5753aaee5e15428d4832dc5079 Mon Sep 17 00:00:00 2001
From: DominikIwanek
Date: Fri, 17 Nov 2023 08:31:40 +0100
Subject: [PATCH] [MNT-22836] - support PKCE code flow in SSO

---
 demo-shell/src/app.config.json | 1 +
 docker/docker-entrypoint.d/30-sed-on-appconfig.sh | 5 +++++
 docker/run.sh | 1 +
 lib/core/src/lib/auth/oidc/auth-config.service.spec.ts | 2 +-
 lib/core/src/lib/auth/oidc/auth-config.service.ts | 4 ++--
 lib/core/src/lib/login/components/login.component.ts | 6 +++---
 6 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/demo-shell/src/app.config.json b/demo-shell/src/app.config.json
index 4ae12ff8568..964314db783 100644
--- a/demo-shell/src/app.config.json
+++ b/demo-shell/src/app.config.json
@@ -20,6 +20,7 @@
 "clientId": "alfresco",
 "scope": "openid profile email",
 "secret": "",
+"implicitFlow": false,
 "codeFlow": true,
 "silentLogin": true,
 "redirectSilentIframeUri": "{protocol}//{hostname}{:port}/assets/silent-refresh.html",
diff --git a/docker/docker-entrypoint.d/30-sed-on-appconfig.sh b/docker/docker-entrypoint.d/30-sed-on-appconfig.sh
index be10f51a00d..861edbbec22 100755
--- a/docker/docker-entrypoint.d/30-sed-on-appconfig.sh
+++ b/docker/docker-entrypoint.d/30-sed-on-appconfig.sh
@@ -28,6 +28,11 @@ if [ -n "${APP_CONFIG_OAUTH2_CLIENTID}" ]; then
 -i "${NGINX_ENVSUBST_OUTPUT_DIR}/app.config.json"
 fi
 
+if [ -n "${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}" ]; then
+sed -e "s/\"implicitFlow\": [^,]*/\"implicitFlow\": ${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}/g" \
+-i "${NGINX_ENVSUBST_OUTPUT_DIR}/app.config.json"
+fi
+
 if [ -n "${APP_CONFIG_OAUTH2_CODE_FLOW}" ]; then
 sed -e "s/\"codeFlow\": [^,]*/\"codeFlow\": ${APP_CONFIG_OAUTH2_CODE_FLOW}/g" \
 -i "${NGINX_ENVSUBST_OUTPUT_DIR}/app.config.json"
diff --git a/docker/run.sh b/docker/run.sh
index 0c80245dc2a..96ea97253d8 100755
--- a/docker/run.sh
+++ b/docker/run.sh
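Review bot: The added block writes `${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}` into app.config.json unquoted and unvalidated, so any value other than the JSON literals `true`/`false` (a capitalised `True`, a `yes`) leaves the container with an unparseable config and a dead login page, discovered only when the app loads. That mirrors the existing `codeFlow` block below, but this flag decides whether the deprecated implicit flow is used, so a guard before the `sed` is cheap: `case "${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}" in true|false) ;; *) echo "APP_CONFIG_OAUTH2_IMPLICIT_FLOW must be true or false" >&2; exit 1 ;; esac`. The `[^,]*` pattern also assumes `"implicitFlow"` is never the last property of its object, which the sample config in this patch satisfies.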
@@ -13,6 +13,7 @@ docker run --rm -it \
 --env APP_CONFIG_IDENTITY_HOST=$APP_CONFIG_IDENTITY_HOST \
 --env APP_CONFIG_OAUTH2_HOST=$APP_CONFIG_OAUTH2_HOST \
 --env APP_CONFIG_OAUTH2_CLIENTID=$APP_CONFIG_OAUTH2_CLIENTID \
+--env APP_CONFIG_OAUTH2_IMPLICIT_FLOW=$APP_CONFIG_OAUTH2_IMPLICIT_FLOW \
 --env APP_CONFIG_OAUTH2_IMPLICIT_FLOW=$APP_CONFIG_OAUTH2_CODE_FLOW \
 --env APP_CONFIG_OAUTH2_SILENT_LOGIN=$APP_CONFIG_OAUTH2_SILENT_LOGIN \
 --env APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI=$APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI \
diff --git a/lib/core/src/lib/auth/oidc/auth-config.service.spec.ts b/lib/core/src/lib/auth/oidc/auth-config.service.spec.ts
index df3f89f9c4f..d9b69289094 100644
--- a/lib/core/src/lib/auth/oidc/auth-config.service.spec.ts
+++ b/lib/core/src/lib/auth/oidc/auth-config.service.spec.ts
@@ -150,7 +150,7 @@ describe('AuthConfigService', () => {
 const expectedConfig = {
 oidc: true,
 issuer: 'http://localhost:3000/auth/realms/alfresco',
-redirectUri: 'http://localhost:3000/#/view/authentication-confirmation',
+redirectUri: 'http://localhost:3000/#/view/authentication-confirmation/?',
 silentRefreshRedirectUri: 'http://localhost:3000/assets/silent-refresh.html',
 postLogoutRedirectUri: 'http://localhost:3000/#/logout',
 clientId: 'fakeClientId',
diff --git a/lib/core/src/lib/auth/oidc/auth-config.service.ts b/lib/core/src/lib/auth/oidc/auth-config.service.ts
index 537c078db6c..a40dc3ef5aa 100644
--- a/lib/core/src/lib/auth/oidc/auth-config.service.ts
+++ b/lib/core/src/lib/auth/oidc/auth-config.service.ts
@@ -55,7 +55,7 @@ export class AuthConfigService {
 const redirectUri = this.getRedirectUri();
 
 const authConfig: AuthConfig = {
-oidc: oauth2.codeFlow || false,
+oidc: oauth2.implicitFlow || oauth2.codeFlow || false,
 issuer: oauth2.host,
 redirectUri,
 silentRefreshRedirectUri: oauth2.redirectSilentIframeUri,
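Review bot: The context line directly below the added one still reads `--env APP_CONFIG_OAUTH2_IMPLICIT_FLOW=$APP_CONFIG_OAUTH2_CODE_FLOW \`, so the container now receives `APP_CONFIG_OAUTH2_IMPLICIT_FLOW` twice and `APP_CONFIG_OAUTH2_CODE_FLOW` not at all; as far as I know Docker keeps the last `--env` for a name, so the host's `CODE_FLOW` value is what wins. The consequence is that the `codeFlow` sed block in 30-sed-on-appconfig.sh can never fire from `run.sh`, and setting `APP_CONFIG_OAUTH2_CODE_FLOW=true` on the host silently enables the implicit flow inside the container instead of the code flow. That existing line should become `--env APP_CONFIG_OAUTH2_CODE_FLOW=$APP_CONFIG_OAUTH2_CODE_FLOW \`.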
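Review bot: The updated expectation only tracks the `/?` suffix for whatever flow this test case configures; if it sets `codeFlow` (the setup is outside the hunk), the `implicitFlow` path that this patch adds to `getRedirectUri` and to the `oidc` expression has no spec at all. A second case with `implicitFlow: true, codeFlow: false` asserting the same `oidc: true` and `.../authentication-confirmation/?` values would pin the new behaviour, and a third with both flags false would confirm `oidc` stays false and the URI keeps no suffix.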
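Review bot: `oidc: oauth2.implicitFlow || oauth2.codeFlow || false` lets both flags be true at once, and nothing in this hunk says which flow the library then runs; the two booleans are independent keys in app.config.json, so the combination is reachable by plain configuration. Unless the response type is resolved elsewhere in the class (outside the hunk), I would reject or at least log the conflict up front and state the precedence next to the expression, e.g. `// implicitFlow and codeFlow are mutually exclusive; prefer codeFlow (authorization code + PKCE) — implicit flow is discouraged by the OAuth 2.0 Security BCP`. The enclosing method begins outside the hunk.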
@@ -85,7 +85,7 @@ export class AuthConfigService {
 
 // handle issue from the OIDC library with hashStrategy and implicitFlow, with would append &state to the url with would lead to error
 // `cannot match any routes`, and displaying the wildcard ** error page
-return oauth2.codeFlow && useHash ? `${redirectUri}/?` : redirectUri;
+return (oauth2.codeFlow || oauth2.implicitFlow) && useHash ? `${redirectUri}/?` : redirectUri;
 }
 
 private getLocationOrigin() {
diff --git a/lib/core/src/lib/login/components/login.component.ts b/lib/core/src/lib/login/components/login.component.ts
index 222d84bc869..55b5ecc1fd2 100644
--- a/lib/core/src/lib/login/components/login.component.ts
+++ b/lib/core/src/lib/login/components/login.component.ts
@@ -111,7 +111,7 @@ export class LoginComponent implements OnInit, OnDestroy {
 @Output()
 executeSubmit = new EventEmitter();
 
-implicitFlow: boolean = false;
+ssoLogin: boolean = false;
 form: UntypedFormGroup;
 isError: boolean = false;
 
@@ -155,8 +155,8 @@ export class LoginComponent implements OnInit, OnDestroy {
 const oauth = this.appConfig.oauth2;
 if (oauth?.silentLogin) {
 this.redirectToImplicitLogin();
-} else if (oauth?.implicitFlow) {
-this.implicitFlow = true;
+} else if (oauth?.implicitFlow || oauth?.codeFlow) {
+this.ssoLogin = true;
 }
 }
 
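Review bot: The `/?` suffix is now appended for the implicit flow as well, and a provider that matches `redirect_uri` exactly against the registered value (as the OAuth 2.0 Security BCP asks for) will reject implicit-flow clients that registered `.../authentication-confirmation` without the suffix once they upgrade; that is a deploy-time caveat worth one line in the changelog and in the comment above, e.g. `// NOTE: with hash routing the redirect URI registered at the IdP must include the trailing "/?"`. The disjunction `oauth2.codeFlow || oauth2.implicitFlow` now appears here and, in the opposite order with a trailing `|| false`, in the `oidc:` expression earlier in this class, with a third copy in LoginComponent; a single private helper such as `isSsoFlowEnabled(oauth2)` inside this class would stop the two local copies drifting. The enclosing method (presumably `getRedirectUri`, which the other hunk calls) begins outside the hunk.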
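Review bot: `implicitFlow` is a public field of an exported component, renamed to `ssoLogin` both in the declaration hunk and in the `else if` branch below, yet the diffstat lists no change to the login template or to any consumer; if `login.component.html` or a downstream app binds `implicitFlow`, that binding now evaluates to `undefined` (or fails to compile under strict templates). Either confirm nothing binds it or keep a deprecated shim for one release: `/** @deprecated use ssoLogin */ get implicitFlow(): boolean { return this.ssoLogin; }`. In the second hunk the flag has become flow-agnostic while the `silentLogin` branch still calls `redirectToImplicitLogin()`, so that name no longer describes what happens for code-flow setups and is worth renaming or commenting; `ssoLogin: boolean = false` can also drop the annotation, since `false` infers it. The enclosing method begins outside the hunk.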