From 31df137d8a247e2a3be9041d5e55eb0e2a875cea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean=20Charles=20Del=C3=A9pine?=
Date: Tue, 26 May 2026 22:13:29 +0200
Subject: [PATCH] feat: XOAUTH2 hook for Sieve/timsieved with OIDC authentication Adds a timsieved XOAUTH2 hook example to hooks.php.dist. When the user has logged in via an OIDC provider, the hook injects a Horde\ManageSieve\Password\Xoauth2 object for Sieve authentication instead of using the stored password. The hook code is commented out in the .dist file and must be explicitly activated by the administrator. Depends on: - horde/Core: OIDC integration (PR 160)
---
 config/hooks.php.dist | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/config/hooks.php.dist b/config/hooks.php.dist
index 8a17917..01f14ae 100644
--- a/config/hooks.php.dist
+++ b/config/hooks.php.dist
@@ -45,6 +45,34 @@ class Ingo_Hooks
 // 'password' => $ob->getParam('password'),
 // 'username' => $ob->getParam('username')
 // );
+//
+// case 'timsieved':
+// // OIDC/XOAUTH2: if the user logged in via an OIDC provider
+// // (e.g. Apereo CAS, Keycloak), use XOAUTH2 for timsieved.
+// // Requires horde/Core >= 6.x with OAuthTokenService configured.
+// global $injector;
+// $username = $injector->getInstance('Horde_Registry')->getAuth();
+// if ($username) {
+// $tokenService = $injector->getInstance(\Horde\Core\Service\OAuthTokenService::class);
+// $providerConfig = $injector->getInstance(\Horde\Core\Service\OAuthProviderConfigRepository::class);
+// $row = \Horde\Core\Service\OidcHookHelper::findProviderForUser(
+// $username, $tokenService, $providerConfig
+// );
+// if ($row !== null) {
+// $accessToken = \Horde\Core\Service\OidcHookHelper::getValidAccessToken(
+// $username, $row, $tokenService, $injector
+// );
+// if ($accessToken !== null) {
+// $xoauth2User = \Horde\Core\Service\OidcHookHelper::xoauth2Username($username, $row);
+// return array(
+// 'username' => $xoauth2User,
+// 'xoauth2_token' => new \Horde\ManageSieve\Password\Xoauth2($xoauth2User, $accessToken),
+// 'euser' => '',
+// );
+// }
+// }
+// }
+// break;
 // }
 //
 // // DEFAULT: Use hordeauth (identical to not defining hook at all).
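Review bot: In the added `case 'timsieved':` block, a provider row with no usable token (`$accessToken === null`) drops silently to `break` and then, judging by the trailing context comment, to the `DEFAULT: Use hordeauth` path. An OIDC user whose token expired or failed to refresh would therefore be retried with Horde's stored credentials and see only a generic Sieve login failure, with nothing recorded. An `else` on the `$accessToken !== null` check carrying a log line such as `// Horde::log('timsieved XOAUTH2: no valid access token for ' . $username . ', falling back to hordeauth', 'WARN');` would make this diagnosable; the token value itself must never be logged. The example's comment header should also say that XOAUTH2 sends a bearer token to the Sieve server, so the timsieved backend must be configured to require TLS (presumably `usetls` in backends.php, to be confirmed). The enclosing switch and hook method start and end outside this hunk, so the fallback behaviour is inferred from the context lines.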