Use webfinger for OIDC parameter discovery

[kaivol]

Closes #811.

Client side implementation of the changes described in https://github.com/opencloud-eu/opencloud/blob/main/docs/adr/0003-oidc-client-config-discovery.md.

Based on #776.

[RichardFevrier]

Did this PR worked for you @kulmann ?

Just tried it without success on my side, when both web + iOS are working perfectly.

I have tested the webfinger with:

curl -L cloud.mydomain.com/.well-known/webfinger?resource=https://cloud.opencloud.test&rel=http://openid.net/specs/connect/1.0/issuer&platform=desktop | jq
  % Total    % Received % Xferd  Average Speed  Time    Time    Time   Current
                                 Dload  Upload  Total   Spent   Left   Speed
  0      0   0      0   0      0      0      0                              0
100    305 100    305   0      0   2324      0                              0
{
  "subject": "https://cloud.opencloud.test",
  "properties": {
    "http://opencloud.eu/ns/oidc/client_id": "OpenCloudDesktop",
    "http://opencloud.eu/ns/oidc/scopes": [
      "openid",
      "profile",
      "email",
      "groups",
      "offline_access"
    ]
  },
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://auth.mydomain.com"
    }
  ]
}

Which returns groups that is mandatory on my setup since Authelia groups binds to OpenCloud roles.

But when the Authelia page appears I can see that groups are not part of the request.

Edit:
debugged it further:

26-04-28 13:38:21:512 [ debug sync.credentials.oauth ]  [ OCC::OAuth::openBrowser ]:    opening browser
26-04-28 13:38:21:512 [ debug sync.credentials.oauth ]  [ isUrlValid ]: Checking URL for validity: QUrl("https://auth.mydomain.com/api/oidc/authorization?response_type=code&client_id=OpenCloudDesktop&redirect_uri=http://127.0.0.1:32979&code_challenge=Kgkj2cHF9MwXPDyTkZETDhc4Pv07hAXBxgSV8DfBhCI&code_challenge_method=S256&scope=openid offline_access email profile&prompt=consent select_account&state=c5bNXSEMgYIazaZ3aMqJjz3mI7SfpbP00YlzmVl-Q2w%3D")
[2] Sandbox: CanCreateUserNamespace() clone() failure: EPERM

You can see that scopes (scope=openid offline_access email profile) doesn't contain groups.

[kaivol]

@RichardFevrier thanks for testing the PR!
I made some changes, so it should work now.

I also bumped the C++ standard version to 23, i hope this is fine.

[RichardFevrier]

Thanks for your work @kaivol I'll test that tomorrow! 🤩

[guruz]

@RichardFevrier Have you tested this PR? :)

[guruz]

@kaivol FYI CI ^ says this:

/Users/runner/work/desktop/desktop/src/libsync/creds/oauth.cpp:622:35: error: no member named 'join_with' in namespace 'std::__1::ranges::views'
  622 |                     | std::views::join_with(QStringLiteral(" "))
      |                       ~~~~~~~~~~~~^

Might be related to

I also bumped the C++ standard version to 23, i hope this is fine.

I can't say anything to this topic specifically, if it's easier to keep a lower C++ standard or check if all our platforms would support 23.
CC @TheOneRing

[kaivol]

@guruz Thanks for bringing that up.
I got rid of the join_with call and implemented the logic in a good ol' loop: diff

[guruz]

@kaivol one more failure :) ^

@TheOneRing FYI, i can't seem to be able to ask macos and windows to re-run if linux already failed ^

[kaivol]

I'm a little confused, the CI error seems to be in the OpenVFS plugin, not at all related to my changes 😕
A quick look at the CI overview shows that builds are failing for some time already.

[guruz]

@kaivol You're right, sorry!
Could you re-base on current main branch, it should be green now for Linux.
https://github.com/opencloud-eu/desktop/commits/main/

[guruz]

^ OAuth test fails

[kaivol]

Okay, I adjusted the OAuth test and added a response for the .well-known/webfinger request.

Let me know if you agree with the changes.