Custom TYPO3 12 backend Authentication Service problem with request token

Question

I am updating a custom TYPO3 backend Authentication Service to TYPO3 12. It uses OpenID Connect and after the login on the central server the user is redirected to the TYPO3 backend login form, but is not logged in. After some debugging I found it's because of the request token that was added to the backend login in TYPO3 12.

The first problem was that the request token check fails if the request is not POST, PUT or PATCH. Adding response_mode=form_post to the authentication URL fixed that. I've also added the request token to the return URL. Unfortunately this does not work. The request token is only fetched from a header or the request body, not the GET string.

Do I have to redirect the user with the correct header or is there a better way to do this?

Answer 1

Taking the OAauth 2.0 spec, there is no response_mode=form_post - so is this a custom/special implementation by OpenID ? Could not find anything with a quicksearch.

However, a general possible solution I could suggest, would be to implement a custom PSR-15 Middleware [1] and register it early in the stack (before the TYPO3 core handling / token validation take place. In this middleware, check if it is the OpenID response callback along with the query arguemtn (response_mode=query) as the fragement mode is not reasonable (fragments are only browser information, and not transfered to the server / webserver).

Following a example middleware to demonstrate in a pseudo way (not tested), put it into your extension my_ext/Classes/Middleware/CustomBackendMiddleware.php:

<?php

namespace MyVendor\MyExtension\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use TYPO3\CMS\Core\Security\RequestToken;

final CustomBackendMiddleware implements MiddlewareInterface
{
  /**
   * Resolve the site information by checking the page ID
   * ("id" parameter) which is typically used in BE modules
   * of type "web".
   */
  public function process(
    ServerRequestInterface $request,
    RequestHandlerInterface $handler
  ): ResponseInterface {
    // @todo harden the check if it is the correct url/arguments
    // following is only example code for demonstration purpose
    $openIdResponseToken = $request
      ->getQueryParams()['openid_token_query_argument_name'] ?? null;

    if (openIdResponseToken === null) {
      // nothing to do, continue normal stack
      return $handler->handle($request);
    }

    $request = $request
      ->withMethod('POST')
      ->withHeader(RequestToken::HEADER_NAME, $openIdResponseToken)
    ;    
    // check/migrate/reset additonal headers, data or transform to
    // a valid post request etc if required.

    // NOTE: Depending where in the middleware stack this middleware will be
    //       registered, we need to update the global request.
    if (($GLOBALS['TYPO3_REQUEST'] ?? null) instanceof ServerRequestInterface) {
      $GLOBALS['TYPO3_REQUEST'] = $request;     
    }
    
    // continue stack with manipulated request
    return $handler->handle($request);
  }
}

Then, in youre extension Configuration/RequestMiddlewares.php you need to register the middleware:

return [
  'backend' => [
    'my-vendor/backend-oauth-service-request-transformator' => [
      'target' => \MyVendor\MyExtension\Middleware\CustomBackendMiddleware::class,
      'after' => [
        'typo3/cms-backend/locked-backend',
      ],
      'before' => [
         'typo3/cms-core/request-token-middleware',
      ],
    ],
  ],
];

But I guess, that you want to fully etablish the signin .-. which would involve more than that, I guess. TBH - I never messed araound with user authentication provides.

However, beside some extensions targeting FE user signing, there is also a extension targeting for backend openid signin - and that already for a long time. So, instead of implementing the stuff yourself, you may want to install and evaluate that extension first - or at least look into the code how they are doing it and adopt the parts you need and adjust it for your requirements. [1][2]

NOTE: This is not a suggestion of what to use or not - it's such some findings. Please search yourself the TYPO3 Extension Repository for alternative and suiting extension. [3]

• [1] TER Page of extension: https://extensions.typo3.org/extension/openid
• [2] GitHub Repository of the extension: https://github.com/FriendsOfTYPO3/openid
• [3] https://extensions.typo3.org/