Seafile API and webdav through SSO

Seafile Server
10

Note this thread: Authenticate to seafile APIs using Shibboleth, where daniel.pan sketched a way to access the API with Shibboleth. The same is possible with OIDC. However, OIDC does not have a specific success page in Seafile. Seafile’s OIDC callback (the page called by Keycloak upon successful login) is at /oauth/callback, and it displays your list of libraries (the usual Seafile home page).

One option is to include the below patch (based on 6.3.4) in seahub/seahub/templates/libraries.html. However, this is dangerous if you do not understand it! Make sure to set a very specific allowed origin in postMessage, because otherwise any site you open in your browser can steal your access token – simply by opening a new window with your Seafile instance while you are logged in.

--- libraries.html	2019-04-16 17:33:50.652115255 +0200
+++ libraries.html.modified	2019-04-16 17:33:00.622745013 +0200
@@ -313,6 +313,36 @@
     freezeItemHightlight: false
 };
 </script>
+
+<script>
+(function() {
+function getCookie(name) {
+    var cookieValue = null;
+    if (document.cookie && document.cookie != '') {
+        var cookies = document.cookie.split(';');
+        for (var i = 0; i < cookies.length; i++) {
+            var cookie = cookies[i].trim();
+            // Does this cookie string begin with the name we want?
+            if (cookie.substring(0, name.length + 1) == (name + '=')) {
+                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+                break;
+            }
+        }
+    }
+    return cookieValue;
+}
+
+let seahub_auth_info = getCookie("seahub_auth");
+
+if (seahub_auth_info) {
+    window.parent.postMessage(seahub_auth_info, "https://www.example.com");
+    if (window.opener) {
+        window.opener.postMessage(seahub_auth_info, "https://www.example.com");
+    }
+}
+})();
+</script>
+
 {% if debug %}
 <script data-main="{% static "scripts/main.js" %}" src="{% static "scripts/lib/require.js" %}"></script>
 {% else %}

A “portal page” could then do something like this:

window.addEventListener("message", async (message) => {
	const data = JSON.parse(message.data).split("@");
	const token = data[data.length - 1];
	popup.close();

	let rawResponse = await fetch ("https://cloud.seafile.com/api2/account/info/", {
		headers: {authorization: "Token " + token}
	});
	let responseData = await rawResponse.json();
	console.log(responseData);
});
const popup = window.open("https://cloud.seafile.com/oauth/login/");