fix(Session): avoid password confirmation on SSO

SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends where used as user repositories.

Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

1 files changed, 4 insertions, 1 deletions

diff --git a/core/Controller/OCJSController.php b/core/Controller/OCJSController.php
index e9093439125..d20665ccfea 100644
--- a/core/Controller/OCJSController.php
+++ b/core/Controller/OCJSController.php
@@ -29,6 +29,7 @@
 namespace OC\Core\Controller;
 
 use bantu\IniGetWrapper\IniGetWrapper;
+use OC\Authentication\Token\IProvider;
 use OC\CapabilitiesManager;
 use OC\Template\JSConfigHelper;
 use OCP\App\IAppManager;
@@ -64,6 +65,7 @@ class OCJSController extends Controller {
 		IURLGenerator $urlGenerator,
 		CapabilitiesManager $capabilitiesManager,
 		IInitialStateService $initialStateService,
+		IProvider $tokenProvider,
 	) {
 		parent::__construct($appName, $request);
 
@@ -78,7 +80,8 @@ class OCJSController extends Controller {
 			$iniWrapper,
 			$urlGenerator,
 			$capabilitiesManager,
-			$initialStateService
+			$initialStateService,
+			$tokenProvider
 		);
 	}