JWT Auth integration

classes/Conf/class.xoctConfFormGUI.php

@@ -557,6 +557,15 @@ protected function initGroupsRolesSection(): void
 
     protected function initSecuritySection(): void
     {
+        $strings = (object) [
+            'show' => $this->getLocaleString(PluginConfig::F_JWT_SECURITY_PK . '_show_icon'),
+            'hide' => $this->getLocaleString(PluginConfig::F_JWT_SECURITY_PK . '_hide_icon'),
+            'hidden_element_title' => $this->getLocaleString(PluginConfig::F_JWT_SECURITY_PK . '_hidden_element_title')
+        ];
+        $strings = json_encode($strings);
+        $code = "il.Opencast.Form.passwordToggle.initTextarea('" . PluginConfig::F_JWT_SECURITY_PK . "', '" . $strings . "');";
+        $this->main_tpl->addOnLoadCode($code);
+
         $this->main_tpl->setOnScreenMessage('info', $this->getLocaleString('security_info'), true);
         $h = new ilFormSectionHeaderGUI();
         $h->setTitle($this->getLocaleString('security'));
@@ -658,6 +667,60 @@ protected function initSecuritySection(): void
         );
         $cb->setInfo($this->getLocaleString(PluginConfig::F_PRESIGN_LINKS . '_info'));
         $this->addItem($cb);
+
+        // JWT enabled.
+        $cb = new ilCheckboxInputGUI(
+            $this->getLocaleString(PluginConfig::F_JWT_SECURITY_ENABLED),
+            PluginConfig::F_JWT_SECURITY_ENABLED
+        );
+        $cb->setInfo($this->getLocaleString(PluginConfig::F_JWT_SECURITY_ENABLED . '_info'));
+        $this->addItem($cb);
+
+        // JWT Private Key.
+        $te_cb_sub = new ilTextAreaInputGUI($this->getLocaleString(PluginConfig::F_JWT_SECURITY_PK), PluginConfig::F_JWT_SECURITY_PK);
+        $te_cb_sub->setInfo($this->getLocaleString(PluginConfig::F_JWT_SECURITY_PK . '_info'));
+        $te_cb_sub->setRequired(true);
+        $cb->addSubItem($te_cb_sub);
+
+        //JWT Expiration.
+        $nu_cb_sub = new ilNumberInputGUI($this->getLocaleString(PluginConfig::F_JWT_SECURITY_EXP), PluginConfig::F_JWT_SECURITY_EXP);
+        $nu_cb_sub->setMinValue(1, true);
+        $nu_cb_sub->setValue((string) PluginConfig::getConfig(PluginConfig::F_JWT_SECURITY_EXP) ?? "15");
+        $nu_cb_sub->setInfo($this->getLocaleString(PluginConfig::F_JWT_SECURITY_EXP . '_info'));
+        $cb->addSubItem($nu_cb_sub);
+
+        // JWT Algorithm.
+        $se_cb_sub = new ilSelectInputGUI($this->getLocaleString(PluginConfig::F_JWT_SECURITY_ALG), PluginConfig::F_JWT_SECURITY_ALG);
+        $se_cb_sub->setInfo($this->getLocaleString(PluginConfig::F_JWT_SECURITY_ALG . '_info'));
+        $algorithms = [];
+        foreach (array_keys(\OpencastApi\Auth\JWT\OcJwtHandler::SUPPORTED_ALGORITHMS) as $alg) {
+            $algorithms[$alg] = $alg;
+        }
+        $default = \OpencastApi\Auth\JWT\OcJwtHandler::DEFAULT_ALGORITHM;
+        $se_cb_sub->setOptions($algorithms);
+        $se_cb_sub->setValue(PluginConfig::getConfig(PluginConfig::F_JWT_SECURITY_ALG) ?? $default);
+        $cb->addSubItem($se_cb_sub);
+
+        // JWT Studio Roles.
+        $te_studio_cb_sub = new ilTextInputGUI($this->getLocaleString('jwt_security_studio_roles'), PluginConfig::F_JWT_SECURITY_STUDIO_ROLES);
+        $te_studio_cb_sub->setInfo($this->getLocaleString('jwt_security_studio_roles_info'));
+        $te_studio_cb_sub->setMulti(true);
+        $te_studio_cb_sub->setInlineStyle('min-width:250px');
+        $cb->addSubItem($te_studio_cb_sub);
+
+        // JWT Editor Roles.
+        $te_editor_cb_sub = new ilTextInputGUI($this->getLocaleString('jwt_security_editor_roles'), PluginConfig::F_JWT_SECURITY_EDITOR_ROLES);
+        $te_editor_cb_sub->setInfo($this->getLocaleString('jwt_security_editor_roles_info'));
+        $te_editor_cb_sub->setMulti(true);
+        $te_editor_cb_sub->setInlineStyle('min-width:250px');
+        $cb->addSubItem($te_editor_cb_sub);
+
+        // JWT Annotation-tool Roles.
+        $te_annotation_tool_cb_sub = new ilTextInputGUI($this->getLocaleString('jwt_security_annotation_tool_roles'), PluginConfig::F_JWT_SECURITY_ANNOTATION_TOOL_ROLES);
+        $te_annotation_tool_cb_sub->setInfo($this->getLocaleString('jwt_security_annotation_tool_roles_info'));
+        $te_annotation_tool_cb_sub->setMulti(true);
+        $te_annotation_tool_cb_sub->setInlineStyle('min-width:250px');
+        $cb->addSubItem($te_annotation_tool_cb_sub);
     }
 
     protected function initAdvancedSection(): void

classes/Event/class.xoctEventGUI.php

@@ -7,6 +7,7 @@
 use ILIAS\DI\Container;
 use ILIAS\UI\Component\Input\Field\UploadHandler;
 use ILIAS\UI\Renderer;
+use srag\Plugins\Opencast\API\OpencastAPI;
 use srag\Plugins\Opencast\Model\ACL\ACLUtils;
 use srag\Plugins\Opencast\Model\Config\PluginConfig;
 use srag\Plugins\Opencast\Model\Event\Event;
@@ -893,7 +894,22 @@ public function opencaststudio(): void
         // Append the query string to the studio link.
         $studio_link .= '?' . $combined_query_string;
 
-        $this->ctrl->redirectToURL($studio_link);
+        if (empty(PluginConfig::getConfig(PluginConfig::F_JWT_SECURITY_ENABLED))) {
+            $this->ctrl->redirectToURL($studio_link);
+            return;
+        }
+
+        $encoded_studio_link = $base . '/studio?' . http_build_query($query_params);
+
+        $jwt = $this->api->issueExternalServicesJwtFor(OpencastAPI::JWT_SERVICE_STUDIO);
+        if (empty($jwt)) {
+            throw new xoctException(
+                xoctException::INTERNAL_ERROR,
+                'Unable to provide a JWT for Studio service!'
+            );
+        }
+        $redirect_template_html = $this->getJwtRedirectHtml($jwt, $encoded_studio_link);
+        $this->main_tpl->setContent($redirect_template_html);
     }
 
 
@@ -912,7 +928,43 @@ public function cut(): void
 
         // redirect
         $cutting_link = $event->publications()->getCuttingLink();
-        $this->ctrl->redirectToURL($cutting_link);
+
+        if (empty(PluginConfig::getConfig(PluginConfig::F_JWT_SECURITY_ENABLED))) {
+            $this->ctrl->redirectToURL($cutting_link);
+            return;
+        }
+
+        $jwt = $this->api->issueExternalServicesJwtFor(OpencastAPI::JWT_SERVICE_EDITOR);
+        if (empty($jwt)) {
+            throw new xoctException(
+                xoctException::INTERNAL_ERROR,
+                'Unable to provide a JWT for Editor service!'
+            );
+        }
+        $redirect_template_html = $this->getJwtRedirectHtml( $jwt, $cutting_link);
+        $this->main_tpl->setContent($redirect_template_html);
+    }
+
+    /**
+     * Generates HTML for JWT-based redirect from the template.
+     *
+     * This method renders a redirect template by populating it with the provided redirect URL,
+     * JWT token, and target URL. The resulting HTML is used to automatically redirect the user
+     * to the target link using the JWT for authentication.
+     *
+     * @param string $jwt          The JWT token for authentication
+     * @param string $target_link  The final target URL to redirect to after JWT validation
+     * @return string The generated HTML string for the redirect page
+     */
+    private function getJwtRedirectHtml(string $jwt, string $target_link): string
+    {
+        $base = rtrim((string) PluginConfig::getConfig(PluginConfig::F_API_BASE), "/");
+        $redirect_url = str_replace('/api', '/redirect/get', $base);
+        $redirect_template = $this->plugin->getTemplate('default/tpl.jwt_redirect.html', false, false);
+        $redirect_template->setVariable('ACTION', $redirect_url);
+        $redirect_template->setVariable('JWT', $jwt);
+        $redirect_template->setVariable('TARGET_URL', $target_link);
+        return $redirect_template->get();
     }
 
     private function retrieveQuery(string $q): ?string
@@ -1007,7 +1059,21 @@ public function annotate(): void
         $annotation_link = $event->publications()->getAnnotationLink(
             $this->ref_id
         );
-        $this->ctrl->redirectToURL($annotation_link);
+
+        if (empty(PluginConfig::getConfig(PluginConfig::F_JWT_SECURITY_ENABLED))) {
+            $this->ctrl->redirectToURL($annotation_link);
+            return;
+        }
+
+        $jwt = $this->api->issueExternalServicesJwtFor(OpencastAPI::JWT_SERVICE_ANNOTATION_TOOL, $event->getIdentifier());
+        if (empty($jwt)) {
+            throw new xoctException(
+                xoctException::INTERNAL_ERROR,
+                'Unable to provide a JWT for Annotation-tool service!'
+            );
+        }
+        $redirect_template_html = $this->getJwtRedirectHtml($jwt, $annotation_link);
+        $this->main_tpl->setContent($redirect_template_html);
     }
 
     public function setOnline(): void

classes/Player/class.xoctPlayerGUI.php

@@ -16,7 +16,6 @@
 use srag\Plugins\Opencast\Util\Player\PlayerDataBuilderFactory;
 use srag\Plugins\Opencast\Util\FileTransfer\PaellaConfigStorageService;
 use srag\Plugins\Opencast\LegacyHelpers\TranslatorTrait;
-use ILIAS\DI\HTTPServices;
 use srag\Plugins\Opencast\Util\OutputResponse;
 
 /**
@@ -65,31 +64,54 @@ public function streamVideo(): void
         if ($this->identifier === null || empty($this->identifier)) {
             $this->sendReponse("Error: invalid identifier");
         }
+
+        $jwt_iframe_capable = false;
         $event = $this->event_repository->find($this->identifier);
-        if (!PluginConfig::getConfig(PluginConfig::F_INTERNAL_VIDEO_PLAYER) && !$event->isLiveEvent()) {
+        if (!$this->api->isJWTActivated() // We don't offer this redirect if JWT is activated.
+            && !PluginConfig::getConfig(PluginConfig::F_INTERNAL_VIDEO_PLAYER)
+            && !$event->isLiveEvent()) {
             // redirect to opencast
             header('Location: ' . $event->publications()->getPlayerLink());
             $this->closeResponse();
         }
 
         try {
-            $data = PlayerDataBuilderFactory::getInstance()->getBuilder($event)->buildStreamingData();
+            $player_data_builder = PlayerDataBuilderFactory::getInstance()->getBuilder($event);
+            $jwt_iframe_capable = $player_data_builder->shouldPlayInJWTIframe();
+            // For the data structure, we have now a new parameter "jwt", which contains the jwt related data and needs to extracted later on.
+            $data = $player_data_builder->buildStreamingData();
         } catch (xoctException $e) {
             xoctLog::getInstance()->logError((string) $e->getCode(), $e->getMessage());
             xoctLog::getInstance()->logStack($e->getTraceAsString());
             $this->sendReponse("Error: " . $e->getMessage());
         }
 
+        // We load different template for the JWT Iframe Player.
+        if ($this->api->isJWTActivated() && $jwt_iframe_capable) {
+            $tpl = $this->plugin->getTemplate("jwt_iframe_player.html", true, true);
+            $jwt_data = $data['jwt'] ?? [];
+            $tpl->setVariable("JWT_MODULE_CONFIG",
+                json_encode($this->buildJwtModuleConfig($event, $jwt_data)));
+        } else {
+            // The normal paella player.
+            $tpl = $this->plugin->getTemplate("paella_player.html", true, true);
+            // Clear the data from JWT specific data.
+            if (isset($data['jwt'])) {
+                unset($data['jwt']);
+            }
+            $tpl->setVariable("DATA", json_encode($data));
+            $tpl->setVariable("JS_CONFIG", json_encode($this->buildJSConfig($event)));
+        }
+
+        if (empty($tpl)) {
+            $this->sendReponse("Error: unable to render proper template!");
+        }
+
         $jquery_path = iljQueryUtil::getLocaljQueryPath();
         $ilias_basic_js_path = './Services/JavaScript/js/Basic.js';
-        $tpl = $this->plugin->getTemplate("paella_player.html", true, true);
-
         $tpl->setVariable("JQUERY_PATH", $jquery_path);
         $tpl->setVariable("ILIAS_BASIC_JS_PATH", $ilias_basic_js_path);
-
         $tpl->setVariable("TITLE", $event->getTitle());
-        $tpl->setVariable("DATA", json_encode($data));
-        $tpl->setVariable("JS_CONFIG", json_encode($this->buildJSConfig($event)));
 
         if ($event->isLiveEvent()) {
             $tpl->setVariable(
@@ -167,6 +189,42 @@ protected function buildJSConfig(Event $event): stdClass
         return $js_config;
     }
 
+    protected function buildJwtModuleConfig(Event $event, array $jwt_data): stdClass
+    {
+        $jwt_module_config = new stdClass();
+        $jwt_module_config->refresh_token_url = $this->getRefreshJwtAsyncUrl($event->getIdentifier(), $this->object_settings->getObjId());
+        $player_url = null;
+        if (!empty($jwt_data['jwt_iframe_urls'])) {
+            $player_url = reset($jwt_data['jwt_iframe_urls']); // We take the first one, no matter how many is there!
+        }
+        // We make the fallback here!
+        if (empty($player_url)) {
+            $base_url = PluginConfig::getConfig(PluginConfig::F_PRESENTATION_NODE)
+                ?? PluginConfig::getConfig(PluginConfig::F_API_BASE);
+            $player_url = $this->api->makeJwtIframeSourceUrl($base_url, $event->getIdentifier());
+        }
+        $jwt_module_config->player_url = $player_url;
+        $jwt_module_config->event_id = $event->getIdentifier();
+        $jwt_module_config->is_live_stream = $event->isLiveEvent();
+        if ($jwt_module_config->is_live_stream) {
+            $jwt_module_config->hls_source_urls = $jwt_data['urls'] ?? [];
+            $jwt_module_config->hls_check_script = ILIAS_HTTP_PATH . '/' . $this->plugin->getDirectory() . '/src/Util/check_hls_status.php';
+            $jwt_module_config->hls_source_format =
+                PluginConfig::getConfig(PluginConfig::F_LIVESTREAM_TYPE) ?? 'hls';
+            $start_utc_atom = $event->getScheduling()
+                                    ?->getStart()
+                                    ->setTimezone(new \DateTimeZone('UTC'))
+                                    ->format(\DateTime::ATOM) ?? null;
+            $end_utc_atom = $event->getScheduling()
+                                    ?->getEnd()
+                                    ->setTimezone(new \DateTimeZone('UTC'))
+                                    ->format(\DateTime::ATOM) ?? null;
+            $jwt_module_config->start_time_utc = $start_utc_atom;
+            $jwt_module_config->end_time_utc = $end_utc_atom;
+        }
+        return $jwt_module_config;
+    }
+
     /**
      * Function to check whether the chat must be provided to the user based on the following conditions:
      * - Event must be identified as Live or has chat records already (was live before)

classes/class.ilObjOpenCastAccess.php

@@ -347,6 +347,31 @@ public static function hasReadAccessOnEvent(Event $event, xoctUser $xoctUser, Ob
         return $invitations !== [];
     }
 
+
+    /**
+     * Checks if a user has read access on an event for JWT token refresh.
+     *
+     * This method verifies whether a user can access a specific event for the purpose of refreshing JWT tokens.
+     * It retrieves the user and object settings, then delegates to hasReadAccessOnEvent to perform the actual access check.
+     *
+     * @param Event  $event   The event to check access for
+     * @param int    $obj_id  The object ID of the OpenCast object
+     * @param int    $user_id The user ID (optional, defaults to current user)
+     * @return bool True if the user has read access, false otherwise
+     */
+    public static function hasReadAccessOnEventForRefreshJwt(Event $event, int $obj_id, ?int $user_id = null): bool
+    {
+        global $DIC;
+        if (empty($user_id)) {
+            $user_id = $DIC->user()->getId();
+        }
+
+        $xoctUser = xoctUser::getInstance($user_id);
+        $objectSettings = ObjectSettings::findOrGetInstance($obj_id);
+
+        return self::hasReadAccessOnEvent($event, $xoctUser, $objectSettings);
+    }
+
     protected static function initRoleMembers(): void
     {
         global $DIC;

classes/class.xoctException.php

@@ -16,6 +16,7 @@ class xoctException extends Exception
     public const NO_USER_MAPPING = 40;
     public const INTERNAL_ERROR = 50;
     public const NO_STREAMING_DATA = 60;
+    public const JWT_TOKEN_ISSUE_FAILED = 70;
     public const API_CALL_STATUS_500 = 500;
     public const API_CALL_STATUS_403 = 403;
     public const API_CALL_STATUS_404 = 404;
@@ -38,6 +39,7 @@ class xoctException extends Exception
         self::API_CALL_BAD_CREDENTIALS => 'The OpenCast-Server cannot be accessed at the moment.',
         self::INTERNAL_ERROR => 'A plugin-internal error occured.',
         self::NO_STREAMING_DATA => 'No streaming data found.',
+        self::JWT_TOKEN_ISSUE_FAILED => 'Opencast JWT: An error occurred while generating token',
     ];
 
     /**