blob: adfe9c9a4b092fa848b2fb7bdce4ecfae5e8331f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
<?php
/*
* StudipAuthOpenID.class.php - Stud.IP authentication using OpenID Connect
* Copyright (c) 2021 André Noack <noack@data-quest.de>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of
* the License, or (at your option) any later version.
*/
use Jumbojett\OpenIDConnectClient;
use Jumbojett\OpenIDConnectClientException;
class StudipAuthOIDC extends StudipAuthSSO
{
/**
* @var OpenIDConnectClient
*/
private $oidc;
/**
* @var string
*/
public $provider_url;
/**
* @var string
*/
public $client_id;
/**
* @var string
*/
public $client_secret;
/**
* @param array $config
*/
public function __construct($config = [])
{
parent::__construct($config);
if (Request::get('sso') === $this->plugin_name) {
$this->oidc = new OpenIDConnectClient($this->provider_url, $this->client_id, $this->client_secret);
if (isset($this->ssl_options)) {
foreach ($this->ssl_options as $option_key => $option_value) {
if (isset($option_value)) {
$this->oidc->{'set' . $option_key}($option_value);
}
}
if (Config::get()->HTTP_PROXY) {
$this->oidc->setHttpProxy(Config::get()->HTTP_PROXY);
}
$return_url = URLHelper::getScriptURL($GLOBALS['ABSOLUTE_URI_STUDIP'] . 'index.php', ['sso' => $this->plugin_name, 'again' => 'yes']);
$this->oidc->setRedirectURL($return_url);
$this->oidc->addScope(['openid', 'email', 'profile']);
}
}
}
/**
* Validate the username passed to the auth plugin.
*
* @param string $username
*
* @return string username openid attribute user_id@domain
*
* @throws OpenIDConnectClientException
*/
public function verifyUsername($username)
{
$this->oidc->authenticate();
$this->userdata = (array)$this->oidc->requestUserInfo();
if (isset($this->userdata['sub'])) {
return $this->userdata['username'] = $this->userdata['sub'] . '@' . $this->domain;
} else {
return null;
}
}
/**
* Return the current username of the pending authentication request.
*/
public function getUser()
{
return $this->userdata['username'];
}
/**
* Get the user domains to assign to the current user (if any).
*
* @return array array of user domain names
*/
public function getUserDomains()
{
return $this->domain ? [$this->domain] : null;
}
/**
* Callback that can be used in user_data_mapping array.
*
* @see https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims
*
* @param string key
*
* @return string parameter value (null if not set)
*/
public function getUserData($key)
{
return $this->userdata[$key];
}
}
|
