blob: 153bd4346d53adfe96e85cb3a87d88ee22bbd546 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
<?php
/*
* StudipAuthOpenID.php - Stud.IP authentication using OpenID Connect
* Copyright (c) 2021 André Noack <noack@data-quest.de>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of
* the License, or (at your option) any later version.
*/
use Jumbojett\OpenIDConnectClient;
use Jumbojett\OpenIDConnectClientException;
class StudipAuthOIDC extends StudipAuthSSO
{
/**
* @var OpenIDConnectClient
*/
private $oidc = null;
/**
* @var string
*/
public $provider_url;
/**
* @var string
*/
public $client_id;
/**
* @var string
*/
public $client_secret;
public ?string $redirect_uri = null;
/**
* @var string[]
*/
public $scopes = ['openid', 'email', 'profile'];
public function __construct($config = [])
{
parent::__construct($config);
if (!isset($this->redirect_uri)) {
$this->redirect_uri = URLHelper::getURL($GLOBALS['ABSOLUTE_URI_STUDIP'] . 'index.php', ['sso' => $this->plugin_name, 'again' => 'yes'], true);
}
}
/**
* Returns the configured OpenID Connect client.
*/
protected function getClient(): OpenIDConnectClient
{
if ($this->oidc === null) {
$this->oidc = new OpenIDConnectClient($this->provider_url, $this->client_id, $this->client_secret);
if (isset($this->ssl_options)) {
foreach ($this->ssl_options as $option_key => $option_value) {
if (isset($option_value)) {
$this->oidc->{'set' . $option_key}($option_value);
}
}
}
if (Config::get()->HTTP_PROXY) {
$this->oidc->setHttpProxy(Config::get()->HTTP_PROXY);
}
$this->oidc->setRedirectURL($this->redirect_uri);
$this->oidc->addScope($this->scopes);
}
return $this->oidc;
}
/**
* Validate the username passed to the auth plugin.
*
* @param string $username
*
* @return string username openid attribute user_id@domain
*
* @throws OpenIDConnectClientException
*/
public function verifyUsername($username)
{
$this->getClient()->authenticate();
$this->userdata = (array) $this->getClient()->requestUserInfo();
if (isset($this->userdata['sub'], $this->domain)) {
return $this->userdata['username'] = $this->userdata['sub'] . '@' . $this->domain;
} else if (isset($this->userdata['sub'])) {
return $this->userdata['username'] = $this->userdata['sub'];
} else {
return null;
}
}
/**
* Return the current username of the pending authentication request.
*/
public function getUser()
{
return $this->getUserData('username');
}
/**
* Get the user domains to assign to the current user (if any).
*
* @return array array of user domain names
*/
public function getUserDomains()
{
return $this->domain ? [$this->domain] : null;
}
/**
* Callback that can be used in user_data_mapping array.
*
* @see https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims
*
* @param string $key
* @return string parameter value (null if not set)
*/
public function getUserData($key)
{
return $this->userdata[$key];
}
public function logout(): void
{
$this->getClient()->signOut(
$this->getClient()->getIdToken(),
null
);
}
}
|
