Class ilAuthProviderOpenIdConnect. More...

Inheritance diagram for ilAuthProviderOpenIdConnect:

Collaboration diagram for ilAuthProviderOpenIdConnect:

Public Member Functions
	__construct (ilAuthCredentials $credentials)
	ilAuthProviderOpenIdConnect constructor. More...

	handleLogout ()
	Handle logout event. More...

	doAuthentication (\ilAuthStatus $status)
	Do authentication. More...

Public Member Functions inherited from ilAuthProvider
	__construct (ilAuthCredentials $credentials)
	Constructor. More...

	getLogger ()
	Get logger. More...

	getCredentials ()

Private Member Functions
	handleUpdate (ilAuthStatus $status, $user_info)

	initClient ()

Private Attributes
	$settings = null

Additional Inherited Members
Data Fields inherited from ilAuthProvider
const	STATUS_UNDEFINED = 0

const	STATUS_AUTHENTICATION_SUCCESS = 1

const	STATUS_AUTHENTICATION_FAILED = 2

const	STATUS_MIGRATION = 3

Protected Member Functions inherited from ilAuthProvider
	handleAuthenticationFail (ilAuthStatus $status, $a_reason)
	Handle failed authentication. More...

Detailed Description

Class ilAuthProviderOpenIdConnect.

Author: Stefan Meyer smeye.nosp@m.r.il.nosp@m.ias@g.nosp@m.mx.d.nosp@m.e

Definition at line 13 of file class.ilAuthProviderOpenIdConnect.php.

Constructor & Destructor Documentation

◆ __construct()

ilAuthProviderOpenIdConnect::__construct ( ilAuthCredentials $credentials )

ilAuthProviderOpenIdConnect constructor.

Parameters

ilAuthCredentials $credentials

Definition at line 25 of file class.ilAuthProviderOpenIdConnect.php.

References ilOpenIdConnectSettings\getInstance(), and settings().

     {
         parent::__construct($credentials);
         $this->settings = ilOpenIdConnectSettings::getInstance();
     }

Here is the call graph for this function:

Member Function Documentation

◆ doAuthentication()

ilAuthProviderOpenIdConnect::doAuthentication ( \ilAuthStatus $status )

Do authentication.

Parameters

\ilAuthStatus $status Authentication status

Returns: bool

Implements ilAuthProviderInterface.

Definition at line 58 of file class.ilAuthProviderOpenIdConnect.php.

References $_GET, $oidc, PHPMailer\PHPMailer\$token, ilLogLevel\DEBUG, ilAuthProvider\getCredentials(), ilAuthProvider\getLogger(), handleUpdate(), initClient(), ilOpenIdConnectSettings\LOGIN_ENFORCE, ilOpenIdConnectSettings\LOGOUT_SCOPE_GLOBAL, ilSession\set(), ilAuthStatus\setStatus(), settings(), ilAuthStatus\setTranslatedReason(), and ilAuthStatus\STATUS_AUTHENTICATION_FAILED.

     {
         try {
             $oidc = $this->initClient();
             $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');
 
             $this->getLogger()->debug(
                 'Redirect url is: ' .
                 $oidc->getRedirectURL()
             );
 
             $oidc->setResponseTypes(
                 [
                     'id_token'
                 ]
             );
             $oidc->addScope(
                 [
                     'openid',
                     'profile',
                     'email',
                     'roles'
                 ]
             );
 
 
             $oidc->addAuthParam(['response_mode' => 'form_post']);
             switch ($this->settings->getLoginPromptType()) {
                 case ilOpenIdConnectSettings::LOGIN_ENFORCE:
                     $oidc->addAuthParam(['prompt' => 'login']);
                     break;
             }
             $oidc->setAllowImplicitFlow(true);
 
             $oidc->authenticate();
             // user is authenticated, otherwise redirected to authorization endpoint or exception
             $this->getLogger()->dump($_REQUEST, \ilLogLevel::DEBUG);
 
             $claims = $oidc->getVerifiedClaims(null);
             $this->getLogger()->dump($claims, \ilLogLevel::DEBUG);
             $status = $this->handleUpdate($status, $claims);
 
             // @todo : provide a general solution for all authentication methods
             $_GET['target'] = (string) $this->getCredentials()->getRedirectionTarget();
 
             if ($this->settings->getLogoutScope() == ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {
                 $token = $oidc->requestClientCredentialsToken();
                 ilSession::set('oidc_auth_token', $token->access_token);
             }
             return true;
         } catch (Exception $e) {
             $this->getLogger()->warning($e->getMessage());
             $this->getLogger()->warning($e->getCode());
             $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
             $status->setTranslatedReason($e->getMessage());
             return false;
         }
     }

Here is the call graph for this function:

◆ handleLogout()

ilAuthProviderOpenIdConnect::handleLogout ( )

Handle logout event.

Definition at line 34 of file class.ilAuthProviderOpenIdConnect.php.

References $oidc, ilSession\get(), ilAuthProvider\getLogger(), initClient(), ilOpenIdConnectSettings\LOGOUT_SCOPE_LOCAL, ilSession\set(), and settings().

     {
         if ($this->settings->getLogoutScope() == ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {
             return false;
         }
 
         $auth_token = ilSession::get('oidc_auth_token');
         $this->getLogger()->debug('Using token: ' . $auth_token);
 
         if (strlen($auth_token)) {
             ilSession::set('oidc_auth_token', '');
             $oidc = $this->initClient();
             $oidc->signOut(
                 $auth_token,
                 ILIAS_HTTP_PATH . '/logout.php'
             );
         }
     }

Here is the call graph for this function:

◆ handleUpdate()

ilAuthProviderOpenIdConnect::handleUpdate	(	ilAuthStatus	$status,
			$user_info
	)

private

Parameters

ilAuthStatus	$status
array	$user_info

Definition at line 122 of file class.ilAuthProviderOpenIdConnect.php.

References $_GET, ilAuthProvider\$status, $sync, ilAuthProvider\$user_id, ilObjUser\_checkExternalAuthAccount(), ilOpenIdConnectUserSync\AUTH_MODE, ilLogLevel\ERROR, ilAuthProvider\getCredentials(), ilAuthProvider\getLogger(), ilSession\set(), ilAuthStatus\setAuthenticatedUserId(), ilAuthStatus\setReason(), ilAuthStatus\setStatus(), settings(), ilAuthStatus\STATUS_AUTHENTICATED, and ilAuthStatus\STATUS_AUTHENTICATION_FAILED.

Referenced by doAuthentication().

     {
         if (!is_object($user_info)) {
             $this->getLogger()->error('Received invalid user credentials: ');
             $this->getLogger()->dump($user_info, ilLogLevel::ERROR);
             $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
             $status->setReason('err_wrong_login');
             return false;
         }
 
         $uid_field = $this->settings->getUidField();
         $ext_account = $user_info->$uid_field;
 
         $this->getLogger()->debug('Authenticated external account: ' . $ext_account);
 
 
         $int_account = ilObjUser::_checkExternalAuthAccount(
             ilOpenIdConnectUserSync::AUTH_MODE,
             $ext_account
         );
 
         try {
             $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);
             if (!is_string($ext_account)) {
                 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
                 $status->setReason('err_wrong_login');
                 return $status;
             }
             $sync->setExternalAccount($ext_account);
             $sync->setInternalAccount($int_account);
             $sync->updateUser();
 
             $user_id = $sync->getUserId();
             ilSession::set('used_external_auth', true);
             $status->setAuthenticatedUserId($user_id);
             $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
 
             // @todo : provide a general solution for all authentication methods
             $_GET['target'] = (string) $this->getCredentials()->getRedirectionTarget();
         } catch (ilOpenIdConnectSyncForbiddenException $e) {
             $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
             $status->setReason('err_wrong_login');
         }
 
         return $status;
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ initClient()

ilAuthProviderOpenIdConnect::initClient ( )

private

Returns: OpenIDConnectClient

Definition at line 172 of file class.ilAuthProviderOpenIdConnect.php.

References $oidc, and settings().

Referenced by doAuthentication(), and handleLogout().

                                   : OpenIDConnectClient
     {
         $oidc = new OpenIDConnectClient(
             $this->settings->getProvider(),
             $this->settings->getClientId(),
             $this->settings->getSecret()
         );
         return $oidc;
     }