da/d59/class_8ilAuthProviderOpenIdConnect_8php_source.html

<?php

/* Copyright (c) 1998-2009 ILIAS open source, Extended GPL, see docs/LICENSE */


use Jumbojett\OpenIDConnectClient;


class ilAuthProviderOpenIdConnect extends ilAuthProvider implements ilAuthProviderInterface

{

    private $settings = null;


    public function __construct(ilAuthCredentials $credentials)

    {

        parent::__construct($credentials);

        $this->settings = ilOpenIdConnectSettings::getInstance();

    }


    public function handleLogout()

    {

        if ($this->settings->getLogoutScope() == ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {

            return false;

        }


        $auth_token = ilSession::get('oidc_auth_token');

        $this->getLogger()->debug('Using token: ' . $auth_token);


        if (strlen($auth_token)) {

            ilSession::set('oidc_auth_token', '');

            $oidc = $this->initClient();

            $oidc->signOut(

                $auth_token,

                ILIAS_HTTP_PATH . '/logout.php'

            );

        }

    }


    public function doAuthentication(\ilAuthStatus $status)

    {

        try {

            $oidc = $this->initClient();

            $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');


            $this->getLogger()->debug(

                'Redirect url is: ' .

                $oidc->getRedirectURL()

            );


            $oidc->setResponseTypes(

                [

                    'id_token'

                ]

            );

            $oidc->addScope(

                [

                    'openid',

                    'profile',

                    'email',

                    'roles'

                ]

            );


            $oidc->addAuthParam(['response_mode' => 'form_post']);

            switch ($this->settings->getLoginPromptType()) {

                case ilOpenIdConnectSettings::LOGIN_ENFORCE:

                    $oidc->addAuthParam(['prompt' => 'login']);

                    break;

            }

            $oidc->setAllowImplicitFlow(true);


            $oidc->authenticate();

            // user is authenticated, otherwise redirected to authorization endpoint or exception

            $this->getLogger()->dump($_REQUEST, \ilLogLevel::DEBUG);


            $claims = $oidc->getVerifiedClaims(null);

            $this->getLogger()->dump($claims, \ilLogLevel::DEBUG);

            $status = $this->handleUpdate($status, $claims);


            // @todo : provide a general solution for all authentication methods

            $_GET['target'] = (string) $this->getCredentials()->getRedirectionTarget();


            if ($this->settings->getLogoutScope() == ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {

                $token = $oidc->requestClientCredentialsToken();

                ilSession::set('oidc_auth_token', $token->access_token);

            }

            return true;

        } catch (Exception $e) {

            $this->getLogger()->warning($e->getMessage());

            $this->getLogger()->warning($e->getCode());

            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);

            $status->setTranslatedReason($e->getMessage());

            return false;

        }

    }


    private function handleUpdate(ilAuthStatus $status, $user_info)

    {

        if (!is_object($user_info)) {

            $this->getLogger()->error('Received invalid user credentials: ');

            $this->getLogger()->dump($user_info, ilLogLevel::ERROR);

            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);

            $status->setReason('err_wrong_login');

            return false;

        }


        $uid_field = $this->settings->getUidField();

        $ext_account = $user_info->$uid_field;


        $this->getLogger()->debug('Authenticated external account: ' . $ext_account);


        $int_account = ilObjUser::_checkExternalAuthAccount(

            ilOpenIdConnectUserSync::AUTH_MODE,

            $ext_account

        );


        try {

            $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);

            if (!is_string($ext_account)) {

                $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);

                $status->setReason('err_wrong_login');

                return $status;

            }

            $sync->setExternalAccount($ext_account);

            $sync->setInternalAccount($int_account);

            $sync->updateUser();


            $user_id = $sync->getUserId();

            ilSession::set('used_external_auth', true);

            $status->setAuthenticatedUserId($user_id);

            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);


            // @todo : provide a general solution for all authentication methods

            $_GET['target'] = (string) $this->getCredentials()->getRedirectionTarget();

        } catch (ilOpenIdConnectSyncForbiddenException $e) {

            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);

            $status->setReason('err_wrong_login');

        }


        return $status;

    }


    private function initClient() : OpenIDConnectClient

    {

        $oidc = new OpenIDConnectClient(

            $this->settings->getProvider(),

            $this->settings->getClientId(),

            $this->settings->getSecret()

        );

        return $oidc;

    }

}

$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12

php
An exception for terminatinating execution or to throw for unit testing.

Jumbojett\OpenIDConnectClient
Require the CURL and JSON PHP extensions to be installed.
Definition: OpenIDConnectClient.php:90

ilAuthProviderOpenIdConnect
Class ilAuthProviderOpenIdConnect.
Definition: class.ilAuthProviderOpenIdConnect.php:14

ilAuthProviderOpenIdConnect\initClient
initClient()
Definition: class.ilAuthProviderOpenIdConnect.php:172

ilAuthProviderOpenIdConnect\handleUpdate
handleUpdate(ilAuthStatus $status, $user_info)
Definition: class.ilAuthProviderOpenIdConnect.php:122

ilAuthProviderOpenIdConnect\$settings
$settings
Definition: class.ilAuthProviderOpenIdConnect.php:18

ilAuthProviderOpenIdConnect\handleLogout
handleLogout()
Handle logout event.
Definition: class.ilAuthProviderOpenIdConnect.php:34

ilAuthProviderOpenIdConnect\__construct
__construct(ilAuthCredentials $credentials)
ilAuthProviderOpenIdConnect constructor.
Definition: class.ilAuthProviderOpenIdConnect.php:25

ilAuthProviderOpenIdConnect\doAuthentication
doAuthentication(\ilAuthStatus $status)
Do authentication.
Definition: class.ilAuthProviderOpenIdConnect.php:58

ilAuthProvider
Base class for authentication providers (radius, ldap, apache, ...)
Definition: class.ilAuthProvider.php:12

ilAuthProvider\$user_id
$user_id
Definition: class.ilAuthProvider.php:24

ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:38

ilAuthProvider\$status
$status
Definition: class.ilAuthProvider.php:23

ilAuthProvider\getCredentials
getCredentials()
Definition: class.ilAuthProvider.php:46

ilAuthProvider\$credentials
$credentials
Definition: class.ilAuthProvider.php:21

ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:12

ilAuthStatus\STATUS_AUTHENTICATED
const STATUS_AUTHENTICATED
Definition: class.ilAuthStatus.php:18

ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:19

ilLogLevel\ERROR
const ERROR
Definition: class.ilLogLevel.php:21

ilLogLevel\DEBUG
const DEBUG
Definition: class.ilLogLevel.php:17

ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account, $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3909

ilOpenIdConnectSettings\LOGIN_ENFORCE
const LOGIN_ENFORCE
Definition: class.ilOpenIdConnectSettings.php:19

ilOpenIdConnectSettings\getInstance
static getInstance()
Get singleton instance.
Definition: class.ilOpenIdConnectSettings.php:146

ilOpenIdConnectSettings\LOGOUT_SCOPE_GLOBAL
const LOGOUT_SCOPE_GLOBAL
Definition: class.ilOpenIdConnectSettings.php:22

ilOpenIdConnectSettings\LOGOUT_SCOPE_LOCAL
const LOGOUT_SCOPE_LOCAL
Definition: class.ilOpenIdConnectSettings.php:23

ilOpenIdConnectSyncForbiddenException
Class ilOpenIdConnectSettingsGUI.
Definition: class.ilOpenIdConnectSyncForbiddenException.php:11

ilOpenIdConnectUserSync
Class ilOpenIdConnectSettingsGUI.
Definition: class.ilOpenIdConnectUserSync.php:11

ilOpenIdConnectUserSync\AUTH_MODE
const AUTH_MODE
Definition: class.ilOpenIdConnectUserSync.php:12

ilSession\set
static set($a_var, $a_val)
Set a value.
Definition: class.ilSession.php:430

ilSession\get
static get($a_var)
Get a value.
Definition: class.ilSession.php:441

$oidc
$oidc
Definition: client_example.php:28

ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:12

ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:12

$sync
$sync
Definition: memcacheSync.php:62

PHPMailer\PHPMailer\$token
$token
Definition: get_oauth_token.php:135

settings
settings()
Definition: settings.php:2