ILIAS  release_6 Revision v6.24-5-g0c8bfefb3b8
All Data Structures Namespaces Files Functions Variables Modules Pages
class.ilAuthProviderOpenIdConnect.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (c) 1998-2009 ILIAS open source, Extended GPL, see docs/LICENSE */
3 
4 use Jumbojett\OpenIDConnectClient;
5 
13 class ilAuthProviderOpenIdConnect extends ilAuthProvider implements ilAuthProviderInterface
14 {
18  private $settings = null;
19 
20  private $lng = null;
21 
22 
27  public function __construct(ilAuthCredentials $credentials)
28  {
29  global $DIC;
30  parent::__construct($credentials);
31  $this->settings = ilOpenIdConnectSettings::getInstance();
32  $this->lng = $DIC->language();
33  }
34 
38  public function handleLogout()
39  {
40  if ($this->settings->getLogoutScope() == ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {
41  return false;
42  }
43 
44  $auth_token = ilSession::get('oidc_auth_token');
45  $this->getLogger()->debug('Using token: ' . $auth_token);
46 
47  if (strlen($auth_token)) {
48  ilSession::set('oidc_auth_token', '');
49  $oidc = $this->initClient();
50  $oidc->signOut(
51  $auth_token,
52  ILIAS_HTTP_PATH . '/logout.php'
53  );
54  }
55  }
56 
62  public function doAuthentication(\ilAuthStatus $status)
63  {
64  try {
65  $oidc = $this->initClient();
66  $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');
67 
68  $this->getLogger()->debug(
69  'Redirect url is: ' .
70  $oidc->getRedirectURL()
71  );
72 
73  $oidc->setResponseTypes(
74  [
75  'id_token'
76  ]
77  );
78  $oidc->addScope(
79  [
80  'openid',
81  'profile',
82  'email',
83  'roles'
84  ]
85  );
86 
87 
88  $oidc->addAuthParam(['response_mode' => 'form_post']);
89  switch ($this->settings->getLoginPromptType()) {
90  case ilOpenIdConnectSettings::LOGIN_ENFORCE:
91  $oidc->addAuthParam(['prompt' => 'login']);
92  break;
93  }
94  $oidc->setAllowImplicitFlow(true);
95 
96  $oidc->authenticate();
97  // user is authenticated, otherwise redirected to authorization endpoint or exception
98  $this->getLogger()->dump($_REQUEST, \ilLogLevel::DEBUG);
99 
100  $claims = $oidc->getVerifiedClaims(null);
101  $this->getLogger()->dump($claims, \ilLogLevel::DEBUG);
102  $status = $this->handleUpdate($status, $claims);
103 
104  // @todo : provide a general solution for all authentication methods
105  $_GET['target'] = (string) $this->getCredentials()->getRedirectionTarget();
106 
107  if ($this->settings->getLogoutScope() == ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {
108  $token = $oidc->requestClientCredentialsToken();
109  ilSession::set('oidc_auth_token', $token->access_token);
110  }
111  return true;
112  } catch (Exception $e) {
113  $this->getLogger()->warning($e->getMessage());
114  $this->getLogger()->warning($e->getCode());
115  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
116  $status->setTranslatedReason($this->lng->txt("auth_oidc_failed"));
117  return false;
118  }
119  }
120 
121 
126  private function handleUpdate(ilAuthStatus $status, $user_info)
127  {
128  if (!is_object($user_info)) {
129  $this->getLogger()->error('Received invalid user credentials: ');
130  $this->getLogger()->dump($user_info, ilLogLevel::ERROR);
131  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
132  $status->setReason('err_wrong_login');
133  return false;
134  }
135 
136  $uid_field = $this->settings->getUidField();
137  $ext_account = $user_info->$uid_field;
138 
139  $this->getLogger()->debug('Authenticated external account: ' . $ext_account);
140 
141 
142  $int_account = ilObjUser::_checkExternalAuthAccount(
143  ilOpenIdConnectUserSync::AUTH_MODE,
144  $ext_account
145  );
146 
147  try {
148  $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);
149  if (!is_string($ext_account)) {
150  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
151  $status->setReason('err_wrong_login');
152  return $status;
153  }
154  $sync->setExternalAccount($ext_account);
155  $sync->setInternalAccount($int_account);
156  $sync->updateUser();
157 
158  $user_id = $sync->getUserId();
159  ilSession::set('used_external_auth', true);
160  $status->setAuthenticatedUserId($user_id);
161  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
162 
163  // @todo : provide a general solution for all authentication methods
164  $_GET['target'] = (string) $this->getCredentials()->getRedirectionTarget();
165  } catch (ilOpenIdConnectSyncForbiddenException $e) {
166  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
167  $status->setReason('err_wrong_login');
168  }
169 
170  return $status;
171  }
172 
176  private function initClient() : OpenIDConnectClient
177  {
178  $oidc = new OpenIDConnectClient(
179  $this->settings->getProvider(),
180  $this->settings->getClientId(),
181  $this->settings->getSecret()
182  );
183  return $oidc;
184  }
185 }
ilAuthProviderOpenIdConnect\doAuthentication
doAuthentication(\ilAuthStatus $status)
Do authentication.
Definition: class.ilAuthProviderOpenIdConnect.php:62
settings
settings()
Definition: settings.php:2
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:11
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:19
ilSession\get
static get($a_var)
Get a value.
Definition: class.ilSession.php:441
ilSession\set
static set($a_var, $a_val)
Set a value.
Definition: class.ilSession.php:430
ilAuthStatus\setTranslatedReason
setTranslatedReason($a_reason)
Set translated reason.
Definition: class.ilAuthStatus.php:90
ilOpenIdConnectSettings\getInstance
static getInstance()
Get singleton instance.
Definition: class.ilOpenIdConnectSettings.php:146
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId($a_id)
Definition: class.ilAuthStatus.php:116
ilAuthProvider
Base class for authentication providers (radius, ldap, apache, ...)
Definition: class.ilAuthProvider.php:11
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:11
ilAuthStatus\setStatus
setStatus($a_status)
Set auth status.
Definition: class.ilAuthStatus.php:63
ilAuthProviderOpenIdConnect
Class ilAuthProviderOpenIdConnect.
Definition: class.ilAuthProviderOpenIdConnect.php:13
$token
$token
Definition: xapitoken.php:57
ilAuthStatus\setReason
setReason($a_reason)
Set reason.
Definition: class.ilAuthStatus.php:81
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account, $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3600
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:38
ilOpenIdConnectUserSync
Class ilOpenIdConnectSettingsGUI.
Definition: class.ilOpenIdConnectUserSync.php:10
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
Definition: PluginProviderHelper.php:30
$DIC
$DIC
Definition: xapitoken.php:46
ilAuthProviderOpenIdConnect\handleUpdate
handleUpdate(ilAuthStatus $status, $user_info)
Definition: class.ilAuthProviderOpenIdConnect.php:126
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:11
ilAuthProviderOpenIdConnect\__construct
__construct(ilAuthCredentials $credentials)
ilAuthProviderOpenIdConnect constructor.
Definition: class.ilAuthProviderOpenIdConnect.php:27