da/d59/class_8ilAuthProviderOpenIdConnect_8php_source.html

<?php

/* Copyright (c) 1998-2009 ILIAS open source, Extended GPL, see docs/LICENSE */


use Jumbojett\OpenIDConnectClient;


class ilAuthProviderOpenIdConnect extends ilAuthProvider implements ilAuthProviderInterface

{

    private $settings = null;


    private $lng = null;


    public function __construct(ilAuthCredentials $credentials)

    {

        global $DIC;

        parent::__construct($credentials);

        $this->settings = ilOpenIdConnectSettings::getInstance();

        $this->lng = $DIC->language();

    }


    public function handleLogout()

    {

        if ($this->settings->getLogoutScope() == ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {

            return false;

        }


        $auth_token = ilSession::get('oidc_auth_token');

        $this->getLogger()->debug('Using token: ' . $auth_token);


        if (strlen($auth_token)) {

            ilSession::set('oidc_auth_token', '');

            $oidc = $this->initClient();

            $oidc->signOut(

                $auth_token,

                ILIAS_HTTP_PATH . '/logout.php'

            );

        }

    }


    public function doAuthentication(\ilAuthStatus $status)

    {

        try {

            $oidc = $this->initClient();

            $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');


            $this->getLogger()->debug(

                'Redirect url is: ' .

                $oidc->getRedirectURL()

            );


            $oidc->setResponseTypes(

                [

                    'id_token'

                ]

            );

            $oidc->addScope(

                [

                    'openid',

                    'profile',

                    'email',

                    'roles'

                ]

            );


            $oidc->addAuthParam(['response_mode' => 'form_post']);

            switch ($this->settings->getLoginPromptType()) {

                case ilOpenIdConnectSettings::LOGIN_ENFORCE:

                    $oidc->addAuthParam(['prompt' => 'login']);

                    break;

            }

            $oidc->setAllowImplicitFlow(true);


            $oidc->authenticate();

            // user is authenticated, otherwise redirected to authorization endpoint or exception

            $this->getLogger()->dump($_REQUEST, \ilLogLevel::DEBUG);


            $claims = $oidc->getVerifiedClaims(null);

            $this->getLogger()->dump($claims, \ilLogLevel::DEBUG);

            $status = $this->handleUpdate($status, $claims);


            // @todo : provide a general solution for all authentication methods

            $_GET['target'] = (string) $this->getCredentials()->getRedirectionTarget();


            if ($this->settings->getLogoutScope() == ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {

                $token = $oidc->requestClientCredentialsToken();

                ilSession::set('oidc_auth_token', $token->access_token);

            }

            return true;

        } catch (Exception $e) {

            $this->getLogger()->warning($e->getMessage());

            $this->getLogger()->warning($e->getCode());

            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);

            $status->setTranslatedReason($this->lng->txt("auth_oidc_failed"));

            return false;

        }

    }


    private function handleUpdate(ilAuthStatus $status, $user_info)

    {

        if (!is_object($user_info)) {

            $this->getLogger()->error('Received invalid user credentials: ');

            $this->getLogger()->dump($user_info, ilLogLevel::ERROR);

            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);

            $status->setReason('err_wrong_login');

            return false;

        }


        $uid_field = $this->settings->getUidField();

        $ext_account = $user_info->$uid_field;


        $this->getLogger()->debug('Authenticated external account: ' . $ext_account);


        $int_account = ilObjUser::_checkExternalAuthAccount(

            ilOpenIdConnectUserSync::AUTH_MODE,

            $ext_account

        );


        try {

            $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);

            if (!is_string($ext_account)) {

                $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);

                $status->setReason('err_wrong_login');

                return $status;

            }

            $sync->setExternalAccount($ext_account);

            $sync->setInternalAccount($int_account);

            $sync->updateUser();


            $user_id = $sync->getUserId();

            ilSession::set('used_external_auth', true);

            $status->setAuthenticatedUserId($user_id);

            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);


            // @todo : provide a general solution for all authentication methods

            $_GET['target'] = (string) $this->getCredentials()->getRedirectionTarget();

        } catch (ilOpenIdConnectSyncForbiddenException $e) {

            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);

            $status->setReason('err_wrong_login');

        }


        return $status;

    }


    private function initClient() : OpenIDConnectClient

    {

        $oidc = new OpenIDConnectClient(

            $this->settings->getProvider(),

            $this->settings->getClientId(),

            $this->settings->getSecret()

        );

        return $oidc;

    }

}

ILIAS_HTTP_PATH
const ILIAS_HTTP_PATH
Definition: StandardNotificationRendererTest.php:7

$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12

php
An exception for terminatinating execution or to throw for unit testing.

ilAuthProviderOpenIdConnect
Class ilAuthProviderOpenIdConnect.
Definition: class.ilAuthProviderOpenIdConnect.php:14

ilAuthProviderOpenIdConnect\initClient
initClient()
Definition: class.ilAuthProviderOpenIdConnect.php:176

ilAuthProviderOpenIdConnect\$lng
$lng
Definition: class.ilAuthProviderOpenIdConnect.php:20

ilAuthProviderOpenIdConnect\handleUpdate
handleUpdate(ilAuthStatus $status, $user_info)
Definition: class.ilAuthProviderOpenIdConnect.php:126

ilAuthProviderOpenIdConnect\$settings
$settings
Definition: class.ilAuthProviderOpenIdConnect.php:18

ilAuthProviderOpenIdConnect\handleLogout
handleLogout()
Handle logout event.
Definition: class.ilAuthProviderOpenIdConnect.php:38

ilAuthProviderOpenIdConnect\__construct
__construct(ilAuthCredentials $credentials)
ilAuthProviderOpenIdConnect constructor.
Definition: class.ilAuthProviderOpenIdConnect.php:27

ilAuthProviderOpenIdConnect\doAuthentication
doAuthentication(\ilAuthStatus $status)
Do authentication.
Definition: class.ilAuthProviderOpenIdConnect.php:62

ilAuthProvider
Base class for authentication providers (radius, ldap, apache, ...)
Definition: class.ilAuthProvider.php:12

ilAuthProvider\$user_id
$user_id
Definition: class.ilAuthProvider.php:24

ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:38

ilAuthProvider\$status
$status
Definition: class.ilAuthProvider.php:23

ilAuthProvider\getCredentials
getCredentials()
Definition: class.ilAuthProvider.php:46

ilAuthProvider\$credentials
$credentials
Definition: class.ilAuthProvider.php:21

ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:12

ilAuthStatus\STATUS_AUTHENTICATED
const STATUS_AUTHENTICATED
Definition: class.ilAuthStatus.php:18

ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:19

ilLogLevel\ERROR
const ERROR
Definition: class.ilLogLevel.php:21

ilLogLevel\DEBUG
const DEBUG
Definition: class.ilLogLevel.php:17

ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account, $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3600

ilOpenIdConnectSettings\LOGIN_ENFORCE
const LOGIN_ENFORCE
Definition: class.ilOpenIdConnectSettings.php:19

ilOpenIdConnectSettings\getInstance
static getInstance()
Get singleton instance.
Definition: class.ilOpenIdConnectSettings.php:146

ilOpenIdConnectSettings\LOGOUT_SCOPE_GLOBAL
const LOGOUT_SCOPE_GLOBAL
Definition: class.ilOpenIdConnectSettings.php:22

ilOpenIdConnectSettings\LOGOUT_SCOPE_LOCAL
const LOGOUT_SCOPE_LOCAL
Definition: class.ilOpenIdConnectSettings.php:23

ilOpenIdConnectSyncForbiddenException
Class ilOpenIdConnectSettingsGUI.
Definition: class.ilOpenIdConnectSyncForbiddenException.php:11

ilOpenIdConnectUserSync
Class ilOpenIdConnectSettingsGUI.
Definition: class.ilOpenIdConnectUserSync.php:11

ilOpenIdConnectUserSync\AUTH_MODE
const AUTH_MODE
Definition: class.ilOpenIdConnectUserSync.php:12

ilSession\set
static set($a_var, $a_val)
Set a value.
Definition: class.ilSession.php:430

ilSession\get
static get($a_var)
Get a value.
Definition: class.ilSession.php:441

ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:12

ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:12

ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:30

Vendor\Package\$e
$e
Definition: example_cleaned.php:31

settings
settings()
Definition: settings.php:2

$token
$token
Definition: xapitoken.php:57

$DIC
$DIC
Definition: xapitoken.php:46