ILIAS  release_7 Revision v7.30-3-g800a261c036
All Data Structures Namespaces Files Functions Variables Modules Pages
class.ilAuthProviderOpenIdConnect.php
Go to the documentation of this file.
1 <?php
2 /* Copyright (c) 1998-2009 ILIAS open source, Extended GPL, see docs/LICENSE */
3 
4 use Jumbojett\OpenIDConnectClient;
5 
13 class ilAuthProviderOpenIdConnect extends ilAuthProvider implements ilAuthProviderInterface
14 {
15  const OIDC_AUTH_IDTOKEN = "oidc_auth_idtoken";
19  private $settings = null;
20 
21  private $lng = null;
22 
23 
28  public function __construct(ilAuthCredentials $credentials)
29  {
30  global $DIC;
31  parent::__construct($credentials);
32  $this->settings = ilOpenIdConnectSettings::getInstance();
33  $this->lng = $DIC->language();
34  }
35 
39  public function handleLogout()
40  {
41  if ($this->settings->getLogoutScope() == ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {
42  return false;
43  }
44 
45  $id_token = ilSession::get(self::OIDC_AUTH_IDTOKEN);
46  $this->getLogger()->debug('Logging out with token: ' . $id_token);
47 
48 
49  if (is_string($id_token) && $id_token !== '') {
50  ilSession::set(self::OIDC_AUTH_IDTOKEN, '');
51  $oidc = $this->initClient();
52  try {
53  $oidc->signOut(
54  $id_token,
55  ILIAS_HTTP_PATH . '/logout.php'
56  );
57  } catch (\Jumbojett\OpenIDConnectClientException $e) {
58  $this->getLogger()->warning("Logging out of OIDC provider failed with: " . $e->getMessage());
59  }
60  }
61  }
62 
68  public function doAuthentication(\ilAuthStatus $status)
69  {
70  try {
71  $oidc = $this->initClient();
72  $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');
73 
74  $proxy = ilProxySettings::_getInstance();
75  if ($proxy->isActive()) {
76  $host = $proxy->getHost();
77  $port = $proxy->getPort();
78  if ($port) {
79  $host .= ":" . $port;
80  }
81  $oidc->setHttpProxy($host);
82  }
83 
84  $this->getLogger()->debug(
85  'Redirect url is: ' .
86  $oidc->getRedirectURL()
87  );
88 
89  $oidc->addScope($this->settings->getAllScopes());
90  switch ($this->settings->getLoginPromptType()) {
91  case ilOpenIdConnectSettings::LOGIN_ENFORCE:
92  $oidc->addAuthParam(['prompt' => 'login']);
93  break;
94  }
95 
96  $oidc->authenticate();
97  // user is authenticated, otherwise redirected to authorization endpoint or exception
98  $this->getLogger()->dump($_REQUEST, \ilLogLevel::DEBUG);
99 
100  $claims = $oidc->getVerifiedClaims(null);
101  $this->getLogger()->dump($claims, \ilLogLevel::DEBUG);
102  $status = $this->handleUpdate($status, $claims);
103 
104  // @todo : provide a general solution for all authentication methods
105  $_GET['target'] = (string) $this->getCredentials()->getRedirectionTarget();
106 
107  if ($this->settings->getLogoutScope() == ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {
108  $token = $oidc->requestUserInfo();
109  ilSession::set(self::OIDC_AUTH_IDTOKEN, $oidc->getIdToken());
110  }
111  return true;
112  } catch (Exception $e) {
113  $this->getLogger()->warning($e->getMessage());
114  $this->getLogger()->warning($e->getCode());
115  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
116  $status->setTranslatedReason($this->lng->txt("auth_oidc_failed"));
117  return false;
118  }
119  }
120 
121 
126  private function handleUpdate(ilAuthStatus $status, $user_info)
127  {
128  if (!is_object($user_info)) {
129  $this->getLogger()->error('Received invalid user credentials: ');
130  $this->getLogger()->dump($user_info, ilLogLevel::ERROR);
131  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
132  $status->setReason('err_wrong_login');
133  return false;
134  }
135 
136  $uid_field = $this->settings->getUidField();
137  $ext_account = $user_info->$uid_field;
138 
139  $this->getLogger()->debug('Authenticated external account: ' . $ext_account);
140 
141 
142  $int_account = ilObjUser::_checkExternalAuthAccount(
143  ilOpenIdConnectUserSync::AUTH_MODE,
144  $ext_account
145  );
146 
147  try {
148  $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);
149  if (!is_string($ext_account)) {
150  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
151  $status->setReason('err_wrong_login');
152  return $status;
153  }
154  $sync->setExternalAccount($ext_account);
155  $sync->setInternalAccount($int_account);
156  $sync->updateUser();
157 
158  $user_id = $sync->getUserId();
159  ilSession::set('used_external_auth', true);
160  $status->setAuthenticatedUserId($user_id);
161  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
162 
163  // @todo : provide a general solution for all authentication methods
164  $_GET['target'] = (string) $this->getCredentials()->getRedirectionTarget();
165  } catch (ilOpenIdConnectSyncForbiddenException $e) {
166  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
167  $status->setReason('err_wrong_login');
168  }
169 
170  return $status;
171  }
172 
176  private function initClient() : OpenIDConnectClient
177  {
178  $oidc = new OpenIDConnectClient(
179  $this->settings->getProvider(),
180  $this->settings->getClientId(),
181  $this->settings->getSecret()
182  );
183  return $oidc;
184  }
185 }
ilAuthProviderOpenIdConnect\doAuthentication
doAuthentication(\ilAuthStatus $status)
Do authentication.
Definition: class.ilAuthProviderOpenIdConnect.php:68
settings
settings()
Definition: settings.php:2
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:11
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:19
ilSession\get
static get($a_var)
Get a value.
Definition: class.ilSession.php:451
ilSession\set
static set($a_var, $a_val)
Set a value.
Definition: class.ilSession.php:440
ilAuthStatus\setTranslatedReason
setTranslatedReason($a_reason)
Set translated reason.
Definition: class.ilAuthStatus.php:90
ilOpenIdConnectSettings\getInstance
static getInstance()
Get singleton instance.
Definition: class.ilOpenIdConnectSettings.php:163
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId($a_id)
Definition: class.ilAuthStatus.php:116
ilAuthProvider
Base class for authentication providers (radius, ldap, apache, ...)
Definition: class.ilAuthProvider.php:11
ilAuthProviderInterface
Standard interface for auth provider implementations.
Definition: interface.ilAuthProviderInterface.php:11
ilAuthStatus\setStatus
setStatus($a_status)
Set auth status.
Definition: class.ilAuthStatus.php:63
ilAuthProviderOpenIdConnect
Class ilAuthProviderOpenIdConnect.
Definition: class.ilAuthProviderOpenIdConnect.php:13
$token
$token
Definition: xapitoken.php:52
$DIC
global $DIC
Definition: goto.php:24
ilAuthStatus\setReason
setReason($a_reason)
Set reason.
Definition: class.ilAuthStatus.php:81
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount($a_auth, $a_account, $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:3568
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:38
ilOpenIdConnectUserSync
Class ilOpenIdConnectSettingsGUI.
Definition: class.ilOpenIdConnectUserSync.php:10
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
Definition: PluginProviderHelper.php:40
ilAuthProviderOpenIdConnect\handleUpdate
handleUpdate(ilAuthStatus $status, $user_info)
Definition: class.ilAuthProviderOpenIdConnect.php:126
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:11
ilProxySettings\_getInstance
static _getInstance()
Getter for unique instance.
Definition: class.ilProxySettings.php:93
ilAuthProviderOpenIdConnect\__construct
__construct(ilAuthCredentials $credentials)
ilAuthProviderOpenIdConnect constructor.
Definition: class.ilAuthProviderOpenIdConnect.php:28