ilAuthProviderOpenIdConnect Class Reference

Class ilAuthProviderOpenIdConnect. More...

Inheritance diagram for ilAuthProviderOpenIdConnect:

Collaboration diagram for ilAuthProviderOpenIdConnect:

Public Member Functions
	__construct (ilAuthCredentials $credentials)
	Constructor. More...
	handleLogout ()
	doAuthentication (ilAuthStatus $status)
Public Member Functions inherited from ilAuthProvider
	__construct (ilAuthCredentials $credentials)
	Constructor. More...
	getLogger ()
	Get logger. More...
	getCredentials ()
Public Member Functions inherited from ilAuthProviderInterface
	doAuthentication (\ilAuthStatus $status)
	Do authentication. More...

Private Member Functions
	handleUpdate (ilAuthStatus $status, $user_info)
	initClient ()

Private Attributes
const	OIDC_AUTH_IDTOKEN = "oidc_auth_idtoken"
ilOpenIdConnectSettings	$settings
	$body
ilLogger	$logger
ilLanguage	$lng

Additional Inherited Members
Protected Member Functions inherited from ilAuthProvider
	handleAuthenticationFail (ilAuthStatus $status, string $a_reason)
	Handle failed authentication. More...

Detailed Description

Class ilAuthProviderOpenIdConnect.

Author

Stefan Meyer smeye.nosp@m.r.il.nosp@m.ias@g.nosp@m.mx.d.nosp@m.e

Definition at line 27 of file class.ilAuthProviderOpenIdConnect.php.

Constructor & Destructor Documentation

__construct()

ilAuthProviderOpenIdConnect::__construct

(

ilAuthCredentials

$credentials

)

Constructor.

Reimplemented from ilAuthProvider.

Definition at line 36 of file class.ilAuthProviderOpenIdConnect.php.

    {
        global $DIC;
        parent::__construct($credentials);
 
        $this->logger = $DIC->logger()->auth();
        $this->settings = ilOpenIdConnectSettings::getInstance();
        $this->body = $DIC->http()->request()->getParsedBody();
        $this->lng = $DIC->language();
        $this->lng->loadLanguageModule('auth');
    }

References ilAuthProvider\$credentials, $DIC, ILIAS\GlobalScreen\Provider\__construct(), ilOpenIdConnectSettings\getInstance(), ILIAS\Repository\lng(), ILIAS\Repository\logger(), and ILIAS\Repository\settings().

Here is the call graph for this function:

Member Function Documentation

doAuthentication()

ilAuthProviderOpenIdConnect::doAuthentication

(

ilAuthStatus

$status

)

Definition at line 72 of file class.ilAuthProviderOpenIdConnect.php.

                                                          : bool
    {
        try {
            $oidc = $this->initClient();
            $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');
 
            $proxy = ilProxySettings::_getInstance();
            if ($proxy->isActive()) {
                $host = $proxy->getHost();
                $port = $proxy->getPort();
                if ($port) {
                    $host .= ":" . $port;
                }
                $oidc->setHttpProxy($host);
            }
 
            $this->logger->debug(
                'Redirect url is: ' .
                $oidc->getRedirectURL()
            );
 
            $oidc->addScope($this->settings->getAllScopes());
            if ($this->settings->getLoginPromptType() === ilOpenIdConnectSettings::LOGIN_ENFORCE) {
                $oidc->addAuthParam(['prompt' => 'login']);
            }
 
            $oidc->authenticate();
            // user is authenticated, otherwise redirected to authorization endpoint or exception
            $this->logger->dump($this->body, ilLogLevel::DEBUG);
 
            $claims = $oidc->getVerifiedClaims();
            $this->logger->dump($claims, ilLogLevel::DEBUG);
            $status = $this->handleUpdate($status, $claims);
 
            // @todo : provide a general solution for all authentication methods
            //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
 
            if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {
                ilSession::set(self::OIDC_AUTH_IDTOKEN, $oidc->getIdToken());
            }
            return true;
        } catch (Exception $e) {
            $this->logger->warning($e->getMessage());
            $this->logger->warning((string) $e->getCode());
            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
            $status->setTranslatedReason($this->lng->txt("auth_oidc_failed"));
            return false;
        }
    }

References $claims, Vendor\Package\$e, ilAuthProvider\$status, ilProxySettings\_getInstance(), ilLogLevel\DEBUG, handleUpdate(), initClient(), ILIAS\Repository\lng(), ILIAS\Repository\logger(), ilOpenIdConnectSettings\LOGIN_ENFORCE, ilOpenIdConnectSettings\LOGOUT_SCOPE_GLOBAL, ilSession\set(), ILIAS\Repository\settings(), and ilAuthStatus\STATUS_AUTHENTICATION_FAILED.

Here is the call graph for this function:

handleLogout()

ilAuthProviderOpenIdConnect::handleLogout

(

)

Definition at line 48 of file class.ilAuthProviderOpenIdConnect.php.

                                  : void
    {
        if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {
            return;
        }
 
        $id_token = ilSession::get(self::OIDC_AUTH_IDTOKEN);
        $this->logger->debug('Logging out with token: ' . $id_token);
 
        if (isset($id_token) && $id_token !== '') {
            ilSession::set(self::OIDC_AUTH_IDTOKEN, '');
            $oidc = $this->initClient();
            try {
                $oidc->signOut(
                    $id_token,
                    ILIAS_HTTP_PATH . '/' . ilStartUpGUI::logoutUrl()
                );
            } catch (\Jumbojett\OpenIDConnectClientException $e) {
                $this->logger->warning("Logging out of OIDC provider failed with: " . $e->getMessage());
            }
 
        }
    }

References Vendor\Package\$e, ilSession\get(), initClient(), ILIAS\Repository\logger(), ilOpenIdConnectSettings\LOGOUT_SCOPE_LOCAL, ilStartUpGUI\logoutUrl(), ilSession\set(), and ILIAS\Repository\settings().

Here is the call graph for this function:

handleUpdate()

ilAuthProviderOpenIdConnect::handleUpdate ( ilAuthStatus  $status,   $user_info  )

private

Parameters

ilAuthStatus	$status
stdClass	$user_info

Returns

ilAuthStatus

Definition at line 128 of file class.ilAuthProviderOpenIdConnect.php.

                                                                   : ilAuthStatus
    {
        if (!is_object($user_info)) {
            $this->logger->error('Received invalid user credentials: ');
            $this->logger->dump($user_info, ilLogLevel::ERROR);
            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
            $status->setReason('err_wrong_login');
            return $status;
        }
 
        $uid_field = $this->settings->getUidField();
        $ext_account = $user_info->{$uid_field};
 
        $this->logger->debug('Authenticated external account: ' . $ext_account);
 
 
        $int_account = ilObjUser::_checkExternalAuthAccount(
            ilOpenIdConnectUserSync::AUTH_MODE,
            $ext_account
        );
 
        try {
            $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);
            if (!is_string($ext_account)) {
                $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
                $status->setReason('err_wrong_login');
                return $status;
            }
            $sync->setExternalAccount($ext_account);
            $sync->setInternalAccount((string) $int_account);
            $sync->updateUser();
 
            $user_id = $sync->getUserId();
            ilSession::set('used_external_auth', true);
            $status->setAuthenticatedUserId($user_id);
            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
 
            //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
        } catch (ilOpenIdConnectSyncForbiddenException $e) {
            $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
            $status->setReason('err_wrong_login');
        }
 
        return $status;
    }

References ilAuthProvider\$status, ilLogLevel\ERROR, ILIAS\Repository\logger(), ILIAS\Repository\settings(), and ilAuthStatus\STATUS_AUTHENTICATION_FAILED.

Referenced by doAuthentication().

Here is the call graph for this function:

Here is the caller graph for this function:

initClient()

ilAuthProviderOpenIdConnect::initClient ( )

private

Definition at line 174 of file class.ilAuthProviderOpenIdConnect.php.

                                 : OpenIDConnectClient
    {
        $oidc = new OpenIDConnectClient(
            $this->settings->getProvider(),
            $this->settings->getClientId(),
            $this->settings->getSecret()
        );
 
        return $oidc;
    }

References ILIAS\Repository\settings().

Referenced by doAuthentication(), and handleLogout().

Here is the call graph for this function:

Here is the caller graph for this function:

Field Documentation

$body

array ilAuthProviderOpenIdConnect::$body

private

Definition at line 32 of file class.ilAuthProviderOpenIdConnect.php.

$lng

ilLanguage ilAuthProviderOpenIdConnect::$lng

private

Definition at line 34 of file class.ilAuthProviderOpenIdConnect.php.

$logger

ilLogger ilAuthProviderOpenIdConnect::$logger

private

Definition at line 33 of file class.ilAuthProviderOpenIdConnect.php.

$settings

ilOpenIdConnectSettings ilAuthProviderOpenIdConnect::$settings

private

Definition at line 30 of file class.ilAuthProviderOpenIdConnect.php.

OIDC_AUTH_IDTOKEN

const ilAuthProviderOpenIdConnect::OIDC_AUTH_IDTOKEN = "oidc_auth_idtoken"

private

Definition at line 29 of file class.ilAuthProviderOpenIdConnect.php.

---

The documentation for this class was generated from the following file:

• Services/OpenIdConnect/classes/class.ilAuthProviderOpenIdConnect.php