ILIAS  release_8 Revision v8.19
All Data Structures Namespaces Files Functions Variables Modules Pages
class.ilAuthProviderOpenIdConnect.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
21 use Jumbojett\OpenIDConnectClient;
22 
27 class ilAuthProviderOpenIdConnect extends ilAuthProvider
28 {
29  private const OIDC_AUTH_IDTOKEN = "oidc_auth_idtoken";
30  private ilOpenIdConnectSettings $settings;
32  private $body;
33  private ilLogger $logger;
34  private ilLanguage $lng;
35 
36  public function __construct(ilAuthCredentials $credentials)
37  {
38  global $DIC;
39  parent::__construct($credentials);
40 
41  $this->logger = $DIC->logger()->auth();
42  $this->settings = ilOpenIdConnectSettings::getInstance();
43  $this->body = $DIC->http()->request()->getParsedBody();
44  $this->lng = $DIC->language();
45  $this->lng->loadLanguageModule('auth');
46  }
47 
48  public function handleLogout(): void
49  {
50  if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {
51  return;
52  }
53 
54  $id_token = ilSession::get(self::OIDC_AUTH_IDTOKEN);
55  $this->logger->debug('Logging out with token: ' . $id_token);
56 
57  if (isset($id_token) && $id_token !== '') {
58  ilSession::set(self::OIDC_AUTH_IDTOKEN, '');
59  $oidc = $this->initClient();
60  try {
61  $oidc->signOut(
62  $id_token,
63  ILIAS_HTTP_PATH . '/' . ilStartUpGUI::logoutUrl()
64  );
65  } catch (\Jumbojett\OpenIDConnectClientException $e) {
66  $this->logger->warning("Logging out of OIDC provider failed with: " . $e->getMessage());
67  }
68 
69  }
70  }
71 
72  public function doAuthentication(ilAuthStatus $status): bool
73  {
74  try {
75  $oidc = $this->initClient();
76  $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');
77 
78  $proxy = ilProxySettings::_getInstance();
79  if ($proxy->isActive()) {
80  $host = $proxy->getHost();
81  $port = $proxy->getPort();
82  if ($port) {
83  $host .= ":" . $port;
84  }
85  $oidc->setHttpProxy($host);
86  }
87 
88  $this->logger->debug(
89  'Redirect url is: ' .
90  $oidc->getRedirectURL()
91  );
92 
93  $oidc->addScope($this->settings->getAllScopes());
94  if ($this->settings->getLoginPromptType() === ilOpenIdConnectSettings::LOGIN_ENFORCE) {
95  $oidc->addAuthParam(['prompt' => 'login']);
96  }
97 
98  $oidc->authenticate();
99  // user is authenticated, otherwise redirected to authorization endpoint or exception
100  $this->logger->dump($this->body, ilLogLevel::DEBUG);
101 
102  $claims = $oidc->getVerifiedClaims();
103  $this->logger->dump($claims, ilLogLevel::DEBUG);
104  $status = $this->handleUpdate($status, $claims);
105 
106  // @todo : provide a general solution for all authentication methods
107  //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
108 
109  if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {
110  ilSession::set(self::OIDC_AUTH_IDTOKEN, $oidc->getIdToken());
111  }
112  return true;
113  } catch (Exception $e) {
114  $this->logger->warning($e->getMessage());
115  $this->logger->warning((string) $e->getCode());
116  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
117  $status->setTranslatedReason($this->lng->txt("auth_oidc_failed"));
118  return false;
119  }
120  }
121 
128  private function handleUpdate(ilAuthStatus $status, $user_info): ilAuthStatus
129  {
130  if (!is_object($user_info)) {
131  $this->logger->error('Received invalid user credentials: ');
132  $this->logger->dump($user_info, ilLogLevel::ERROR);
133  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
134  $status->setReason('err_wrong_login');
135  return $status;
136  }
137 
138  $uid_field = $this->settings->getUidField();
139  $ext_account = $user_info->{$uid_field};
140 
141  $this->logger->debug('Authenticated external account: ' . $ext_account);
142 
143 
144  $int_account = ilObjUser::_checkExternalAuthAccount(
145  ilOpenIdConnectUserSync::AUTH_MODE,
146  $ext_account
147  );
148 
149  try {
150  $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);
151  if (!is_string($ext_account)) {
152  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
153  $status->setReason('err_wrong_login');
154  return $status;
155  }
156  $sync->setExternalAccount($ext_account);
157  $sync->setInternalAccount((string) $int_account);
158  $sync->updateUser();
159 
160  $user_id = $sync->getUserId();
161  ilSession::set('used_external_auth', true);
162  $status->setAuthenticatedUserId($user_id);
163  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
164 
165  //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
166  } catch (ilOpenIdConnectSyncForbiddenException $e) {
167  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
168  $status->setReason('err_wrong_login');
169  }
170 
171  return $status;
172  }
173 
174  private function initClient(): OpenIDConnectClient
175  {
176  $oidc = new OpenIDConnectClient(
177  $this->settings->getProvider(),
178  $this->settings->getClientId(),
179  $this->settings->getSecret()
180  );
181 
182  return $oidc;
183  }
184 }
ilSession\get
static get(string $a_var)
Definition: class.ilSession.php:459
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:27
ilOpenIdConnectSyncForbiddenException
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilOpenIdConnectSyncForbiddenException.php:27
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:35
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2700
$claims
$claims
Definition: ltitoken.php:71
$DIC
global $DIC
Definition: feed.php:28
ilAuthProvider
Base class for authentication providers (ldap, apache, ...)
Definition: class.ilAuthProvider.php:27
ilStartUpGUI\logoutUrl
static logoutUrl(array $parameters=[])
Return the logout URL with a valid CSRF token.
Definition: class.ilStartUpGUI.php:2226
ilAuthProviderOpenIdConnect
Class ilAuthProviderOpenIdConnect.
Definition: class.ilAuthProviderOpenIdConnect.php:27
ilAuthStatus\setStatus
setStatus(int $a_status)
Set auth status.
Definition: class.ilAuthStatus.php:69
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:37
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
Definition: PluginProviderHelper.php:37
ilAuthProviderOpenIdConnect\handleUpdate
handleUpdate(ilAuthStatus $status, $user_info)
Definition: class.ilAuthProviderOpenIdConnect.php:128
ilAuthStatus\setTranslatedReason
setTranslatedReason(string $a_reason)
Set translated reason.
Definition: class.ilAuthStatus.php:95
ilAuthStatus\setReason
setReason(string $a_reason)
Set reason.
Definition: class.ilAuthStatus.php:87
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:27
ilAuthProviderOpenIdConnect\__construct
__construct(ilAuthCredentials $credentials)
Definition: class.ilAuthProviderOpenIdConnect.php:36
ilSession\set
static set(string $a_var, $a_val)
Set a value.
Definition: class.ilSession.php:451