ILIAS  release_8 Revision v8.24
class.ilAuthProviderOpenIdConnect.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
21use Jumbojett\OpenIDConnectClient;
22
27class ilAuthProviderOpenIdConnect extends ilAuthProvider
28{
29 private const OIDC_AUTH_IDTOKEN = "oidc_auth_idtoken";
30 private ilOpenIdConnectSettings $settings;
32 private $body;
33 private ilLogger $logger;
34 private ilLanguage $lng;
35
36 public function __construct(ilAuthCredentials $credentials)
37 {
38 global $DIC;
39 parent::__construct($credentials);
40
41 $this->logger = $DIC->logger()->auth();
42 $this->settings = ilOpenIdConnectSettings::getInstance();
43 $this->body = $DIC->http()->request()->getParsedBody();
44 $this->lng = $DIC->language();
45 $this->lng->loadLanguageModule('auth');
46 }
47
48 public function handleLogout(): void
49 {
50 if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {
51 return;
52 }
53
54 $id_token = ilSession::get(self::OIDC_AUTH_IDTOKEN);
55 $this->logger->debug('Logging out with token: ' . $id_token);
56
57 if (isset($id_token) && $id_token !== '') {
58 ilSession::set(self::OIDC_AUTH_IDTOKEN, '');
59 $oidc = $this->initClient();
60 try {
61 $oidc->signOut(
62 $id_token,
63 ILIAS_HTTP_PATH . '/' . ilStartUpGUI::logoutUrl()
64 );
65 } catch (\Jumbojett\OpenIDConnectClientException $e) {
66 $this->logger->warning("Logging out of OIDC provider failed with: " . $e->getMessage());
67 }
68
69 }
70 }
71
72 public function doAuthentication(ilAuthStatus $status): bool
73 {
74 try {
75 $oidc = $this->initClient();
76 $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');
77
78 $proxy = ilProxySettings::_getInstance();
79 if ($proxy->isActive()) {
80 $host = $proxy->getHost();
81 $port = $proxy->getPort();
82 if ($port) {
83 $host .= ":" . $port;
84 }
85 $oidc->setHttpProxy($host);
86 }
87
88 $this->logger->debug(
89 'Redirect url is: ' .
90 $oidc->getRedirectURL()
91 );
92
93 $oidc->addScope($this->settings->getAllScopes());
94 if ($this->settings->getLoginPromptType() === ilOpenIdConnectSettings::LOGIN_ENFORCE) {
95 $oidc->addAuthParam(['prompt' => 'login']);
96 }
97
98 $oidc->authenticate();
99 // user is authenticated, otherwise redirected to authorization endpoint or exception
100 $this->logger->dump($this->body, ilLogLevel::DEBUG);
101
102 $claims = $oidc->getVerifiedClaims();
103 $this->logger->dump($claims, ilLogLevel::DEBUG);
104 $status = $this->handleUpdate($status, $claims);
105
106 // @todo : provide a general solution for all authentication methods
107 //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
108
109 if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {
110 ilSession::set(self::OIDC_AUTH_IDTOKEN, $oidc->getIdToken());
111 }
112 return true;
113 } catch (Exception $e) {
114 $this->logger->warning($e->getMessage());
115 $this->logger->warning((string) $e->getCode());
116 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
117 $status->setTranslatedReason($this->lng->txt("auth_oidc_failed"));
118 return false;
119 }
120 }
121
128 private function handleUpdate(ilAuthStatus $status, $user_info): ilAuthStatus
129 {
130 if (!is_object($user_info)) {
131 $this->logger->error('Received invalid user credentials: ');
132 $this->logger->dump($user_info, ilLogLevel::ERROR);
133 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
134 $status->setReason('err_wrong_login');
135 return $status;
136 }
137
138 $uid_field = $this->settings->getUidField();
139 $ext_account = $user_info->{$uid_field};
140
141 $this->logger->debug('Authenticated external account: ' . $ext_account);
142
143
144 $int_account = ilObjUser::_checkExternalAuthAccount(
145 ilOpenIdConnectUserSync::AUTH_MODE,
146 $ext_account
147 );
148
149 try {
150 $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);
151 if (!is_string($ext_account)) {
152 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
153 $status->setReason('err_wrong_login');
154 return $status;
155 }
156 $sync->setExternalAccount($ext_account);
157 $sync->setInternalAccount((string) $int_account);
158 $sync->updateUser();
159
160 $user_id = $sync->getUserId();
161 ilSession::set('used_external_auth', true);
162 $status->setAuthenticatedUserId($user_id);
163 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
164
165 //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
166 } catch (ilOpenIdConnectSyncForbiddenException $e) {
167 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
168 $status->setReason('err_wrong_login');
169 }
170
171 return $status;
172 }
173
174 private function initClient(): OpenIDConnectClient
175 {
176 $oidc = new OpenIDConnectClient(
177 $this->settings->getProvider(),
178 $this->settings->getClientId(),
179 $this->settings->getSecret()
180 );
181
182 return $oidc;
183 }
184}
ilAuthProviderOpenIdConnect
Class ilAuthProviderOpenIdConnect.
Definition: class.ilAuthProviderOpenIdConnect.php:28
ilAuthProviderOpenIdConnect\handleUpdate
handleUpdate(ilAuthStatus $status, $user_info)
Definition: class.ilAuthProviderOpenIdConnect.php:128
ilAuthProviderOpenIdConnect\__construct
__construct(ilAuthCredentials $credentials)
Constructor.
Definition: class.ilAuthProviderOpenIdConnect.php:36
ilAuthProvider
Base class for authentication providers (ldap, apache, ...)
Definition: class.ilAuthProvider.php:28
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:37
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:28
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:35
ilLanguage
language handling
Definition: class.ilLanguage.php:44
ilLogger
Component logger with individual log levels by component id.
Definition: class.ilLogger.php:17
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2700
ilOpenIdConnectSyncForbiddenException
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilOpenIdConnectSyncForbiddenException.php:28
ilSession\get
static get(string $a_var)
Definition: class.ilSession.php:459
ilSession\set
static set(string $a_var, $a_val)
Set a value.
Definition: class.ilSession.php:451
ilStartUpGUI\logoutUrl
static logoutUrl(array $parameters=[])
Return the logout URL with a valid CSRF token.
Definition: class.ilStartUpGUI.php:2226
$DIC
global $DIC
Definition: feed.php:28
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:28
$claims
$claims
Definition: ltitoken.php:71
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:37