ILIAS  release_9 Revision v9.13-25-g2c18ec4c24f
class.ilAuthProviderOpenIdConnect.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
21 use Jumbojett\OpenIDConnectClient;
22 
27 class ilAuthProviderOpenIdConnect extends ilAuthProvider
28 {
29  private const OIDC_AUTH_IDTOKEN = "oidc_auth_idtoken";
30  private ilOpenIdConnectSettings $settings;
32  private ilLogger $logger;
33  private ilLanguage $lng;
34 
35  public function __construct(ilAuthCredentials $credentials)
36  {
37  global $DIC;
38  parent::__construct($credentials);
39 
40  $this->logger = $DIC->logger()->auth();
41  $this->settings = ilOpenIdConnectSettings::getInstance();
42  $this->lng = $DIC->language();
43  $this->lng->loadLanguageModule('auth');
44  }
45 
46  public function handleLogout(): void
47  {
48  if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {
49  return;
50  }
51 
52  $id_token = ilSession::get(self::OIDC_AUTH_IDTOKEN);
53  $this->logger->debug('Logging out with token: ' . $id_token);
54 
55  if (isset($id_token) && $id_token !== '') {
56  ilSession::set(self::OIDC_AUTH_IDTOKEN, '');
57  $oidc = $this->initClient();
58  try {
59  $oidc->signOut(
60  $id_token,
61  ILIAS_HTTP_PATH . '/' . ilStartUpGUI::logoutUrl()
62  );
63  } catch (\Jumbojett\OpenIDConnectClientException $e) {
64  $this->logger->warning("Logging out of OIDC provider failed with: " . $e->getMessage());
65  }
66 
67  }
68  }
69 
70  public function doAuthentication(ilAuthStatus $status): bool
71  {
72  try {
73  $oidc = $this->initClient();
74  $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');
75 
76  $proxy = ilProxySettings::_getInstance();
77  if ($proxy->isActive()) {
78  $host = $proxy->getHost();
79  $port = $proxy->getPort();
80  if ($port) {
81  $host .= ":" . $port;
82  }
83  $oidc->setHttpProxy($host);
84  }
85 
86  $this->logger->debug(
87  'Redirect url is: ' .
88  $oidc->getRedirectURL()
89  );
90 
91  $oidc->addScope($this->settings->getAllScopes());
92  if ($this->settings->getLoginPromptType() === ilOpenIdConnectSettings::LOGIN_ENFORCE) {
93  $oidc->addAuthParam(['prompt' => 'login']);
94  }
95 
96  $oidc->authenticate();
97  // user is authenticated, otherwise redirected to authorization endpoint or exception
98 
99  $claims = $oidc->getVerifiedClaims();
100  $this->logger->dump($claims, ilLogLevel::DEBUG);
101  $status = $this->handleUpdate($status, $claims);
102 
103  // @todo : provide a general solution for all authentication methods
104  //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
105 
106  if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {
107  ilSession::set(self::OIDC_AUTH_IDTOKEN, $oidc->getIdToken());
108  }
109  return true;
110  } catch (Exception $e) {
111  $this->logger->warning($e->getMessage());
112  $this->logger->warning((string) $e->getCode());
113  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
114  $status->setTranslatedReason($this->lng->txt("auth_oidc_failed"));
115  return false;
116  }
117  }
118 
125  private function handleUpdate(ilAuthStatus $status, $user_info): ilAuthStatus
126  {
127  if (!is_object($user_info)) {
128  $this->logger->error('Received invalid user credentials: ');
129  $this->logger->dump($user_info, ilLogLevel::ERROR);
130  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
131  $status->setReason('err_wrong_login');
132  return $status;
133  }
134 
135  $uid_field = $this->settings->getUidField();
136  $ext_account = $user_info->{$uid_field} ?? '';
137 
138  if (!is_string($ext_account) || $ext_account === '') {
139  $this->logger->error('Could not determine valid external account, value is empty or not a string.');
140  $this->logger->dump($user_info, ilLogLevel::ERROR);
141  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
142  $status->setReason('err_wrong_login');
143  return $status;
144  }
145 
146  $this->logger->debug('Authenticated external account: ' . $ext_account);
147 
148  $int_account = ilObjUser::_checkExternalAuthAccount(
149  ilOpenIdConnectUserSync::AUTH_MODE,
150  $ext_account
151  );
152 
153  try {
154  $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);
155  $sync->setExternalAccount($ext_account);
156  $sync->setInternalAccount((string) $int_account);
157  $sync->updateUser();
158 
159  $user_id = $sync->getUserId();
160  ilSession::set('used_external_auth_mode', ilAuthUtils::AUTH_OPENID_CONNECT);
161  $status->setAuthenticatedUserId($user_id);
162  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
163 
164  //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
165  } catch (ilOpenIdConnectSyncForbiddenException $e) {
166  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
167  $status->setReason('err_wrong_login');
168  }
169 
170  return $status;
171  }
172 
173  private function initClient(): OpenIDConnectClient
174  {
175  $oidc = new OpenIDConnectClient(
176  $this->settings->getProvider(),
177  $this->settings->getClientId(),
178  $this->settings->getSecret()
179  );
180 
181  return $oidc;
182  }
183 }
ilAuthUtils\AUTH_OPENID_CONNECT
const AUTH_OPENID_CONNECT
Definition: class.ilAuthUtils.php:45
ilSession\get
static get(string $a_var)
Definition: class.ilSession.php:465
ilAuthCredentials
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: interface.ilAuthCredentials.php:27
ilOpenIdConnectSyncForbiddenException
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilOpenIdConnectSyncForbiddenException.php:27
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:35
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2737
$claims
$claims
Definition: ltitoken.php:71
$DIC
global $DIC
Definition: feed.php:28
ilAuthProvider
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilAuthProvider.php:27
ILIAS\MetaData\Repository\Validation\Data\__construct
__construct(VocabulariesInterface $vocabularies)
Definition: VocabularyBridge.php:31
ilStartUpGUI\logoutUrl
static logoutUrl(array $parameters=[])
Return the logout URL with a valid CSRF token.
Definition: class.ilStartUpGUI.php:1960
ilAuthProviderOpenIdConnect
Class ilAuthProviderOpenIdConnect.
Definition: class.ilAuthProviderOpenIdConnect.php:27
ilAuthStatus\setStatus
setStatus(int $a_status)
Set auth status.
Definition: class.ilAuthStatus.php:69
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:37
ilAuthProviderOpenIdConnect\handleUpdate
handleUpdate(ilAuthStatus $status, $user_info)
Definition: class.ilAuthProviderOpenIdConnect.php:125
ilAuthStatus\setTranslatedReason
setTranslatedReason(string $a_reason)
Set translated reason.
Definition: class.ilAuthStatus.php:95
ilAuthStatus\setReason
setReason(string $a_reason)
Set reason.
Definition: class.ilAuthStatus.php:87
ilAuthStatus
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilAuthStatus.php:27
ilAuthProviderOpenIdConnect\__construct
__construct(ilAuthCredentials $credentials)
Definition: class.ilAuthProviderOpenIdConnect.php:35
ilSession\set
static set(string $a_var, $a_val)
Set a value.
Definition: class.ilSession.php:457