ILIAS  trunk Revision v11.0_alpha-3011-gc6b235a2e85
Public Member Functions | Private Member Functions | Private Attributes
ilAuthProviderOpenIdConnect Class Reference
+ Inheritance diagram for ilAuthProviderOpenIdConnect:
+ Collaboration diagram for ilAuthProviderOpenIdConnect:

Public Member Functions

 __construct (ilAuthCredentials $credentials)
 
 handleLogout ()
 
 doAuthentication (ilAuthStatus $status)
 
- Public Member Functions inherited from ilAuthProvider
 __construct (ilAuthCredentials $credentials)
 
 getLogger ()
 
 getCredentials ()
 
 doAuthentication (ilAuthStatus $status)
 

Private Member Functions

 handleUpdate (ilAuthStatus $status, $user_info)
 
 initClient ()
 

Private Attributes

const OIDC_AUTH_IDTOKEN = 'oidc_auth_idtoken'
 
readonly ilOpenIdConnectSettings $settings
 
readonly ilLogger $logger
 
readonly ilLanguage $lng
 

Additional Inherited Members

- Protected Member Functions inherited from ilAuthProvider
 handleAuthenticationFail (ilAuthStatus $status, string $a_reason)
 

Detailed Description

Definition at line 23 of file class.ilAuthProviderOpenIdConnect.php.

Constructor & Destructor Documentation

◆ __construct()

ilAuthProviderOpenIdConnect::__construct ( ilAuthCredentials  $credentials)

Reimplemented from ilAuthProvider.

Definition at line 32 of file class.ilAuthProviderOpenIdConnect.php.

33 {
34 global $DIC;
35 parent::__construct($credentials);
36
37 $this->logger = $DIC->logger()->auth();
38 $this->settings = ilOpenIdConnectSettings::getInstance();
39 $this->lng = $DIC->language();
40 $this->lng->loadLanguageModule('auth');
41 }
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:24
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:38
$DIC
global $DIC
Definition: shib_login.php:26

References ilAuthProvider\$credentials, $DIC, ILIAS\GlobalScreen\Provider\__construct(), ilOpenIdConnectSettings\getInstance(), ILIAS\Repository\lng(), ILIAS\Repository\logger(), and ILIAS\Repository\settings().

+ Here is the call graph for this function:

Member Function Documentation

◆ doAuthentication()

ilAuthProviderOpenIdConnect::doAuthentication ( ilAuthStatus  $status)

Implements ilAuthProviderInterface.

Definition at line 66 of file class.ilAuthProviderOpenIdConnect.php.

66 : bool
67 {
68 try {
69 $oidc = $this->initClient();
70 $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');
71
72 $proxy = ilProxySettings::_getInstance();
73 if ($proxy->isActive()) {
74 $host = $proxy->getHost();
75 $port = $proxy->getPort();
76 if ($port) {
77 $host .= ':' . $port;
78 }
79 $oidc->setHttpProxy($host);
80 }
81
82 $this->logger->debug(
83 'Redirect url is: ' .
84 $oidc->getRedirectURL()
85 );
86
87 $oidc->addScope($this->settings->getAllScopes());
88 if ($this->settings->getLoginPromptType() === ilOpenIdConnectSettings::LOGIN_ENFORCE) {
89 $oidc->addAuthParam(['prompt' => 'login']);
90 }
91
92 $oidc->authenticate();
93 // user is authenticated, otherwise redirected to authorization endpoint or exception
94
95 $claims = $oidc->getVerifiedClaims();
96 $this->logger->dump($claims, ilLogLevel::DEBUG);
97 $status = $this->handleUpdate($status, $claims);
98
99 // @todo : provide a general solution for all authentication methods
100 //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
101
102 if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {
103 ilSession::set(self::OIDC_AUTH_IDTOKEN, $oidc->getIdToken());
104 }
105 return true;
106 } catch (Exception $e) {
107 $this->logger->warning($e->getMessage());
108 $this->logger->warning((string) $e->getCode());
109 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
110 $status->setTranslatedReason($this->lng->txt('auth_oidc_failed'));
111 return false;
112 }
113 }
ilAuthProviderOpenIdConnect\handleUpdate
handleUpdate(ilAuthStatus $status, $user_info)
Definition: class.ilAuthProviderOpenIdConnect.php:118
ilAuthStatus\setTranslatedReason
setTranslatedReason(string $a_reason)
Set translated reason.
Definition: class.ilAuthStatus.php:89
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const int STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:29
ilAuthStatus\setStatus
setStatus(int $a_status)
Set auth status.
Definition: class.ilAuthStatus.php:63
ilSession\set
static set(string $a_var, $a_val)
Set a value.
Definition: class.ilSession.php:380
$claims
$claims
Definition: ltitoken.php:68

References $claims, Vendor\Package\$e, ilProxySettings\_getInstance(), ilLogLevel\DEBUG, handleUpdate(), initClient(), ILIAS\Repository\lng(), ILIAS\Repository\logger(), ilOpenIdConnectSettings\LOGIN_ENFORCE, ilOpenIdConnectSettings\LOGOUT_SCOPE_GLOBAL, ilSession\set(), ilAuthStatus\setStatus(), ILIAS\Repository\settings(), ilAuthStatus\setTranslatedReason(), and ilAuthStatus\STATUS_AUTHENTICATION_FAILED.

+ Here is the call graph for this function:

◆ handleLogout()

ilAuthProviderOpenIdConnect::handleLogout ( )

Definition at line 43 of file class.ilAuthProviderOpenIdConnect.php.

43 : void
44 {
45 if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {
46 return;
47 }
48
49 $id_token = ilSession::get(self::OIDC_AUTH_IDTOKEN);
50 $this->logger->debug('Logging out with token: ' . $id_token);
51
52 if (isset($id_token) && $id_token !== '') {
53 ilSession::set(self::OIDC_AUTH_IDTOKEN, '');
54 $oidc = $this->initClient();
55 try {
56 $oidc->signOut(
57 $id_token,
58 ILIAS_HTTP_PATH . '/' . ilStartUpGUI::logoutUrl()
59 );
60 } catch (\Jumbojett\OpenIDConnectClientException $e) {
61 $this->logger->warning('Logging out of OIDC provider failed with: ' . $e->getMessage());
62 }
63 }
64 }
ilSession\get
static get(string $a_var)
Definition: class.ilSession.php:388
ilStartUpGUI\logoutUrl
static logoutUrl(array $parameters=[])
Return the logout URL with a valid CSRF token.
Definition: class.ilStartUpGUI.php:1952

References Vendor\Package\$e, ilSession\get(), initClient(), ILIAS\Repository\logger(), ilOpenIdConnectSettings\LOGOUT_SCOPE_LOCAL, ilStartUpGUI\logoutUrl(), ilSession\set(), and ILIAS\Repository\settings().

+ Here is the call graph for this function:

◆ handleUpdate()

ilAuthProviderOpenIdConnect::handleUpdate ( ilAuthStatus  $status,
  $user_info 
)
private
Parameters
stdClass$user_info

Definition at line 118 of file class.ilAuthProviderOpenIdConnect.php.

118 : ilAuthStatus
119 {
120 if (!is_object($user_info)) {
121 $this->logger->error('Received invalid user credentials: ');
122 $this->logger->dump($user_info, ilLogLevel::ERROR);
123 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
124 $status->setReason('err_wrong_login');
125 return $status;
126 }
127
128 $uid_field = $this->settings->getUidField();
129 $ext_account = $user_info->{$uid_field} ?? '';
130
131 if (!is_string($ext_account) || $ext_account === '') {
132 $this->logger->error('Could not determine valid external account, value is empty or not a string.');
133 $this->logger->dump($user_info, ilLogLevel::ERROR);
134 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
135 $status->setReason('err_wrong_login');
136 return $status;
137 }
138
139 $this->logger->debug('Authenticated external account: ' . $ext_account);
140
141 $int_account = ilObjUser::_checkExternalAuthAccount(
142 ilOpenIdConnectUserSync::AUTH_MODE,
143 $ext_account
144 );
145
146 try {
147 $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);
148 $sync->setExternalAccount($ext_account);
149 $sync->setInternalAccount((string) $int_account);
150 $sync->updateUser();
151
152 $user_id = $sync->getUserId();
153 ilSession::set('used_external_auth_mode', ilAuthUtils::AUTH_OPENID_CONNECT);
154 $status->setAuthenticatedUserId($user_id);
155 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
156 //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
157 } catch (ilOpenIdConnectSyncForbiddenException) {
158 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
159 $status->setReason('err_wrong_login');
160 }
161
162 return $status;
163 }
ilAuthStatus\setReason
setReason(string $a_reason)
Set reason.
Definition: class.ilAuthStatus.php:81
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId(int $a_id)
Definition: class.ilAuthStatus.php:114
ilAuthStatus\STATUS_AUTHENTICATED
const int STATUS_AUTHENTICATED
Definition: class.ilAuthStatus.php:28
ilAuthUtils\AUTH_OPENID_CONNECT
const int AUTH_OPENID_CONNECT
Definition: class.ilAuthUtils.php:38
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2813

References ilLogLevel\ERROR, ILIAS\Repository\logger(), ilAuthStatus\setReason(), ilAuthStatus\setStatus(), ILIAS\Repository\settings(), and ilAuthStatus\STATUS_AUTHENTICATION_FAILED.

Referenced by doAuthentication().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ initClient()

ilAuthProviderOpenIdConnect::initClient ( )
private

Definition at line 165 of file class.ilAuthProviderOpenIdConnect.php.

165 : OpenIDConnectClient
166 {
167 $oidc = new OpenIDConnectClient(
168 $this->settings->getProvider(),
169 $this->settings->getClientId(),
170 $this->settings->getSecret()
171 );
172
173 $oidc->setCodeChallengeMethod('S256');
174
175 return $oidc;
176 }

References ILIAS\Repository\settings().

Referenced by doAuthentication(), and handleLogout().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

Field Documentation

◆ $lng

readonly ilLanguage ilAuthProviderOpenIdConnect::$lng
private

Definition at line 30 of file class.ilAuthProviderOpenIdConnect.php.

◆ $logger

readonly ilLogger ilAuthProviderOpenIdConnect::$logger
private

Definition at line 29 of file class.ilAuthProviderOpenIdConnect.php.

◆ $settings

readonly ilOpenIdConnectSettings ilAuthProviderOpenIdConnect::$settings
private

Definition at line 27 of file class.ilAuthProviderOpenIdConnect.php.

◆ OIDC_AUTH_IDTOKEN

const ilAuthProviderOpenIdConnect::OIDC_AUTH_IDTOKEN = 'oidc_auth_idtoken'
private

Definition at line 25 of file class.ilAuthProviderOpenIdConnect.php.

The documentation for this class was generated from the following file: