ILIAS  trunk Revision v12.0_alpha-1221-g4e438232683
class.ilAuthProviderOpenIdConnect.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
21use Jumbojett\OpenIDConnectClient;
22
23class ilAuthProviderOpenIdConnect extends ilAuthProvider
24{
25 private const OIDC_AUTH_IDTOKEN = 'oidc_auth_idtoken';
26
27 private const ERR_AUTH_FAILED = 'auth_oidc_failed';
28 private const ERR_AUTH_WRONG_LOGIN = 'err_wrong_login';
29
30 private readonly ilOpenIdConnectSettings $settings;
32 private readonly ilLogger $logger;
33 private readonly ilLanguage $lng;
34
35 public function __construct(ilAuthCredentials $credentials)
36 {
37 global $DIC;
38 parent::__construct($credentials);
39
40 $this->logger = $DIC->logger()->auth();
41 $this->settings = ilOpenIdConnectSettings::getInstance();
42 $this->lng = $DIC->language();
43 $this->lng->loadLanguageModule('auth');
44 }
45
46 public function handleLogout(): void
47 {
48 if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_LOCAL) {
49 return;
50 }
51
52 $id_token = ilSession::get(self::OIDC_AUTH_IDTOKEN);
53 $this->logger->debug('Logging out with token: ' . $id_token);
54
55 if (isset($id_token) && $id_token !== '') {
56 ilSession::set(self::OIDC_AUTH_IDTOKEN, '');
57 $oidc = $this->initClient();
58 try {
59 $oidc->signOut(
60 $id_token,
61 ILIAS_HTTP_PATH . '/' . ilStartUpGUI::logoutUrl()
62 );
63 } catch (\Jumbojett\OpenIDConnectClientException $e) {
64 $this->logger->warning('Logging out of OIDC provider failed with: ' . $e->getMessage());
65 }
66 }
67 }
68
69 public function doAuthentication(ilAuthStatus $status): bool
70 {
71 if (!$this->settings->getActive()) {
72 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
73 $status->setTranslatedReason($this->lng->txt(self::ERR_AUTH_FAILED));
74 $this->logger->info('Authentication aborted, OIDC authentication is disabled');
75 return false;
76 }
77
78 try {
79 $oidc = $this->initClient();
80 $oidc->setRedirectURL(ILIAS_HTTP_PATH . '/openidconnect.php');
81
82 $proxy = ilProxySettings::_getInstance();
83 if ($proxy->isActive()) {
84 $host = $proxy->getHost();
85 $port = $proxy->getPort();
86 if ($port) {
87 $host .= ':' . $port;
88 }
89 $oidc->setHttpProxy($host);
90 }
91
92 $this->logger->debug(
93 'Redirect url is: ' .
94 $oidc->getRedirectURL()
95 );
96
97 $oidc->addScope($this->settings->getAllScopes());
98 if ($this->settings->getLoginPromptType() === ilOpenIdConnectSettings::LOGIN_ENFORCE) {
99 $oidc->addAuthParam(['prompt' => 'login']);
100 }
101
102 $oidc->authenticate();
103 // user is authenticated, otherwise redirected to authorization endpoint or exception
104
105 $claims = $oidc->getVerifiedClaims();
106 $this->logger->dump($claims, ilLogLevel::DEBUG);
107 $status = $this->handleUpdate($status, $claims);
108
109 // @todo : provide a general solution for all authentication methods
110 //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
111
112 if ($this->settings->getLogoutScope() === ilOpenIdConnectSettings::LOGOUT_SCOPE_GLOBAL) {
113 ilSession::set(self::OIDC_AUTH_IDTOKEN, $oidc->getIdToken());
114 }
115 return true;
116 } catch (Exception $e) {
117 $this->logger->warning($e->getMessage());
118 $this->logger->warning((string) $e->getCode());
119 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
120 $status->setTranslatedReason($this->lng->txt(self::ERR_AUTH_FAILED));
121 return false;
122 }
123 }
124
128 private function handleUpdate(ilAuthStatus $status, $user_info): ilAuthStatus
129 {
130 if (!is_object($user_info)) {
131 $this->logger->error('Received invalid user credentials: ');
132 $this->logger->dump($user_info, ilLogLevel::ERROR);
133 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
134 $status->setReason(self::ERR_AUTH_WRONG_LOGIN);
135 return $status;
136 }
137
138 $uid_field = $this->settings->getUidField();
139 $ext_account = $user_info->{$uid_field} ?? '';
140
141 if (!is_string($ext_account) || $ext_account === '') {
142 $this->logger->error('Could not determine valid external account, value is empty or not a string.');
143 $this->logger->dump($user_info, ilLogLevel::ERROR);
144 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
145 $status->setReason(self::ERR_AUTH_WRONG_LOGIN);
146 return $status;
147 }
148
149 $this->logger->debug('Authenticated external account: ' . $ext_account);
150
151 $int_account = ilObjUser::_checkExternalAuthAccount(
152 ilOpenIdConnectUserSync::AUTH_MODE,
153 $ext_account
154 );
155
156 try {
157 $sync = new ilOpenIdConnectUserSync($this->settings, $user_info);
158 $sync->setExternalAccount($ext_account);
159 $sync->setInternalAccount((string) $int_account);
160 $sync->updateUser();
161
162 $user_id = $sync->getUserId();
163 ilSession::set('used_external_auth_mode', ilAuthUtils::AUTH_OPENID_CONNECT);
164 $status->setAuthenticatedUserId($user_id);
165 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
166 //$_GET['target'] = $this->getCredentials()->getRedirectionTarget();// TODO PHP8-REVIEW Please eliminate this. Mutating the request is not allowed and will not work in ILIAS 8.
167 } catch (ilOpenIdConnectSyncForbiddenException) {
168 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATION_FAILED);
169 $status->setReason(self::ERR_AUTH_WRONG_LOGIN);
170 }
171
172 return $status;
173 }
174
175 private function initClient(): OpenIDConnectClient
176 {
177 $oidc = new OpenIDConnectClient(
178 $this->settings->getProvider(),
179 $this->settings->getClientId(),
180 $this->settings->getSecret()
181 );
182
183 $oidc->setCodeChallengeMethod('S256');
184
185 return $oidc;
186 }
187}
ilAuthProviderOpenIdConnect\$settings
readonly ilOpenIdConnectSettings $settings
Definition: class.ilAuthProviderOpenIdConnect.php:30
ilAuthProviderOpenIdConnect\handleUpdate
handleUpdate(ilAuthStatus $status, $user_info)
Definition: class.ilAuthProviderOpenIdConnect.php:128
ilAuthProviderOpenIdConnect\__construct
__construct(ilAuthCredentials $credentials)
Definition: class.ilAuthProviderOpenIdConnect.php:35
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:24
ilAuthStatus\setTranslatedReason
setTranslatedReason(string $a_reason)
Set translated reason.
Definition: class.ilAuthStatus.php:89
ilAuthStatus\STATUS_AUTHENTICATION_FAILED
const int STATUS_AUTHENTICATION_FAILED
Definition: class.ilAuthStatus.php:29
ilAuthStatus\setReason
setReason(string $a_reason)
Set reason.
Definition: class.ilAuthStatus.php:81
ilAuthStatus\setStatus
setStatus(int $a_status)
Set auth status.
Definition: class.ilAuthStatus.php:63
ilAuthStatus\STATUS_AUTHENTICATED
const int STATUS_AUTHENTICATED
Definition: class.ilAuthStatus.php:28
ilAuthUtils\AUTH_OPENID_CONNECT
const int AUTH_OPENID_CONNECT
Definition: class.ilAuthUtils.php:38
ilLanguage
language handling
Definition: class.ilLanguage.php:43
ilLogger
Component logger with individual log levels by component id.
Definition: class.ilLogger.php:29
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2721
ilSession\get
static get(string $a_var)
Definition: class.ilSession.php:394
ilSession\set
static set(string $a_var, $a_val)
Set a value.
Definition: class.ilSession.php:386
ilStartUpGUI\logoutUrl
static logoutUrl(array $parameters=[])
Return the logout URL with a valid CSRF token.
Definition: class.ilStartUpGUI.php:1936
$claims
$claims
Definition: ltitoken.php:68
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:38
$DIC
global $DIC
Definition: shib_login.php:26