private/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

auth

Browse Source
This commit is contained in:
Lars Gebhardt-Kusche
2026-03-04 02:02:34 +01:00
parent c360663603
commit a61ac8de0c
5 changed files with 40 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/prod/settings.php
View File

@@ -19,6 +19,7 @@
define('APP_OIDC_CLIENT_ID', 'nexus');
define('APP_OIDC_CLIENT_SECRET', 'c0swC5wjBV4yimJHf2p3R9OjHOr7rhHs');
define('APP_OIDC_REDIRECT_URI', 'https://nexus.int.kusche.berlin/auth/callback');
define('APP_OIDC_POST_LOGOUT_REDIRECT_URI', 'https://nexus.int.kusche.berlin/');
define('APP_OIDC_GROUP_CLAIM', 'groups');
define('APP_OIDC_ADMIN_GROUP', 'admin');
define('APP_OIDC_USER_GROUP', 'family');

1
config/staging/settings.php
View File

@@ -19,6 +19,7 @@
define('APP_OIDC_CLIENT_ID', 'nexus');
define('APP_OIDC_CLIENT_SECRET', 'c0swC5wjBV4yimJHf2p3R9OjHOr7rhHs');
define('APP_OIDC_REDIRECT_URI', 'https://staging.nexus.int.kusche.berlin/auth/callback');
define('APP_OIDC_POST_LOGOUT_REDIRECT_URI', 'https://staging.nexus.int.kusche.berlin/');
define('APP_OIDC_GROUP_CLAIM', 'groups');
define('APP_OIDC_ADMIN_GROUP', 'admin');
define('APP_OIDC_USER_GROUP', 'family');

2
src/App/Config.php
View File

@@ -21,6 +21,7 @@ class Config
public string $oidcTokenEndpoint;
public string $oidcUserinfoEndpoint;
public string $oidcLogoutEndpoint;
public string $oidcPostLogoutRedirectUri;
public string $oidcGroupClaim;
public string $oidcAdminGroup;
public string $oidcUserGroup;
@@ -47,6 +48,7 @@ class Config
$this->oidcTokenEndpoint = defined('APP_OIDC_TOKEN_ENDPOINT') ? (string)APP_OIDC_TOKEN_ENDPOINT : '';
$this->oidcUserinfoEndpoint = defined('APP_OIDC_USERINFO_ENDPOINT') ? (string)APP_OIDC_USERINFO_ENDPOINT : '';
$this->oidcLogoutEndpoint = defined('APP_OIDC_LOGOUT_ENDPOINT') ? (string)APP_OIDC_LOGOUT_ENDPOINT : '';
$this->oidcPostLogoutRedirectUri = defined('APP_OIDC_POST_LOGOUT_REDIRECT_URI') ? (string)APP_OIDC_POST_LOGOUT_REDIRECT_URI : '';
$this->oidcGroupClaim = defined('APP_OIDC_GROUP_CLAIM') ? (string)APP_OIDC_GROUP_CLAIM : 'groups';
$this->oidcAdminGroup = defined('APP_OIDC_ADMIN_GROUP') ? (string)APP_OIDC_ADMIN_GROUP : 'admin';
$this->oidcUserGroup = defined('APP_OIDC_USER_GROUP') ? (string)APP_OIDC_USER_GROUP : 'user';

4
src/App/OidcClient.php
View File

@@ -123,7 +123,9 @@ final class OidcClient
return null;
}
$params = [
'post_logout_redirect_uri' => $this->config->oidcRedirectUri ? dirname($this->config->oidcRedirectUri) : '/',
'post_logout_redirect_uri' => $this->config->oidcPostLogoutRedirectUri !== ''
? $this->config->oidcPostLogoutRedirectUri
: ($this->config->oidcRedirectUri ? dirname($this->config->oidcRedirectUri) : '/'),
];
if ($idToken) {
$params['id_token_hint'] = $idToken;

37
src/App/functions.php
View File

@@ -80,21 +80,50 @@ function auth_groups(): array
return is_array($user['groups'] ?? null) ? $user['groups'] : [];
}
function parse_group_list(string $value): array
{
$parts = preg_split('/[,\s]+/', $value) ?: [];
$out = [];
foreach ($parts as $p) {
$p = trim($p);
if ($p !== '') {
$out[] = $p;
}
}
return $out;
}
function auth_is_admin(): bool
{
$config = app()->config();
$groups = auth_groups();
return in_array($config->oidcAdminGroup, $groups, true);
$allowed = parse_group_list($config->oidcAdminGroup);
foreach ($allowed as $g) {
if (in_array($g, $groups, true)) {
return true;
}
}
return false;
}
function auth_is_user(): bool
{
$config = app()->config();
$groups = auth_groups();
if (in_array($config->oidcAdminGroup, $groups, true)) {
return true;
$admins = parse_group_list($config->oidcAdminGroup);
foreach ($admins as $g) {
if (in_array($g, $groups, true)) {
return true;
}
}
return in_array($config->oidcUserGroup, $groups, true);
$users = parse_group_list($config->oidcUserGroup);
foreach ($users as $g) {
if (in_array($g, $groups, true)) {
return true;
}
}
return false;
}
function require_auth(): void