Rebuild

public/page/auth_callback.php

@@ -0,0 +1,49 @@
+<?php
+use App\OidcClient;
+
+$config = app()->config();
+$session = app()->session();
+$session->start();
+
+if (!$config->authEnabled) {
+    echo '<div class="card">Auth ist deaktiviert.</div>';
+    return;
+}
+
+$code = (string)($_GET['code'] ?? '');
+$state = (string)($_GET['state'] ?? '');
+$expectedState = (string)($_SESSION['oidc_state'] ?? '');
+$nonce = (string)($_SESSION['oidc_nonce'] ?? '');
+
+if ($code === '' || $state === '' || $expectedState === '' || !hash_equals($expectedState, $state)) {
+    echo '<div class="card">Ungültiger Login-Status.</div>';
+    return;
+}
+
+unset($_SESSION['oidc_state']);
+
+$client = new OidcClient($config);
+$token = $client->exchangeCode($code);
+
+$idToken = (string)($token['id_token'] ?? '');
+if ($idToken === '') {
+    echo '<div class="card">Kein ID Token erhalten.</div>';
+    return;
+}
+
+$claims = $client->decodeJwt($idToken);
+$client->validateIdToken($claims, $nonce);
+unset($_SESSION['oidc_nonce']);
+
+$groups = $client->groupsFromClaims($claims);
+$user = [
+    'sub' => (string)($claims['sub'] ?? ''),
+    'email' => (string)($claims['email'] ?? ''),
+    'name' => (string)($claims['name'] ?? ($claims['preferred_username'] ?? '')),
+    'groups' => $groups,
+    'id_token' => $idToken,
+];
+
+$_SESSION['auth_user'] = $user;
+
+redirect('/');