rebuild

partials/landingpages/auth/callback.php

@@ -0,0 +1,80 @@
+<?php
+use App\OidcClient;
+
+$config = app()->config();
+$session = app()->session();
+$session->start();
+
+if (!$config->authEnabled) {
+    echo '<div class="card">Auth ist deaktiviert.</div>';
+    return;
+}
+
+$code = (string)($_GET['code'] ?? '');
+$state = (string)($_GET['state'] ?? '');
+$expectedState = (string)($_SESSION['oidc_state'] ?? '');
+$nonce = (string)($_SESSION['oidc_nonce'] ?? '');
+
+if ($code === '' || $state === '' || $expectedState === '' || !hash_equals($expectedState, $state)) {
+    echo '<div class="card">Ungültiger Login-Status.</div>';
+    return;
+}
+
+unset($_SESSION['oidc_state']);
+
+$client = new OidcClient($config);
+$token = $client->exchangeCode($code);
+
+$idToken = (string)($token['id_token'] ?? '');
+$accessToken = (string)($token['access_token'] ?? '');
+if ($idToken === '') {
+    echo '<div class="card">Kein ID Token erhalten.</div>';
+    return;
+}
+
+$claims = $client->decodeJwt($idToken);
+$client->validateIdToken($claims, $nonce);
+unset($_SESSION['oidc_nonce']);
+
+$groups = $client->groupsFromClaims($claims);
+$accessClaims = null;
+if (!$groups && $accessToken !== '') {
+    try {
+        $accessClaims = $client->decodeJwt($accessToken);
+        $groups = $client->groupsFromClaims($accessClaims);
+    } catch (\Throwable $e) {
+        // ignore access token decoding errors
+    }
+}
+$user = [
+    'sub' => (string)($claims['sub'] ?? ''),
+    'email' => (string)($claims['email'] ?? ''),
+    'name' => (string)($claims['name'] ?? ($claims['preferred_username'] ?? '')),
+    'groups' => $groups,
+    'id_token' => $idToken,
+];
+
+$_SESSION['auth_user'] = $user;
+
+if (defined('APP_AUTH_DEBUG') && APP_AUTH_DEBUG) {
+    $log = [
+        'ts' => date('c'),
+        'sub' => $user['sub'],
+        'email' => $user['email'],
+        'name' => $user['name'],
+        'groups' => $groups,
+        'id_token_claims' => $claims,
+        'access_token_claims' => $accessToken ? ($accessClaims ?? null) : null,
+        'token_meta' => [
+            'has_id_token' => $idToken !== '',
+            'has_access_token' => $accessToken !== '',
+            'expires_in' => $token['expires_in'] ?? null,
+            'refresh_expires_in' => $token['refresh_expires_in'] ?? null,
+            'scope' => $token['scope'] ?? null,
+        ],
+        'claim_source' => !empty($groups) ? 'id_token_or_access_token' : 'none',
+    ];
+    @file_put_contents(__DIR__ . '/../../../debug/oidc_login.log', json_encode($log) . PHP_EOL, FILE_APPEND);
+}
+
+redirect('/');

partials/landingpages/auth/login.php

@@ -0,0 +1,19 @@
+<?php
+use App\OidcClient;
+
+$config = app()->config();
+if (!$config->authEnabled) {
+    echo '<div class="card">Auth ist deaktiviert.</div>';
+    return;
+}
+
+$session = app()->session();
+$session->start();
+
+$state = bin2hex(random_bytes(16));
+$nonce = bin2hex(random_bytes(16));
+$_SESSION['oidc_state'] = $state;
+$_SESSION['oidc_nonce'] = $nonce;
+
+$client = new OidcClient($config);
+redirect($client->authUrl($state, $nonce));

partials/landingpages/auth/logout.php

@@ -0,0 +1,23 @@
+<?php
+use App\OidcClient;
+
+$config = app()->config();
+$session = app()->session();
+$session->start();
+
+$idToken = null;
+if (!empty($_SESSION['auth_user']['id_token'])) {
+    $idToken = (string)$_SESSION['auth_user']['id_token'];
+}
+
+unset($_SESSION['auth_user']);
+
+if ($config->authEnabled) {
+    $client = new OidcClient($config);
+    $url = $client->logoutUrl($idToken);
+    if ($url) {
+        redirect($url);
+    }
+}
+
+redirect('/');