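config();
// OIDC authorization-code callback.
// Flow: check the CSRF state -> exchange the code for tokens -> validate the
// ID token (incl. nonce) -> derive the user/groups -> store them in the session
// -> redirect. Every failure path prints a short message and returns, so the
// including front controller keeps running; nothing below a `return` executes.
$session = app()->session();
$session->start();

if (!$config->authEnabled) {
    echo "\nAuth ist deaktiviert.\n";
    return;
}

// State check (CSRF / replay): the value sent back by the provider must equal
// the one stored when the login was initiated. Compared in constant time;
// a missing code, state or stored state is rejected outright.
$code = (string) ($_GET['code'] ?? '');
$state = (string) ($_GET['state'] ?? '');
$expectedState = (string) ($_SESSION['oidc_state'] ?? '');
$nonce = (string) ($_SESSION['oidc_nonce'] ?? '');

if ($code === '' || $state === '' || $expectedState === '' || !hash_equals($expectedState, $state)) {
    echo "\nUngültiger Login-Status.\n";
    return;
}
// The state is single-use: drop it before the network round-trip so a reload
// of this callback URL cannot re-run the exchange with the same state.
unset($_SESSION['oidc_state']);

$client = new OidcClient($config);
$token = $client->exchangeCode($code);
$idToken = (string) ($token['id_token'] ?? '');
$accessToken = (string) ($token['access_token'] ?? '');

if ($idToken === '') {
    echo "\nKein ID Token erhalten.\n";
    return;
}

// validateIdToken() is relied upon to throw on any failure (signature, issuer,
// audience, expiry, nonce) — confirm in OidcClient. The nonce is consumed only
// after validation succeeded.
$claims = $client->decodeJwt($idToken);
$client->validateIdToken($claims, $nonce);
unset($_SESSION['oidc_nonce']);

// An ID token without a subject cannot identify anyone (`sub` is mandatory in
// OIDC); refuse to create an authenticated session for it instead of storing
// a user with an empty identifier.
$sub = (string) ($claims['sub'] ?? '');
if ($sub === '') {
    echo "\nKein Subject im ID Token.\n";
    return;
}

$groups = $client->groupsFromClaims($claims);
if (!$groups && $accessToken !== '') {
    // Fallback for providers that carry group membership only in the access
    // token. Best effort on purpose: the access token may be opaque (not a
    // JWT), so decoding failures are ignored rather than failing the login.
    // NOTE(review): the groups taken from here are only trustworthy if
    // decodeJwt() verifies the signature — confirm, since they drive authorization.
    try {
        $accessClaims = $client->decodeJwt($accessToken);
        $groups = $client->groupsFromClaims($accessClaims);
    } catch (\Throwable $e) {
        // ignore access token decoding errors
    }
}

// The session changes privilege level here (anonymous -> authenticated):
// rotate the session id so an id planted before login (session fixation)
// is not carried into the authenticated session. Guarded because $session
// is an app wrapper; only a native PHP session can be regenerated this way.
if (session_status() === PHP_SESSION_ACTIVE) {
    session_regenerate_id(true);
}

$user = [
    'sub' => $sub,
    'email' => (string) ($claims['email'] ?? ''),
    'name' => (string) ($claims['name'] ?? ($claims['preferred_username'] ?? '')),
    'groups' => $groups,
    // Presumably kept for logout (id_token_hint) — verify against the logout
    // handler. It is a bearer credential, so the session store must be treated
    // as sensitive.
    'id_token' => $idToken,
];
$_SESSION['auth_user'] = $user;

if (defined('APP_AUTH_DEBUG') && APP_AUTH_DEBUG) {
    // Debug trace of the login. It contains personal data (subject, email,
    // name, groups), so it is gated on APP_AUTH_DEBUG and the debug directory
    // must not be reachable through the web server. Writing is best effort:
    // a missing or read-only directory must not break the login, hence the
    // suppressed warning. LOCK_EX keeps concurrent logins from interleaving
    // within a line.
    $log = [
        'ts' => date('c'),
        'sub' => $user['sub'],
        'email' => $user['email'],
        'name' => $user['name'],
        'groups' => $groups,
        'iss' => $claims['iss'] ?? null,
        'aud' => $claims['aud'] ?? null,
        'claim_source' => !empty($groups) ? 'id_token_or_access_token' : 'none',
    ];
    @file_put_contents(
        __DIR__ . '/../../debug/oidc_login.log',
        json_encode($log, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES) . PHP_EOL,
        FILE_APPEND | LOCK_EX
    );
}

// Fixed post-login target; no user-controlled redirect destination is accepted here.
redirect('/');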