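config(); // NOTE(review): the statement starts before this fragment (presumably `$config = app()->config();`) — confirm
$session = app()->session();
$session->start();

// Callback half of the OIDC Authorization Code flow: check the state stored when
// the login was initiated, exchange the code for tokens, validate the ID token
// against the stored nonce and finally establish the local session user.

if (!$config->authEnabled) {
    echo '
Auth ist deaktiviert.
';
    return;
}

// Accept only scalar query parameters. A `code[]=` style array would otherwise be
// cast to the literal string "Array" (with a warning) and be sent to the token endpoint.
$queryParam = static fn (string $key): string => is_string($_GET[$key] ?? null) ? $_GET[$key] : '';
$code = $queryParam('code');
$state = $queryParam('state');

$expectedState = (string)($_SESSION['oidc_state'] ?? '');
$nonce = (string)($_SESSION['oidc_nonce'] ?? '');

// state and nonce are single-use values: drop them from the session before anything
// else so that a failed exchange or a replayed callback cannot reuse them.
unset($_SESSION['oidc_state'], $_SESSION['oidc_nonce']);

// The empty-string checks prevent a state that is missing on both sides from
// comparing equal; hash_equals() keeps the comparison itself constant-time.
if ($code === '' || $state === '' || $expectedState === '' || !hash_equals($expectedState, $state)) {
    echo '
Ungültiger Login-Status.
';
    return;
}

$client = new OidcClient($config);
$token = $client->exchangeCode($code);

$idToken = (string)($token['id_token'] ?? '');
if ($idToken === '') {
    echo '
Kein ID Token erhalten.
';
    return;
}

// validateIdToken() presumably throws on a signature/issuer/audience/nonce mismatch
// (its implementation is not visible here); nothing below runs unless it returns.
// NOTE(review): it receives an empty nonce when the session held none — confirm it
// rejects that case rather than skipping the nonce comparison.
$claims = $client->decodeJwt($idToken);
$client->validateIdToken($claims, $nonce);

$groups = $client->groupsFromClaims($claims);
$user = [
    'sub'      => (string)($claims['sub'] ?? ''),
    'email'    => (string)($claims['email'] ?? ''),
    'name'     => (string)($claims['name'] ?? ($claims['preferred_username'] ?? '')),
    'groups'   => $groups,
    'id_token' => $idToken,
];

// The privilege level changes here (anonymous -> authenticated): issue a fresh session
// id so that a session identifier fixed before login is not upgraded along with it.
// Assumes the app's session wrapper sits on native PHP sessions ($_SESSION is used
// directly above) — confirm against app()->session().
session_regenerate_id(true);

$_SESSION['auth_user'] = $user;
redirect('/');
return; // in case redirect() only sends headers and does not terminate the request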