84 lines
2.7 KiB
PHP
84 lines
2.7 KiB
PHP
<?php
|
|
use App\OidcClient;
|
|
|
|
$config = app()->config();
|
|
$session = app()->session();
|
|
$session->start();
|
|
|
|
if (!$config->authEnabled) {
|
|
echo '<div class="card">Auth ist deaktiviert.</div>';
|
|
return;
|
|
}
|
|
|
|
$code = (string)($_GET['code'] ?? '');
|
|
$state = (string)($_GET['state'] ?? '');
|
|
$expectedState = (string)($_SESSION['oidc_state'] ?? '');
|
|
$nonce = (string)($_SESSION['oidc_nonce'] ?? '');
|
|
|
|
if ($code === '' || $state === '' || $expectedState === '' || !hash_equals($expectedState, $state)) {
|
|
echo '<div class="card">Ungültiger Login-Status.</div>';
|
|
return;
|
|
}
|
|
|
|
unset($_SESSION['oidc_state']);
|
|
|
|
$client = new OidcClient($config);
|
|
$token = $client->exchangeCode($code);
|
|
|
|
$idToken = (string)($token['id_token'] ?? '');
|
|
$accessToken = (string)($token['access_token'] ?? '');
|
|
if ($idToken === '') {
|
|
echo '<div class="card">Kein ID Token erhalten.</div>';
|
|
return;
|
|
}
|
|
|
|
$claims = $client->decodeJwt($idToken);
|
|
$client->validateIdToken($claims, $nonce);
|
|
unset($_SESSION['oidc_nonce']);
|
|
|
|
$groups = $client->groupsFromClaims($claims);
|
|
$accessClaims = null;
|
|
if (!$groups && $accessToken !== '') {
|
|
try {
|
|
$accessClaims = $client->decodeJwt($accessToken);
|
|
$groups = $client->groupsFromClaims($accessClaims);
|
|
} catch (\Throwable $e) {
|
|
// ignore access token decoding errors
|
|
}
|
|
}
|
|
$user = [
|
|
'sub' => (string)($claims['sub'] ?? ''),
|
|
'email' => (string)($claims['email'] ?? ''),
|
|
'name' => (string)($claims['name'] ?? ($claims['preferred_username'] ?? '')),
|
|
'username' => (string)($claims['preferred_username'] ?? $claims['email'] ?? $claims['sub'] ?? ''),
|
|
'groups' => $groups,
|
|
'id_token' => $idToken,
|
|
];
|
|
|
|
app()->auth()->storeUser($claims, $groups, $idToken);
|
|
|
|
if (defined('APP_AUTH_DEBUG') && APP_AUTH_DEBUG) {
|
|
$log = [
|
|
'ts' => date('c'),
|
|
'sub' => $user['sub'],
|
|
'email' => $user['email'],
|
|
'name' => $user['name'],
|
|
'groups' => $groups,
|
|
'id_token_claims' => $claims,
|
|
'access_token_claims' => $accessToken ? ($accessClaims ?? null) : null,
|
|
'token_meta' => [
|
|
'has_id_token' => $idToken !== '',
|
|
'has_access_token' => $accessToken !== '',
|
|
'expires_in' => $token['expires_in'] ?? null,
|
|
'refresh_expires_in' => $token['refresh_expires_in'] ?? null,
|
|
'scope' => $token['scope'] ?? null,
|
|
],
|
|
'claim_source' => !empty($groups) ? 'id_token_or_access_token' : 'none',
|
|
];
|
|
@file_put_contents(__DIR__ . '/../../../debug/oidc_login.log', json_encode($log) . PHP_EOL, FILE_APPEND);
|
|
}
|
|
|
|
$returnTo = (string)($_SESSION['oidc_return_to'] ?? '/');
|
|
unset($_SESSION['oidc_return_to']);
|
|
redirect($returnTo !== '' && str_starts_with($returnTo, '/') && !str_starts_with($returnTo, '//') ? $returnTo : '/');
|