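<?php

declare(strict_types=1);

use App\OidcClient;

// OIDC redirect-URI (callback) page script.
//
// Verifies the `state` round-trip against the value stored when the login was
// started, exchanges the authorization code for tokens, validates the ID token
// and stores the resulting user record in the session. The bare top-level
// `return`s end the page early; the page prints a German status card instead.

$config = app()->config();
$session = app()->session();
$session->start();

if (!$config->authEnabled) {
    echo '<div class="card">Auth ist deaktiviert.</div>';
    return;
}

$code = (string)($_GET['code'] ?? '');
$state = (string)($_GET['state'] ?? '');
$expectedState = (string)($_SESSION['oidc_state'] ?? '');
$nonce = (string)($_SESSION['oidc_nonce'] ?? '');

// The stored state/nonce pair is single-use: consume it as soon as a callback
// arrives, whether or not the rest of the exchange succeeds, so a replayed or
// retried callback URL can never be matched against a still-stored value.
unset($_SESSION['oidc_state'], $_SESSION['oidc_nonce']);

// The empty checks cover "no login was started" (nothing stored in the session)
// and an IdP response missing parameters; hash_equals() keeps the state
// comparison constant-time.
if ($code === '' || $state === '' || $expectedState === '' || !hash_equals($expectedState, $state)) {
    echo '<div class="card">Ungültiger Login-Status.</div>';
    return;
}

$client = new OidcClient($config);
$token = $client->exchangeCode($code);

$idToken = (string)($token['id_token'] ?? '');
if ($idToken === '') {
    echo '<div class="card">Kein ID Token erhalten.</div>';
    return;
}

// The success path below assumes validateIdToken() does not return normally
// for an invalid token (presumably it throws) — confirm in OidcClient.
// NOTE(review): an empty $nonce (no login started) is passed through as-is;
// confirm validateIdToken() rejects that instead of skipping the nonce check.
$claims = $client->decodeJwt($idToken);
$client->validateIdToken($claims, $nonce);

$groups = $client->groupsFromClaims($claims);
$user = [
    'sub' => (string)($claims['sub'] ?? ''),
    'email' => (string)($claims['email'] ?? ''),
    // `name` falls back to `preferred_username`, then to an empty string.
    'name' => (string)($claims['name'] ?? ($claims['preferred_username'] ?? '')),
    'groups' => $groups,
    'id_token' => $idToken,
];

// Rotate the session ID at the privilege change so an identifier that was
// known before login (session fixation) does not become an authenticated one.
// NOTE(review): assumes the app session wrapper is backed by PHP's native
// session, which the direct $_SESSION access above suggests — confirm; the
// status guard keeps this a no-op otherwise.
if (session_status() === PHP_SESSION_ACTIVE) {
    session_regenerate_id(true);
}
$_SESSION['auth_user'] = $user;

redirect('/');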