diff --git a/htdocs/core/modules/oauth/google_oauthcallback.php b/htdocs/core/modules/oauth/google_oauthcallback.php
index 55a4394aa37..2b2b253c40d 100644
--- a/htdocs/core/modules/oauth/google_oauthcallback.php
+++ b/htdocs/core/modules/oauth/google_oauthcallback.php
@@ -98,9 +98,6 @@ $apiService = $serviceFactory->createService('Google', $credentials, $storage, $
 // also note that a refresh token is sent only after a prompt
 $apiService->setAccessType('offline');
-$apiService->setApprouvalPrompt('force');
-
-//$apiService->setLoginHint(email); // If we know the email of Google account, we can set it to have it correctly selected on login prompt on multiaccount
 
 $langs->load("oauth");
 
@@ -178,14 +175,22 @@ if (GETPOST('code')) { // We are coming from oauth provider page.
 	// to the OAuth provider login page
 	$_SESSION["backtourlsavedbeforeoauthjump"] = $backtourl;
 
+	if (!preg_match('/^forlogin/', $state)) {
+		$apiService->setApprouvalPrompt('force');
+	}
+
 	// This may create record into oauth_state before the header redirect.
 	// Creation of record with state in this tables depend on the Provider used (see its constructor).
-	if (GETPOST('state')) {
-		$url = $apiService->getAuthorizationUri(array('state'=>GETPOST('state')));
+	if ($state) {
+		$url = $apiService->getAuthorizationUri(array('state' => $state));
 	} else {
 		$url = $apiService->getAuthorizationUri(); // Parameter state will be randomly generated
 	}
 
+	// Add more param
+	$url .= '&nonce='.bin2hex(random_bytes(64/8));
+	// TODO Add param hd and/or login_hint
+
 	// we go on oauth provider authorization page
 	header('Location: '.$url);
 	exit();
diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php
index 2645a76a8ab..d7e9bda13dd 100644
--- a/htdocs/core/tpl/login.tpl.php
+++ b/htdocs/core/tpl/login.tpl.php
@@ -331,21 +331,16 @@ if (isset($conf->file->main_authentication) && preg_match('/google/', $conf->fil
 	echo '
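Review bot: The nonce appended at `$url .= '&nonce='.bin2hex(random_bytes(64/8));` is generated and then thrown away, so the callback has nothing to compare against the `nonce` claim of the id_token Google returns, and the parameter gives no replay protection. Keep it alongside the state, e.g. `$nonce = bin2hex(random_bytes(64/8));`, `$_SESSION['oauthnonce'] = $nonce;`, `$url .= '&nonce='.$nonce;`, and check the claim where the id_token is decoded. The `$state` variable that now replaces `GETPOST('state')` is assigned outside this hunk, so whether it is sanitised and compared exactly with `$_SESSION['oauthstateanticsrf']` cannot be confirmed here. The enclosing block starts and ends outside the hunk.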
'; echo '
';
-	$shortscope = 'userinfo_email,userinfo_profile';
-	$shortscope .= ',openid,email,profile'; // For openid connect
+	//$shortscope = 'userinfo_email,userinfo_profile';
+	$shortscope = 'openid,email,profile'; // For openid connect
 	$oauthstateanticsrf = bin2hex(random_bytes(128/8));
 	$_SESSION['oauthstateanticsrf'] = $shortscope.'-'.$oauthstateanticsrf;
-	$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.$oauthstateanticsrf.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
+	$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state=forlogin-'.$shortscope.'-'.$oauthstateanticsrf;
 	$url = $urltorenew;
-	//if (!empty($url)) {
-	print img_picto('', 'google', 'class="pictofixedwidth"').''.$langs->trans("LoginWith", "Google").'';
-	/*} else {
-		$langs->load("errors");
-		print ''.$langs->trans("ErrorOpenIDSetupNotComplete", 'MAIN_AUTHENTICATION_OPENID_URL').'';
-	}*/
+	print img_picto('', 'google', 'class="pictofixedwidth"').''.$langs->trans("LoginWith", "Google").'';
 	echo '
';
 	}
diff --git a/htdocs/includes/OAuth/OAuth2/Service/Google.php b/htdocs/includes/OAuth/OAuth2/Service/Google.php
index 8cf6daf9a7e..d2041979faa 100644
--- a/htdocs/includes/OAuth/OAuth2/Service/Google.php
+++ b/htdocs/includes/OAuth/OAuth2/Service/Google.php
@@ -163,8 +163,8 @@ class Google extends AbstractService
     {
         // LDR CHANGE Add approval_prompt to force the prompt if value is set to 'force' so it force return of a "refresh token" in addition to "standard token"
         //return new Uri('https://accounts.google.com/o/oauth2/auth?access_type='.$this->accessType);
-        $url = 'https://accounts.google.com/o/oauth2/auth?nonce='.bin2hex(random_bytes(64/8)).'&'.($this->approvalPrompt?'approval_prompt='.$this->approvalPrompt.'&':'').'access_type='.$this->accessType;
-        // TODO Add param hd and/or login_hint
+        $url = 'https://accounts.google.com/o/oauth2/auth?'.($this->approvalPrompt?'approval_prompt='.$this->approvalPrompt.'&':'').'access_type='.$this->accessType;
+
         return new Uri($url);
     }
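Review bot: The value kept in `$_SESSION['oauthstateanticsrf']` (`$shortscope.'-'.$oauthstateanticsrf`, an untouched context line) no longer equals the `state` sent to Google, which is now `'forlogin-'.$shortscope.'-'.$oauthstateanticsrf`; unless the callback strips the `forlogin-` prefix before comparing, the anti-CSRF check either always fails or has to be loosened to a substring match. Storing the full state, `$_SESSION['oauthstateanticsrf'] = 'forlogin-'.$shortscope.'-'.$oauthstateanticsrf;`, keeps an exact comparison (`hash_equals`) possible on the callback side. The comparison itself is outside this diff, so this is inferred from the two lines visible here.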
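Review bot: With the nonce removed from `getAuthorizationEndpoint()`, any other consumer of `getAuthorizationUri()` for this service now sends no OIDC nonce unless it appends one itself, and nothing in the method records that shift of responsibility; a comment such as `// No nonce here: the caller (google_oauthcallback.php) appends one and must verify it against the id_token nonce claim` would make the contract visible. The `approval_prompt` and `access_type` values are still concatenated raw into the query string; they are set from code today, but `http_build_query()` would keep the endpoint well-formed if they ever come from configuration. The method's signature lies outside the hunk.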