From ad878cb12e57eec9daf29d273361d352e070fc4e Mon Sep 17 00:00:00 2001 From: Jeritiana Ravelojaona Date: Thu, 3 Nov 2022 18:43:26 +0300 Subject: [PATCH] Add OpenID Connect impl --- .../core/login/functions_openid_connect.php | 120 ++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 htdocs/core/login/functions_openid_connect.php diff --git a/htdocs/core/login/functions_openid_connect.php b/htdocs/core/login/functions_openid_connect.php new file mode 100644 index 00000000000..32f7f934117 --- /dev/null +++ b/htdocs/core/login/functions_openid_connect.php @@ -0,0 +1,120 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +/** + * \file htdocs/core/login/functions_openid_connect.php + * \ingroup core + * \brief OpenID Connect: Authorization Code flow authentication + */ + +include_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php'; + +/** + * Check validity of user/password/entity + * If test is ko, reason must be filled into $_SESSION["dol_loginmesg"] + * + * @param string $usertotest Login + * @param string $passwordtotest Password + * @param int $entitytotest Number of instance (always 1 if module multicompany not enabled) + * @return string Login if OK, '' if KO + */ +function check_user_password_openid_connect($usertotest, $passwordtotest, $entitytotest) +{ + global $conf; + + dol_syslog("functions_openid_connect::check_user_password_openid_connect"); + + $login = ''; + + // Step 1 is done by user: request an authorization code + + if (GETPOSTISSET('username')) { + + // OIDC does not require credentials here: pass on to next auth handler + $_SESSION["dol_loginmesg"] = "Not an OpenID Connect flow"; + dol_syslog("functions_openid_connect::check_user_password_openid_connect not an OIDC flow"); + + } elseif (GETPOSTISSET['code']) { + $auth_code = GETPOST('code', 'aZ09'); + dol_syslog("functions_openid_connect::check_user_password_openid_connect code=".$auth_code); + + // Step 2: turn the authorization code into an access token, using client_secret + $auth_param = [ + 'grant_type' => 'authorization_code', + 'client_id' => $conf->global->MAIN_AUTHENTICATION_OIDC_CLIENT_ID, + 'client_secret' => $conf->global->MAIN_AUTHENTICATION_OIDC_CLIENT_SECRET, + 'code' => $auth_code, + 'redirect_uri' => $conf->global->MAIN_AUTHENTICATION_OIDC_REDIRECT_URL + ]; + + $token_response = getURLContent($conf->global->MAIN_AUTHENTICATION_OIDC_TOKEN_URL, 'POST', http_build_query($auth_param)); + $token_content = json_decode($token_response['content']); + dol_syslog("functions_openid_connect::check_user_password_openid_connect /token=".print_r($token_response, true), LOG_DEBUG); + + if ($token_content->access_token) { + + // Step 3: retrieve user info using token + $userinfo_headers = array('Authorization: Bearer '.$token_content->access_token); + $userinfo_response = getURLContent($conf->global->MAIN_AUTHENTICATION_OIDC_USERINFO_URL, 'GET', '', 1, $userinfo_headers); + $userinfo_content = json_decode($userinfo_response['content']); + dol_syslog("functions_openid_connect::check_user_password_openid_connect /userinfo=".print_r($userinfo_response, true), LOG_DEBUG); + + // Get the user attribute (claim) matching the Dolibarr login + $login_claim = 'email'; // default + if (!empty($conf->global->MAIN_AUTHENTICATION_OIDC_LOGIN_CLAIM)) { + $login_claim = $conf->global->MAIN_AUTHENTICATION_OIDC_LOGIN_CLAIM; + } + + if (array_key_exists($login_claim, $userinfo_content)) { + // Success: retrieve claim to return to Dolibarr as login + $login = $userinfo_content->$login_claim; + $_SESSION["dol_loginmesg"] = ""; + } elseif ($userinfo_content->error) { + // Got user info response but content is an error + $_SESSION["dol_loginmesg"] = "Error in OAuth 2.0 flow (".$userinfo_content->error_description.")"; + } elseif ($userinfo_response['http_code'] == 200) { + // Claim does not exist + $_SESSION["dol_loginmesg"] = "OpenID Connect claim not found: ".$login_claim; + } elseif ($userinfo_response['curl_error_no']) { + // User info request error + $_SESSION["dol_loginmesg"] = "Network error: ".$userinfo_response['curl_error_msg']." (".$userinfo_response['curl_error_no'].")"; + } else { + // Other user info request error + $_SESSION["dol_loginmesg"] = "Userinfo request error (".$userinfo_response['http_code'].")"; + } + + } elseif ($token_content->error) { + // Got token response but content is an error + $_SESSION["dol_loginmesg"] = "Error in OAuth 2.0 flow (".$token_content->error_description.")"; + } elseif ($token_response['curl_error_no']) { + // Token request error + $_SESSION["dol_loginmesg"] = "Network error: ".$token_response['curl_error_msg']." (".$token_response['curl_error_no'].")"; + } else { + // Other token request error + $_SESSION["dol_loginmesg"] = "Token request error (".$token_response['http_code'].")"; + } + + } else { + // No code received + $_SESSION["dol_loginmesg"] = "Error in OAuth 2.0 flow (no code received)"; + } + + dol_syslog("functions_openid_connect::check_user_password_openid_connect END"); + + return !empty($login) ? $login : false; +} +