First basic OpenID Connect implementation

2025-07-28 17:02:04 +03:00 · 2020-07-01 23:27:50 +02:00
parent 8dc9689c6d
commit 07a6d7655f
21 changed files with 626 additions and 10 deletions
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@ -136,7 +136,7 @@ class LoginController extends Controller
    {
        // Authenticate on all session guards if a likely admin
        if ($user->can('users-manage') && $user->can('user-roles-manage')) {
-            $guards = ['standard', 'ldap', 'saml2'];
+            $guards = ['standard', 'ldap', 'saml2', 'openid'];
            foreach ($guards as $guard) {
                auth($guard)->login($user);
            }
@ -186,5 +186,4 @@ class LoginController extends Controller

        return redirect('/login');
    }
-
 }
--- a/app/Http/Controllers/Auth/OpenIdController.php
+++ b/app/Http/Controllers/Auth/OpenIdController.php
@ -0,0 +1,70 @@
+<?php
+
+namespace BookStack\Http\Controllers\Auth;
+
+use BookStack\Auth\Access\OpenIdService;
+use BookStack\Http\Controllers\Controller;
+
+class OpenIdController extends Controller
+{
+
+    protected $openidService;
+
+    /**
+     * OpenIdController constructor.
+     */
+    public function __construct(OpenIdService $openidService)
+    {
+        parent::__construct();
+        $this->openidService = $openidService;
+        $this->middleware('guard:openid');
+    }
+
+    /**
+     * Start the authorization login flow via OpenId Connect.
+     */
+    public function login()
+    {
+        $loginDetails = $this->openidService->login();
+        session()->flash('openid_state', $loginDetails['state']);
+
+        return redirect($loginDetails['url']);
+    }
+
+    /**
+     * Start the logout flow via OpenId Connect.
+     */
+    public function logout()
+    {
+        $logoutDetails = $this->openidService->logout();
+
+        if ($logoutDetails['id']) {
+            session()->flash('saml2_logout_request_id', $logoutDetails['id']);
+        }
+
+        return redirect($logoutDetails['url']);
+    }
+
+    /**
+     * Authorization flow Redirect.
+     * Processes authorization response from the OpenId Connect Authorization Server.
+     */
+    public function redirect()
+    {
+        $storedState = session()->pull('openid_state');
+        $responseState = request()->query('state');
+
+        if ($storedState !== $responseState) {
+            $this->showErrorNotification(trans('errors.openid_fail_authed', ['system' => config('saml2.name')]));
+            return redirect('/login');
+        }
+
+        $user = $this->openidService->processAuthorizeResponse(request()->query('code'));
+        if ($user === null) {
+            $this->showErrorNotification(trans('errors.openid_fail_authed', ['system' => config('saml2.name')]));
+            return redirect('/login');
+        }
+
+        return redirect()->intended();
+    }
+}