nucleardog
/
authkit2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
166 KiB
 
Tree: 5e4afc5ae5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5e4afc5ae5'
${ noResults }
authkit2/src/Oidc/Flows/UserFlow.php

125 lines
3.4 KiB
Raw Blame History

<?php
namespace authkit2\Oidc\Flows;
use authkit2\Authkit2;
use authkit2\Oidc\Client;
use authkit2\Oidc\Authentication\ClientAuthentication;
use authkit2\Oidc\Token;
/**
* Oauth three legged auth flow for authenticating users
*/
class UserFlow
{
/**
* OIDC client authenticating as the client
* @var Client
*/
protected $client;
/**
* oauth client id
* @var string
*/
protected $client_id;
/**
* oauth client secret
* @var string
*/
protected $client_secret;
/**
* Initialize a new user login flow
*
* @param string $client_id oauth client id
* @param string $client_secret oauth client secret
*/
public function __construct(string $client_id, string $client_secret)
{
$this->client_id = $client_id;
$this->client_secret = $client_secret;
$this->client = new Client(new ClientAuthentication($client_id, $client_secret));
}
/**
* Get the URL the user should be redirected to to begin the authorization process
*
* @param string $redirect_uri url the oidc endpoint should redirect the user back to; generally must be authorized in the provider
* @param string[] $scopes the scopes to request in the token
* @return string url to redirect the user to
*/
public function getRedirectUrl(string $redirect_uri, array $scopes = ['email']): string
{
// Generate nonce
// We use 30 because that should generate an even number of base64 characters
// and not require padding. (6 bits / char)
$state = base64_encode(random_bytes(30));
// Keep a list of all valid states we've generated
$states = Authkit2::session_get('userflow.state') ?? [];
array_push($states, $state);
Authkit2::session_set('userflow.state', $states);
return $this->client->getEndpointUrl('authorization').'?'.http_build_query([
'client_id' => $this->client_id,
'redirect_uri' => $redirect_uri,
'scope' => implode(',', $scopes),
'response_type' => 'code',
'state' => $state
]);
}
/**
* Validate that the provided state string is one we have previously generated
*
* @throws \Exception if the state is unrecognized or invalid
* @return void
*/
public function validateState(string $state): void
{
$states = Authkit2::session_get('userflow.state') ?? [];
for ($i=0; $i<sizeof($states); $i++)
{
if ($states[$i] == $state)
{
$states = array_splice($states, $i, 1);
Authkit2::session_set('userflow.state', $states);
return;
}
}
throw new \Exception("Invalid auth nonce");
}
/**
* After the user is redirected back with a authorization code, exchange it
* for an access token
*
* @param string $redirect_uri url the oidc endpoint redirects back to; must match one given in call to getRedirectUrl
* @param string $code code returned by the authorization flow
* @return Token
*/
public function exchangeCodeForToken(string $redirect_uri, string $code): Token
{
$response = $this->client->post('token', [
'grant_type' => 'authorization_code',
'code' => $code,
'redirect_uri' => $redirect_uri
]);
return Token::fromResponse($response);
}
/**
* If we want to log out of the SSO service and all apps, the URL to hit to
* sign out everywhere.
*
* @param string $redirect_uri url to redirect back to after logout completes
* @return string
*/
public function getLogoutUrl(string $redirect_uri): string
{
return $this->client->getEndpointUrl('end_session').'?'.http_build_query([
'redirect_uri' => $redirect_uri
]);
}
}