/**
  * Calls the authentication manager to authenticate all active tokens
  * and redirects to the original intercepted request on success if there
  * is one stored in the security context. If no intercepted request is
  * found, the function simply returns.
  *
  * If authentication fails, the result of calling the defined
  * $errorMethodName is returned.
  *
  * Note: Usually there is no need to override this action. You should use
  * the corresponding callback methods instead (onAuthenticationSuccess() and
  * onAuthenticationFailure()).
  *
  * @return string
  * @Flow\SkipCsrfProtection
  */
 public function authenticateAction()
 {
     // Keep the reason for a failed attempt so the failure callback can inspect it.
     $failureReason = null;
     try {
         $this->authenticationManager->authenticate();
     } catch (\TYPO3\Flow\Security\Exception\AuthenticationRequiredException $caught) {
         // Only this exception type is absorbed; anything else propagates to the caller.
         $failureReason = $caught;
     }

     // The exception alone does not decide the outcome: the manager is asked
     // explicitly whether authentication succeeded.
     if (!$this->authenticationManager->isAuthenticated()) {
         $this->onAuthenticationFailure($failureReason);
         // The error handler is looked up by name at runtime.
         return call_user_func(array($this, $this->errorMethodName));
     }

     $interceptedRequest = $this->securityContext->getInterceptedRequest();
     if ($interceptedRequest !== null) {
         // Clear the stored request so it is consumed only once.
         $this->securityContext->setInterceptedRequest(null);
     }
     // The success callback receives the intercepted request, or null if there was none.
     return $this->onAuthenticationSuccess($interceptedRequest);
 }
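 /**
  * Receive an SSO authentication callback and trigger authentication
  * through the SingleSignOnProvider.
  *
  * GET /sso/authentication/callback?...
  *
  * On success the user is redirected to the intercepted request stored in
  * the security context or, if there is none, to $callbackUri. Because
  * $callbackUri is a request argument, it is only followed when it points
  * into this application; any other target is rejected so that the callback
  * endpoint cannot be used as an open redirect.
  *
  * @param string $callbackUri
  * @return void
  * @throws \Flowpack\SingleSignOn\Client\Exception if authentication failed or $callbackUri is not a local target
  */
 public function callbackAction($callbackUri)
 {
     $authenticationException = null;
     try {
         $this->authenticationManager->authenticate();
     } catch (\TYPO3\Flow\Security\Exception\AuthenticationRequiredException $exception) {
         // Kept as "previous" exception for the failure raised below.
         $authenticationException = $exception;
     }
     if ($this->authenticationManager->isAuthenticated()) {
         $storedRequest = $this->securityContext->getInterceptedRequest();
         if ($storedRequest !== null) {
             // Consume the intercepted request so it is not replayed later.
             $this->securityContext->setInterceptedRequest(null);
             $this->redirectToRequest($storedRequest);
         } else {
             // Validate before redirecting: the URI comes from the request, not from server-side state.
             if (!$this->isLocalCallbackUri($callbackUri)) {
                 // The rejected URI is deliberately not echoed in the message.
                 // NOTE(review): no exception code is assigned here yet - add one per project convention.
                 throw new \Flowpack\SingleSignOn\Client\Exception('Refusing to redirect to a callback URI that does not point to this application.');
             }
             $this->redirectToUri($callbackUri);
         }
     } else {
         throw new \Flowpack\SingleSignOn\Client\Exception('Could not authenticate in callbackAction triggered by the SSO server.', 1366613161, $authenticationException);
     }
 }

 /**
  * Tells whether a redirect target stays inside this application.
  *
  * Accepted are path-only URIs starting with a single "/" and absolute
  * http(s) URIs whose host equals the host of the current request
  * (compared case-insensitively; the port is not compared).
  *
  * @param mixed $uri candidate redirect target taken from the request
  * @return boolean
  */
 private function isLocalCallbackUri($uri)
 {
     // Backslashes, whitespace and control characters are interpreted differently by
     // browsers than by parse_url(), so such input is rejected up front.
     if (!is_string($uri) || $uri === '' || preg_match('/[\\\\\x00-\x20\x7f]/', $uri) === 1) {
         return false;
     }
     $parts = parse_url($uri);
     if ($parts === false) {
         return false;
     }
     if (!isset($parts['scheme']) && !isset($parts['host'])) {
         // Path-only target; "//host/..." never gets here because parse_url() reports its host.
         return $uri[0] === '/';
     }
     if (!isset($parts['scheme'], $parts['host'])
         || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)
     ) {
         return false;
     }
     // Assumes this controller extends Flow's ActionController, which provides $this->request.
     $ownHost = $this->request->getHttpRequest()->getUri()->getHost();
     return strcasecmp($parts['host'], (string)$ownHost) === 0;
 }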
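 /**
  * Answers a Discourse SSO request for the currently authenticated account.
  *
  * The request carries a base64 payload ($sso) and its HMAC-SHA256 signature
  * ($sig), keyed with $this->ssoSecret. If both arguments are empty, they are
  * taken from the intercepted request stored in the security context. Once
  * the signature has been verified, the nonce from the payload is returned
  * together with the account's e-mail address, name and identifier, signed
  * with the same secret, by redirecting to $this->discourseSsoUrl. Nothing
  * from the incoming payload is used as redirect target.
  *
  * @param string $sso base64 encoded payload
  * @param string $sig hex encoded HMAC-SHA256 of $sso
  * @return string error message for requests that cannot be answered
  * @Flow\SkipCsrfProtection
  */
 public function authenticateDiscourseUserAction($sso = '', $sig = '')
 {
     if ($sso === '' && $sig === '') {
         // There may be no intercepted request at all; treat that like missing arguments
         // instead of calling a method on null.
         $interceptedRequest = $this->securityContext->getInterceptedRequest();
         $argumentsOfInterceptedRequest = $interceptedRequest !== null ? $interceptedRequest->getArguments() : array();
         if (!isset($argumentsOfInterceptedRequest['sso'], $argumentsOfInterceptedRequest['sig'])) {
             return 'This page needs to be called with valid sso and sig arguments from crowd!';
         }
         $sso = $argumentsOfInterceptedRequest['sso'];
         $sig = $argumentsOfInterceptedRequest['sig'];
     }
     // The payload is only decoded after its signature has been verified.
     if ($this->isValidSsoSignature($sso, $sig)) {
         parse_str(base64_decode($sso), $incomingPayload);
         $currentAccount = $this->securityContext->getAccount();
         /** @var Person $crowdUser */
         $crowdUser = $currentAccount !== null ? $this->partyService->getAssignedPartyOfAccount($currentAccount) : null;
         // Without a string nonce or a resolvable user there is nothing valid to sign.
         if ($crowdUser !== null && isset($incomingPayload['nonce']) && is_string($incomingPayload['nonce'])) {
             $outgoingPayload = base64_encode(http_build_query(array(
                 'nonce' => $incomingPayload['nonce'],
                 'email' => $crowdUser->getPrimaryElectronicAddress()->getIdentifier(),
                 'name' => $crowdUser->getName()->getFullName(),
                 'username' => $currentAccount->getAccountIdentifier(),
                 'external_id' => $currentAccount->getAccountIdentifier()
             ), '', '&', PHP_QUERY_RFC3986));
             $outgoingSignature = hash_hmac('sha256', $outgoingPayload, $this->ssoSecret);
             $this->redirectToUri(sprintf('%s?%s', $this->discourseSsoUrl, http_build_query(array('sso' => $outgoingPayload, 'sig' => $outgoingSignature), '', '&', PHP_QUERY_RFC3986)), 0, 302);
         }
     }
     return 'Sorry, we couldn\'t log you in';
 }

 /**
  * Verifies the HMAC-SHA256 signature of an SSO payload in constant time.
  *
  * @param mixed $payload the signed payload as received
  * @param mixed $signature the hex encoded signature as received
  * @return boolean
  */
 private function isValidSsoSignature($payload, $signature)
 {
     // Request arguments may arrive as arrays; only strings can carry a valid signature.
     if (!is_string($payload) || !is_string($signature)) {
         return false;
     }
     // An empty key would make the HMAC computable by anyone, so fail closed.
     if (!is_string($this->ssoSecret) || $this->ssoSecret === '') {
         return false;
     }
     $expected = hash_hmac('sha256', $payload, $this->ssoSecret);
     // A plain === comparison returns at the first differing byte, which leaks timing.
     if (function_exists('hash_equals')) {
         return hash_equals($expected, $signature);
     }
     // Fallback for PHP versions that do not provide hash_equals().
     if (strlen($expected) !== strlen($signature)) {
         return false;
     }
     $difference = 0;
     for ($i = 0, $length = strlen($expected); $i < $length; $i++) {
         $difference |= ord($expected[$i]) ^ ord($signature[$i]);
     }
     return $difference === 0;
 }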