 /**
  * Handle an authentication-only OIDC event.
  *
  * Does the following:
  *     - This is used for setting the system API user, so store the received token appropriately.
  *
  * The token parameters carried by the event are serialized into the 'systemtokens' setting of
  * local_o365 (the id token at the top level, the remaining tokens keyed by their resource), the
  * 'sharepoint_initialized' flag is reset to '0' and the browser is sent to the local_o365
  * settings page.
  *
  * @param \auth_oidc\event\user_authed $event The triggered event.
  * @return void Nothing is returned; the method ends with redirect().
  */
 public static function handle_oidc_user_authed(\auth_oidc\event\user_authed $event)
 {
     $eventdata = $event->get_data();
     $received = $eventdata['other']['tokenparams'];
     // Per-resource entry, keyed below by the resource the tokens were issued for.
     $resourcetokens = [
         'token' => $received['access_token'],
         'scope' => $received['scope'],
         'refreshtoken' => $received['refresh_token'],
         'resource' => $received['resource'],
         'expiry' => $received['expires_on'],
     ];
     $tokendata = [
         'idtoken' => $received['id_token'],
         $received['resource'] => $resourcetokens,
     ];
     // NOTE(review): access and refresh tokens are persisted serialized in the config table;
     // whatever reads 'systemtokens' back should treat it as plugin-written data, not user input.
     set_config('systemtokens', serialize($tokendata), 'local_o365');
     set_config('sharepoint_initialized', '0', 'local_o365');
     redirect(new \moodle_url('/admin/settings.php?section=local_o365'));
 }
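 /**
  * Handle an authorization request response received from the configured OP.
  *
  * Steps, in order:
  *     1. Require 'code' and 'state' in $authparams.
  *     2. Look up the state record, read its nonce and additional data, then delete it so the
  *        same state cannot be presented twice.
  *     3. Exchange the auth code for tokens and verify the id token against the original nonce.
  *     4. Apply the configured restrictions.
  *     5. Either trigger the user_authed event (system API user setup), run a migration for a
  *        user who is already logged in, or perform a normal login; the last two end in redirect().
  *
  * @param array $authparams Received parameters.
  * @return bool True when the response was consumed by the system-API-user event; the other
  *              branches end with redirect() and do not return a value.
  * @throws \moodle_exception If the code, state or id token is missing, the state is unknown,
  *                           or the user fails the configured restrictions.
  */
 protected function handleauthresponse(array $authparams)
 {
     global $DB, $CFG, $SESSION, $STATEADDITIONALDATA, $USER;
     if (!isset($authparams['code'])) {
         \auth_oidc\utils::debug('No auth code received.', 'authcode::handleauthresponse', $authparams);
         throw new \moodle_exception('errorauthnoauthcode', 'auth_oidc');
     }
     if (!isset($authparams['state'])) {
         \auth_oidc\utils::debug('No state received.', 'authcode::handleauthresponse', $authparams);
         throw new \moodle_exception('errorauthunknownstate', 'auth_oidc');
     }
     // Validate and expire state.
     $staterec = $DB->get_record('auth_oidc_state', ['state' => $authparams['state']]);
     if (empty($staterec)) {
         throw new \moodle_exception('errorauthunknownstate', 'auth_oidc');
     }
     $orignonce = $staterec->nonce;
     $additionaldata = [];
     if (!empty($staterec->additionaldata)) {
         // The state row is written by this plugin, but decode it as plain data only so that no
         // object can be instantiated from the stored blob. Only 'redirect' and 'connectiononly'
         // are read below, both scalars. Malformed data falls through to an empty array.
         $additionaldata = @unserialize($staterec->additionaldata, ['allowed_classes' => false]);
         if (!is_array($additionaldata)) {
             $additionaldata = [];
         }
     }
     $STATEADDITIONALDATA = $additionaldata;
     // Delete the state record before the token request so the state is single-use.
     $DB->delete_records('auth_oidc_state', ['id' => $staterec->id]);
     // Get token from auth code.
     $client = $this->get_oidcclient();
     $tokenparams = $client->tokenrequest($authparams['code']);
     if (!isset($tokenparams['id_token'])) {
         throw new \moodle_exception('errorauthnoidtoken', 'auth_oidc');
     }
     // Decode and verify idtoken (checked against the nonce stored with the state).
     list($oidcuniqid, $idtoken) = $this->process_idtoken($tokenparams['id_token'], $orignonce);
     // Check restrictions.
     $passed = $this->checkrestrictions($idtoken);
     if ($passed !== true) {
         $errstr = 'User prevented from logging in due to restrictions.';
         \auth_oidc\utils::debug($errstr, 'handleauthresponse', $idtoken);
         throw new \moodle_exception('errorrestricted', 'auth_oidc');
     }
     // This is for setting the system API user.
     if (isset($SESSION->auth_oidc_justevent)) {
         unset($SESSION->auth_oidc_justevent);
         $eventdata = ['other' => ['authparams' => $authparams, 'tokenparams' => $tokenparams]];
         $event = \auth_oidc\event\user_authed::create($eventdata);
         $event->trigger();
         return true;
     }
     // Check if OIDC user is already migrated.
     $tokenrec = $DB->get_record('auth_oidc_token', ['oidcuniqid' => $oidcuniqid]);
     // Note: && binds tighter than ||, so the condition reads as
     // "no token record" OR ("auth set" AND "auth is not oidc").
     if (isloggedin() === true && (empty($tokenrec) || isset($USER->auth) && $USER->auth !== 'oidc')) {
         // If the user is already logged in we can treat this as a "migration" - a user switching to OIDC.
         $connectiononly = false;
         if (isset($SESSION->auth_oidc_connectiononly)) {
             $connectiononly = true;
             unset($SESSION->auth_oidc_connectiononly);
         }
         if (isset($STATEADDITIONALDATA['connectiononly']) && $STATEADDITIONALDATA['connectiononly'] === true) {
             $connectiononly = true;
         }
         $this->handlemigration($oidcuniqid, $authparams, $tokenparams, $idtoken, $connectiononly);
         // The redirect target comes from the state row this plugin wrote, not from the request.
         // NOTE(review): confirm the writer of additionaldata['redirect'] never stores a
         // request-controlled URL, since it is passed to redirect() unchanged.
         $redirect = !empty($additionaldata['redirect']) ? $additionaldata['redirect'] : '/auth/oidc/ucp.php';
         redirect(new \moodle_url($redirect));
     } else {
         // Otherwise it's a user logging in normally with OIDC.
         $this->handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken);
         redirect(core_login_get_return_url());
     }
 }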