public function oidc_logout() {
    // Revoke the provider-issued access token kept in the session, drop it
    // locally, and then hand off to the application's own logout route.
    $issuer = 'https://noshchartingsystem.com/openid-connect-server-webapp/';
    // Client credentials live on the single configured practice record (id 1);
    // a missing record would fault on the property reads below.
    $practice = DB::table('practiceinfo')->where('practice_id', '=', '1')->first();
    $clientId = $practice->uma_client_id;
    $clientSecret = $practice->uma_client_secret;
    $redirect = route('oidc_logout');

    $client = new OpenIDConnectClient($issuer, $clientId, $clientSecret);
    $client->setRedirectURL($redirect);
    $client->setAccessToken(Session::get('oidc_auth_access_token'));
    $client->revoke();

    // Forget the token only after the revocation request has gone out.
    Session::forget('oidc_auth_access_token');

    return Redirect::intended('logout');
}
* * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. You may obtain * a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the * License for the specific language governing permissions and limitations * under the License. * */ require "OpenIDConnectClient.php5"; $oidc = new OpenIDConnectClient('http://myproviderURL.com/', 'ClientIDHere', 'ClientSecretHere'); $oidc->authenticate(); $name = $oidc->requestUserInfo('given_name'); ?> <html> <head> <title>Example OpenID Connect Client Use</title> <style> body { font-family: 'Lucida Grande', Verdana, Arial, sans-serif; } </style> </head> <body>
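protected function register_scope($id, $type, $table) {
    // Register one FHIR resource (identified by $id, prefixed by a table key
    // for Conditions) as a UMA resource set at the authorization server and
    // record each protected scope URL in the local `uma` table.
    //
    // Returns true once the registration request has been sent (rows are only
    // inserted when the server answers with a resource_set_id); returns false,
    // sending nothing, when $type is not one of the known resource types.
    $base = URL::to('/');

    // Condition scopes are keyed by the originating table; other types use the
    // bare id. An unrecognised table yields an empty key, as before.
    $table_key = '';
    if ($type == 'Condition') {
        if ($table == 'encounters') {
            $table_key = 'eid_';
        } elseif ($table == 'issues') {
            $table_key = 'issue_id';
        }
    }

    // type => array(display name, icon file, FHIR resource path segment).
    // Every type builds the same flat structure; previously 'Binary' appended a
    // nested entry, which left name/icon/scopes unset for the call below.
    $resource_types = array(
        'Condition' => array('Condition', 'i-condition.png', 'Condition'),
        'MedicationStatement' => array('Medication List', 'i-pharmacy.png', 'MedicationStatement'),
        'Allergy' => array('Allergy', 'i-allergy.png', 'AllergyIntolerance'),
        'Immunization' => array('Immunization', 'i-immunization.png', 'Immunization'),
        'Encounter' => array('Encounter', 'i-medical-records.png', 'Encounter'),
        'FamilyHistory' => array('Family History', 'i-family-practice.png', 'FamilyHistory'),
        'Binary' => array('Binary Files', 'i-file.png', 'Binary'),
        'Observation' => array('Observation', 'i-cardiology.png', 'Observation'),
    );
    if (!isset($resource_types[$type])) {
        return false;
    }
    list($name, $icon, $fhir_resource) = $resource_types[$type];
    $scope_id = $table_key . $id;
    $resource_set_array = array(
        'name' => $name,
        'icon' => 'https://noshchartingsystem.com/' . $icon,
        'scopes' => array(
            $base . '/fhir/' . $fhir_resource . '/' . $scope_id,
            $base . '/fhir/' . $fhir_resource . '?identifier=' . $scope_id,
        ),
    );

    // The UMA authorization server URL is derived from this application's own
    // URL by swapping the '/nosh' path for the server's.
    $open_id_url = str_replace('/nosh', '/uma-server-webapp/', $base);
    // Client credentials and refresh token come from the single configured
    // practice record (id 1).
    $practice = DB::table('practiceinfo')->where('practice_id', '=', '1')->first();
    $oidc1 = new OpenIDConnectClient($open_id_url, $practice->uma_client_id, $practice->uma_client_secret);
    // Obtain a fresh access token from the stored refresh token before calling
    // the resource-set registration endpoint.
    $oidc1->refresh($practice->uma_refresh_token, true);
    $response = $oidc1->resource_set($resource_set_array['name'], $resource_set_array['icon'], $resource_set_array['scopes']);

    if (isset($response['resource_set_id'])) {
        // One local row per protected scope so later permission requests can
        // look the scope URL up and find its resource set.
        foreach ($resource_set_array['scopes'] as $scope_item) {
            DB::table('uma')->insert(array(
                'resource_set_id' => $response['resource_set_id'],
                'scope' => $scope_item,
                'user_access_policy_uri' => $response['user_access_policy_uri'],
                'table_id' => $id,
                'table' => $table,
            ));
            $this->audit('Add');
        }
    }
    return true;
}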
} } else { // No RPT, Request Permission Ticket $url = Request::url(); $query = DB::table('uma')->where('scope', '=', $url)->first(); $as_uri = str_replace('/nosh', '/uma-server-webapp/', URL::to('/')); $header = ['WWW-Authenticate' => 'UMA realm = "pNOSH_UMA", as_uri = "' . $as_uri . '"']; $statusCode = 403; if ($query) { // Look for additional scopes for resource_set_id $query1 = DB::table('uma')->where('resource_set_id', '=', $query->resource_set_id)->get(); $scopes = array(); foreach ($query1 as $row1) { $scopes[] = $row1->scope; } $oidc = new OpenIDConnectClient($open_id_url, $client_id, $client_secret); $oidc->refresh($practice->uma_refresh_token, true); $permission_ticket = $oidc->permission_request($query->resource_set_id, $scopes); if (isset($permission_ticket['error'])) { $response = ['error' => $permission_ticket['error'], 'error_description' => $permission_ticket['error_description']]; } else { $response = ['ticket' => $permission_ticket['ticket']]; } } else { $response = ['error' => 'invalid_scope', 'error_description' => 'At least one of the scopes included in the request was not registered previously by this resource server.']; } return Response::json($response, $statusCode, $header); } //$payload = Request::header('X-Auth-Token'); //$user = DB::table('users')->where('oauth_token', '=', $payload)->where('oauth_token_secret', '>', time())->first(); //if(!$payload || !$user) {
protected function uma_api_build($command, $url, $send_object = null, $put_delete = null) {
    // Call the UMA server's API endpoint for $command on behalf of the current
    // session, presenting the access token stored under 'uma_auth_access_token'.
    // $send_object and $put_delete are handed to the client's api() method
    // unchanged, and its response is returned as-is.
    //
    // Both the issuer and the API endpoint are derived from this application's
    // own URL by swapping the '/nosh' path for the UMA server's.
    $app_root = URL::to('/');
    $issuer = str_replace('/nosh', '/uma-server-webapp/', $app_root);
    // Client credentials come from the single configured practice record (id 1).
    $practice = DB::table('practiceinfo')->where('practice_id', '=', '1')->first();
    $api_endpoint = str_replace('/nosh', '/uma-server-webapp/api/' . $command, $app_root);

    $client = new OpenIDConnectClient($issuer, $practice->uma_client_id, $practice->uma_client_secret);
    $client->setRedirectURL($url);
    $client->setAccessToken(Session::get('uma_auth_access_token'));

    return $client->api($command, $api_endpoint, $send_object, $put_delete);
}
<?php
// Example client: authenticate against the local OpenID Connect provider and
// print a handful of user-info claims as plain text.
header('Content-Type: text/plain');

require_once './phpseclib/Math/BigInteger.php';
require_once './phpseclib/Crypt/RSA.php';
require_once './lib/OpenIDConnectClient.php';

// NOTE(review): the issuer is a plain-http localhost URL and the client
// credentials are placeholders; both are only suitable for a local test setup.
$client = new OpenIDConnectClient('http://localhost/epicenote/htdocs/api.php', 'ClientIDHere', 'ClientSecretHere');
$client->authenticate();

// Label printed on the left => user-info claim fetched for it, in output order.
$claims = array(
    'Pseudo' => 'nickname',
    'Nom' => 'family_name',
    'Prénom' => 'given_name',
    'Email' => 'email',
    'Epitanime ACL' => 'acl',
);
foreach ($claims as $label => $claim) {
    echo $label . ': ' . $client->requestUserInfo($claim) . "\n";
}
var_dump($client->requestUserInfo('groups'));
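function do_login_oidc() {
    // Log the current visitor in via OpenID Connect.
    //
    // Runs the authorization-code flow against the configured provider, creates
    // the local user (and optionally a team) on first login, and stores the
    // username in the PHP session. Every failure path ends in error(), which
    // does not return. Requires PHP session auth, BASEURL and the openid_*
    // dbconfig settings.
    global $DB, $userdata, $username, $ip;

    if (AUTH_METHOD !== "PHP_SESSIONS") {
        error("You can only use OpenID Connect if the site is using PHP Sessions for authentication.");
    }
    if (!dbconfig_get('allow_openid_auth', false)) {
        error("OpenID authentication disabled by administrator.");
    }
    if (empty(BASEURL)) {
        error("OpenID authentication requires that 'BASEURL' be configured.");
    }

    $provider = dbconfig_get('openid_provider', '');
    $clientID = dbconfig_get('openid_clientid', '');
    $clientSecret = dbconfig_get('openid_clientsecret', '');
    if (empty($provider) || empty($clientID) || empty($clientSecret)) {
        error("OpenID details are not configured.");
    }

    $oidc = new OpenIDConnectClient($provider, $clientID, $clientSecret);
    $oidc->addScope(array("openid", "email"));
    // TODO: how to dynamically figure this out properly on all/most servers
    $oidc->setRedirectURL(BASEURL . "/auth/oid_cb.php");
    // For google, forces asking the user what account they want to use every time.
    $oidc->addAuthParam(array("prompt" => "select_account"));

    if (!isset($_REQUEST["code"])) {
        // First leg: remember where to return to after the provider redirects back.
        $_SESSION['redirect_after_login'] = $_SERVER['PHP_SELF'];
    }
    // authenticate() either sends the user to the provider (first leg) or
    // exchanges the received code (second leg); it only returns once logged in.
    $oidc->authenticate();

    // The subject identifier is the stable key; the prefix keeps OIDC accounts
    // distinct from locally created usernames.
    $username = "******" . $oidc->requestUserInfo("sub");
    $email = $oidc->requestUserInfo("email");

    // Create the user (and, if configured, a team) if they don't exist yet.
    $user = $DB->q('MAYBETUPLE SELECT * FROM user WHERE username = %s', $username);
    if (!$user) {
        $u = array();
        if (dbconfig_get("openid_autocreate_team", true)) {
            $i = array();
            $i['name'] = $email;
            $i['categoryid'] = 2; // Self-registered category id
            $i['enabled'] = 1;
            $i['comments'] = "Registered via OIDC by {$ip} on " . date('r');
            $teamid = $DB->q("RETURNID INSERT INTO team SET %S", $i);
            auditlog('team', $teamid, 'registered via OIDC by ' . $ip);
            $u['teamid'] = $teamid;
        }
        $u['username'] = $username;
        $u['email'] = $email;
        $u['name'] = $email;
        $u['password'] = NULL;
        $newid = $DB->q("RETURNID INSERT INTO user SET %S", $u);
        auditlog('user', $newid, 'registered via OIDC', $ip);
        // Assign the team role if we created a team for them. The id is bound
        // as a query parameter rather than interpolated, like the other queries.
        if (isset($u['teamid'])) {
            $DB->q("INSERT INTO `userrole` (`userid`, `roleid`) VALUES (%i, 3)", $newid);
        }
    }

    // Load the user; a missing or disabled account must not receive a session.
    $userdata = $DB->q('MAYBETUPLE SELECT * FROM user WHERE username = %s AND enabled = 1', $username);
    if (!$userdata) {
        error("OpenID login refused: user account is disabled.");
    }

    // Save the username in the session so they are logged in
    session_start();
    $_SESSION['username'] = $username;
    auditlog('user', $userdata['userid'], 'logged in', $ip);

    // Update the user's last login time
    $DB->q('UPDATE user SET last_login = %s, last_ip_address = %s WHERE username = %s', now(), $ip, $username);
}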