}
            //something went wrong, but we do have a valid uri to redirect to.
            $errorParameters['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $errorParameters);
            if (isset($_REQUEST['state'])) {
                $errorParameters['state'] = $_REQUEST['state'];
            }
            unset($errorParameters['error_code_internal']);
            unset($errorParameters['error_parameters_internal']);
            sspmod_oauth2server_Utility_Uri::redirectUri(sspmod_oauth2server_Utility_Uri::addQueryParametersToUrl($returnUri, $errorParameters));
        } else {
            if (is_string(parse_url($returnUri, PHP_URL_FRAGMENT))) {
                $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_redirect_uri', 'fragments are not allowed in redirect_uri: ' . $returnUri, 'FRAGMENT_REDIRECT_URI', array('REDIRECT_URI' => $returnUri, 'FRAGMENT' => parse_url($returnUri, PHP_URL_FRAGMENT)));
            } else {
                // this is not a proper error code used only internally
                $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_redirect_uri', 'illegal redirect_uri: ' . $returnUri, 'INVALID_REDIRECT_URI', array('REDIRECT_URI' => $returnUri));
            }
        }
    } else {
        $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('server_error', 'no redirection uri associated with client id', 'NO_REDIRECT_URI', array());
    }
} else {
    if (isset($_REQUEST['client_id'])) {
        $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('unauthorized_client', 'unauthorized_client: ' . $_REQUEST['client_id'], 'UNAUTHORIZED_CLIENT', array('CLIENT_ID' => $_REQUEST['client_id']));
    } else {
        $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('missing_client', 'missing client id', 'MISSING_CLIENT_ID', array());
    }
}
// Fall-through for every failure above where no valid redirect_uri is available:
// the error is shown on the module's own error page instead of being sent to the client.
$errorPageUrl = SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php');
$error_uri = SimpleSAML\Utils\HTTP::addURLParameters($errorPageUrl, $errorParameters);
SimpleSAML\Utils\HTTP::redirectTrustedURL($error_uri);
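 /**
  * Ask the user to log out before being able to log in again with a different identity provider. Note that this
  * method is intended for instances of SimpleSAMLphp running as a SAML proxy, and therefore acting both as an SP
  * and an IdP at the same time.
  *
  * This method will never return: it either throws, or redirects and does not come back.
  *
  * @param array $state The state array. The following keys must be defined in the array:
  * - 'saml:sp:IdPMetadata': a SimpleSAML_Configuration object containing the metadata of the IdP that authenticated
  *   the user in the current session.
  * - 'saml:sp:AuthId': the identifier of the current authentication source.
  * - 'core:IdP': the identifier of the local IdP.
  * - 'SPMetadata': an array with the metadata of this local SP.
  *
  * @throws SimpleSAML_Error_NoPassive In case the authentication request was passive.
  */
 public static function askForIdPChange(array &$state)
 {
     // Expression assertions rather than string assertions: a string argument to assert() was deprecated in
     // PHP 7.2 and is no longer evaluated in PHP 8, where a non-empty string is simply truthy and these
     // precondition checks would silently pass.
     assert(array_key_exists('saml:sp:IdPMetadata', $state));
     assert(array_key_exists('saml:sp:AuthId', $state));
     assert(array_key_exists('core:IdP', $state));
     assert(array_key_exists('SPMetadata', $state));

     if (isset($state['isPassive']) && (bool) $state['isPassive']) {
         // passive request, we cannot authenticate the user
         throw new SimpleSAML_Error_NoPassive('Reauthentication required');
     }

     // save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
     $id = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true);
     $url = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
     SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));

     // the redirect above is not expected to return; reaching this line is a bug
     assert(false);
 }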
            $tokenStore->removeAuthorizationCode($_REQUEST['tokenId']);
            SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML_Module::getModuleURL('oauth2server/manage/status.php'));
        }
    } else {
        if (array_search($_REQUEST['tokenId'], $user['refreshTokens']) !== false) {
            $token = $tokenStore->getRefreshToken($_REQUEST['tokenId']);
            if (is_array($token) && isset($_POST['revoke'])) {
                $tokenStore->removeRefreshToken($_REQUEST['tokenId']);
                SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML_Module::getModuleURL('oauth2server/manage/status.php'));
            }
        } else {
            if (array_search($_REQUEST['tokenId'], $user['accessTokens']) !== false) {
                $token = $tokenStore->getAccessToken($_REQUEST['tokenId']);
                if (is_array($token) && isset($_POST['revoke'])) {
                    $tokenStore->removeAccessToken($_REQUEST['tokenId']);
                    SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML_Module::getModuleURL('oauth2server/manage/status.php'));
                }
            }
        }
    }
}
// Prepare the token page template and register an inline translation for every configured scope.
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'oauth2server:manage/token.php');

$scopeTranslations = $config->getValue('scopes', array());
foreach ($scopeTranslations as $scope => $translations) {
    $translationTag = sprintf('{oauth2server:oauth2server:%s}', $scope);
    $t->includeInlineTranslation($translationTag, $translations);
}
if (isset($token)) {
    $clientStore = new sspmod_oauth2server_OAuth2_ClientStore($config);
    $client = $clientStore->getClient($token['clientId']);
    if (!is_null($client)) {
        $t->data['token'] = $token;
}
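// CAS logout endpoint. The optional 'url' query parameter is where the user is sent once logged out.
$skipLogoutPage = $casconfig->getValue('skip_logout_page', false);

if ($skipLogoutPage && !array_key_exists('url', $_GET)) {
    $message = 'Required URL query parameter [url] not provided. (CAS Server)';
    SimpleSAML_Logger::debug('casserver:' . $message);
    throw new Exception($message);
}

// 'url' is attacker-controlled and is used as a redirect target below, so it is validated once, up front,
// against the trusted.url.domains configuration (checkURLAllowed() throws when the host is not trusted).
// Deployments must list the hosts of their CAS services there, otherwise the logout redirect is refused.
$returnUrl = null;
if (array_key_exists('url', $_GET)) {
    $returnUrl = SimpleSAML\Utils\HTTP::checkURLAllowed($_GET['url']);
}
$loggedOutParameters = $returnUrl === null ? array() : array('url' => $returnUrl);

/* Load simpleSAMLphp metadata */
$as = new SimpleSAML_Auth_Simple($casconfig->getValue('authsource'));

$session = SimpleSAML_Session::getSession();
if (!is_null($session)) {
    $ticketStoreConfig = $casconfig->getValue('ticketstore', array('class' => 'casserver:FileSystemTicketStore'));
    $ticketStoreClass = SimpleSAML_Module::resolveClass($ticketStoreConfig['class'], 'Cas_Ticket');
    $ticketStore = new $ticketStoreClass($casconfig);
    $ticketStore->deleteTicket($session->getSessionId());
}

// The module's own logged-out page, carrying the (validated) return url when one was given.
$loggedOutUrl = SimpleSAML\Utils\HTTP::addURLParameters(
    SimpleSAML_Module::getModuleURL('casserver/loggedOut.php'),
    $loggedOutParameters
);

// With skip_logout_page the user goes straight to the validated return url; $returnUrl is guaranteed
// non-null in that case by the check at the top of this script.
if ($as->isAuthenticated()) {
    SimpleSAML_Logger::debug('casserver: performing a real logout');
    $as->logout($skipLogoutPage ? $returnUrl : $loggedOutUrl);
} else {
    SimpleSAML_Logger::debug('casserver: no session to log out of, performing redirect');
    SimpleSAML\Utils\HTTP::redirectTrustedURL($skipLogoutPage ? $returnUrl : $loggedOutUrl);
}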
        if (is_string($_GET['language'])) {
            $parameters['language'] = $_GET['language'];
        }
    }
}
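// Issue a service ticket when a CAS 'service' was requested; otherwise show the generic logged-in page.
if (isset($_GET['service'])) {
    $attributes = $as->getAttributes();
    $casUsernameAttribute = $casconfig->getValue('attrname', 'eduPersonPrincipalName');

    // Refuse to issue a ticket without a username: a missing attribute would otherwise raise a PHP notice
    // and produce a ticket whose userName is null.
    if (!isset($attributes[$casUsernameAttribute][0])) {
        $message = 'Required username attribute [' . $casUsernameAttribute . '] not present in the authentication response. (CAS Server)';
        SimpleSAML_Logger::debug('casserver:' . $message);
        throw new Exception($message);
    }
    $userName = $attributes[$casUsernameAttribute][0];

    if ($casconfig->getValue('attributes', true)) {
        $attributesToTransfer = $casconfig->getValue('attributes_to_transfer', array());
        if (count($attributesToTransfer) > 0) {
            // release only the configured attributes, in the configured order
            $casAttributes = array();
            foreach ($attributesToTransfer as $key) {
                if (array_key_exists($key, $attributes)) {
                    $casAttributes[$key] = $attributes[$key];
                }
            }
        } else {
            // no allow-list configured: release every attribute
            $casAttributes = $attributes;
        }
    } else {
        $casAttributes = array();
    }

    $serviceTicket = $ticketFactory->createServiceTicket(array(
        'service' => $_GET['service'],
        'forceAuthn' => $forceAuthn,
        'userName' => $userName,
        'attributes' => $casAttributes,
        'proxies' => array(),
        'sessionId' => $sessionTicket['id'],
    ));
    $ticketStore->addTicket($serviceTicket);

    $parameters['ticket'] = $serviceTicket['id'];
    // NOTE(review): 'service' comes from the query string and is used as a redirect target here; this relies
    // on it having been validated against the configured legal service URLs earlier in this script (outside
    // this block) — confirm that check exists before 'service' reaches this point.
    SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters($_GET['service'], $parameters));
} else {
    SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('casserver/loggedIn.php'), $parameters));
}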