コード例 #1
                $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_scope', 'invalid scope: ' . $firstOffendingScope, 'INVALID_SCOPE', array('SCOPE' => $firstOffendingScope));
            }
            //something went wrong, but we do have a valid uri to redirect to.
            $errorParameters['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $errorParameters);
            if (isset($_REQUEST['state'])) {
                $errorParameters['state'] = $_REQUEST['state'];
            }
            unset($errorParameters['error_code_internal']);
            unset($errorParameters['error_parameters_internal']);
            sspmod_oauth2server_Utility_Uri::redirectUri(sspmod_oauth2server_Utility_Uri::addQueryParametersToUrl($returnUri, $errorParameters));
        } else {
            if (is_string(parse_url($returnUri, PHP_URL_FRAGMENT))) {
                $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_redirect_uri', 'fragments are not allowed in redirect_uri: ' . $returnUri, 'FRAGMENT_REDIRECT_URI', array('REDIRECT_URI' => $returnUri, 'FRAGMENT' => parse_url($returnUri, PHP_URL_FRAGMENT)));
            } else {
                // this is not a proper error code used only internally
                $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_redirect_uri', 'illegal redirect_uri: ' . $returnUri, 'INVALID_REDIRECT_URI', array('REDIRECT_URI' => $returnUri));
            }
        }
    } else {
        $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('server_error', 'no redirection uri associated with client id', 'NO_REDIRECT_URI', array());
    }
} else {
    if (isset($_REQUEST['client_id'])) {
        $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('unauthorized_client', 'unauthorized_client: ' . $_REQUEST['client_id'], 'UNAUTHORIZED_CLIENT', array('CLIENT_ID' => $_REQUEST['client_id']));
    } else {
        $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('missing_client', 'missing client id', 'MISSING_CLIENT_ID', array());
    }
}
// No usable redirect_uri for this client, so the error cannot be returned to it;
// show the module's own error page instead. The *_internal keys are kept in the
// query here — they are only stripped before a redirect back to a client URI.
SimpleSAML\Utils\HTTP::redirectTrustedURL(
    SimpleSAML\Utils\HTTP::addURLParameters(
        SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'),
        $errorParameters
    )
);
コード例 #2
                }
            } else {
                // wrong token type
                $errorCode = 401;
                $response = array('error' => 'invalid_token', 'error_description' => 'Only Bearer tokens are supported');
                $response['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/resource/error.php'), array('error_code_internal' => 'UNSUPPORTED_ACCESS_TOKEN', 'error_parameters_internal' => array('TOKEN_ID' => $accessTokenId)));
            }
        } else {
            // error missing token
            $errorCode = 401;
            $response = array();
        }
    }
} else {
    $errorCode = 403;
    $response = array('error' => 'invalid_request', 'error_description' => 'resource owner end point not enabled');
    $response['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/resource/error.php'), array('error_code_internal' => 'DISABLED', 'error_parameters_internal' => array()));
}
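// Emit the status code both as an informational header and as the real response
// status (the third argument to header() sets the status line).
header('X-PHP-Response-Code: ' . $errorCode, true, $errorCode);
if ($errorCode !== 200) {
    // On failure the error is reported through the WWW-Authenticate challenge
    // (RFC 6750 style). Parameter values are sent as quoted-strings, so '\' and
    // '"' inside them must be escaped or the header becomes unparseable; CR/LF
    // is already refused by header() itself, which blocks header injection.
    $quote = function ($value) {
        return '"' . addcslashes((string) $value, "\\\"") . '"';
    };
    $authHeader = "WWW-Authenticate: Bearer ";
    if (array_key_exists('error', $response)) {
        // Missing companion keys produce an empty value instead of an undefined-index notice.
        $errorDescription = isset($response['error_description']) ? $response['error_description'] : '';
        // NOTE(review): the whole error_uri is urlencode()d, which turns "https://" into
        // "https%3A%2F%2F"; a plain URI-reference is what clients normally expect here.
        // Kept as-is because existing clients may already decode it — confirm before changing.
        $errorUri = isset($response['error_uri']) ? urlencode($response['error_uri']) : '';
        $authHeader .= 'error=' . $quote($response['error'])
            . ',error_description=' . $quote($errorDescription)
            . ',error_uri=' . $quote($errorUri);
        if (array_key_exists('scope', $response)) {
            $authHeader .= ',scope=' . $quote($response['scope']);
        }
    }
    header($authHeader, true, $errorCode);
} else {
    // Success: JSON body. An empty PHP array would encode as "[]", so emit "{}" explicitly.
    // NOTE(review): no Content-Type header is set in this excerpt — verify it is sent earlier.
    echo count($response) > 0 ? json_encode($response) : '{}';
}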
コード例 #3
}
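// With skip_logout_page enabled the browser is sent straight to the caller-supplied
// ?url= instead of the module's own "logged out" page, so that parameter is mandatory
// (and must be a scalar: a url[]= array would otherwise reach the logout call).
$skipLogoutPage = $casconfig->getValue('skip_logout_page', false);
if ($skipLogoutPage && (!array_key_exists('url', $_GET) || !is_string($_GET['url']))) {
    $message = 'Required URL query parameter [url] not provided. (CAS Server)';
    SimpleSAML_Logger::debug('casserver:' . $message);
    throw new Exception($message);
}

/* Authentication source this CAS server is backed by */
$as = new SimpleSAML_Auth_Simple($casconfig->getValue('authsource'));

// Remove any ticket tied to the current simpleSAMLphp session before it is ended.
$session = SimpleSAML_Session::getSession();
if (!is_null($session)) {
    $ticketStoreConfig = $casconfig->getValue('ticketstore', array('class' => 'casserver:FileSystemTicketStore'));
    $ticketStoreClass = SimpleSAML_Module::resolveClass($ticketStoreConfig['class'], 'Cas_Ticket');
    $ticketStore = new $ticketStoreClass($casconfig);
    $ticketStore->deleteTicket($session->getSessionId());
}

// Post-logout destination, decided once instead of re-reading skip_logout_page in every branch.
// NOTE(review): with skip_logout_page enabled, $_GET['url'] is handed verbatim to the "trusted"
// redirect paths below; nothing in this excerpt restricts its host, which is an open-redirect
// risk. Validating it against trusted.url.domains (SimpleSAML\Utils\HTTP::checkURLAllowed())
// would close that — confirm no deployment relies on arbitrary hosts before enforcing it.
if ($skipLogoutPage) {
    $returnTo = $_GET['url'];
} else {
    $returnTo = SimpleSAML\Utils\HTTP::addURLParameters(
        SimpleSAML_Module::getModuleURL('casserver/loggedOut.php'),
        array_key_exists('url', $_GET) ? array('url' => $_GET['url']) : array()
    );
}

if ($as->isAuthenticated()) {
    SimpleSAML_Logger::debug('casserver: performing a real logout');
    $as->logout($returnTo);
} else {
    SimpleSAML_Logger::debug('casserver: no session to log out of, performing redirect');
    // The original wrapped the caller-supplied URL in addURLParameters() with no extra
    // parameters; that call is kept in case the helper validates or normalises the URL.
    SimpleSAML\Utils\HTTP::redirectTrustedURL(
        $skipLogoutPage ? SimpleSAML\Utils\HTTP::addURLParameters($returnTo, array()) : $returnTo
    );
}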
コード例 #4
        if (is_string($_GET['language'])) {
            $parameters['language'] = $_GET['language'];
        }
    }
}
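if (isset($_GET['service'])) {
    // Mint a service ticket for the requested service and send the browser back to it.
    $attributes = $as->getAttributes();
    $casUsernameAttribute = $casconfig->getValue('attrname', 'eduPersonPrincipalName');
    // Refuse to issue a ticket when the configured username attribute is absent, rather
    // than silently creating one with an empty principal (the old code only emitted a notice).
    if (!isset($attributes[$casUsernameAttribute][0])) {
        $message = 'Required attribute [' . $casUsernameAttribute . '] not present for the authenticated user. (CAS Server)';
        SimpleSAML_Logger::debug('casserver:' . $message);
        throw new Exception($message);
    }
    $userName = $attributes[$casUsernameAttribute][0];

    // Attribute release: nothing, an explicit allow-list (attributes_to_transfer), or everything.
    if ($casconfig->getValue('attributes', true)) {
        $attributesToTransfer = $casconfig->getValue('attributes_to_transfer', array());
        if (count($attributesToTransfer) > 0) {
            $casAttributes = array();
            foreach ($attributesToTransfer as $key) {
                if (array_key_exists($key, $attributes)) {
                    $casAttributes[$key] = $attributes[$key];
                }
            }
        } else {
            $casAttributes = $attributes;
        }
    } else {
        $casAttributes = array();
    }

    // NOTE(review): $_GET['service'] is used below as a "trusted" redirect target; whether it
    // was checked against an allowed-service list happens (if at all) above this excerpt — confirm.
    $serviceTicket = $ticketFactory->createServiceTicket(array(
        'service' => $_GET['service'],
        'forceAuthn' => $forceAuthn,
        'userName' => $userName,
        'attributes' => $casAttributes,
        'proxies' => array(),
        'sessionId' => $sessionTicket['id'],
    ));
    $ticketStore->addTicket($serviceTicket);
    $parameters['ticket'] = $serviceTicket['id'];
    SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters($_GET['service'], $parameters));
} else {
    // No service requested: land on the module's own "logged in" page.
    SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('casserver/loggedIn.php'), $parameters));
}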
コード例 #5
    echo $this->t('{oauth2server:oauth2server:client_description}');
    ?>
</th>
                <th><?php 
    echo $this->t('{oauth2server:oauth2server:client_expire}');
    ?>
</th>
            </tr>

            <?php 
    foreach ($this->data['clients'] as $client) {
        ?>
                <tr>
                    <td>
                        <a href="<?php 
        echo htmlentities(SimpleSAML\Utils\HTTP::addURLParameters($this->data['clientForm'], array('clientId' => $client['id'])));
        ?>
">
                            <?php 
        echo htmlspecialchars($client['id']);
        ?>
                        </a>
                    </td>
                    <td>
                        <?php 
        echo $this->t('{oauth2server:oauth2server:client_description_' . $client['id'] . '}');
        ?>
                    </td>
                    <td><?php 
        echo htmlspecialchars(date("Y-m-d H:i:s", $client['expire']));
        ?>
コード例 #6
        // build return uri with authorization code and redirect
        sspmod_oauth2server_Utility_Uri::redirectUri(sspmod_oauth2server_Utility_Uri::addQueryParametersToUrl($state['returnUri'], $response));
    } else {
        $fragment = '#access_token=' . $token['id'] . '&token_type=bearer&expires_in=' . ($token['expire'] - time());
        if (count($token['scopes']) > 0) {
            $fragment .= '&scope=' . urlencode(trim(implode(' ', $token['scopes'])));
        }
        if (array_key_exists('state', $state)) {
            $fragment .= '&state=' . $state['state'];
        }
        sspmod_oauth2server_Utility_Uri::redirectUri($state['returnUri'] . $fragment);
    }
} else {
    if (array_key_exists('deny', $_REQUEST)) {
        $response = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('access_denied', 'request denied by resource owner', 'CONSENT_NOT_GRANTED', array());
        $response['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $response);
        if (array_key_exists('state', $state)) {
            $response['state'] = $state['state'];
        }
        unset($response['error_code_internal']);
        unset($response['error_parameters_internal']);
        sspmod_oauth2server_Utility_Uri::redirectUri(sspmod_oauth2server_Utility_Uri::addQueryParametersToUrl($state['returnUri'], $response));
    }
}
// Render the consent page: register per-scope translations and the client's
// description as inline translations, then hand the template the identifiers it
// needs to post the decision back.
$t = new SimpleSAML_XHTML_Template($globalConfig, 'oauth2server:authorization/consent.php');

$scopeTranslations = $config->getValue('scopes', array());
foreach ($scopeTranslations as $scopeName => $scopeLabels) {
    $translationKey = '{oauth2server:oauth2server:' . $scopeName . '}';
    $t->includeInlineTranslation($translationKey, $scopeLabels);
}

// A client without a description gets an empty translation rather than none at all.
$clientDescription = array('' => '');
if (array_key_exists('description', $client)) {
    $clientDescription = $client['description'];
}
$t->includeInlineTranslation('{oauth2server:oauth2server:client_description}', $clientDescription);

$t->data['clientId'] = $state['clientId'];
$t->data['stateId'] = $_REQUEST['stateId'];