$errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_scope', 'invalid scope: ' . $firstOffendingScope, 'INVALID_SCOPE', array('SCOPE' => $firstOffendingScope)); } //something went wrong, but we do have a valid uri to redirect to. $errorParameters['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $errorParameters); if (isset($_REQUEST['state'])) { $errorParameters['state'] = $_REQUEST['state']; } unset($errorParameters['error_code_internal']); unset($errorParameters['error_parameters_internal']); sspmod_oauth2server_Utility_Uri::redirectUri(sspmod_oauth2server_Utility_Uri::addQueryParametersToUrl($returnUri, $errorParameters)); } else { if (is_string(parse_url($returnUri, PHP_URL_FRAGMENT))) { $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_redirect_uri', 'fragments are not allowed in redirect_uri: ' . $returnUri, 'FRAGMENT_REDIRECT_URI', array('REDIRECT_URI' => $returnUri, 'FRAGMENT' => parse_url($returnUri, PHP_URL_FRAGMENT))); } else { // this is not a proper error code used only internally $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_redirect_uri', 'illegal redirect_uri: ' . $returnUri, 'INVALID_REDIRECT_URI', array('REDIRECT_URI' => $returnUri)); } } } else { $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('server_error', 'no redirection uri associated with client id', 'NO_REDIRECT_URI', array()); } } else { if (isset($_REQUEST['client_id'])) { $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('unauthorized_client', 'unauthorized_client: ' . $_REQUEST['client_id'], 'UNAUTHORIZED_CLIENT', array('CLIENT_ID' => $_REQUEST['client_id'])); } else { $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('missing_client', 'missing client id', 'MISSING_CLIENT_ID', array()); } } //something went wrong, and we do not have a valid uri to redirect to. $error_uri = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $errorParameters); SimpleSAML\Utils\HTTP::redirectTrustedURL($error_uri);
} } else { // wrong token type $errorCode = 401; $response = array('error' => 'invalid_token', 'error_description' => 'Only Bearer tokens are supported'); $response['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/resource/error.php'), array('error_code_internal' => 'UNSUPPORTED_ACCESS_TOKEN', 'error_parameters_internal' => array('TOKEN_ID' => $accessTokenId))); } } else { // error missing token $errorCode = 401; $response = array(); } } } else { $errorCode = 403; $response = array('error' => 'invalid_request', 'error_description' => 'resource owner end point not enabled'); $response['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/resource/error.php'), array('error_code_internal' => 'DISABLED', 'error_parameters_internal' => array())); } header('X-PHP-Response-Code: ' . $errorCode, true, $errorCode); if ($errorCode !== 200) { $authHeader = "WWW-Authenticate: Bearer "; if (array_key_exists('error', $response)) { $authHeader .= 'error="' . $response['error'] . '",error_description="' . $response['error_description'] . '",' . 'error_uri="' . urlencode($response['error_uri']) . '"'; if (array_key_exists('scope', $response)) { $authHeader .= ',scope="' . $response['scope'] . '"'; } } header($authHeader, true, $errorCode); } else { echo count($response) > 0 ? json_encode($response) : '{}'; }
} $skipLogoutPage = $casconfig->getValue('skip_logout_page', false); if ($skipLogoutPage && !array_key_exists('url', $_GET)) { $message = 'Required URL query parameter [url] not provided. (CAS Server)'; SimpleSAML_Logger::debug('casserver:' . $message); throw new Exception($message); } /* Load simpleSAMLphp metadata */ $as = new SimpleSAML_Auth_Simple($casconfig->getValue('authsource')); $session = SimpleSAML_Session::getSession(); if (!is_null($session)) { $ticketStoreConfig = $casconfig->getValue('ticketstore', array('class' => 'casserver:FileSystemTicketStore')); $ticketStoreClass = SimpleSAML_Module::resolveClass($ticketStoreConfig['class'], 'Cas_Ticket'); $ticketStore = new $ticketStoreClass($casconfig); $ticketStore->deleteTicket($session->getSessionId()); } if ($as->isAuthenticated()) { SimpleSAML_Logger::debug('casserver: performing a real logout'); if ($casconfig->getValue('skip_logout_page', false)) { $as->logout($_GET['url']); } else { $as->logout(SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('casserver/loggedOut.php'), array_key_exists('url', $_GET) ? array('url' => $_GET['url']) : array())); } } else { SimpleSAML_Logger::debug('casserver: no session to log out of, performing redirect'); if ($casconfig->getValue('skip_logout_page', false)) { SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters($_GET['url'], array())); } else { SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('casserver/loggedOut.php'), array_key_exists('url', $_GET) ? array('url' => $_GET['url']) : array())); } }
if (is_string($_GET['language'])) { $parameters['language'] = $_GET['language']; } } } if (isset($_GET['service'])) { $attributes = $as->getAttributes(); $casUsernameAttribute = $casconfig->getValue('attrname', 'eduPersonPrincipalName'); $userName = $attributes[$casUsernameAttribute][0]; if ($casconfig->getValue('attributes', true)) { $attributesToTransfer = $casconfig->getValue('attributes_to_transfer', array()); if (sizeof($attributesToTransfer) > 0) { $casAttributes = array(); foreach ($attributesToTransfer as $key) { if (array_key_exists($key, $attributes)) { $casAttributes[$key] = $attributes[$key]; } } } else { $casAttributes = $attributes; } } else { $casAttributes = array(); } $serviceTicket = $ticketFactory->createServiceTicket(array('service' => $_GET['service'], 'forceAuthn' => $forceAuthn, 'userName' => $userName, 'attributes' => $casAttributes, 'proxies' => array(), 'sessionId' => $sessionTicket['id'])); $ticketStore->addTicket($serviceTicket); $parameters['ticket'] = $serviceTicket['id']; SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters($_GET['service'], $parameters)); } else { SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('casserver/loggedIn.php'), $parameters)); }
echo $this->t('{oauth2server:oauth2server:client_description}'); ?> </th> <th><?php echo $this->t('{oauth2server:oauth2server:client_expire}'); ?> </th> </tr> <?php foreach ($this->data['clients'] as $client) { ?> <tr> <td> <a href="<?php echo htmlentities(SimpleSAML\Utils\HTTP::addURLParameters($this->data['clientForm'], array('clientId' => $client['id']))); ?> "> <?php echo htmlspecialchars($client['id']); ?> </a> </td> <td> <?php echo $this->t('{oauth2server:oauth2server:client_description_' . $client['id'] . '}'); ?> </td> <td><?php echo htmlspecialchars(date("Y-m-d H:i:s", $client['expire'])); ?>
// build return uri with authorization code and redirect sspmod_oauth2server_Utility_Uri::redirectUri(sspmod_oauth2server_Utility_Uri::addQueryParametersToUrl($state['returnUri'], $response)); } else { $fragment = '#access_token=' . $token['id'] . '&token_type=bearer&expires_in=' . ($token['expire'] - time()); if (count($token['scopes']) > 0) { $fragment .= '&scope=' . urlencode(trim(implode(' ', $token['scopes']))); } if (array_key_exists('state', $state)) { $fragment .= '&state=' . $state['state']; } sspmod_oauth2server_Utility_Uri::redirectUri($state['returnUri'] . $fragment); } } else { if (array_key_exists('deny', $_REQUEST)) { $response = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('access_denied', 'request denied by resource owner', 'CONSENT_NOT_GRANTED', array()); $response['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $response); if (array_key_exists('state', $state)) { $response['state'] = $state['state']; } unset($response['error_code_internal']); unset($response['error_parameters_internal']); sspmod_oauth2server_Utility_Uri::redirectUri(sspmod_oauth2server_Utility_Uri::addQueryParametersToUrl($state['returnUri'], $response)); } } $t = new SimpleSAML_XHTML_Template($globalConfig, 'oauth2server:authorization/consent.php'); foreach ($config->getValue('scopes', array()) as $scope => $translations) { $t->includeInlineTranslation('{oauth2server:oauth2server:' . $scope . '}', $translations); } $t->includeInlineTranslation('{oauth2server:oauth2server:client_description}', array_key_exists('description', $client) ? $client['description'] : array('' => '')); $t->data['clientId'] = $state['clientId']; $t->data['stateId'] = $_REQUEST['stateId'];