} //something went wrong, but we do have a valid uri to redirect to. $errorParameters['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $errorParameters); if (isset($_REQUEST['state'])) { $errorParameters['state'] = $_REQUEST['state']; } unset($errorParameters['error_code_internal']); unset($errorParameters['error_parameters_internal']); sspmod_oauth2server_Utility_Uri::redirectUri(sspmod_oauth2server_Utility_Uri::addQueryParametersToUrl($returnUri, $errorParameters)); } else { if (is_string(parse_url($returnUri, PHP_URL_FRAGMENT))) { $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_redirect_uri', 'fragments are not allowed in redirect_uri: ' . $returnUri, 'FRAGMENT_REDIRECT_URI', array('REDIRECT_URI' => $returnUri, 'FRAGMENT' => parse_url($returnUri, PHP_URL_FRAGMENT))); } else { // this is not a proper error code used only internally $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_redirect_uri', 'illegal redirect_uri: ' . $returnUri, 'INVALID_REDIRECT_URI', array('REDIRECT_URI' => $returnUri)); } } } else { $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('server_error', 'no redirection uri associated with client id', 'NO_REDIRECT_URI', array()); } } else { if (isset($_REQUEST['client_id'])) { $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('unauthorized_client', 'unauthorized_client: ' . $_REQUEST['client_id'], 'UNAUTHORIZED_CLIENT', array('CLIENT_ID' => $_REQUEST['client_id'])); } else { $errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('missing_client', 'missing client id', 'MISSING_CLIENT_ID', array()); } } //something went wrong, and we do not have a valid uri to redirect to. 
// Send the browser to the module's own error page. The base URL comes from getModuleURL()
// (not from the request), and the error details are appended as query parameters.
// redirectTrustedURL() skips the destination checks applied to untrusted URLs, so the base
// must remain module-generated; only the query string carries request-derived values.
$error_uri = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $errorParameters);
SimpleSAML\Utils\HTTP::redirectTrustedURL($error_uri);
/**
 * Force a fresh login before the user can authenticate with a different identity provider.
 *
 * Meant for deployments where SimpleSAMLphp acts as a SAML proxy, i.e. as an SP and an IdP at the
 * same time. The current state is persisted and the browser is redirected to the module's
 * invalid_session page; control is not expected to come back to the caller.
 *
 * @param array $state Authentication state. The following keys must be present:
 *   - 'saml:sp:IdPMetadata': SimpleSAML_Configuration holding the metadata of the IdP that
 *     authenticated the user in the current session.
 *   - 'saml:sp:AuthId': identifier of the current authentication source.
 *   - 'core:IdP': identifier of the local IdP.
 *   - 'SPMetadata': metadata array of this local SP.
 *
 * @throws SimpleSAML_Error_NoPassive When the request is passive, because asking the user to
 *   re-authenticate requires interaction.
 */
public static function askForIdPChange(array &$state)
{
    assert('array_key_exists("saml:sp:IdPMetadata", $state)');
    assert('array_key_exists("saml:sp:AuthId", $state)');
    assert('array_key_exists("core:IdP", $state)');
    assert('array_key_exists("SPMetadata", $state)');

    if (!empty($state['isPassive'])) {
        // A passive request cannot show the user a page, so re-authentication is impossible here.
        throw new SimpleSAML_Error_NoPassive('Reauthentication required');
    }

    // Persist the state without a restart URL, so a later failure does not fall back to an
    // IdP-initiated login.
    $stateId = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true);

    // The destination is module-generated, not taken from the request; the saved state is
    // referenced through the AuthState query parameter.
    $target = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
    SimpleSAML\Utils\HTTP::redirectTrustedURL($target, array('AuthState' => $stateId));

    // The redirect is expected to end the request; reaching this point indicates a bug.
    assert('false');
}
$tokenStore->removeAuthorizationCode($_REQUEST['tokenId']); SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML_Module::getModuleURL('oauth2server/manage/status.php')); } } else { if (array_search($_REQUEST['tokenId'], $user['refreshTokens']) !== false) { $token = $tokenStore->getRefreshToken($_REQUEST['tokenId']); if (is_array($token) && isset($_POST['revoke'])) { $tokenStore->removeRefreshToken($_REQUEST['tokenId']); SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML_Module::getModuleURL('oauth2server/manage/status.php')); } } else { if (array_search($_REQUEST['tokenId'], $user['accessTokens']) !== false) { $token = $tokenStore->getAccessToken($_REQUEST['tokenId']); if (is_array($token) && isset($_POST['revoke'])) { $tokenStore->removeAccessToken($_REQUEST['tokenId']); SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML_Module::getModuleURL('oauth2server/manage/status.php')); } } } } } $globalConfig = SimpleSAML_Configuration::getInstance(); $t = new SimpleSAML_XHTML_Template($globalConfig, 'oauth2server:manage/token.php'); foreach ($config->getValue('scopes', array()) as $scope => $translations) { $t->includeInlineTranslation('{oauth2server:oauth2server:' . $scope . '}', $translations); } if (isset($token)) { $clientStore = new sspmod_oauth2server_OAuth2_ClientStore($config); $client = $clientStore->getClient($token['clientId']); if (!is_null($client)) { $t->data['token'] = $token;
} $skipLogoutPage = $casconfig->getValue('skip_logout_page', false); if ($skipLogoutPage && !array_key_exists('url', $_GET)) { $message = 'Required URL query parameter [url] not provided. (CAS Server)'; SimpleSAML_Logger::debug('casserver:' . $message); throw new Exception($message); } /* Load simpleSAMLphp metadata */ $as = new SimpleSAML_Auth_Simple($casconfig->getValue('authsource')); $session = SimpleSAML_Session::getSession(); if (!is_null($session)) { $ticketStoreConfig = $casconfig->getValue('ticketstore', array('class' => 'casserver:FileSystemTicketStore')); $ticketStoreClass = SimpleSAML_Module::resolveClass($ticketStoreConfig['class'], 'Cas_Ticket'); $ticketStore = new $ticketStoreClass($casconfig); $ticketStore->deleteTicket($session->getSessionId()); } if ($as->isAuthenticated()) { SimpleSAML_Logger::debug('casserver: performing a real logout'); if ($casconfig->getValue('skip_logout_page', false)) { $as->logout($_GET['url']); } else { $as->logout(SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('casserver/loggedOut.php'), array_key_exists('url', $_GET) ? array('url' => $_GET['url']) : array())); } } else { SimpleSAML_Logger::debug('casserver: no session to log out of, performing redirect'); if ($casconfig->getValue('skip_logout_page', false)) { SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters($_GET['url'], array())); } else { SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('casserver/loggedOut.php'), array_key_exists('url', $_GET) ? array('url' => $_GET['url']) : array())); } }
if (is_string($_GET['language'])) { $parameters['language'] = $_GET['language']; } } } if (isset($_GET['service'])) { $attributes = $as->getAttributes(); $casUsernameAttribute = $casconfig->getValue('attrname', 'eduPersonPrincipalName'); $userName = $attributes[$casUsernameAttribute][0]; if ($casconfig->getValue('attributes', true)) { $attributesToTransfer = $casconfig->getValue('attributes_to_transfer', array()); if (sizeof($attributesToTransfer) > 0) { $casAttributes = array(); foreach ($attributesToTransfer as $key) { if (array_key_exists($key, $attributes)) { $casAttributes[$key] = $attributes[$key]; } } } else { $casAttributes = $attributes; } } else { $casAttributes = array(); } $serviceTicket = $ticketFactory->createServiceTicket(array('service' => $_GET['service'], 'forceAuthn' => $forceAuthn, 'userName' => $userName, 'attributes' => $casAttributes, 'proxies' => array(), 'sessionId' => $sessionTicket['id'])); $ticketStore->addTicket($serviceTicket); $parameters['ticket'] = $serviceTicket['id']; SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters($_GET['service'], $parameters)); } else { SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('casserver/loggedIn.php'), $parameters)); }