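/**
 * Handle an authentication-only OIDC event.
 *
 * Does the following:
 * - This is used for setting the system API user, so store the received token appropriately.
 *
 * The event carries the raw token response ('tokenparams') from the OP. Only the fields that are
 * present are copied; optional fields that the token response omits are stored as null instead of
 * raising undefined-index notices.
 *
 * @param \auth_oidc\event\user_authed $event The triggered event.
 * @return bool Success/Failure. (In practice the method ends in redirect(), which terminates the request.)
 */
public static function handle_oidc_user_authed(\auth_oidc\event\user_authed $event) {
    $eventdata = $event->get_data();
    $tokenparams = isset($eventdata['other']['tokenparams']) ? $eventdata['other']['tokenparams'] : [];

    // Read one token-response field, or null when the OP omitted it (no undefined-index notice).
    $param = function($key) use ($tokenparams) {
        return isset($tokenparams[$key]) ? $tokenparams[$key] : null;
    };

    // The access-token bundle is keyed by the resource it was issued for.
    $resource = $param('resource');
    $tokendata = [
        'idtoken' => $param('id_token'),
        $resource => [
            'token' => $param('access_token'),
            'scope' => $param('scope'),
            'refreshtoken' => $param('refresh_token'),
            'resource' => $resource,
            'expiry' => $param('expires_on'),
        ],
    ];

    // NOTE(review): the tokens are stored PHP-serialized in plugin config. Wherever this value is read
    // back, unserialize() should pass ['allowed_classes' => false] (PHP 7+) so that a tampered config
    // row cannot instantiate arbitrary classes -- confirm the reader.
    set_config('systemtokens', serialize($tokendata), 'local_o365');
    // Presumably forces the SharePoint setup to be re-run against the new system user -- verify.
    set_config('sharepoint_initialized', '0', 'local_o365');
    redirect(new \moodle_url('/admin/settings.php?section=local_o365'));
}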
/**
 * Handle an authorization request response received from the configured OP.
 *
 * Flow: validate the received 'code' and 'state', consume the stored state record (single use),
 * exchange the code for tokens, decode/verify the id_token against the stored nonce, apply login
 * restrictions, then either fire the user_authed event (system API user setup), migrate an
 * already-logged-in user to OIDC, or perform a normal OIDC login.
 *
 * @param array $authparams Received parameters.
 * @return bool True when the response was handled as a user_authed event; every other path ends in
 *              redirect(), which terminates the request.
 * @throws \moodle_exception On missing code/state, unknown state, missing id_token, or a failed
 *                           restriction check.
 */
protected function handleauthresponse(array $authparams) {
    // $CFG is declared but not used in this method.
    global $DB, $CFG, $SESSION, $STATEADDITIONALDATA, $USER;
    if (!isset($authparams['code'])) {
        \auth_oidc\utils::debug('No auth code received.', 'authcode::handleauthresponse', $authparams);
        throw new \moodle_exception('errorauthnoauthcode', 'auth_oidc');
    }
    if (!isset($authparams['state'])) {
        \auth_oidc\utils::debug('No state received.', 'authcode::handleauthresponse', $authparams);
        throw new \moodle_exception('errorauthunknownstate', 'auth_oidc');
    }
    // Validate and expire state.
    // The state must match a record this plugin created when the authorization request was built.
    $staterec = $DB->get_record('auth_oidc_state', ['state' => $authparams['state']]);
    if (empty($staterec)) {
        throw new \moodle_exception('errorauthunknownstate', 'auth_oidc');
    }
    // Capture the nonce before the record is deleted; it is handed to process_idtoken() below.
    $orignonce = $staterec->nonce;
    $additionaldata = [];
    if (!empty($staterec->additionaldata)) {
        // NOTE(review): this unserializes a DB-stored value and only needs an array back. On PHP 7+
        // passing ['allowed_classes' => false] would prevent object instantiation from a tampered row;
        // the '@' also hides malformed-data notices. Both are worth confirming against the write side.
        $additionaldata = @unserialize($staterec->additionaldata);
        if (!is_array($additionaldata)) {
            $additionaldata = [];
        }
    }
    $STATEADDITIONALDATA = $additionaldata;
    // Delete the state record now so the same state cannot be replayed, even if the token exchange fails.
    $DB->delete_records('auth_oidc_state', ['id' => $staterec->id]);
    // Get token from auth code.
    $client = $this->get_oidcclient();
    $tokenparams = $client->tokenrequest($authparams['code']);
    if (!isset($tokenparams['id_token'])) {
        throw new \moodle_exception('errorauthnoidtoken', 'auth_oidc');
    }
    // Decode and verify idtoken.
    // The original nonce is passed so the id_token can be bound to this request (presumably checked
    // inside process_idtoken() -- not visible here).
    list($oidcuniqid, $idtoken) = $this->process_idtoken($tokenparams['id_token'], $orignonce);
    // Check restrictions.
    // Runs before any session or token record is touched, so a restricted user leaves no trace.
    $passed = $this->checkrestrictions($idtoken);
    if ($passed !== true) {
        $errstr = 'User prevented from logging in due to restrictions.';
        \auth_oidc\utils::debug($errstr, 'handleauthresponse', $idtoken);
        throw new \moodle_exception('errorrestricted', 'auth_oidc');
    }
    // This is for setting the system API user.
    // No login is performed on this path: the event observer receives the raw authparams/tokenparams
    // and is responsible for storing them. The session flag is cleared first so it is one-shot.
    if (isset($SESSION->auth_oidc_justevent)) {
        unset($SESSION->auth_oidc_justevent);
        $eventdata = ['other' => ['authparams' => $authparams, 'tokenparams' => $tokenparams]];
        $event = \auth_oidc\event\user_authed::create($eventdata);
        $event->trigger();
        return true;
    }
    // Check if OIDC user is already migrated.
    $tokenrec = $DB->get_record('auth_oidc_token', ['oidcuniqid' => $oidcuniqid]);
    // Precedence note: '&&' binds tighter than '||', so this reads as
    // isloggedin() && (empty($tokenrec) || (isset($USER->auth) && $USER->auth !== 'oidc')).
    if (isloggedin() === true && (empty($tokenrec) || isset($USER->auth) && $USER->auth !== 'oidc')) {
        // If the user is already logged in we can treat this as a "migration" - a user switching to OIDC.
        // "Connection only" can be requested either via the session flag (consumed here) or via the
        // additional data that was stored with the state record.
        $connectiononly = false;
        if (isset($SESSION->auth_oidc_connectiononly)) {
            $connectiononly = true;
            unset($SESSION->auth_oidc_connectiononly);
        }
        if (isset($STATEADDITIONALDATA['connectiononly']) && $STATEADDITIONALDATA['connectiononly'] === true) {
            $connectiononly = true;
        }
        $this->handlemigration($oidcuniqid, $authparams, $tokenparams, $idtoken, $connectiononly);
        // The redirect target comes from the server-side state record, not from the request; whether it is
        // constrained to a local path when written should be confirmed at the write side.
        $redirect = !empty($additionaldata['redirect']) ? $additionaldata['redirect'] : '/auth/oidc/ucp.php';
        redirect(new \moodle_url($redirect));
    } else {
        // Otherwise it's a user logging in normally with OIDC.
        $this->handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken);
        redirect(core_login_get_return_url());
    }
}