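/**
 * Tries to authenticate the given token. Sets isAuthenticated to TRUE if authentication succeeded.
 *
 * Order of operations for a token in state AUTHENTICATION_NEEDED:
 *  1. the callback signature over the (still encrypted) access token is verified with the SSO server's public key,
 *  2. the access token is decrypted by the SSO client,
 *  3. the access token is redeemed at the SSO server and the returned authentication data is validated,
 *  4. the global account is mapped to a local account and the session is tagged with the global session id.
 * Any failure in steps 1-3 throws; the token is never marked successful with partial data.
 *
 * @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated
 * @return void
 * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException if the token is not a SingleSignOnToken
 * @throws Exception if the callback credentials are incomplete, the signature does not verify, the access token
 *   cannot be decrypted, or the authentication data returned by the server lacks "account" or "sessionId"
 * @Flow\Session(autoStart=true)
 */
public function authenticate(\TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken) {
	if (!$authenticationToken instanceof SingleSignOnToken) {
		throw new \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1351008039);
	}

	$status = $authenticationToken->getAuthenticationStatus();
	if ($status === \TYPO3\Flow\Security\Authentication\TokenInterface::AUTHENTICATION_NEEDED) {
		$credentials = $authenticationToken->getCredentials();
		// Both callback parameters must be present, non-empty strings before any verification happens.
		// A missing key would otherwise silently become NULL and be handed to the signature check / decryption.
		if (!is_array($credentials)
			|| !isset($credentials['signature']) || !is_string($credentials['signature']) || $credentials['signature'] === ''
			|| !isset($credentials['accessToken']) || !is_string($credentials['accessToken']) || $credentials['accessToken'] === '') {
			throw new Exception('Incomplete single sign-on callback credentials: "signature" and "accessToken" are required', 1351690951);
		}
		$signature = $credentials['signature'];
		$accessTokenCipher = $credentials['accessToken'];

		// Verify the signature with the server public key over the ciphertext *before* decrypting,
		// so an unauthenticated caller cannot drive the decryption path with arbitrary input.
		$ssoServer = $this->createSsoServer();
		if (!$ssoServer->verifyCallbackSignature($accessTokenCipher, $signature)) {
			throw new Exception('Could not verify signature of access token', 1351008742);
		}

		$ssoClient = $this->ssoClientFactory->create();
		$accessToken = $ssoClient->decryptCallbackAccessToken($accessTokenCipher);
		// NOTE(review): this relies on decryptCallbackAccessToken() signalling failure with '' — confirm it does not
		// return NULL/FALSE on error, otherwise this check would not catch a failed decryption.
		if ($accessToken === '') {
			throw new Exception('Could not decrypt access token', 1351690950);
		}

		$authenticationData = $ssoServer->redeemAccessToken($ssoClient, $accessToken);
		// The redeemed data drives the local account lookup and the session tag, so "account" and "sessionId"
		// must both be present, non-empty strings. Without this check a missing key yielded a NULL account
		// identifier for the mapper and a session tag with an empty id.
		if (!is_array($authenticationData)
			|| !isset($authenticationData['account']) || !is_string($authenticationData['account']) || $authenticationData['account'] === ''
			|| !isset($authenticationData['sessionId']) || !is_string($authenticationData['sessionId']) || $authenticationData['sessionId'] === '') {
			throw new Exception('Invalid authentication data received from SSO server: "account" and "sessionId" are required', 1351690952);
		}

		$account = $this->globalAccountMapper->getAccount($ssoClient, $authenticationData['account']);
		// NOTE(review): if getAccount() can return NULL for an unknown global account, the token would be marked
		// successful with a NULL account below — confirm the mapper's contract and fail here if that is possible.
		$globalSessionId = $authenticationData['sessionId'];

		// Tag the local session with the global session id so it can later be looked up by that id
		// (presumably for global session termination — verify against the caller that consumes the tag).
		$this->session->addTag('Flowpack_SingleSignOn_Client-' . $globalSessionId);
		$authenticationToken->setGlobalSessionId($globalSessionId);
		$authenticationToken->setAccount($account);
		$authenticationToken->setAuthenticationStatus(\TYPO3\Flow\Security\Authentication\TokenInterface::AUTHENTICATION_SUCCESSFUL);
	} elseif ($status !== \TYPO3\Flow\Security\Authentication\TokenInterface::AUTHENTICATION_SUCCESSFUL) {
		// No credentials to work with and not already authenticated: reset to NO_CREDENTIALS_GIVEN
		$authenticationToken->setAuthenticationStatus(\TYPO3\Flow\Security\Authentication\TokenInterface::NO_CREDENTIALS_GIVEN);
	}
}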