/**
 * Runs the authentication manager over all active tokens.
 *
 * On success the intercepted request stored in the security context (if
 * any) is taken out of the context and handed to onAuthenticationSuccess(),
 * whose result is returned. On failure onAuthenticationFailure() is invoked
 * with the caught AuthenticationRequiredException (or null if none was
 * thrown) and the result of the action named by $this->errorMethodName is
 * returned instead.
 *
 * Note: Usually there is no need to override this action. You should use
 * the according callback methods instead (onAuthenticationSuccess() and
 * onAuthenticationFailure()).
 *
 * @return string
 * @Flow\SkipCsrfProtection
 */
public function authenticateAction()
{
    $caughtException = null;
    try {
        $this->authenticationManager->authenticate();
    } catch (\TYPO3\Flow\Security\Exception\AuthenticationRequiredException $exception) {
        $caughtException = $exception;
    }

    if (!$this->authenticationManager->isAuthenticated()) {
        $this->onAuthenticationFailure($caughtException);
        // The error action is configured by name in $this->errorMethodName.
        return call_user_func(array($this, $this->errorMethodName));
    }

    $interceptedRequest = $this->securityContext->getInterceptedRequest();
    if ($interceptedRequest !== null) {
        // The stored request is handed to the success callback exactly once and then cleared.
        $this->securityContext->setInterceptedRequest(null);
    }

    return $this->onAuthenticationSuccess($interceptedRequest);
}
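/**
 * Receive an SSO authentication callback and trigger authentication
 * through the SingleSignOnProvider.
 *
 * GET /sso/authentication/callback?...
 *
 * After a successful authentication the originally intercepted request, if
 * one is stored in the security context, is redirected to. Only when none is
 * stored does the $callbackUri argument decide the target, and it is then
 * first checked to point to the host of the current request, so that a
 * crafted callback argument cannot turn this action into an open redirect.
 *
 * @param string $callbackUri URI to return to when no intercepted request is stored
 * @return void
 * @throws \Flowpack\SingleSignOn\Client\Exception if authentication did not succeed,
 *         or if $callbackUri is not an acceptable redirect target
 */
public function callbackAction($callbackUri)
{
    $authenticationException = null;
    try {
        $this->authenticationManager->authenticate();
    } catch (\TYPO3\Flow\Security\Exception\AuthenticationRequiredException $exception) {
        $authenticationException = $exception;
    }

    if (!$this->authenticationManager->isAuthenticated()) {
        throw new \Flowpack\SingleSignOn\Client\Exception(
            'Could not authenticate in callbackAction triggered by the SSO server.',
            1366613161,
            $authenticationException
        );
    }

    $storedRequest = $this->securityContext->getInterceptedRequest();
    if ($storedRequest !== null) {
        // Consume the intercepted request so it is not redirected to a second time.
        $this->securityContext->setInterceptedRequest(null);
        $this->redirectToRequest($storedRequest);
        return;
    }

    if (!$this->isAllowedRedirectTarget($callbackUri)) {
        throw new \Flowpack\SingleSignOn\Client\Exception(sprintf(
            'Refusing to redirect to callback URI "%s": it does not point to the current host.',
            $callbackUri
        ));
    }
    $this->redirectToUri($callbackUri);
}

/**
 * Decides whether $uri is acceptable as a redirect target for this client.
 *
 * Accepted are URIs that parse, that carry either no scheme or http/https,
 * and that either name no host or name the host of the current request.
 * Protocol-relative forms ("//host/...") carry a host and are compared too.
 *
 * @param string $uri
 * @return boolean
 */
protected function isAllowedRedirectTarget($uri)
{
    $uri = (string)$uri;
    $parts = parse_url($uri);
    if ($parts === false) {
        return false;
    }
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    if (!isset($parts['host'])) {
        // Relative URI: some browsers read a leading "/\" as "//", so treat it like a foreign host.
        return strpos($uri, '/\\') !== 0;
    }
    $currentHost = $this->request->getHttpRequest()->getUri()->getHost();
    return strcasecmp($parts['host'], (string)$currentHost) === 0;
}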
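/**
 * Discourse SSO endpoint: verifies the signed "sso"/"sig" pair sent by
 * Discourse and, if it checks out, redirects the currently authenticated
 * Crowd user back to Discourse with a signed payload describing the account.
 *
 * When called without arguments (e.g. after the request was intercepted for
 * login), the "sso" and "sig" arguments are taken from the intercepted request.
 *
 * The incoming signature is checked with a constant-time comparison before
 * the payload is decoded; the nonce from the payload is echoed back so
 * Discourse can tie the response to its request.
 *
 * @param string $sso Base64-encoded, URL-encoded payload from Discourse (must contain "nonce")
 * @param string $sig Hex HMAC-SHA256 of $sso under the shared secret
 * @return string An error message when the login cannot be completed; on success
 *                redirectToUri() takes over and nothing is returned
 * @Flow\SkipCsrfProtection
 */
public function authenticateDiscourseUserAction($sso = '', $sig = '')
{
    if ($sso === '' && $sig === '') {
        $interceptedRequest = $this->securityContext->getInterceptedRequest();
        // No intercepted request means there are no arguments to fall back to.
        $argumentsOfInterceptedRequest = $interceptedRequest !== null ? $interceptedRequest->getArguments() : array();
        if (!isset($argumentsOfInterceptedRequest['sso']) || !isset($argumentsOfInterceptedRequest['sig'])) {
            return 'This page needs to be called with valid sso and sig arguments from crowd!';
        }
        $sso = $argumentsOfInterceptedRequest['sso'];
        $sig = $argumentsOfInterceptedRequest['sig'];
    }

    if (!is_string($sso) || !is_string($sig)) {
        return 'Sorry, we couldn\'t log you in';
    }

    $expectedSignature = hash_hmac('sha256', $sso, $this->ssoSecret);
    if (!$this->signaturesMatch($expectedSignature, $sig)) {
        return 'Sorry, we couldn\'t log you in';
    }

    $incomingPayload = array();
    $decodedPayload = base64_decode($sso);
    if ($decodedPayload !== false) {
        parse_str($decodedPayload, $incomingPayload);
    }
    // The nonce is mandatory: without it Discourse cannot match the response to its request.
    if (!isset($incomingPayload['nonce']) || !is_string($incomingPayload['nonce'])) {
        return 'Sorry, we couldn\'t log you in';
    }

    $currentAccount = $this->securityContext->getAccount();
    if ($currentAccount === null) {
        return 'Sorry, we couldn\'t log you in';
    }
    /** @var Person $crowdUser */
    $crowdUser = $this->partyService->getAssignedPartyOfAccount($currentAccount);
    $primaryAddress = $crowdUser !== null ? $crowdUser->getPrimaryElectronicAddress() : null;
    if ($primaryAddress === null) {
        return 'Sorry, we couldn\'t log you in';
    }

    $outgoingPayload = base64_encode(http_build_query(array(
        'nonce' => $incomingPayload['nonce'],
        'email' => $primaryAddress->getIdentifier(),
        'name' => $crowdUser->getName()->getFullName(),
        'username' => $currentAccount->getAccountIdentifier(),
        'external_id' => $currentAccount->getAccountIdentifier(),
    ), '', '&', PHP_QUERY_RFC3986));
    $outgoingSignature = hash_hmac('sha256', $outgoingPayload, $this->ssoSecret);

    $this->redirectToUri(
        sprintf(
            '%s?%s',
            $this->discourseSsoUrl,
            http_build_query(array('sso' => $outgoingPayload, 'sig' => $outgoingSignature), '', '&', PHP_QUERY_RFC3986)
        ),
        0,
        302
    );

    return 'Sorry, we couldn\'t log you in';
}

/**
 * Compares a locally computed signature with one supplied by the caller in
 * constant time, so the comparison does not leak how many leading characters
 * match. Uses hash_equals() where available and a byte-wise fallback otherwise.
 *
 * @param string $known The signature computed on this side
 * @param string $provided The signature supplied by the caller
 * @return boolean
 */
protected function signaturesMatch($known, $provided)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $provided);
    }
    if (strlen($known) !== strlen($provided)) {
        return false;
    }
    $difference = 0;
    for ($i = 0, $length = strlen($known); $i < $length; $i++) {
        $difference |= ord($known[$i]) ^ ord($provided[$i]);
    }
    return $difference === 0;
}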