Fixes for OIDC flow

4a5ba99f · Sonia Zorba · zonia3000 · 9d4ad05d · 4a5ba99f · 4a5ba99f
Commit 4a5ba99f authored 6 years ago by Sonia Zorba Committed by zonia3000 6 years ago
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ Requirements:
 On Ubuntu:
-    sudo apt install apache2 mariadb-server libapache2-mod-php mariadb-server php7.2-xml
+    sudo apt install apache2 mariadb-server libapache2-mod-php mariadb-server php7.2-xml php7.2-mbstring php-mysql
 ### PHP

--- a/classes/JWKSHandler.php
+++ b/classes/JWKSHandler.php
@@ -52,11 +52,13 @@ class JWKSHandler {
            $rsaModulus = $this->getTagContent($publicKeyXML, "Modulus");
            $rsaExponent = $this->getTagContent($publicKeyXML, "Exponent");
+            $urisafeModulus = strtr($rsaModulus, '+/', '-_');
            $jwk = [];
            $jwk['kty'] = "RSA";
            $jwk['kid'] = $keyPair->keyId;
            $jwk['use'] = "sig";
-            $jwk['n'] = $rsaModulus;
+            $jwk['n'] = $urisafeModulus;
            $jwk['e'] = $rsaExponent;
            array_push($keys, $jwk);

--- a/classes/OAuth2RequestHandler.php
+++ b/classes/OAuth2RequestHandler.php
@@ -89,19 +89,16 @@ class OAuth2RequestHandler {
            throw new BadRequestException("Invalid redirect URI: " . $params['redirect_uri']);
        }
-        $token = [];
+        $result = [];
-        //$token['access_token'] = $accessToken->token;
+        $result['access_token'] = $accessToken->token;
-        $token['token_type'] = 'bearer';
+        $result['token_type'] = 'Bearer';
-        $token['expires_in'] = $this->getExpiresIn($accessToken);
+        $result['expires_in'] = $this->getExpiresIn($accessToken);
-        if ($accessToken->scope !== null) {
+        if ($accessToken->scope !== null && in_array('openid', $accessToken->scope)) {
-            $token['access_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
+            $result['id_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
-            //$token['id_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
-        } else {
-            $token['access_token'] = $accessToken->token;
        }
-        return $token;
+        return $result;
    }
    private function validateAccessTokenRequest($params) {
@@ -140,8 +137,10 @@ class OAuth2RequestHandler {
        if ($accessToken->scope !== null) {
            $result['scope'] = $accessToken->scope;
+            if (in_array('openid', $accessToken->scope)) {
                $result['id_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
            }
+        }
        return $result;
    }

--- a/include/front-controller.php
+++ b/include/front-controller.php
@@ -197,36 +197,38 @@ Flight::route('POST /submit-x509-name', function() {
 Flight::route('GET /tou-check', function() {
-    startSession();
+    session_start();
-    global $session, $BASE_PATH, $VERSION;
+    global $locator;
-    if ($session->userToLogin === null) {
+    if ($locator->getSession()->userToLogin === null) {
        die("User data not retrieved.");
    } else {
        Flight::render('tou-check.php', array('title' => 'Terms of Use acceptance',
-            'user' => $session->userToLogin,
+            'user' => $locator->getSession()->userToLogin,
-            'version' => $VERSION,
+            'version' => $locator->getVersion(),
-            'registration_url' => $BASE_PATH . '/register'));
+            'registration_url' => $locator->getBasePath() . '/register'));
    }
 });
 Flight::route('GET /register', function() {
-    startSession();
+    session_start();
-    global $session, $userHandler, $auditLog, $callbackHandler;
+    global $locator;
-    if ($session->userToLogin === null) {
+    if ($locator->getSession()->userToLogin === null) {
        die("User data not retrieved.");
    } else {
+        $session = $locator->getSession();
        $user = $session->userToLogin;
-        $userHandler->saveUser($user);
+        $locator->getUserHandler()->saveUser($user);
        $session->userToLogin = null;
        $session->save();
-        $auditLog->info("LOGIN," . $user->identities[0]->type . "," . $user->id);
+        $locator->getAuditLogger()->info("LOGIN," . $user->identities[0]->type . "," . $user->id);
-        $callbackHandler->manageLoginRedirect($user, $session);
+        $locator->getCallbackHandler()->manageLoginRedirect($user, $session);
    }
 });

--- a/sql/setup-database.sql
+++ b/sql/setup-database.sql
@@ -12,7 +12,7 @@ CREATE TABLE `oauth2_client` (
 CREATE TABLE `oauth2_client_auth_methods` (
  `client_id` int NOT NULL,
-  `auth_method` varchar(255) NOT NULL,
+  `auth_method` varchar(50) NOT NULL,
  PRIMARY KEY (`client_id`, `auth_method`),
  FOREIGN KEY (`client_id`) REFERENCES `oauth2_client`(`id`)
 );
@@ -67,7 +67,7 @@ CREATE TABLE `join_request` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 CREATE TABLE `rsa_keypairs` (
-  `id` varchar(255) NOT NULL,
+  `id` varchar(50) NOT NULL,
  `public_key` text,
  `private_key` text,
  `alg` varchar(255),