From 4a5ba99ff32b7bd9bcd85739664b351a3a417c16 Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Fri, 5 Jul 2019 17:35:00 +0200
Subject: [PATCH] Fixes for OIDC flow
---
 README.md | 2 +-
 classes/JWKSHandler.php | 4 +++-
 classes/OAuth2RequestHandler.php | 21 ++++++++++-----------
 include/front-controller.php | 26 ++++++++++++++------------
 sql/setup-database.sql | 4 ++--
 5 files changed, 30 insertions(+), 27 deletions(-)
diff --git a/README.md b/README.md
index b14acbf..2c54c98 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ Requirements:
 On Ubuntu:
- sudo apt install apache2 mariadb-server libapache2-mod-php mariadb-server php7.2-xml
+ sudo apt install apache2 mariadb-server libapache2-mod-php mariadb-server php7.2-xml php7.2-mbstring php-mysql
 ### PHP
diff --git a/classes/JWKSHandler.php b/classes/JWKSHandler.php
index fb7c87e..48b5822 100644
--- a/classes/JWKSHandler.php
+++ b/classes/JWKSHandler.php
@@ -52,11 +52,13 @@ class JWKSHandler {
 $rsaModulus = $this->getTagContent($publicKeyXML, "Modulus");
 $rsaExponent = $this->getTagContent($publicKeyXML, "Exponent");
+ $urisafeModulus = strtr($rsaModulus, '+/', '-_');
+
 $jwk = [];
 $jwk['kty'] = "RSA";
 $jwk['kid'] = $keyPair->keyId;
 $jwk['use'] = "sig";
- $jwk['n'] = $rsaModulus;
+ $jwk['n'] = $urisafeModulus;
 $jwk['e'] = $rsaExponent;
 array_push($keys, $jwk);
diff --git a/classes/OAuth2RequestHandler.php b/classes/OAuth2RequestHandler.php
index ab21bf2..4d801f6 100644
--- a/classes/OAuth2RequestHandler.php
+++ b/classes/OAuth2RequestHandler.php
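Review bot: The JWK `n` member is still not strictly base64url after the `strtr` swap on the added `$urisafeModulus` line, because RFC 7518 defines `n` and `e` as Base64urlUInt — base64url with no `=` padding — and `strtr` only changes the alphabet; if `getTagContent` returns the standard padded base64 from the XML `<Modulus>` element (not visible here), the trailing `=` survives into the JWKS and stricter verifiers may reject the key. The exponent is passed through untouched on `$jwk['e'] = $rsaExponent;`, so it needs the same treatment even though a typical 65537 exponent (`AQAB`) happens to contain no unsafe characters. I would write `$urisafeModulus = rtrim(strtr($rsaModulus, '+/', '-_'), '=');` and `$jwk['e'] = rtrim(strtr($rsaExponent, '+/', '-_'), '=');`. The enclosing method starts and ends outside the hunk.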
@@ -89,19 +89,16 @@ class OAuth2RequestHandler {
 throw new BadRequestException("Invalid redirect URI: " . $params['redirect_uri']);
 }
- $token = [];
- //$token['access_token'] = $accessToken->token;
- $token['token_type'] = 'bearer';
- $token['expires_in'] = $this->getExpiresIn($accessToken);
+ $result = [];
+ $result['access_token'] = $accessToken->token;
+ $result['token_type'] = 'Bearer';
+ $result['expires_in'] = $this->getExpiresIn($accessToken);
- if ($accessToken->scope !== null) {
- $token['access_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
- //$token['id_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
- } else {
- $token['access_token'] = $accessToken->token;
+ if ($accessToken->scope !== null && in_array('openid', $accessToken->scope)) {
+ $result['id_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
 }
- return $token;
+ return $result;
 }
 private function validateAccessTokenRequest($params) {
@@ -140,7 +137,9 @@ class OAuth2RequestHandler {
 if ($accessToken->scope !== null) {
 $result['scope'] = $accessToken->scope;
- $result['id_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
+ if (in_array('openid', $accessToken->scope)) {
+ $result['id_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
+ }
 }
 return $result;
diff --git a/include/front-controller.php b/include/front-controller.php
index e9d7936..818c116 100644
--- a/include/front-controller.php
+++ b/include/front-controller.php
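Review bot: `in_array('openid', $accessToken->scope)` in the added `if` uses a loose comparison; pass `strict: true` (`in_array('openid', $accessToken->scope, true)`) so the id_token is only issued for an exact `'openid'` scope entry, and the same applies to the second hunk at -140 where the check was added inside the `scope !== null` branch. The `!== null` guard does not establish that `scope` is an array — if it is ever stored as a space-separated string (its type is not visible here), `in_array` raises a `TypeError` instead of simply omitting the id_token, so that assumption is worth documenting on the property or normalising once where the token is loaded. The enclosing method of the first hunk starts before the hunk, and `validateAccessTokenRequest` continues after it.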
@@ -197,36 +197,38 @@ Flight::route('POST /submit-x509-name', function() {
 Flight::route('GET /tou-check', function() {
- startSession();
- global $session, $BASE_PATH, $VERSION;
+ session_start();
+ global $locator;
- if ($session->userToLogin === null) {
+ if ($locator->getSession()->userToLogin === null) {
 die("User data not retrieved.");
 } else {
 Flight::render('tou-check.php', array('title' => 'Terms of Use acceptance',
- 'user' => $session->userToLogin,
- 'version' => $VERSION,
- 'registration_url' => $BASE_PATH . '/register'));
+ 'user' => $locator->getSession()->userToLogin,
+ 'version' => $locator->getVersion(),
+ 'registration_url' => $locator->getBasePath() . '/register'));
 }
 });
 Flight::route('GET /register', function() {
- startSession();
- global $session, $userHandler, $auditLog, $callbackHandler;
+ session_start();
+ global $locator;
- if ($session->userToLogin === null) {
+ if ($locator->getSession()->userToLogin === null) {
 die("User data not retrieved.");
 } else {
+ $session = $locator->getSession();
+
 $user = $session->userToLogin;
- $userHandler->saveUser($user);
+ $locator->getUserHandler()->saveUser($user);
 $session->userToLogin = null;
 $session->save();
- $auditLog->info("LOGIN," . $user->identities[0]->type . "," . $user->id);
- $callbackHandler->manageLoginRedirect($user, $session);
+ $locator->getAuditLogger()->info("LOGIN," . $user->identities[0]->type . "," . $user->id);
+ $locator->getCallbackHandler()->manageLoginRedirect($user, $session);
 }
 });
diff --git a/sql/setup-database.sql b/sql/setup-database.sql
index a390e5a..62ae410 100644
--- a/sql/setup-database.sql
+++ b/sql/setup-database.sql
@@ -12,7 +12,7 @@ CREATE TABLE `oauth2_client` (
 CREATE TABLE `oauth2_client_auth_methods` (
 `client_id` int NOT NULL,
- `auth_method` varchar(255) NOT NULL,
+ `auth_method` varchar(50) NOT NULL,
 PRIMARY KEY (`client_id`, `auth_method`),
 FOREIGN KEY (`client_id`) REFERENCES `oauth2_client`(`id`)
 );
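Review bot: Both routes now call `session_start()` directly where `startSession()` was called before; if that wrapper was where session cookie hardening lived (`cookie_httponly`, `cookie_secure`, id regeneration after login) — its body is not in this hunk — that protection is silently dropped for `/tou-check` and `/register`. Either let `$locator->getSession()` start the session itself so routes never call `session_start()` at all, or pass the options explicitly in one shared place, e.g. `session_start(['cookie_httponly' => true, 'cookie_secure' => true]);`, instead of repeating the bare call per route. The `die("User data not retrieved.")` guard duplicated in both closures would also read better as a single helper. Both route closures are complete within the hunk.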
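Review bot: Shrinking `auth_method` from `varchar(255)` to `varchar(50)` here, and `rsa_keypairs.id` in the following hunk, changes only the setup script; a deployment created from the previous version keeps the wider columns unless an `ALTER TABLE ... MODIFY` is shipped alongside, and one that is altered will reject or truncate values longer than 50 characters depending on `sql_mode`. If the narrowing is driven by index-length limits on the composite primary key or by the length of the key id the application generates (neither is visible here), a one-line comment above each column saying so would make the constraint clear to the next person who touches the schema.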
@@ -67,7 +67,7 @@ CREATE TABLE `join_request` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 CREATE TABLE `rsa_keypairs` (
- `id` varchar(255) NOT NULL,
+ `id` varchar(50) NOT NULL,
 `public_key` text,
 `private_key` text,
 `alg` varchar(255),
-- GitLab