Fixes for OIDC flow

README.md

@@ -11,7 +11,7 @@ Requirements:
 
 On Ubuntu:
 
-    sudo apt install apache2 mariadb-server libapache2-mod-php mariadb-server php7.2-xml
+    sudo apt install apache2 mariadb-server libapache2-mod-php mariadb-server php7.2-xml php7.2-mbstring php-mysql
 
 ### PHP
 

classes/JWKSHandler.php

@@ -52,11 +52,13 @@ class JWKSHandler {
             $rsaModulus = $this->getTagContent($publicKeyXML, "Modulus");
             $rsaExponent = $this->getTagContent($publicKeyXML, "Exponent");
 
+            $urisafeModulus = strtr($rsaModulus, '+/', '-_');
+
             $jwk = [];
             $jwk['kty'] = "RSA";
             $jwk['kid'] = $keyPair->keyId;
             $jwk['use'] = "sig";
-            $jwk['n'] = $rsaModulus;
+            $jwk['n'] = $urisafeModulus;
             $jwk['e'] = $rsaExponent;
 
             array_push($keys, $jwk);

classes/OAuth2RequestHandler.php

@@ -89,19 +89,16 @@ class OAuth2RequestHandler {
             throw new BadRequestException("Invalid redirect URI: " . $params['redirect_uri']);
         }
 
-        $token = [];
-        //$token['access_token'] = $accessToken->token;
-        $token['token_type'] = 'bearer';
-        $token['expires_in'] = $this->getExpiresIn($accessToken);
+        $result = [];
+        $result['access_token'] = $accessToken->token;
+        $result['token_type'] = 'Bearer';
+        $result['expires_in'] = $this->getExpiresIn($accessToken);
 
-        if ($accessToken->scope !== null) {
-            $token['access_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
-            //$token['id_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
-        } else {
-            $token['access_token'] = $accessToken->token;
+        if ($accessToken->scope !== null && in_array('openid', $accessToken->scope)) {
+            $result['id_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
         }
 
-        return $token;
+        return $result;
     }
 
     private function validateAccessTokenRequest($params) {
@@ -140,8 +137,10 @@ class OAuth2RequestHandler {
 
         if ($accessToken->scope !== null) {
             $result['scope'] = $accessToken->scope;
+            if (in_array('openid', $accessToken->scope)) {
                 $result['id_token'] = $this->locator->getIdTokenBuilder()->getIdToken($accessToken);
             }
+        }
 
         return $result;
     }

include/front-controller.php

@@ -197,36 +197,38 @@ Flight::route('POST /submit-x509-name', function() {
 
 Flight::route('GET /tou-check', function() {
 
-    startSession();
-    global $session, $BASE_PATH, $VERSION;
+    session_start();
+    global $locator;
 
-    if ($session->userToLogin === null) {
+    if ($locator->getSession()->userToLogin === null) {
         die("User data not retrieved.");
     } else {
         Flight::render('tou-check.php', array('title' => 'Terms of Use acceptance',
-            'user' => $session->userToLogin,
-            'version' => $VERSION,
-            'registration_url' => $BASE_PATH . '/register'));
+            'user' => $locator->getSession()->userToLogin,
+            'version' => $locator->getVersion(),
+            'registration_url' => $locator->getBasePath() . '/register'));
     }
 });
 
 Flight::route('GET /register', function() {
 
-    startSession();
-    global $session, $userHandler, $auditLog, $callbackHandler;
+    session_start();
+    global $locator;
 
-    if ($session->userToLogin === null) {
+    if ($locator->getSession()->userToLogin === null) {
         die("User data not retrieved.");
     } else {
 
+        $session = $locator->getSession();
+        
         $user = $session->userToLogin;
-        $userHandler->saveUser($user);
+        $locator->getUserHandler()->saveUser($user);
 
         $session->userToLogin = null;
         $session->save();
 
-        $auditLog->info("LOGIN," . $user->identities[0]->type . "," . $user->id);
-        $callbackHandler->manageLoginRedirect($user, $session);
+        $locator->getAuditLogger()->info("LOGIN," . $user->identities[0]->type . "," . $user->id);
+        $locator->getCallbackHandler()->manageLoginRedirect($user, $session);
     }
 });
 

sql/setup-database.sql

@@ -12,7 +12,7 @@ CREATE TABLE `oauth2_client` (
 
 CREATE TABLE `oauth2_client_auth_methods` (
   `client_id` int NOT NULL,
-  `auth_method` varchar(255) NOT NULL,
+  `auth_method` varchar(50) NOT NULL,
   PRIMARY KEY (`client_id`, `auth_method`),
   FOREIGN KEY (`client_id`) REFERENCES `oauth2_client`(`id`)
 );
@@ -67,7 +67,7 @@ CREATE TABLE `join_request` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `rsa_keypairs` (
-  `id` varchar(255) NOT NULL,
+  `id` varchar(50) NOT NULL,
   `public_key` text,
   `private_key` text,
   `alg` varchar(255),