-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathOpenIdLoginAuthenticator.php
More file actions
86 lines (72 loc) · 3.15 KB
/
Copy pathOpenIdLoginAuthenticator.php
File metadata and controls
86 lines (72 loc) · 3.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
<?php
namespace ItkDev\OpenIdConnectBundle\Security;
use ItkDev\OpenIdConnect\Exception\OpenIdConnectExceptionInterface;
use ItkDev\OpenIdConnect\Exception\ValidationException;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
/**
* Authenticator for OpenId Connect login.
*/
abstract class OpenIdLoginAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface
{
/**
* OpenIdLoginAuthenticator constructor.
*/
public function __construct(
private readonly OpenIdConfigurationProviderManager $providerManager,
) {
}
public function supports(Request $request): ?bool
{
// Check if request has state and code
return $request->query->has('state') && $request->query->has('code');
}
/**
* Validate oidc claims.
*
* @return array<string, string> Array of claims
*
* @throws OpenIdConnectExceptionInterface
*/
protected function validateClaims(Request $request): array
{
$session = $request->getSession();
$providerKey = $session->remove('oauth2provider');
$providerKey = is_string($providerKey) ? $providerKey : '';
$provider = $this->providerManager->getProvider($providerKey);
// Make sure state and oauth2state are the same
$oauth2state = $session->remove('oauth2state');
if ($request->query->get('state') !== $oauth2state) {
throw new ValidationException('Invalid state');
}
$oauth2nonce = $session->remove('oauth2nonce');
if (!is_string($oauth2nonce) || '' === $oauth2nonce) {
throw new ValidationException('Nonce empty or not found');
}
try {
$code = $request->query->get('code');
if (!is_string($code)) {
throw new ValidationException('Missing or invalid code');
}
$idToken = $provider->getIdToken($code);
$claims = $provider->validateIdToken($idToken, $oauth2nonce);
// Authentication successful
} catch (OpenIdConnectExceptionInterface $exception) {
// Handle failed authentication
throw new ValidationException($exception->getMessage(), previous: $exception);
}
/** @var array<string, string> $claimsArray */
$claimsArray = (array) $claims;
return $claimsArray + ['open_id_connect_provider' => $providerKey];
}
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
{
// Preserve the cause so logs and error reporters can see what actually
// failed (timeout, signature mismatch, wrong nonce, etc.). Symfony's
// security component renders only the safe message key to the user.
throw new AuthenticationException(sprintf('Error occurred validating openid login: %s', $exception->getMessage()), $exception->getCode(), $exception);
}
}