<?php
namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller;
use App\Services\EloquentOidcUserRepo;
use App\Services\OidcUserResolver;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Jumbojett\OpenIDConnectClient;
// NOTE: jumbojett uses raw $_SESSION for OIDC state/nonce. Verify in Phase 5 that
// state validation actually works under Laravel's session middleware — if it does
// not, add a session_start() shim or inject a custom OIDC session handler.
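/**
 * Login via an external OpenID Connect provider.
 *
 * `login()` starts the authorization-code flow, `callback()` finishes it and
 * maps the provider identity onto a local Heimdall user. Every failure path
 * lands on the password login page carrying an `oidc_error` code, so the user
 * is never left on a blank page and the operator can see why in the logs.
 * All provider settings come from `config('services.oidc.*')`.
 */
class OidcController extends Controller
{
    /**
     * Start the OIDC authorization-code flow.
     *
     * When OIDC is disabled the user is sent straight to the password form.
     * `authenticate()` is expected to send the 302 to the provider and end the
     * request; if control comes back here nothing was sent, which is logged
     * and surfaced as `login_redirect_unexpected_return`.
     */
    public function login(Request $request): RedirectResponse
    {
        if (!config('services.oidc.enabled')) {
            return $this->passwordLogin();
        }

        try {
            $this->client()->authenticate(); // 302 to Authentik
        } catch (\Throwable $e) {
            Log::error('OIDC login redirect failed', ['err' => $e->getMessage()]);
            return $this->passwordLogin('login_redirect_failed');
        }

        Log::error('OIDC authenticate() returned unexpectedly without redirecting');
        return $this->passwordLogin('login_redirect_unexpected_return');
    }

    /**
     * Finish the OIDC flow: validate the provider response, resolve the local
     * account and sign the user in.
     *
     * The resolver may refuse the identity at two points (username mapping and
     * find-or-provision); each refusal is logged and its error code is passed
     * back to the login page.
     */
    public function callback(Request $request): RedirectResponse
    {
        if (!config('services.oidc.enabled')) {
            return $this->passwordLogin();
        }

        try {
            $oidc = $this->client();
            // On the callback leg authenticate() processes the provider's
            // response instead of redirecting (state check, code exchange,
            // token verification are the library's responsibility).
            $oidc->authenticate();
            // Reading claims and fetching userinfo can fail as well (network,
            // malformed response); keep them inside the try so the user gets
            // a clean redirect instead of an unhandled exception.
            $sub = $oidc->getVerifiedClaims('sub');
            $userInfo = $oidc->requestUserInfo();
        } catch (\Throwable $e) {
            Log::error('OIDC callback authenticate() failed', [
                'err' => $e->getMessage(),
                'trace' => $e->getTraceAsString(),
            ]);
            return $this->passwordLogin('callback_failed');
        }

        $email = $userInfo->email ?? '';
        // preferred_username is the primary identity; email is the fallback.
        $username = $userInfo->preferred_username ?? $email;
        $name = $userInfo->name ?? $username;
        // Audit trail of which identity the provider asserted; note this puts
        // email and display name into the application log.
        Log::info('OIDC userinfo', compact('sub', 'username', 'email', 'name'));

        $resolver = new OidcUserResolver(
            usernameMap: $this->parseUsernameMap(config('services.oidc.username_map') ?? ''),
            autoProvision: (bool) config('services.oidc.auto_provision'),
            adminBreakGlassUsername: config('services.oidc.admin_breakglass_username'),
            userRepo: new EloquentOidcUserRepo(),
        );

        [$heimdallUsername, $err] = $resolver->resolveUsername($username);
        if ($err) {
            Log::warning('OIDC username resolve refused', ['err' => $err, 'username' => $username]);
            return $this->passwordLogin($err);
        }

        [$user, $err] = $resolver->findOrProvision($heimdallUsername, $email);
        if ($err) {
            Log::warning('OIDC find-or-provision refused', ['err' => $err, 'username' => $heimdallUsername]);
            return $this->passwordLogin($err);
        }

        Auth::login($user, true);
        session(['current_user' => $user]);
        Log::info('OIDC login success', ['username' => $heimdallUsername, 'sub' => $sub]);

        return redirect('/');
    }

    /**
     * Redirect to the password login page, optionally carrying an OIDC error code.
     *
     * The code is URL-encoded so a value containing '&', '=' or non-ASCII
     * characters cannot break the query string or smuggle in extra parameters.
     * Resolver error codes are assumed to be short plain strings — confirm
     * against OidcUserResolver.
     *
     * @param string|null $errorCode  value for `oidc_error`; null or '' omits it
     */
    private function passwordLogin(?string $errorCode = null): RedirectResponse
    {
        $url = '/login?password=1';
        if ($errorCode !== null && $errorCode !== '') {
            $url .= '&oidc_error=' . rawurlencode($errorCode);
        }

        return redirect($url);
    }

    /**
     * Parse the `services.oidc.username_map` setting.
     *
     * Format: comma-separated `idpname:localname` pairs; whitespace around
     * either side is trimmed. Entries without a ':' are skipped, as are entries
     * whose IdP-side key is empty — an empty key would otherwise match an
     * identity that carries neither preferred_username nor email.
     *
     * @return array<string, string>  IdP username => Heimdall username
     */
    private function parseUsernameMap(string $raw): array
    {
        $map = [];
        foreach (explode(',', $raw) as $pair) {
            if (!str_contains($pair, ':')) {
                continue;
            }
            [$from, $to] = explode(':', $pair, 2);
            $from = trim($from);
            if ($from === '') {
                continue;
            }
            $map[$from] = trim($to);
        }

        return $map;
    }

    /**
     * Build a fully configured OIDC client: issuer/credentials from config,
     * TLS verification pinned on, redirect URI and scopes applied. Both the
     * login and callback legs use the same settings, so they share this.
     */
    private function client(): OpenIDConnectClient
    {
        $oidc = new OpenIDConnectClient(
            config('services.oidc.issuer'),
            config('services.oidc.client_id'),
            config('services.oidc.client_secret'),
        );
        // Certificate and hostname verification of the provider must stay on;
        // the token exchange carries the client secret and the ID token.
        $oidc->setVerifyHost(true);
        $oidc->setVerifyPeer(true);
        $oidc->setRedirectURL(config('services.oidc.redirect_uri'));
        $oidc->addScope(config('services.oidc.scopes'));

        return $oidc;
    }
}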