|
|
|
|
@ -734,13 +734,11 @@ class OpenIDConnectClient
|
|
|
|
|
/**
|
|
|
|
|
* Start Here
|
|
|
|
|
* @return void
|
|
|
|
|
* @throws OpenIDConnectClientException
|
|
|
|
|
* @throws Exception
|
|
|
|
|
*/
|
|
|
|
|
private function requestAuthorization() {
|
|
|
|
|
|
|
|
|
|
$auth_endpoint = $this->getProviderConfigValue('authorization_endpoint');
|
|
|
|
|
$response_type = 'code';
|
|
|
|
|
public function getAuthorizationUrl()
|
|
|
|
|
{
|
|
|
|
|
$auth_endpoint = $this->getProviderConfigValue("authorization_endpoint");
|
|
|
|
|
$response_type = "code";
|
|
|
|
|
|
|
|
|
|
// Generate and store a nonce in the session
|
|
|
|
|
// The nonce is an arbitrary value
|
|
|
|
|
@ -749,45 +747,29 @@ class OpenIDConnectClient
|
|
|
|
|
// State essentially acts as a session key for OIDC
|
|
|
|
|
$state = $this->setState($this->generateRandString());
|
|
|
|
|
|
|
|
|
|
$auth_params = array_merge($this->authParams, [
|
|
|
|
|
$auth_params = array_merge($this->authParams, array(
|
|
|
|
|
'response_type' => $response_type,
|
|
|
|
|
'redirect_uri' => $this->getRedirectURL(),
|
|
|
|
|
'client_id' => $this->clientID,
|
|
|
|
|
'nonce' => $nonce,
|
|
|
|
|
'state' => $state,
|
|
|
|
|
'scope' => 'openid'
|
|
|
|
|
]);
|
|
|
|
|
));
|
|
|
|
|
|
|
|
|
|
// If the client has been registered with additional scopes
|
|
|
|
|
if (count($this->scopes) > 0) {
|
|
|
|
|
$auth_params = array_merge($auth_params, ['scope' => implode(' ', array_merge($this->scopes, ['openid']))]);
|
|
|
|
|
if (sizeof($this->scopes) > 0) {
|
|
|
|
|
$auth_params = array_merge($auth_params, array('scope' => implode(' ', $this->scopes)));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If the client has been registered with additional response types
|
|
|
|
|
if (count($this->responseTypes) > 0) {
|
|
|
|
|
$auth_params = array_merge($auth_params, ['response_type' => implode(' ', $this->responseTypes)]);
|
|
|
|
|
if (sizeof($this->responseTypes) > 0) {
|
|
|
|
|
$auth_params = array_merge($auth_params, array('response_type' => implode(' ', $this->responseTypes)));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If the client supports Proof Key for Code Exchange (PKCE)
|
|
|
|
|
$codeChallengeMethod = $this->getCodeChallengeMethod();
|
|
|
|
|
if (!empty($codeChallengeMethod) && in_array($codeChallengeMethod, $this->getProviderConfigValue('code_challenge_methods_supported', []), true)) {
|
|
|
|
|
$codeVerifier = bin2hex(random_bytes(64));
|
|
|
|
|
$this->setCodeVerifier($codeVerifier);
|
|
|
|
|
if (!empty($this->pkceAlgs[$codeChallengeMethod])) {
|
|
|
|
|
$codeChallenge = rtrim(strtr(base64_encode(hash($this->pkceAlgs[$codeChallengeMethod], $codeVerifier, true)), '+/', '-_'), '=');
|
|
|
|
|
} else {
|
|
|
|
|
$codeChallenge = $codeVerifier;
|
|
|
|
|
}
|
|
|
|
|
$auth_params = array_merge($auth_params, [
|
|
|
|
|
'code_challenge' => $codeChallenge,
|
|
|
|
|
'code_challenge_method' => $codeChallengeMethod
|
|
|
|
|
]);
|
|
|
|
|
}
|
|
|
|
|
$auth_endpoint .= (strpos($auth_endpoint, '?') === false ? '?' : '&') . http_build_query($auth_params);
|
|
|
|
|
|
|
|
|
|
$auth_endpoint .= (strpos($auth_endpoint, '?') === false ? '?' : '&') . http_build_query($auth_params, '', '&', $this->encType);
|
|
|
|
|
|
|
|
|
|
$this->commitSession();
|
|
|
|
|
$this->redirect($auth_endpoint);
|
|
|
|
|
session_commit();
|
|
|
|
|
return $auth_endpoint;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -967,7 +949,7 @@ class OpenIDConnectClient
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Convert token params to string format
|
|
|
|
|
$post_params = http_build_query($post_data, null, '&', $this->encType);
|
|
|
|
|
$post_params = http_build_query($post_data, '', '&', $this->encType);
|
|
|
|
|
|
|
|
|
|
return json_decode($this->fetchURL($token_endpoint, $post_params, $headers), false);
|
|
|
|
|
}
|
|
|
|
|
|
