
function openid_connect_complete_authorization in OpenID Connect / OAuth client 7

Same name and namespace in other branches
  1. 8 openid_connect.module \openid_connect_complete_authorization()

Complete the authorization after tokens have been retrieved.

Parameters

OpenIDConnectClientInterface $client: The client.

array $tokens: The tokens as returned from OpenIDConnectClientInterface::retrieveTokens().

string|array &$destination: The path to redirect to after authorization.

Return value

bool TRUE on success, FALSE on failure.

1 call to openid_connect_complete_authorization()
openid_connect_redirect_page in includes/openid_connect.pages.inc
Page callback: Page to which the OpenID Connect login provider redirects.

File

./openid_connect.module, line 792
A pluggable client implementation for the OpenID Connect protocol.

Code

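/**
 * Complete the authorization after tokens have been retrieved.
 *
 * The account is looked up by the provider's "sub" claim together with the
 * client name, never by e-mail address alone. The e-mail address is only used
 * when a new account has to be created, and creation is refused when the
 * address is already taken, so an existing local account is never silently
 * attached to a provider identity.
 *
 * @param OpenIDConnectClientInterface $client
 *   The client.
 * @param array $tokens
 *   The tokens as returned from OpenIDConnectClientInterface::retrieveTokens().
 *   Both 'id_token' and 'access_token' must be present and non-empty.
 * @param string|array $destination
 *   The path to redirect to after authorization.
 *
 * @return bool
 *   TRUE on success, FALSE on failure.
 *
 * @throws \RuntimeException
 *   If a user is already logged in.
 */
function openid_connect_complete_authorization($client, $tokens, &$destination) {
  if (user_is_logged_in()) {
    throw new \RuntimeException('User already logged in');
  }

  // Both tokens are needed below. Without this guard a missing key is an
  // undefined index notice and NULL is handed to the client methods; fail
  // cleanly and log instead.
  if (empty($tokens['id_token']) || empty($tokens['access_token'])) {
    watchdog('openid_connect', 'Missing id_token or access_token from @provider', array(
      '@provider' => $client->getLabel(),
    ), WATCHDOG_ERROR);
    return FALSE;
  }

  $user_data = $client->decodeIdToken($tokens['id_token']);
  $userinfo = $client->retrieveUserInfo($tokens['access_token']);

  // An e-mail address is mandatory for both the lookup path and account
  // creation.
  if (empty($userinfo['email'])) {
    watchdog('openid_connect', 'No e-mail address provided by @provider', array(
      '@provider' => $client->getLabel(),
    ), WATCHDOG_ERROR);
    return FALSE;
  }

  // "sub" is the stable identifier the account mapping is keyed on.
  $sub = openid_connect_extract_sub($user_data, $userinfo);
  if (empty($sub)) {
    watchdog('openid_connect', 'No "sub" found from @provider', array(
      '@provider' => $client->getLabel(),
    ), WATCHDOG_ERROR);
    return FALSE;
  }

  $client_name = $client->getName();
  $account = openid_connect_user_load_by_sub($sub, $client_name);
  $results = module_invoke_all('openid_connect_pre_authorize', $tokens, $account, $userinfo, $client_name);

  // Deny access if any module returns FALSE.
  if (in_array(FALSE, $results, TRUE)) {
    watchdog('openid_connect', 'Login denied for @email via pre-authorize hook.', array(
      '@email' => $userinfo['email'],
    ), WATCHDOG_ERROR);
    return FALSE;
  }

  if ($account) {
    // An existing account was found. Save user claims.
    if (variable_get('openid_connect_always_save_userinfo', TRUE)) {
      openid_connect_save_userinfo($account, $userinfo);
    }
    $account_is_new = FALSE;
  }
  else {
    // Check whether the e-mail address is valid.
    if (!filter_var($userinfo['email'], FILTER_VALIDATE_EMAIL)) {
      drupal_set_message(t('The e-mail address %mail is not valid.', array(
        '%mail' => $userinfo['email'],
      )), 'error');
      return FALSE;
    }

    // Check whether there is an e-mail address conflict. A provider-supplied
    // address matching an existing local account must not result in that
    // account being reused; the caller has to resolve the conflict explicitly.
    if (user_load_by_mail($userinfo['email'])) {
      drupal_set_message(t('The e-mail address %email is already taken.', array(
        '%email' => $userinfo['email'],
      )), 'error');
      return FALSE;
    }

    // Create a new account.
    $account = openid_connect_create_user($sub, $userinfo, $client_name);

    // Reload $account in case it has been altered in a user hook elsewhere.
    $account = user_load($account->uid);
    openid_connect_save_userinfo($account, $userinfo);
    $account_is_new = TRUE;
  }

  openid_connect_login_user($account, $destination);
  module_invoke_all('openid_connect_post_authorize', $tokens, $account, $userinfo, $client_name, $account_is_new);
  return TRUE;
}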