View source
<?php
namespace Drupal\openid_connect\Controller;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Logger\LoggerChannelFactoryInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Url;
use Drupal\openid_connect\Plugin\OpenIDConnectClientManager;
use Drupal\openid_connect\Plugin\OpenIDConnectClientInterface;
use Drupal\openid_connect\OpenIDConnect;
use Drupal\openid_connect\OpenIDConnectStateTokenInterface;
use Drupal\user\UserInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
class OpenIDConnectRedirectController extends ControllerBase implements AccessInterface {
protected $pluginManager;
protected $stateToken;
protected $requestStack;
protected $loggerFactory;
protected $openIDConnect;
public function __construct(OpenIDConnectClientManager $plugin_manager, OpenIDConnect $openid_connect, OpenIDConnectStateTokenInterface $state_token, RequestStack $request_stack, LoggerChannelFactoryInterface $logger_factory) {
$this->pluginManager = $plugin_manager;
$this->openIDConnect = $openid_connect;
$this->stateToken = $state_token;
$this->requestStack = $request_stack;
$this->loggerFactory = $logger_factory;
}
public static function create(ContainerInterface $container) {
return new static($container
->get('plugin.manager.openid_connect_client'), $container
->get('openid_connect.openid_connect'), $container
->get('openid_connect.state_token'), $container
->get('request_stack'), $container
->get('logger.factory'));
}
public function access() {
$request = $this->requestStack
->getCurrentRequest();
$state_token = $request
->get('state');
if ($state_token && $this->stateToken
->confirm($state_token)) {
return AccessResult::allowed();
}
return AccessResult::forbidden();
}
public function authenticate($client_name) {
$request = $this->requestStack
->getCurrentRequest();
unset($_SESSION['openid_connect_state']);
$parameters = [
'destination' => 'user',
'op' => 'login',
'connect_uid' => NULL,
];
foreach ($parameters as $key => $default) {
if (isset($_SESSION['openid_connect_' . $key])) {
$parameters[$key] = $_SESSION['openid_connect_' . $key];
unset($_SESSION['openid_connect_' . $key]);
}
}
$destination = $parameters['destination'];
$configuration = $this
->config('openid_connect.settings.' . $client_name)
->get('settings');
$client = $this->pluginManager
->createInstance($client_name, $configuration);
if (!$request
->get('error') && (!$client instanceof OpenIDConnectClientInterface || !$request
->get('code'))) {
throw new NotFoundHttpException();
}
$provider_param = [
'@provider' => $client
->getPluginDefinition()['label'],
];
if ($request
->get('error')) {
if (in_array($request
->get('error'), [
'interaction_required',
'login_required',
'account_selection_required',
'consent_required',
])) {
$this
->messenger()
->addWarning($this
->t('Logging in with @provider has been canceled.', $provider_param));
}
else {
$variables = [
'@error' => $request
->get('error'),
'@details' => $request
->get('error_description') ? $request
->get('error_description') : $this
->t('Unknown error.'),
];
$message = 'Authorization failed: @error. Details: @details';
$this->loggerFactory
->get('openid_connect_' . $client_name)
->error($message, $variables);
$this
->messenger()
->addError($this
->t('Could not authenticate with @provider.', $provider_param));
}
}
else {
$tokens = $client
->retrieveTokens($request
->get('code'));
if ($tokens) {
if ($parameters['op'] === 'login') {
$success = $this->openIDConnect
->completeAuthorization($client, $tokens, $destination);
if (!$success) {
$register = $this
->config('user.settings')
->get('register');
$register_override = $this
->config('openid_connect.settings')
->get('override_registration_settings');
if ($register === UserInterface::REGISTER_ADMINISTRATORS_ONLY && $register_override) {
$register = UserInterface::REGISTER_VISITORS;
}
switch ($register) {
case UserInterface::REGISTER_ADMINISTRATORS_ONLY:
case UserInterface::REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL:
break;
default:
$this
->messenger()
->addError($this
->t('Logging in with @provider could not be completed due to an error.', $provider_param));
break;
}
}
}
elseif ($parameters['op'] === 'connect' && $parameters['connect_uid'] === $this
->currentUser()
->id()) {
$success = $this->openIDConnect
->connectCurrentUser($client, $tokens);
if ($success) {
$this
->messenger()
->addMessage($this
->t('Account successfully connected with @provider.', $provider_param));
}
else {
$this
->messenger()
->addError($this
->t('Connecting with @provider could not be completed due to an error.', $provider_param));
}
}
}
else {
$this
->messenger()
->addError($this
->t('Failed to get authentication tokens for @provider. Check logs for further details.', $provider_param));
}
}
if (is_array($destination)) {
$query = !empty($destination[1]['query']) ? '?' . $destination[1]['query'] : '';
$redirect = Url::fromUri('internal:/' . ltrim($destination[0], '/') . $query)
->toString();
}
else {
$redirect = Url::fromUri('internal:/' . ltrim($destination, '/'))
->toString();
}
return new RedirectResponse($redirect);
}
}