public function OpenIDConnect::completeAuthorization in OpenID Connect / OAuth client 8
Same name and namespace in other branches
- 2.x src/OpenIDConnect.php \Drupal\openid_connect\OpenIDConnect::completeAuthorization()
Complete the authorization after tokens have been retrieved.
Parameters
\Drupal\openid_connect\Plugin\OpenIDConnectClientInterface $client: The client.
array $tokens: The tokens as returned by OpenIDConnectClientInterface::retrieveTokens().
string|array $destination: The path to redirect to after authorization.
Return value
bool TRUE on success, FALSE on failure.
File
- src/
OpenIDConnect.php, line 301
Class
- OpenIDConnect
- Main service of the OpenID Connect module.
Namespace
Drupal\openid_connectCode
public function completeAuthorization(OpenIDConnectClientInterface $client, array $tokens, &$destination) {
if ($this->currentUser
->isAuthenticated()) {
throw new \RuntimeException('User already logged in');
}
$context = $this
->buildContext($client, $tokens);
if ($context === FALSE) {
return FALSE;
}
$account = $context['account'];
if ($account !== FALSE) {
// An existing account was found. Save user claims.
if ($this->configFactory
->get('openid_connect.settings')
->get('always_save_userinfo')) {
$this
->saveUserinfo($account, $context + [
'is_new' => FALSE,
]);
}
}
else {
// Check whether the e-mail address is valid.
$email = $context['userinfo']['email'];
if (!$this->emailValidator
->isValid($email)) {
$this->messenger
->addError($this
->t('The e-mail address is not valid: @email', [
'@email' => $email,
]));
return FALSE;
}
// Check whether there is an e-mail address conflict.
$accounts = $this->userStorage
->loadByProperties([
'mail' => $email,
]);
if ($accounts) {
/** @var \Drupal\user\UserInterface|bool $account */
$account = reset($accounts);
$connect_existing_users = $this->configFactory
->get('openid_connect.settings')
->get('connect_existing_users');
if ($connect_existing_users) {
// Connect existing user account with this sub.
$this->authmap
->createAssociation($account, $client
->getPluginId(), $context['sub']);
}
else {
$this->messenger
->addError($this
->t('The e-mail address is already taken: @email', [
'@email' => $email,
]));
return FALSE;
}
}
// Check Drupal user register settings before saving.
$register = $this->configFactory
->get('user.settings')
->get('register');
// Respect possible override from OpenID-Connect settings.
$register_override = $this->configFactory
->get('openid_connect.settings')
->get('override_registration_settings');
if ($register === UserInterface::REGISTER_ADMINISTRATORS_ONLY && $register_override) {
$register = UserInterface::REGISTER_VISITORS;
}
if (empty($account)) {
switch ($register) {
case UserInterface::REGISTER_ADMINISTRATORS_ONLY:
// Deny user registration.
$this->messenger
->addError($this
->t('Only administrators can register new accounts.'));
return FALSE;
case UserInterface::REGISTER_VISITORS:
// Create a new account if register settings is set to visitors or
// override is active.
$account = $this
->createUser($context['sub'], $context['userinfo'], $client
->getPluginId(), 1);
break;
case UserInterface::REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL:
// Create a new account and inform the user of the pending approval.
$account = $this
->createUser($context['sub'], $context['userinfo'], $client
->getPluginId(), 0);
$this->messenger
->addMessage($this
->t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.'));
break;
}
}
// Store the newly created account.
$this
->saveUserinfo($account, $context + [
'is_new' => TRUE,
]);
$this->authmap
->createAssociation($account, $client
->getPluginId(), $context['sub']);
}
// Whether the user should not be logged in due to pending administrator
// approval.
if ($account
->isBlocked()) {
if (empty($context['is_new'])) {
$this->messenger
->addError($this
->t('The username %name has not been activated or is blocked.', [
'%name' => $account
->getAccountName(),
]));
}
return FALSE;
}
$this
->loginUser($account);
$this->moduleHandler
->invokeAll('openid_connect_post_authorize', [
$account,
$context,
]);
return TRUE;
}