
public function OpenIDConnect::completeAuthorization in OpenID Connect / OAuth client 8

Same name and namespace in other branches
  1. 2.x src/OpenIDConnect.php \Drupal\openid_connect\OpenIDConnect::completeAuthorization()

Complete the authorization after tokens have been retrieved.

Parameters

\Drupal\openid_connect\Plugin\OpenIDConnectClientInterface $client: The client.

array $tokens: The tokens as returned by OpenIDConnectClientInterface::retrieveTokens().

string|array $destination: The path to redirect to after authorization.

Return value

bool TRUE on success, FALSE on failure. A \RuntimeException is thrown if the current user is already authenticated.

File

src/OpenIDConnect.php, line 301

Class

OpenIDConnect
Main service of the OpenID Connect module.

Namespace

Drupal\openid_connect

Code

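/**
 * Complete the authorization after tokens have been retrieved.
 *
 * Builds the authorization context from the tokens, resolves it to a local
 * account (an already mapped account, an existing account with the same
 * e-mail address, or a newly created account), and logs that account in
 * unless it is blocked.
 *
 * @param \Drupal\openid_connect\Plugin\OpenIDConnectClientInterface $client
 *   The client.
 * @param array $tokens
 *   The tokens as returned by OpenIDConnectClientInterface::retrieveTokens().
 * @param string|array $destination
 *   The path to redirect to after authorization. Taken by reference; this
 *   method neither reads nor modifies it.
 *
 * @return bool
 *   TRUE on success, FALSE on failure.
 *
 * @throws \RuntimeException
 *   If the current user is already authenticated.
 */
public function completeAuthorization(OpenIDConnectClientInterface $client, array $tokens, &$destination) {
  if ($this->currentUser->isAuthenticated()) {
    throw new \RuntimeException('User already logged in');
  }

  $context = $this->buildContext($client, $tokens);
  if ($context === FALSE) {
    return FALSE;
  }

  $settings = $this->configFactory->get('openid_connect.settings');
  $account = $context['account'];

  if ($account !== FALSE) {
    // An existing account was found. Save user claims.
    if ($settings->get('always_save_userinfo')) {
      $this->saveUserinfo($account, $context + ['is_new' => FALSE]);
    }
  }
  else {
    // Check whether the e-mail address is valid. A provider response without
    // an e-mail claim is treated as invalid instead of raising an
    // undefined-index notice and validating NULL.
    $email = isset($context['userinfo']['email']) ? $context['userinfo']['email'] : '';
    if ($email === '' || !$this->emailValidator->isValid($email)) {
      $this->messenger->addError($this->t('The e-mail address is not valid: @email', [
        '@email' => $email,
      ]));
      return FALSE;
    }

    // Check whether there is an e-mail address conflict.
    $associated = FALSE;
    $accounts = $this->userStorage->loadByProperties(['mail' => $email]);
    if ($accounts) {
      /** @var \Drupal\user\UserInterface|bool $account */
      $account = reset($accounts);
      if (!$settings->get('connect_existing_users')) {
        $this->messenger->addError($this->t('The e-mail address is already taken: @email', [
          '@email' => $email,
        ]));
        return FALSE;
      }

      // Connect existing user account with this sub.
      // NOTE(review): the link is made on the e-mail claim alone. Nothing in
      // this method checks that the provider verified the address (for
      // example the OIDC "email_verified" claim), so enabling
      // connect_existing_users means trusting the provider's e-mail claim for
      // access to existing local accounts. Confirm that the provider
      // verifies e-mail ownership before enabling it.
      $this->authmap->createAssociation($account, $client->getPluginId(), $context['sub']);
      $associated = TRUE;
    }

    // Check Drupal user register settings before saving.
    $register = $this->configFactory->get('user.settings')->get('register');

    // Respect possible override from OpenID-Connect settings.
    if ($register === UserInterface::REGISTER_ADMINISTRATORS_ONLY && $settings->get('override_registration_settings')) {
      $register = UserInterface::REGISTER_VISITORS;
    }

    if (empty($account)) {
      switch ($register) {
        case UserInterface::REGISTER_ADMINISTRATORS_ONLY:
          // Deny user registration.
          $this->messenger->addError($this->t('Only administrators can register new accounts.'));
          return FALSE;

        case UserInterface::REGISTER_VISITORS:
          // Create a new account if register settings is set to visitors or
          // override is active.
          $account = $this->createUser($context['sub'], $context['userinfo'], $client->getPluginId(), 1);
          break;

        case UserInterface::REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL:
          // Create a new account and inform the user of the pending approval.
          $account = $this->createUser($context['sub'], $context['userinfo'], $client->getPluginId(), 0);
          $this->messenger->addMessage($this->t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.'));
          break;
      }

      // Fail closed: an unrecognised register setting matches no case above,
      // and createUser() (not shown here) may not yield an account. Without
      // this guard the calls below would run on a non-object.
      if (empty($account)) {
        return FALSE;
      }
    }

    // Store the account's user info. This path is also taken for an existing
    // account that was just connected by e-mail, which is still passed
    // 'is_new' => TRUE, as before.
    $this->saveUserinfo($account, $context + ['is_new' => TRUE]);

    // Associate the account with this sub, unless the e-mail match above
    // already did so; the association is no longer created twice.
    if (!$associated) {
      $this->authmap->createAssociation($account, $client->getPluginId(), $context['sub']);
    }
  }

  // Whether the user should not be logged in due to pending administrator
  // approval.
  if ($account->isBlocked()) {
    // NOTE(review): this method never sets $context['is_new']; the flag is
    // only added to the copies handed to saveUserinfo(). Unless
    // buildContext() provides it, this error is also shown to accounts that
    // were just created and are pending approval. Confirm the intent.
    if (empty($context['is_new'])) {
      $this->messenger->addError($this->t('The username %name has not been activated or is blocked.', [
        '%name' => $account->getAccountName(),
      ]));
    }
    return FALSE;
  }

  $this->loginUser($account);
  $this->moduleHandler->invokeAll('openid_connect_post_authorize', [
    $account,
    $context,
  ]);
  return TRUE;
}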