You are here

class WindowsAadSSOController in OpenID Connect Microsoft Azure Active Directory client 8

Same name and namespace in other branches
  1. 2.0.x src/Controller/WindowsAadSSOController.php \Drupal\openid_connect_windows_aad\Controller\WindowsAadSSOController

Controller routines for Azure AD single sign out user routes.

Hierarchy

Expanded class hierarchy of WindowsAadSSOController

File

src/Controller/WindowsAadSSOController.php, line 17

Namespace

Drupal\openid_connect_windows_aad\Controller
View source
class WindowsAadSSOController extends ControllerBase {

  /**
   * A logger instance.
   *
   * @var \Psr\Log\LoggerInterface
   */
  protected $logger;

  /*
   * @param \Drupal\openid_connect\OpenIDConnectAuthmap $authmap
   *   The authmap storage.
   */
  protected $authmap;

  /**
   * Constructs a WindowsAadSSOController object.
   *
   * @param \Psr\Log\LoggerInterface $logger
   *   A logger instance.
   */
  public function __construct(LoggerInterface $logger, OpenIDConnectAuthmap $authmap) {
    $this->logger = $logger;
    $this->authmap = $authmap;
  }

  /**
   * {@inheritdoc}
   */
  public static function create(ContainerInterface $container) {
    return new static($container
      ->get('logger.factory')
      ->get('openid_connect_windows_aad'), $container
      ->get('openid_connect.authmap'));
  }

  /**
   * Single Sign Out callback to log the current user out.
   *
   * Called by Windows Azure AD when a user logs out of their SSO session from
   * another application such as Office 365.
   *
   * @return \Symfony\Component\HttpFoundation\Response
   *   Either a 200 or 403 response without any content.
   */
  public function signout() {
    $configuration = $this
      ->config('openid_connect.settings.windows_aad');
    $settings = $configuration
      ->get('settings');
    $enabled = $configuration
      ->get('enabled');

    // Check that the windows_aad client is enabled and so is SSOut.
    if ($enabled && isset($settings['enable_single_sign_out']) && $settings['enable_single_sign_out']) {

      // Ensure the user has a connected account.
      $user = \Drupal::currentUser();
      $connected_accounts = $this->authmap
        ->getConnectedAccounts($user);
      $connected = $connected_accounts && isset($connected_accounts['windows_aad']);
      $logged_in = $user
        ->isAuthenticated();

      // Only log the user out if they are logged in and have a connected
      // account. Return a 200 OK in any case since all is good.
      if ($logged_in && $connected) {
        user_logout();
      }
      return new Response('', Response::HTTP_OK);
    }

    // Likely a misconfiguration since SSOut attempts should not be made to the
    // logout uri unless it has been configured in Azure AD; if you had
    // configured it in Azure AD then you should have also enabled SSOut in the
    // OpenID Connect settings. Also, a possible malicious CSRF attempt. Log a
    // warning either way.
    $this->logger
      ->warning('Windows AAD Single Sign Out attempt, but SSOut has not been enabled in the OpenID Connect Windows AAD configuration.');
    return new Response('', Response::HTTP_FORBIDDEN);
  }

  /**
   * Logs the current user out. Overrides UserController::logout().
   *
   * If Single Sign out has been enabled in OpenID Connect Windows AAD config
   * then redirect the user when they try to log out of the app to the Windows
   * single sign out endpoint. They will be logged out of their other SSO apps.
   *
   * @return \Symfony\Component\HttpFoundation\RedirectResponse
   *   A redirection to either the home page or to Azure AD Single Sign out.
   */
  public function logout() {
    $connected = FALSE;
    $configuration = $this
      ->config('openid_connect.settings.windows_aad');
    $settings = $configuration
      ->get('settings');

    // Check that the windows_aad client is enabled and so is SSOut.
    $enabled = $configuration
      ->get('enabled') && isset($settings['enable_single_sign_out']) && $settings['enable_single_sign_out'];

    // Check for a connected account before we log the Drupal user out.
    if ($enabled) {

      // Ensure the user has a connected account.
      $user = \Drupal::currentUser();
      $connected_accounts = $this->authmap
        ->getConnectedAccounts($user);
      $connected = $connected_accounts && isset($connected_accounts['windows_aad']);
    }
    user_logout();
    if ($connected) {

      // Redirect back to the home page once signed out.
      $redirect_uri = Url::fromRoute('<front>', [], [
        'absolute' => TRUE,
      ])
        ->toString(TRUE)
        ->getGeneratedUrl();
      $query_parameters = [
        'post_logout_redirect_uri' => $redirect_uri,
      ];
      $query = UrlHelper::buildQuery($query_parameters);
      $response = new TrustedRedirectResponse('https://login.microsoftonline.com/common/oauth2/v2.0/logout?' . $query);

      // We can't cache the response, since we need the user to get logged out
      // prior to being redirected. The kill switch will prevent the page
      // getting cached when page cache is active.
      \Drupal::service('page_cache_kill_switch')
        ->trigger();
      return $response;
    }

    // No SSOut so do the usual thing and redirect to the front page.
    return $this
      ->redirect('<front>');
  }

}

Members

Namesort descending Modifiers Type Description Overrides
ControllerBase::$configFactory protected property The configuration factory.
ControllerBase::$currentUser protected property The current user service. 1
ControllerBase::$entityFormBuilder protected property The entity form builder.
ControllerBase::$entityManager protected property The entity manager.
ControllerBase::$entityTypeManager protected property The entity type manager.
ControllerBase::$formBuilder protected property The form builder. 2
ControllerBase::$keyValue protected property The key-value storage. 1
ControllerBase::$languageManager protected property The language manager. 1
ControllerBase::$moduleHandler protected property The module handler. 2
ControllerBase::$stateService protected property The state service.
ControllerBase::cache protected function Returns the requested cache bin.
ControllerBase::config protected function Retrieves a configuration object.
ControllerBase::container private function Returns the service container.
ControllerBase::currentUser protected function Returns the current user. 1
ControllerBase::entityFormBuilder protected function Retrieves the entity form builder.
ControllerBase::entityManager Deprecated protected function Retrieves the entity manager service.
ControllerBase::entityTypeManager protected function Retrieves the entity type manager.
ControllerBase::formBuilder protected function Returns the form builder service. 2
ControllerBase::keyValue protected function Returns a key/value storage collection. 1
ControllerBase::languageManager protected function Returns the language manager service. 1
ControllerBase::moduleHandler protected function Returns the module handler. 2
ControllerBase::redirect protected function Returns a redirect response object for the specified route. Overrides UrlGeneratorTrait::redirect
ControllerBase::state protected function Returns the state storage service.
LinkGeneratorTrait::$linkGenerator protected property The link generator. 1
LinkGeneratorTrait::getLinkGenerator Deprecated protected function Returns the link generator.
LinkGeneratorTrait::l Deprecated protected function Renders a link to a route given a route name and its parameters.
LinkGeneratorTrait::setLinkGenerator Deprecated public function Sets the link generator service.
LoggerChannelTrait::$loggerFactory protected property The logger channel factory service.
LoggerChannelTrait::getLogger protected function Gets the logger for a specific channel.
LoggerChannelTrait::setLoggerFactory public function Injects the logger channel factory.
MessengerTrait::$messenger protected property The messenger. 29
MessengerTrait::messenger public function Gets the messenger. 29
MessengerTrait::setMessenger public function Sets the messenger.
RedirectDestinationTrait::$redirectDestination protected property The redirect destination service. 1
RedirectDestinationTrait::getDestinationArray protected function Prepares a 'destination' URL query parameter for use with \Drupal\Core\Url.
RedirectDestinationTrait::getRedirectDestination protected function Returns the redirect destination service.
RedirectDestinationTrait::setRedirectDestination public function Sets the redirect destination service.
StringTranslationTrait::$stringTranslation protected property The string translation service. 1
StringTranslationTrait::formatPlural protected function Formats a string containing a count of items.
StringTranslationTrait::getNumberOfPlurals protected function Returns the number of plurals supported by a given language.
StringTranslationTrait::getStringTranslation protected function Gets the string translation service.
StringTranslationTrait::setStringTranslation public function Sets the string translation service to use. 2
StringTranslationTrait::t protected function Translates a string to the current language or to a given language.
UrlGeneratorTrait::$urlGenerator protected property The url generator.
UrlGeneratorTrait::getUrlGenerator Deprecated protected function Returns the URL generator service.
UrlGeneratorTrait::setUrlGenerator Deprecated public function Sets the URL generator service.
UrlGeneratorTrait::url Deprecated protected function Generates a URL or path for a specific route based on the given parameters.
WindowsAadSSOController::$authmap protected property
WindowsAadSSOController::$logger protected property A logger instance.
WindowsAadSSOController::create public static function Instantiates a new instance of this class. Overrides ControllerBase::create
WindowsAadSSOController::logout public function Logs the current user out. Overrides UserController::logout().
WindowsAadSSOController::signout public function Single Sign Out callback to log the current user out.
WindowsAadSSOController::__construct public function Constructs a WindowsAadSSOController object.