|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace rhertogh\Yii2Oauth2Server\controllers\web\openidconnect; |
|
4
|
|
|
|
|
5
|
|
|
use Lcobucci\JWT\Encoding\JoseEncoder; |
|
6
|
|
|
use Lcobucci\JWT\Signer\Key\InMemory; |
|
7
|
|
|
use Lcobucci\JWT\Signer\Rsa\Sha256; |
|
8
|
|
|
use Lcobucci\JWT\Token\Parser; |
|
9
|
|
|
use Lcobucci\JWT\Validation\Constraint\PermittedFor; |
|
10
|
|
|
use Lcobucci\JWT\Validation\Constraint\RelatedTo; |
|
11
|
|
|
use Lcobucci\JWT\Validation\Constraint\SignedWith; |
|
12
|
|
|
use Lcobucci\JWT\Validation\Validator; |
|
13
|
|
|
use League\OAuth2\Server\RedirectUriValidators\RedirectUriValidator; |
|
14
|
|
|
use rhertogh\Yii2Oauth2Server\controllers\web\base\Oauth2BaseWebAction; |
|
15
|
|
|
use rhertogh\Yii2Oauth2Server\controllers\web\Oauth2OidcController; |
|
16
|
|
|
use rhertogh\Yii2Oauth2Server\helpers\UrlHelper; |
|
17
|
|
|
use rhertogh\Yii2Oauth2Server\interfaces\models\external\user\Oauth2OidcUserInterface; |
|
18
|
|
|
use Yii; |
|
19
|
|
|
use yii\base\InvalidConfigException; |
|
20
|
|
|
use yii\web\BadRequestHttpException; |
|
21
|
|
|
use yii\web\ForbiddenHttpException; |
|
22
|
|
|
use yii\web\Response; |
|
23
|
|
|
use yii\web\UnauthorizedHttpException; |
|
24
|
|
|
|
|
25
|
|
|
/** |
|
26
|
|
|
* @property Oauth2OidcController $controller |
|
27
|
|
|
*/ |
|
28
|
|
|
class Oauth2OidcEndSessionAction extends Oauth2BaseWebAction |
|
29
|
|
|
{ |
|
30
|
|
|
/** |
|
31
|
|
|
* @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html |
|
32
|
|
|
* @return Response |
|
33
|
|
|
* @throws InvalidConfigException |
|
34
|
|
|
*/ |
|
35
|
|
|
public function run() |
|
36
|
|
|
{ |
|
37
|
|
|
$module = $this->controller->module; |
|
38
|
|
|
$request = Yii::$app->request; |
|
|
|
|
|
|
39
|
|
|
$identity = $module->getUserIdentity(); |
|
|
|
|
|
|
40
|
|
|
|
|
41
|
|
|
$logoutVerificationRequired = false; |
|
42
|
|
|
|
|
43
|
|
|
if (!$module->enableOpenIdConnect) { |
|
44
|
|
|
throw new ForbiddenHttpException('OpenID Connect is disabled.'); |
|
45
|
|
|
} |
|
46
|
|
|
|
|
47
|
|
|
if ($identity && !($identity instanceof Oauth2OidcUserInterface)) { |
|
|
|
|
|
|
48
|
|
|
throw new InvalidConfigException('In order to support OpenID Connect ' |
|
49
|
|
|
. get_class($identity) . ' must implement ' . Oauth2OidcUserInterface::class); |
|
50
|
|
|
} |
|
51
|
|
|
|
|
52
|
|
|
$clientIdentifier = $this->getRequestParam($request, 'client_id'); |
|
|
|
|
|
|
53
|
|
|
$idTokenHint = $this->getRequestParam($request, 'id_token_hint'); |
|
54
|
|
|
$state = $this->getRequestParam($request, 'state'); |
|
55
|
|
|
$postLogoutRedirectUri = $this->getRequestParam($request, 'post_logout_redirect_uri'); |
|
56
|
|
|
|
|
57
|
|
|
// The `id_token_hint` is the OIDC id token (https://openid.net/specs/openid-connect-core-1_0.html#IDToken) |
|
|
|
|
|
|
58
|
|
|
if ($idTokenHint) { |
|
59
|
|
|
|
|
60
|
|
|
$parser = new Parser(new JoseEncoder()); |
|
61
|
|
|
|
|
62
|
|
|
$idToken = $parser->parse($idTokenHint); |
|
|
|
|
|
|
63
|
|
|
|
|
64
|
|
|
$validator = new Validator(); |
|
65
|
|
|
|
|
66
|
|
|
if (!$validator->validate($idToken, new SignedWith( |
|
|
|
|
|
|
67
|
|
|
new Sha256(), |
|
68
|
|
|
InMemory::plainText($module->getPublicKey()->getKeyContents()) |
|
69
|
|
|
))) { |
|
|
|
|
|
|
70
|
|
|
throw new UnauthorizedHttpException('Invalid `id_token_hint` signature.'); |
|
71
|
|
|
} |
|
72
|
|
|
|
|
73
|
|
|
if ($clientIdentifier) { |
|
74
|
|
|
if (!$validator->validate($idToken, new PermittedFor($clientIdentifier))) { |
|
|
|
|
|
|
75
|
|
|
throw new UnauthorizedHttpException('Invalid "aud" claim in `id_token_hint`.'); |
|
76
|
|
|
} |
|
77
|
|
|
} else { |
|
78
|
|
|
$audiences = $idToken->claims()->get('aud'); |
|
79
|
|
|
if (count($audiences) === 1) { |
|
|
|
|
|
|
80
|
|
|
$clientIdentifier = $audiences[0]; |
|
81
|
|
|
} else { |
|
82
|
|
|
throw new BadRequestHttpException( |
|
83
|
|
|
'The `client_id` parameter is required when there are multiple audiences' |
|
84
|
|
|
. ' in the "aud" claim of the `id_token_hint`.' |
|
85
|
|
|
); |
|
86
|
|
|
} |
|
87
|
|
|
} |
|
88
|
|
|
|
|
89
|
|
|
if ($identity) { |
|
|
|
|
|
|
90
|
|
|
if (!$validator->validate($idToken, new RelatedTo((string)$identity->getIdentifier()))) { |
|
91
|
|
|
$logoutVerificationRequired = true; |
|
92
|
|
|
} |
|
93
|
|
|
} |
|
94
|
|
|
} else { |
|
95
|
|
|
if (!$module->openIdConnectAllowAnonymousEndSession) { |
|
96
|
|
|
throw new BadRequestHttpException('The `id_token_hint` parameter is required.'); |
|
97
|
|
|
} |
|
98
|
|
|
$logoutVerificationRequired = true; |
|
99
|
|
|
} |
|
100
|
|
|
|
|
101
|
|
|
if ($clientIdentifier) { |
|
102
|
|
|
$client = $module->getClientRepository()->getClientEntity($clientIdentifier); |
|
103
|
|
|
if (!$client || !$client->isEnabled()) { |
|
|
|
|
|
|
104
|
|
|
throw new ForbiddenHttpException('Client "' . $clientIdentifier . '" not found or disabled.'); |
|
105
|
|
|
} |
|
106
|
|
|
} |
|
107
|
|
|
|
|
108
|
|
|
if (!$logoutVerificationRequired) { |
|
109
|
|
|
if (isset($client)) { |
|
110
|
|
|
if (!$client->getOpenIdConnectSkipLogoutValidation()) { |
|
|
|
|
|
|
111
|
|
|
$logoutVerificationRequired = true; |
|
112
|
|
|
} |
|
113
|
|
|
} else { |
|
114
|
|
|
$logoutVerificationRequired = true; |
|
115
|
|
|
} |
|
116
|
|
|
} |
|
117
|
|
|
|
|
118
|
|
|
if ($logoutVerificationRequired) { |
|
119
|
|
|
throw new \LogicException('Not yet implemented'); |
|
120
|
|
|
} |
|
121
|
|
|
|
|
122
|
|
|
$module->logoutUser(); |
|
123
|
|
|
|
|
124
|
|
|
if (empty($client) || empty($postLogoutRedirectUri)) { |
|
125
|
|
|
return $this->controller->goHome(); |
|
126
|
|
|
} |
|
127
|
|
|
|
|
128
|
|
|
$allowedPostLogoutRedirectUris = $client->getPostLogoutRedirectUris(); |
|
129
|
|
|
$validatePostLogoutRedirectUri = $postLogoutRedirectUri; |
|
130
|
|
|
if ($client->isVariableRedirectUriQueryAllowed()) { |
|
131
|
|
|
$validatePostLogoutRedirectUri = UrlHelper::stripQueryAndFragment($validatePostLogoutRedirectUri); |
|
132
|
|
|
} |
|
133
|
|
|
|
|
134
|
|
|
$validator = new RedirectUriValidator($allowedPostLogoutRedirectUris); |
|
135
|
|
|
if (!$validator->validateRedirectUri($validatePostLogoutRedirectUri)) { |
|
|
|
|
|
|
136
|
|
|
throw new UnauthorizedHttpException('Invalid `post_logout_redirect_uri`.'); |
|
137
|
|
|
} |
|
138
|
|
|
|
|
139
|
|
|
$redirectUri = UrlHelper::addQueryParams($postLogoutRedirectUri, ['state' => $state]); |
|
|
|
|
|
|
140
|
|
|
|
|
141
|
|
|
return $this->controller->redirect($redirectUri); |
|
142
|
|
|
} |
|
143
|
|
|
} |
|
144
|
|
|
|
rhertogh /
yii2-oauth2-server
Loading history...
Our type inference engine has found a suspicous assignment of a value to a property. This check raises an issue when a value that can be of a mixed type is assigned to a property that is type hinted more strictly.
For example, imagine you have a variable
$accountIdthat can either hold an Id object or false (if there is no account id yet). Your code now assigns that value to theidproperty of an instance of theAccountclass. This class holds a proper account, so the id value must no longer be false.Either this assignment is in error or a type check should be added for that assignment.