oidc cleanup and discovery
This commit is contained in:
zotlabs
parent
4fdf5d28ca
commit
62925c4c3f
@ -7,27 +7,34 @@ use Zotlabs\Identity\OAuth2Storage;
|
||||
class Authorize extends \Zotlabs\Web\Controller {
|
||||
|
||||
function get() {
|
||||
if (!local_channel()) {
|
||||
if (! local_channel()) {
|
||||
return login();
|
||||
} else {
|
||||
// TODO: Fully implement the dynamic client registration protocol:
|
||||
// OpenID Connect Dynamic Client Registration 1.0 Client Metadata
|
||||
// http://openid.net/specs/openid-connect-registration-1_0.html
|
||||
$app = array(
|
||||
'name' => (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : t('Unknown App')),
|
||||
'icon' => (x($_REQUEST, 'logo_uri') ? $_REQUEST['logo_uri'] : z_root() . '/images/icons/plugin.png'),
|
||||
}
|
||||
else {
|
||||
|
||||
$name = $_REQUEST['client_name'];
|
||||
if(! $name) {
|
||||
$name = (($_REQUEST['client_id']) ?: t('Unknown App'));
|
||||
}
|
||||
|
||||
$app = [
|
||||
'name' => $name,
|
||||
'icon' => (x($_REQUEST, 'logo_uri') ? $_REQUEST['logo_uri'] : z_root() . '/images/icons/plugin.png'),
|
||||
'url' => (x($_REQUEST, 'client_uri') ? $_REQUEST['client_uri'] : ''),
|
||||
);
|
||||
$o .= replace_macros(get_markup_template('oauth_authorize.tpl'), array(
|
||||
'$title' => t('Authorize'),
|
||||
'$authorize' => sprintf( t('Do you authorize the app %s to access your channel data?'), '<a style="float: none;" href="' . $app['url'] . '">' . $app['name'] . '</a> '),
|
||||
'$app' => $app,
|
||||
'$yes' => t('Allow'),
|
||||
'$no' => t('Deny'),
|
||||
'$client_id' => (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : ''),
|
||||
];
|
||||
|
||||
$link = (($app['url']) ? '<a style="float: none;" href="' . $app['url'] . '">' . $app['name'] . '</a> ' : $app['name']);
|
||||
|
||||
$o .= replace_macros(get_markup_template('oauth_authorize.tpl'), [
|
||||
'$title' => t('Authorize'),
|
||||
'$authorize' => sprintf( t('Do you authorize the app %s to access your channel data?'), $link ),
|
||||
'$app' => $app,
|
||||
'$yes' => t('Allow'),
|
||||
'$no' => t('Deny'),
|
||||
'$client_id' => (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : ''),
|
||||
'$redirect_uri' => (x($_REQUEST, 'redirect_uri') ? $_REQUEST['redirect_uri'] : ''),
|
||||
'$state' => (x($_REQUEST, 'state') ? $_REQUEST['state'] : ''),
|
||||
));
|
||||
'$state' => (x($_REQUEST, 'state') ? $_REQUEST['state'] : ''),
|
||||
]);
|
||||
return $o;
|
||||
}
|
||||
}
|
||||
@ -60,17 +67,16 @@ class Authorize extends \Zotlabs\Web\Controller {
|
||||
$request = \OAuth2\Request::createFromGlobals();
|
||||
$response = new \OAuth2\Response();
|
||||
|
||||
// Note, "sub" field must match type and content. $user_id is used to populate - make sure it's a string.
|
||||
$channel = channelx_by_n(local_channel());
|
||||
$user_id = $channel["channel_id"];
|
||||
// Note, "sub" field must match type and content. $user_id is used to populate - make sure it's a string.
|
||||
$channel = channelx_by_n(local_channel());
|
||||
$user_id = $channel['channel_id'];
|
||||
|
||||
// If the client is not registered, add to the database
|
||||
if (!$client = $storage->getClientDetails($client_id)) {
|
||||
// Until "Dynamic Client Registration" is pursued - allow new clients to assign their own secret in the REQUEST
|
||||
$client_secret = (isset($_REQUEST["client_secret"])) ? $_REQUEST["client_secret"] : random_string(16);
|
||||
// Until "Dynamic Client Registration" is pursued - allow new clients to assign their own secret in the REQUEST
|
||||
$client_secret = (isset($_REQUEST['client_secret'])) ? $_REQUEST['client_secret'] : random_string(16);
|
||||
// Client apps are registered per channel
|
||||
$storage->setClientDetails($client_id, $client_secret, $redirect_uri, 'authorization_code', urldecode($_REQUEST["scope"]), $user_id);
|
||||
|
||||
$storage->setClientDetails($client_id, $client_secret, $redirect_uri, 'authorization_code', $_REQUEST['scope'], $user_id);
|
||||
}
|
||||
if (!$client = $storage->getClientDetails($client_id)) {
|
||||
// There was an error registering the client.
|
||||
|
||||
@ -5,19 +5,17 @@ namespace Zotlabs\Module;
|
||||
|
||||
class Oauthinfo extends \Zotlabs\Web\Controller {
|
||||
|
||||
|
||||
function init() {
|
||||
|
||||
$ret = [
|
||||
'issuer' => z_root(),
|
||||
'authorization_endpoint' => z_root() . '/authorize',
|
||||
'token_endpoint' => z_root() . '/token',
|
||||
'userinfo_endpoint' => z_root() . '/userinfo',
|
||||
'scopes_supported' => [ 'openid', 'profile', 'email' ],
|
||||
'response_types_supported' => [ 'code', 'token', 'id_token', 'code id_token', 'token id_token' ]
|
||||
];
|
||||
|
||||
|
||||
json_return_and_die($ret);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
@ -52,6 +52,7 @@ class Well_known extends \Zotlabs\Web\Controller {
|
||||
break;
|
||||
|
||||
case 'oauth-authorization-server':
|
||||
case 'openid-configuration':
|
||||
\App::$argc -= 1;
|
||||
array_shift(\App::$argv);
|
||||
\App::$argv[0] = 'oauthinfo';
|
||||
|
||||
@ -172,6 +172,11 @@ class Wfinger extends \Zotlabs\Web\Controller {
|
||||
'href' => z_root() . '/hcard/' . $r[0]['channel_address']
|
||||
],
|
||||
|
||||
[
|
||||
'rel' => 'http://openid.net/specs/connect/1.0/issuer',
|
||||
'href' => z_root()
|
||||
],
|
||||
|
||||
|
||||
[
|
||||
'rel' => 'http://webfinger.net/rel/profile-page',
|
||||
|
||||
Reference in New Issue
Block a user