commit 4fccc7ecba33495f7e17768e7f540f6c8e8fd3df
parent ce4daece98fd5257fd90b5bc346fdf0ef5577f4f
Author: Jan Dankert <develop@jandankert.de>
Date: Sat, 31 Oct 2020 03:48:03 +0100
Some bad fixes for OIDC to work properly.
Diffstat:
5 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/modules/cms/Dispatcher.class.php b/modules/cms/Dispatcher.class.php
@@ -311,7 +311,7 @@ class Dispatcher
// Daten werden nur angezeigt, die Sitzung kann also schon geschlossen werden.
// Halt! In Index-Action können Benutzer-Logins gesetzt werden.
- if ( ! $this->request->isAction && $this->request->action != 'index' )
+ if ( ! $this->request->isAction && $this->request->action != 'index' && $this->request->method != 'oidc' )
Session::close();
Logger::debug("Dispatcher executing {$this->request->action}/{$this->request->method}/" . $this->request->getRequestId().' -> '.$actionClassName.'#'.$subactionMethodName.'()');
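Review bot: The new exemption on the condition line keys on the method name alone, so any action that happens to expose a GET view called `oidc` would keep the session writable, not just the login flow this commit is fixing; tie it to the action as well: `if ( ! $this->request->isAction && $this->request->action != 'index' && ! ($this->request->action == 'login' && $this->request->method == 'oidc') )`. A why-comment would also help the next reader, since the existing German comment only explains the index case: `// The login/oidc view writes to the session (provider name on the first request, the logged-in user on the callback), so it must stay open.` — the provider-name write is visible in this commit's LoginAction hunk, the user write is inferred from the existing comment and should be confirmed. The enclosing method starts and ends outside the hunk.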
@@ -332,6 +332,10 @@ class Dispatcher
{
// The validation exception is catched here
$do->addValidationError( $ve->fieldName,$ve->key );
+
+ if ( !$this->request->isAction )
+ // Validation exceptions should only be thrown in POST requests.
+ throw new BadMethodCallException("Validation error in GET request",0,$ve);
}
catch (\ReflectionException $re)
{
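Review bot: The throw added after addValidationError discards the only information that identifies the failing parameter: the message is a fixed string and `$ve->fieldName`/`$ve->key` survive only in the wrapped previous exception, which most error handlers do not print. Include them, e.g. `throw new BadMethodCallException("Validation error in GET request: {$ve->fieldName} ({$ve->key})", 0, $ve);`, and move the `isAction` check above the addValidationError call so the error is not recorded on a response that is about to be abandoned. How the dispatcher maps a BadMethodCallException to an HTTP status is not visible here; if it becomes a 500, a missing or malformed GET parameter is really a client error and deserves a 4xx. The enclosing method starts and ends outside the hunk.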
diff --git a/modules/cms/action/LoginAction.class.php b/modules/cms/action/LoginAction.class.php
@@ -169,12 +169,19 @@ class LoginAction extends BaseAction
public function oidcView() {
- $providerName = $this->request->getRequiredRequestVar('id',RequestParams::FILTER_ALPHANUM);
+ if ( $this->hasRequestVar("id")) {
+ $providerName = $this->request->getRequestVar('id',RequestParams::FILTER_ALPHANUM);
+ Session::set(Session::KEY_OIDC_PROVIDER,$providerName);
+ }else {
+ $providerName = Session::get( Session::KEY_OIDC_PROVIDER);
+ }
+
$providerConfig = Configuration::subset(['security','oidc','provider',$providerName]);
$oidc = new OpenIDConnectClient();
$oidc->setProviderURL ( $providerConfig->get('url' ));
+ $oidc->setIssuer ( $providerConfig->get('url' ));
$oidc->setClientID ( $providerConfig->get('client_id' ));
$oidc->setClientSecret( $providerConfig->get('client_secret'));
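Review bot: Nothing checks that `$providerName` actually names a configured provider before it is stored in the session and used to build the client: the ALPHANUM filter only constrains the characters, the session fallback yields null when no provider was stored, and `Configuration::subset` of a missing key then feeds empty values into setProviderURL/setIssuer/setClientID. Guard after the subset lookup, before any session write: `if ( empty($providerName) || ! $providerConfig->get('url') || ! $providerConfig->get('client_id') ) throw new \InvalidArgumentException('Unknown or unconfigured OIDC provider: '.$providerName);` and only then `Session::set(Session::KEY_OIDC_PROVIDER, $providerName);`, so an arbitrary `id` from the URL never lands in the session. Setting the issuer to the configured `url` is the right idea, but the id_token `iss` claim is typically compared to it exactly, so a trailing-slash mismatch between config and the provider's discovery document would reject every login — worth a comment on the setIssuer line noting that `url` must equal the provider's issuer string verbatim. Validation of `state`/`nonce` on the callback is presumably inside the client library and is not visible here.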
diff --git a/modules/cms/ui/UI.class.php b/modules/cms/ui/UI.class.php
@@ -43,7 +43,11 @@ class UI
// Sending the Content-Security-Policy.
self::setContentSecurityPolicy();
- if (empty($request->action)) {
+ if ( @$_REQUEST['scope']=='openid' ) {
+ $request->action = 'login';
+ $request->method = 'oidc';
+ }
+ elseif (empty($request->action)) {
$request->action = 'index';
$request->method = 'show';
}
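Review bot: The new branch reads the raw superglobal with `@$_REQUEST['scope']=='openid'` — a loose comparison under error suppression on a merged GET/POST/cookie array, in a class that already has a `$request` object for exactly this. At minimum make it explicit and strict: `if ( isset($_GET['scope']) && $_GET['scope'] === 'openid' )`, or read it through `$request` so the same filtering applies as elsewhere. Identifying the OIDC callback by `scope` is also fragile, since the authorization response is defined by `code` and `state` and not every provider echoes `scope` back (some do, so this may have been chosen from testing against one of them — worth a comment saying so). Because this branch is evaluated before the empty-action default, any request carrying `scope=openid` is rerouted into the login flow regardless of the action it asked for.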
diff --git a/modules/openid_connect/OpenIDConnectClient.class.php b/modules/openid_connect/OpenIDConnectClient.class.php
@@ -1124,7 +1124,8 @@ class OpenIDConnectClient
curl_setopt($ch, CURLOPT_HEADER, 0);
// Allows to follow redirect
- curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+ // FIXME not possible in openbasedir-restrictions
+ //curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
/**
* Set cert
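Review bot: Commenting out CURLOPT_FOLLOWLOCATION means a 3xx from the provider (http→https or a trailing-slash redirect on the discovery or token endpoint) is now silently returned as the response body, and the FIXME leaves dead code behind. Make it conditional on the restriction instead: `if ( ! ini_get('open_basedir') ) { curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_MAXREDIRS, 5); }` — bounding the redirect count and, where supported, restricting redirect targets with CURLOPT_REDIR_PROTOCOLS to HTTPS, since following arbitrary redirects from a remote host is how an OIDC client gets talked into fetching internal URLs. Whether the current PHP version still refuses this option under open_basedir should be confirmed; if it does not, the conditional can simply be dropped. Whichever way, the fetch should check the HTTP status code so a 3xx surfaces as an error rather than as unparsable JSON; the surrounding function starts and ends outside the hunk.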
diff --git a/modules/util/Session.class.php b/modules/util/Session.class.php
@@ -20,6 +20,7 @@ use cms\model\User;
*/
class Session
{
+ const KEY_OIDC_PROVIDER = 'oidc_provider';
const KEY_DBID = 'dbid';
const KEY_DB = 'database';
const KEY_USER = 'userObject';