bookstack/app/Auth/Access/OpenIdConnect/OpenIdConnectOAuthProvider.php

<?php

namespace BookStack\Auth\Access\OpenIdConnect;

use League\OAuth2\Client\Grant\AbstractGrant;
use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Provider\GenericResourceOwner;
use League\OAuth2\Client\Provider\ResourceOwnerInterface;
use League\OAuth2\Client\Token\AccessToken;
use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
use Psr\Http\Message\ResponseInterface;

/**
 * Extended OAuth2Provider for using with OIDC.
 * Credit to the https://github.com/steverhoades/oauth2-openid-connect-client
 * project for the idea of extending a League\OAuth2 client for this use-case.
 */
class OpenIdConnectOAuthProvider extends AbstractProvider
{
    use BearerAuthorizationTrait;

    /**
     * @var string
     */
    protected $authorizationEndpoint;

    /**
     * @var string
     */
    protected $tokenEndpoint;


    /**
     * Returns the base URL for authorizing a client.
     */
    public function getBaseAuthorizationUrl(): string
    {
        return $this->authorizationEndpoint;
    }

    /**
     * Returns the base URL for requesting an access token.
     */
    public function getBaseAccessTokenUrl(array $params): string
    {
        return $this->tokenEndpoint;
    }

    /**
     * Returns the URL for requesting the resource owner's details.
     */
    public function getResourceOwnerDetailsUrl(AccessToken $token): string
    {
        return '';
    }

    /**
     * Returns the default scopes used by this provider.
     *
     * This should only be the scopes that are required to request the details
     * of the resource owner, rather than all the available scopes.
     */
    protected function getDefaultScopes(): array
    {
        return ['openid', 'profile', 'email'];
    }


    /**
     * Returns the string that should be used to separate scopes when building
     * the URL for requesting an access token.
     */
    protected function getScopeSeparator(): string
    {
        return ' ';
    }

    /**
     * Checks a provider response for errors.
     *
     * @param ResponseInterface $response
     * @param array|string $data Parsed response data
     * @return void
     * @throws IdentityProviderException
     */
    protected function checkResponse(ResponseInterface $response, $data)
    {
        if ($response->getStatusCode() >= 400 || isset($data['error'])) {
            throw new IdentityProviderException(
                $data['error'] ?? $response->getReasonPhrase(),
                $response->getStatusCode(),
                (string) $response->getBody()
            );
        }
    }

    /**
     * Generates a resource owner object from a successful resource owner
     * details request.
     *
     * @param array $response
     * @param AccessToken $token
     * @return ResourceOwnerInterface
     */
    protected function createResourceOwner(array $response, AccessToken $token)
    {
        return new GenericResourceOwner($response, '');
    }

    /**
     * Creates an access token from a response.
     *
     * The grant that was used to fetch the response can be used to provide
     * additional context.
     *
     * @param array $response
     * @param AbstractGrant $grant
     * @return OpenIdConnectAccessToken
     */
    protected function createAccessToken(array $response, AbstractGrant $grant)
    {
        return new OpenIdConnectAccessToken($response);
    }


}
Started on a custom oidc oauth provider 2021-10-11 02:14:08 +08:00			`<?php`

Added token and key handling elements for oidc jwt - Got basic signing support and structure checking done. - Need to run through actual claim checking before providing details back to app. 2021-10-12 02:05:16 +08:00			`namespace BookStack\Auth\Access\OpenIdConnect;`
Started on a custom oidc oauth provider 2021-10-11 02:14:08 +08:00
Added token and key handling elements for oidc jwt - Got basic signing support and structure checking done. - Need to run through actual claim checking before providing details back to app. 2021-10-12 02:05:16 +08:00			`use League\OAuth2\Client\Grant\AbstractGrant;`
Started on a custom oidc oauth provider 2021-10-11 02:14:08 +08:00			`use League\OAuth2\Client\Provider\AbstractProvider;`
			`use League\OAuth2\Client\Provider\Exception\IdentityProviderException;`
			`use League\OAuth2\Client\Provider\GenericResourceOwner;`
			`use League\OAuth2\Client\Provider\ResourceOwnerInterface;`
			`use League\OAuth2\Client\Token\AccessToken;`
			`use League\OAuth2\Client\Tool\BearerAuthorizationTrait;`
			`use Psr\Http\Message\ResponseInterface;`

			`/**`
			`* Extended OAuth2Provider for using with OIDC.`
			`* Credit to the https://github.com/steverhoades/oauth2-openid-connect-client`
			`* project for the idea of extending a League\OAuth2 client for this use-case.`
			`*/`
			`class OpenIdConnectOAuthProvider extends AbstractProvider`
			`{`
			`use BearerAuthorizationTrait;`

			`/**`
			`* @var string`
			`*/`
			`protected $authorizationEndpoint;`

			`/**`
			`* @var string`
			`*/`
			`protected $tokenEndpoint;`


			`/**`
			`* Returns the base URL for authorizing a client.`
			`*/`
			`public function getBaseAuthorizationUrl(): string`
			`{`
			`return $this->authorizationEndpoint;`
			`}`

			`/**`
			`* Returns the base URL for requesting an access token.`
			`*/`
			`public function getBaseAccessTokenUrl(array $params): string`
			`{`
			`return $this->tokenEndpoint;`
			`}`

			`/**`
			`* Returns the URL for requesting the resource owner's details.`
			`*/`
			`public function getResourceOwnerDetailsUrl(AccessToken $token): string`
			`{`
			`return '';`
			`}`

			`/**`
			`* Returns the default scopes used by this provider.`
			`*`
			`* This should only be the scopes that are required to request the details`
			`* of the resource owner, rather than all the available scopes.`
			`*/`
			`protected function getDefaultScopes(): array`
			`{`
			`return ['openid', 'profile', 'email'];`
			`}`


			`/**`
			`* Returns the string that should be used to separate scopes when building`
			`* the URL for requesting an access token.`
			`*/`
			`protected function getScopeSeparator(): string`
			`{`
			`return ' ';`
			`}`

			`/**`
			`* Checks a provider response for errors.`
			`*`
			`* @param ResponseInterface $response`
			`* @param array\|string $data Parsed response data`
			`* @return void`
			`* @throws IdentityProviderException`
			`*/`
			`protected function checkResponse(ResponseInterface $response, $data)`
			`{`
			`if ($response->getStatusCode() >= 400 \|\| isset($data['error'])) {`
			`throw new IdentityProviderException(`
			`$data['error'] ?? $response->getReasonPhrase(),`
			`$response->getStatusCode(),`
			`(string) $response->getBody()`
			`);`
			`}`
			`}`

			`/**`
			`* Generates a resource owner object from a successful resource owner`
			`* details request.`
			`*`
			`* @param array $response`
			`* @param AccessToken $token`
			`* @return ResourceOwnerInterface`
			`*/`
			`protected function createResourceOwner(array $response, AccessToken $token)`
			`{`
			`return new GenericResourceOwner($response, '');`
			`}`
Added token and key handling elements for oidc jwt - Got basic signing support and structure checking done. - Need to run through actual claim checking before providing details back to app. 2021-10-12 02:05:16 +08:00
			`/**`
			`* Creates an access token from a response.`
			`*`
			`* The grant that was used to fetch the response can be used to provide`
			`* additional context.`
			`*`
			`* @param array $response`
			`* @param AbstractGrant $grant`
			`* @return OpenIdConnectAccessToken`
			`*/`
			`protected function createAccessToken(array $response, AbstractGrant $grant)`
			`{`
			`return new OpenIdConnectAccessToken($response);`
			`}`


Started on a custom oidc oauth provider 2021-10-11 02:14:08 +08:00			`}`