mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-10-01 05:36:00 +00:00
Continued review of #2169
- Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8.
This commit is contained in:
parent
2ec0aa85ca
commit
41438adbd1
@ -4,48 +4,10 @@ namespace BookStack\Auth\Access;
|
|||||||
|
|
||||||
use BookStack\Auth\Role;
|
use BookStack\Auth\Role;
|
||||||
use BookStack\Auth\User;
|
use BookStack\Auth\User;
|
||||||
use BookStack\Exceptions\UserRegistrationException;
|
|
||||||
use Illuminate\Support\Collection;
|
use Illuminate\Support\Collection;
|
||||||
use Illuminate\Support\Str;
|
|
||||||
|
|
||||||
class ExternalAuthService
|
class GroupSyncService
|
||||||
{
|
{
|
||||||
protected $registrationService;
|
|
||||||
protected $user;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* ExternalAuthService base constructor.
|
|
||||||
*/
|
|
||||||
public function __construct(RegistrationService $registrationService, User $user)
|
|
||||||
{
|
|
||||||
$this->registrationService = $registrationService;
|
|
||||||
$this->user = $user;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Get the user from the database for the specified details.
|
|
||||||
* @throws UserRegistrationException
|
|
||||||
*/
|
|
||||||
protected function getOrRegisterUser(array $userDetails): ?User
|
|
||||||
{
|
|
||||||
$user = User::query()
|
|
||||||
->where('external_auth_id', '=', $userDetails['external_id'])
|
|
||||||
->first();
|
|
||||||
|
|
||||||
if (is_null($user)) {
|
|
||||||
$userData = [
|
|
||||||
'name' => $userDetails['name'],
|
|
||||||
'email' => $userDetails['email'],
|
|
||||||
'password' => Str::random(32),
|
|
||||||
'external_auth_id' => $userDetails['external_id'],
|
|
||||||
];
|
|
||||||
|
|
||||||
$user = $this->registrationService->registerUser($userData, null, false);
|
|
||||||
}
|
|
||||||
|
|
||||||
return $user;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check a role against an array of group names to see if it matches.
|
* Check a role against an array of group names to see if it matches.
|
||||||
* Checked against role 'external_auth_id' if set otherwise the name of the role.
|
* Checked against role 'external_auth_id' if set otherwise the name of the role.
|
||||||
@ -98,13 +60,13 @@ class ExternalAuthService
|
|||||||
/**
|
/**
|
||||||
* Sync the groups to the user roles for the current user.
|
* Sync the groups to the user roles for the current user.
|
||||||
*/
|
*/
|
||||||
public function syncWithGroups(User $user, array $userGroups): void
|
public function syncUserWithFoundGroups(User $user, array $userGroups, bool $detachExisting): void
|
||||||
{
|
{
|
||||||
// Get the ids for the roles from the names
|
// Get the ids for the roles from the names
|
||||||
$groupsAsRoles = $this->matchGroupsToSystemsRoles($userGroups);
|
$groupsAsRoles = $this->matchGroupsToSystemsRoles($userGroups);
|
||||||
|
|
||||||
// Sync groups
|
// Sync groups
|
||||||
if ($this->config['remove_from_groups']) {
|
if ($detachExisting) {
|
||||||
$user->roles()->sync($groupsAsRoles);
|
$user->roles()->sync($groupsAsRoles);
|
||||||
$user->attachDefaultRole();
|
$user->attachDefaultRole();
|
||||||
} else {
|
} else {
|
@ -10,7 +10,7 @@ namespace BookStack\Auth\Access\Guards;
|
|||||||
* via the Saml2 controller & Saml2Service. This class provides a safer, thin
|
* via the Saml2 controller & Saml2Service. This class provides a safer, thin
|
||||||
* version of SessionGuard.
|
* version of SessionGuard.
|
||||||
*/
|
*/
|
||||||
class Saml2SessionGuard extends ExternalBaseSessionGuard
|
class AsyncExternalBaseSessionGuard extends ExternalBaseSessionGuard
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
* Validate a user's credentials.
|
* Validate a user's credentials.
|
@ -1,79 +0,0 @@
|
|||||||
<?php
|
|
||||||
|
|
||||||
namespace BookStack\Auth\Access\Guards;
|
|
||||||
|
|
||||||
use BookStack\Auth\Access\OpenIdService;
|
|
||||||
use BookStack\Auth\Access\RegistrationService;
|
|
||||||
use Illuminate\Contracts\Auth\UserProvider;
|
|
||||||
use Illuminate\Contracts\Session\Session;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* OpenId Session Guard
|
|
||||||
*
|
|
||||||
* The OpenId login process is async in nature meaning it does not fit very well
|
|
||||||
* into the default laravel 'Guard' auth flow. Instead most of the logic is done
|
|
||||||
* via the OpenId controller & OpenIdService. This class provides a safer, thin
|
|
||||||
* version of SessionGuard.
|
|
||||||
*
|
|
||||||
* @package BookStack\Auth\Access\Guards
|
|
||||||
*/
|
|
||||||
class OpenIdSessionGuard extends ExternalBaseSessionGuard
|
|
||||||
{
|
|
||||||
|
|
||||||
protected $openidService;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* OpenIdSessionGuard constructor.
|
|
||||||
*/
|
|
||||||
public function __construct(
|
|
||||||
$name,
|
|
||||||
UserProvider $provider,
|
|
||||||
Session $session,
|
|
||||||
OpenIdService $openidService,
|
|
||||||
RegistrationService $registrationService
|
|
||||||
) {
|
|
||||||
$this->openidService = $openidService;
|
|
||||||
parent::__construct($name, $provider, $session, $registrationService);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Get the currently authenticated user.
|
|
||||||
*
|
|
||||||
* @return \Illuminate\Contracts\Auth\Authenticatable|null
|
|
||||||
*/
|
|
||||||
public function user()
|
|
||||||
{
|
|
||||||
// retrieve the current user
|
|
||||||
$user = parent::user();
|
|
||||||
|
|
||||||
// refresh the current user
|
|
||||||
if ($user && !$this->openidService->refresh()) {
|
|
||||||
$this->user = null;
|
|
||||||
}
|
|
||||||
|
|
||||||
return $this->user;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Validate a user's credentials.
|
|
||||||
*
|
|
||||||
* @param array $credentials
|
|
||||||
* @return bool
|
|
||||||
*/
|
|
||||||
public function validate(array $credentials = [])
|
|
||||||
{
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Attempt to authenticate a user using the given credentials.
|
|
||||||
*
|
|
||||||
* @param array $credentials
|
|
||||||
* @param bool $remember
|
|
||||||
* @return bool
|
|
||||||
*/
|
|
||||||
public function attempt(array $credentials = [], $remember = false)
|
|
||||||
{
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
@ -13,9 +13,10 @@ use Illuminate\Support\Facades\Log;
|
|||||||
* Class LdapService
|
* Class LdapService
|
||||||
* Handles any app-specific LDAP tasks.
|
* Handles any app-specific LDAP tasks.
|
||||||
*/
|
*/
|
||||||
class LdapService extends ExternalAuthService
|
class LdapService
|
||||||
{
|
{
|
||||||
protected $ldap;
|
protected $ldap;
|
||||||
|
protected $groupSyncService;
|
||||||
protected $ldapConnection;
|
protected $ldapConnection;
|
||||||
protected $userAvatars;
|
protected $userAvatars;
|
||||||
protected $config;
|
protected $config;
|
||||||
@ -24,20 +25,19 @@ class LdapService extends ExternalAuthService
|
|||||||
/**
|
/**
|
||||||
* LdapService constructor.
|
* LdapService constructor.
|
||||||
*/
|
*/
|
||||||
public function __construct(Ldap $ldap, UserAvatars $userAvatars)
|
public function __construct(Ldap $ldap, UserAvatars $userAvatars, GroupSyncService $groupSyncService)
|
||||||
{
|
{
|
||||||
$this->ldap = $ldap;
|
$this->ldap = $ldap;
|
||||||
$this->userAvatars = $userAvatars;
|
$this->userAvatars = $userAvatars;
|
||||||
|
$this->groupSyncService = $groupSyncService;
|
||||||
$this->config = config('services.ldap');
|
$this->config = config('services.ldap');
|
||||||
$this->enabled = config('auth.method') === 'ldap';
|
$this->enabled = config('auth.method') === 'ldap';
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check if groups should be synced.
|
* Check if groups should be synced.
|
||||||
*
|
|
||||||
* @return bool
|
|
||||||
*/
|
*/
|
||||||
public function shouldSyncGroups()
|
public function shouldSyncGroups(): bool
|
||||||
{
|
{
|
||||||
return $this->enabled && $this->config['user_to_groups'] !== false;
|
return $this->enabled && $this->config['user_to_groups'] !== false;
|
||||||
}
|
}
|
||||||
@ -285,9 +285,7 @@ class LdapService extends ExternalAuthService
|
|||||||
}
|
}
|
||||||
|
|
||||||
$userGroups = $this->groupFilter($user);
|
$userGroups = $this->groupFilter($user);
|
||||||
$userGroups = $this->getGroupsRecursive($userGroups, []);
|
return $this->getGroupsRecursive($userGroups, []);
|
||||||
|
|
||||||
return $userGroups;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -374,7 +372,7 @@ class LdapService extends ExternalAuthService
|
|||||||
public function syncGroups(User $user, string $username)
|
public function syncGroups(User $user, string $username)
|
||||||
{
|
{
|
||||||
$userLdapGroups = $this->getUserGroups($username);
|
$userLdapGroups = $this->getUserGroups($username);
|
||||||
$this->syncWithGroups($user, $userLdapGroups);
|
$this->groupSyncService->syncUserWithFoundGroups($user, $userLdapGroups, $this->config['remove_from_groups']);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
164
app/Auth/Access/OpenIdConnectService.php
Normal file
164
app/Auth/Access/OpenIdConnectService.php
Normal file
@ -0,0 +1,164 @@
|
|||||||
|
<?php namespace BookStack\Auth\Access;
|
||||||
|
|
||||||
|
use BookStack\Auth\User;
|
||||||
|
use BookStack\Exceptions\JsonDebugException;
|
||||||
|
use BookStack\Exceptions\OpenIdConnectException;
|
||||||
|
use BookStack\Exceptions\StoppedAuthenticationException;
|
||||||
|
use BookStack\Exceptions\UserRegistrationException;
|
||||||
|
use Exception;
|
||||||
|
use Lcobucci\JWT\Signer\Rsa\Sha256;
|
||||||
|
use Lcobucci\JWT\Token;
|
||||||
|
use OpenIDConnectClient\AccessToken;
|
||||||
|
use OpenIDConnectClient\OpenIDConnectProvider;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class OpenIdConnectService
|
||||||
|
* Handles any app-specific OIDC tasks.
|
||||||
|
*/
|
||||||
|
class OpenIdConnectService
|
||||||
|
{
|
||||||
|
protected $registrationService;
|
||||||
|
protected $loginService;
|
||||||
|
protected $config;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OpenIdService constructor.
|
||||||
|
*/
|
||||||
|
public function __construct(RegistrationService $registrationService, LoginService $loginService)
|
||||||
|
{
|
||||||
|
$this->config = config('oidc');
|
||||||
|
$this->registrationService = $registrationService;
|
||||||
|
$this->loginService = $loginService;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Initiate an authorization flow.
|
||||||
|
* @return array{url: string, state: string}
|
||||||
|
*/
|
||||||
|
public function login(): array
|
||||||
|
{
|
||||||
|
$provider = $this->getProvider();
|
||||||
|
return [
|
||||||
|
'url' => $provider->getAuthorizationUrl(),
|
||||||
|
'state' => $provider->getState(),
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Process the Authorization response from the authorization server and
|
||||||
|
* return the matching, or new if registration active, user matched to
|
||||||
|
* the authorization server.
|
||||||
|
* Returns null if not authenticated.
|
||||||
|
* @throws Exception
|
||||||
|
*/
|
||||||
|
public function processAuthorizeResponse(?string $authorizationCode): ?User
|
||||||
|
{
|
||||||
|
$provider = $this->getProvider();
|
||||||
|
|
||||||
|
// Try to exchange authorization code for access token
|
||||||
|
$accessToken = $provider->getAccessToken('authorization_code', [
|
||||||
|
'code' => $authorizationCode,
|
||||||
|
]);
|
||||||
|
|
||||||
|
return $this->processAccessTokenCallback($accessToken);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Load the underlying OpenID Connect Provider.
|
||||||
|
*/
|
||||||
|
protected function getProvider(): OpenIDConnectProvider
|
||||||
|
{
|
||||||
|
// Setup settings
|
||||||
|
$settings = [
|
||||||
|
'clientId' => $this->config['client_id'],
|
||||||
|
'clientSecret' => $this->config['client_secret'],
|
||||||
|
'idTokenIssuer' => $this->config['issuer'],
|
||||||
|
'redirectUri' => url('/oidc/redirect'),
|
||||||
|
'urlAuthorize' => $this->config['authorization_endpoint'],
|
||||||
|
'urlAccessToken' => $this->config['token_endpoint'],
|
||||||
|
'urlResourceOwnerDetails' => null,
|
||||||
|
'publicKey' => $this->config['jwt_public_key'],
|
||||||
|
'scopes' => 'profile email',
|
||||||
|
];
|
||||||
|
|
||||||
|
// Setup services
|
||||||
|
$services = [
|
||||||
|
'signer' => new Sha256(),
|
||||||
|
];
|
||||||
|
|
||||||
|
return new OpenIDConnectProvider($settings, $services);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Calculate the display name
|
||||||
|
*/
|
||||||
|
protected function getUserDisplayName(Token $token, string $defaultValue): string
|
||||||
|
{
|
||||||
|
$displayNameAttr = $this->config['display_name_claims'];
|
||||||
|
|
||||||
|
$displayName = [];
|
||||||
|
foreach ($displayNameAttr as $dnAttr) {
|
||||||
|
$dnComponent = $token->claims()->get($dnAttr, '');
|
||||||
|
if ($dnComponent !== '') {
|
||||||
|
$displayName[] = $dnComponent;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (count($displayName) == 0) {
|
||||||
|
$displayName[] = $defaultValue;
|
||||||
|
}
|
||||||
|
|
||||||
|
return implode(' ', $displayName);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Extract the details of a user from an ID token.
|
||||||
|
* @return array{name: string, email: string, external_id: string}
|
||||||
|
*/
|
||||||
|
protected function getUserDetails(Token $token): array
|
||||||
|
{
|
||||||
|
$id = $token->claims()->get('sub');
|
||||||
|
return [
|
||||||
|
'external_id' => $id,
|
||||||
|
'email' => $token->claims()->get('email'),
|
||||||
|
'name' => $this->getUserDisplayName($token, $id),
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Processes a received access token for a user. Login the user when
|
||||||
|
* they exist, optionally registering them automatically.
|
||||||
|
* @throws OpenIdConnectException
|
||||||
|
* @throws JsonDebugException
|
||||||
|
* @throws UserRegistrationException
|
||||||
|
* @throws StoppedAuthenticationException
|
||||||
|
*/
|
||||||
|
protected function processAccessTokenCallback(AccessToken $accessToken): User
|
||||||
|
{
|
||||||
|
$userDetails = $this->getUserDetails($accessToken->getIdToken());
|
||||||
|
$isLoggedIn = auth()->check();
|
||||||
|
|
||||||
|
if ($this->config['dump_user_details']) {
|
||||||
|
throw new JsonDebugException($accessToken->jsonSerialize());
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($userDetails['email'] === null) {
|
||||||
|
throw new OpenIdConnectException(trans('errors.oidc_no_email_address'));
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($isLoggedIn) {
|
||||||
|
throw new OpenIdConnectException(trans('errors.oidc_already_logged_in'), '/login');
|
||||||
|
}
|
||||||
|
|
||||||
|
$user = $this->registrationService->findOrRegister(
|
||||||
|
$userDetails['name'], $userDetails['email'], $userDetails['external_id']
|
||||||
|
);
|
||||||
|
|
||||||
|
if ($user === null) {
|
||||||
|
throw new OpenIdConnectException(trans('errors.oidc_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->loginService->login($user, 'oidc');
|
||||||
|
return $user;
|
||||||
|
}
|
||||||
|
}
|
@ -1,257 +0,0 @@
|
|||||||
<?php namespace BookStack\Auth\Access;
|
|
||||||
|
|
||||||
use BookStack\Auth\User;
|
|
||||||
use BookStack\Exceptions\JsonDebugException;
|
|
||||||
use BookStack\Exceptions\OpenIdException;
|
|
||||||
use BookStack\Exceptions\UserRegistrationException;
|
|
||||||
use Exception;
|
|
||||||
use Lcobucci\JWT\Signer\Rsa\Sha256;
|
|
||||||
use Lcobucci\JWT\Token;
|
|
||||||
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
|
|
||||||
use OpenIDConnectClient\AccessToken;
|
|
||||||
use OpenIDConnectClient\Exception\InvalidTokenException;
|
|
||||||
use OpenIDConnectClient\OpenIDConnectProvider;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Class OpenIdService
|
|
||||||
* Handles any app-specific OpenId tasks.
|
|
||||||
*/
|
|
||||||
class OpenIdService extends ExternalAuthService
|
|
||||||
{
|
|
||||||
protected $config;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* OpenIdService constructor.
|
|
||||||
*/
|
|
||||||
public function __construct(RegistrationService $registrationService, User $user)
|
|
||||||
{
|
|
||||||
parent::__construct($registrationService, $user);
|
|
||||||
|
|
||||||
$this->config = config('oidc');
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Initiate an authorization flow.
|
|
||||||
* @throws Exception
|
|
||||||
*/
|
|
||||||
public function login(): array
|
|
||||||
{
|
|
||||||
$provider = $this->getProvider();
|
|
||||||
return [
|
|
||||||
'url' => $provider->getAuthorizationUrl(),
|
|
||||||
'state' => $provider->getState(),
|
|
||||||
];
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Initiate a logout flow.
|
|
||||||
*/
|
|
||||||
public function logout(): array
|
|
||||||
{
|
|
||||||
$this->actionLogout();
|
|
||||||
$url = '/';
|
|
||||||
$id = null;
|
|
||||||
|
|
||||||
return ['url' => $url, 'id' => $id];
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Refresh the currently logged in user.
|
|
||||||
* @throws Exception
|
|
||||||
*/
|
|
||||||
public function refresh(): bool
|
|
||||||
{
|
|
||||||
// Retrieve access token for current session
|
|
||||||
$json = session()->get('openid_token');
|
|
||||||
|
|
||||||
// If no access token was found, reject the refresh
|
|
||||||
if (!$json) {
|
|
||||||
$this->actionLogout();
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
$accessToken = new AccessToken(json_decode($json, true) ?? []);
|
|
||||||
|
|
||||||
// If the token is not expired, refreshing isn't necessary
|
|
||||||
if ($this->isUnexpired($accessToken)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Try to obtain refreshed access token
|
|
||||||
try {
|
|
||||||
$newAccessToken = $this->refreshAccessToken($accessToken);
|
|
||||||
} catch (Exception $e) {
|
|
||||||
// Log out if an unknown problem arises
|
|
||||||
$this->actionLogout();
|
|
||||||
throw $e;
|
|
||||||
}
|
|
||||||
|
|
||||||
// If a token was obtained, update the access token, otherwise log out
|
|
||||||
if ($newAccessToken !== null) {
|
|
||||||
session()->put('openid_token', json_encode($newAccessToken));
|
|
||||||
return true;
|
|
||||||
} else {
|
|
||||||
$this->actionLogout();
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Check whether an access token or OpenID token isn't expired.
|
|
||||||
*/
|
|
||||||
protected function isUnexpired(AccessToken $accessToken): bool
|
|
||||||
{
|
|
||||||
$idToken = $accessToken->getIdToken();
|
|
||||||
|
|
||||||
$accessTokenUnexpired = $accessToken->getExpires() && !$accessToken->hasExpired();
|
|
||||||
$idTokenUnexpired = !$idToken || !$idToken->isExpired();
|
|
||||||
|
|
||||||
return $accessTokenUnexpired && $idTokenUnexpired;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Generate an updated access token, through the associated refresh token.
|
|
||||||
* @throws Exception
|
|
||||||
*/
|
|
||||||
protected function refreshAccessToken(AccessToken $accessToken): ?AccessToken
|
|
||||||
{
|
|
||||||
// If no refresh token available, abort
|
|
||||||
if ($accessToken->getRefreshToken() === null) {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
|
|
||||||
// ID token or access token is expired, we refresh it using the refresh token
|
|
||||||
try {
|
|
||||||
return $this->getProvider()->getAccessToken('refresh_token', [
|
|
||||||
'refresh_token' => $accessToken->getRefreshToken(),
|
|
||||||
]);
|
|
||||||
} catch (IdentityProviderException $e) {
|
|
||||||
// Refreshing failed
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Process the Authorization response from the authorization server and
|
|
||||||
* return the matching, or new if registration active, user matched to
|
|
||||||
* the authorization server.
|
|
||||||
* Returns null if not authenticated.
|
|
||||||
* @throws Exception
|
|
||||||
* @throws InvalidTokenException
|
|
||||||
*/
|
|
||||||
public function processAuthorizeResponse(?string $authorizationCode): ?User
|
|
||||||
{
|
|
||||||
$provider = $this->getProvider();
|
|
||||||
|
|
||||||
// Try to exchange authorization code for access token
|
|
||||||
$accessToken = $provider->getAccessToken('authorization_code', [
|
|
||||||
'code' => $authorizationCode,
|
|
||||||
]);
|
|
||||||
|
|
||||||
return $this->processAccessTokenCallback($accessToken);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Do the required actions to log a user out.
|
|
||||||
*/
|
|
||||||
protected function actionLogout()
|
|
||||||
{
|
|
||||||
auth()->logout();
|
|
||||||
session()->invalidate();
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Load the underlying OpenID Connect Provider.
|
|
||||||
*/
|
|
||||||
protected function getProvider(): OpenIDConnectProvider
|
|
||||||
{
|
|
||||||
// Setup settings
|
|
||||||
$settings = [
|
|
||||||
'clientId' => $this->config['client_id'],
|
|
||||||
'clientSecret' => $this->config['client_secret'],
|
|
||||||
'idTokenIssuer' => $this->config['issuer'],
|
|
||||||
'redirectUri' => url('/openid/redirect'),
|
|
||||||
'urlAuthorize' => $this->config['authorization_endpoint'],
|
|
||||||
'urlAccessToken' => $this->config['token_endpoint'],
|
|
||||||
'urlResourceOwnerDetails' => null,
|
|
||||||
'publicKey' => $this->config['jwt_public_key'],
|
|
||||||
'scopes' => 'profile email',
|
|
||||||
];
|
|
||||||
|
|
||||||
// Setup services
|
|
||||||
$services = [
|
|
||||||
'signer' => new Sha256(),
|
|
||||||
];
|
|
||||||
|
|
||||||
return new OpenIDConnectProvider($settings, $services);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Calculate the display name
|
|
||||||
*/
|
|
||||||
protected function getUserDisplayName(Token $token, string $defaultValue): string
|
|
||||||
{
|
|
||||||
$displayNameAttr = $this->config['display_name_claims'];
|
|
||||||
|
|
||||||
$displayName = [];
|
|
||||||
foreach ($displayNameAttr as $dnAttr) {
|
|
||||||
$dnComponent = $token->claims()->get($dnAttr, '');
|
|
||||||
if ($dnComponent !== '') {
|
|
||||||
$displayName[] = $dnComponent;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (count($displayName) == 0) {
|
|
||||||
$displayName[] = $defaultValue;
|
|
||||||
}
|
|
||||||
|
|
||||||
return implode(' ', $displayName);;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Extract the details of a user from an ID token.
|
|
||||||
*/
|
|
||||||
protected function getUserDetails(Token $token): array
|
|
||||||
{
|
|
||||||
$id = $token->claims()->get('sub');
|
|
||||||
return [
|
|
||||||
'external_id' => $id,
|
|
||||||
'email' => $token->claims()->get('email'),
|
|
||||||
'name' => $this->getUserDisplayName($token, $id),
|
|
||||||
];
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Processes a received access token for a user. Login the user when
|
|
||||||
* they exist, optionally registering them automatically.
|
|
||||||
* @throws OpenIdException
|
|
||||||
* @throws JsonDebugException
|
|
||||||
* @throws UserRegistrationException
|
|
||||||
*/
|
|
||||||
public function processAccessTokenCallback(AccessToken $accessToken): User
|
|
||||||
{
|
|
||||||
$userDetails = $this->getUserDetails($accessToken->getIdToken());
|
|
||||||
$isLoggedIn = auth()->check();
|
|
||||||
|
|
||||||
if ($this->config['dump_user_details']) {
|
|
||||||
throw new JsonDebugException($accessToken->jsonSerialize());
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($userDetails['email'] === null) {
|
|
||||||
throw new OpenIdException(trans('errors.openid_no_email_address'));
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($isLoggedIn) {
|
|
||||||
throw new OpenIdException(trans('errors.openid_already_logged_in'), '/login');
|
|
||||||
}
|
|
||||||
|
|
||||||
$user = $this->getOrRegisterUser($userDetails);
|
|
||||||
if ($user === null) {
|
|
||||||
throw new OpenIdException(trans('errors.openid_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
|
|
||||||
}
|
|
||||||
|
|
||||||
auth()->login($user);
|
|
||||||
session()->put('openid_token', json_encode($accessToken));
|
|
||||||
return $user;
|
|
||||||
}
|
|
||||||
}
|
|
@ -11,6 +11,7 @@ use BookStack\Facades\Activity;
|
|||||||
use BookStack\Facades\Theme;
|
use BookStack\Facades\Theme;
|
||||||
use BookStack\Theming\ThemeEvents;
|
use BookStack\Theming\ThemeEvents;
|
||||||
use Exception;
|
use Exception;
|
||||||
|
use Illuminate\Support\Str;
|
||||||
|
|
||||||
class RegistrationService
|
class RegistrationService
|
||||||
{
|
{
|
||||||
@ -50,6 +51,31 @@ class RegistrationService
|
|||||||
return in_array($authMethod, $authMethodsWithRegistration) && setting('registration-enabled');
|
return in_array($authMethod, $authMethodsWithRegistration) && setting('registration-enabled');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Attempt to find a user in the system otherwise register them as a new
|
||||||
|
* user. For use with external auth systems since password is auto-generated.
|
||||||
|
* @throws UserRegistrationException
|
||||||
|
*/
|
||||||
|
public function findOrRegister(string $name, string $email, string $externalId): User
|
||||||
|
{
|
||||||
|
$user = User::query()
|
||||||
|
->where('external_auth_id', '=', $externalId)
|
||||||
|
->first();
|
||||||
|
|
||||||
|
if (is_null($user)) {
|
||||||
|
$userData = [
|
||||||
|
'name' => $name,
|
||||||
|
'email' => $email,
|
||||||
|
'password' => Str::random(32),
|
||||||
|
'external_auth_id' => $externalId,
|
||||||
|
];
|
||||||
|
|
||||||
|
$user = $this->registerUser($userData, null, false);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $user;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The registrations flow for all users.
|
* The registrations flow for all users.
|
||||||
*
|
*
|
||||||
|
@ -17,22 +17,26 @@ use OneLogin\Saml2\ValidationError;
|
|||||||
* Class Saml2Service
|
* Class Saml2Service
|
||||||
* Handles any app-specific SAML tasks.
|
* Handles any app-specific SAML tasks.
|
||||||
*/
|
*/
|
||||||
class Saml2Service extends ExternalAuthService
|
class Saml2Service
|
||||||
{
|
{
|
||||||
protected $config;
|
protected $config;
|
||||||
protected $registrationService;
|
protected $registrationService;
|
||||||
protected $loginService;
|
protected $loginService;
|
||||||
|
protected $groupSyncService;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Saml2Service constructor.
|
* Saml2Service constructor.
|
||||||
*/
|
*/
|
||||||
public function __construct(RegistrationService $registrationService, LoginService $loginService, User $user)
|
public function __construct(
|
||||||
|
RegistrationService $registrationService,
|
||||||
|
LoginService $loginService,
|
||||||
|
GroupSyncService $groupSyncService
|
||||||
|
)
|
||||||
{
|
{
|
||||||
parent::__construct($registrationService, $user);
|
|
||||||
|
|
||||||
$this->config = config('saml2');
|
$this->config = config('saml2');
|
||||||
$this->registrationService = $registrationService;
|
$this->registrationService = $registrationService;
|
||||||
$this->loginService = $loginService;
|
$this->loginService = $loginService;
|
||||||
|
$this->groupSyncService = $groupSyncService;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -259,6 +263,7 @@ class Saml2Service extends ExternalAuthService
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Extract the details of a user from a SAML response.
|
* Extract the details of a user from a SAML response.
|
||||||
|
* @return array{external_id: string, name: string, email: string, saml_id: string}
|
||||||
*/
|
*/
|
||||||
protected function getUserDetails(string $samlID, $samlAttributes): array
|
protected function getUserDetails(string $samlID, $samlAttributes): array
|
||||||
{
|
{
|
||||||
@ -353,14 +358,17 @@ class Saml2Service extends ExternalAuthService
|
|||||||
throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
|
throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
|
||||||
}
|
}
|
||||||
|
|
||||||
$user = $this->getOrRegisterUser($userDetails);
|
$user = $this->registrationService->findOrRegister(
|
||||||
|
$userDetails['name'], $userDetails['email'], $userDetails['external_id']
|
||||||
|
);
|
||||||
|
|
||||||
if ($user === null) {
|
if ($user === null) {
|
||||||
throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
|
throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($this->shouldSyncGroups()) {
|
if ($this->shouldSyncGroups()) {
|
||||||
$groups = $this->getUserGroups($samlAttributes);
|
$groups = $this->getUserGroups($samlAttributes);
|
||||||
$this->syncWithGroups($user, $groups);
|
$this->groupSyncService->syncUserWithFoundGroups($user, $groups, $this->config['remove_from_groups']);
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->loginService->login($user, 'saml2');
|
$this->loginService->login($user, 'saml2');
|
||||||
|
@ -11,7 +11,7 @@
|
|||||||
return [
|
return [
|
||||||
|
|
||||||
// Method of authentication to use
|
// Method of authentication to use
|
||||||
// Options: standard, ldap, saml2
|
// Options: standard, ldap, saml2, oidc
|
||||||
'method' => env('AUTH_METHOD', 'standard'),
|
'method' => env('AUTH_METHOD', 'standard'),
|
||||||
|
|
||||||
// Authentication Defaults
|
// Authentication Defaults
|
||||||
@ -26,7 +26,7 @@ return [
|
|||||||
// All authentication drivers have a user provider. This defines how the
|
// All authentication drivers have a user provider. This defines how the
|
||||||
// users are actually retrieved out of your database or other storage
|
// users are actually retrieved out of your database or other storage
|
||||||
// mechanisms used by this application to persist your user's data.
|
// mechanisms used by this application to persist your user's data.
|
||||||
// Supported drivers: "session", "api-token", "ldap-session"
|
// Supported drivers: "session", "api-token", "ldap-session", "async-external-session"
|
||||||
'guards' => [
|
'guards' => [
|
||||||
'standard' => [
|
'standard' => [
|
||||||
'driver' => 'session',
|
'driver' => 'session',
|
||||||
@ -37,11 +37,11 @@ return [
|
|||||||
'provider' => 'external',
|
'provider' => 'external',
|
||||||
],
|
],
|
||||||
'saml2' => [
|
'saml2' => [
|
||||||
'driver' => 'saml2-session',
|
'driver' => 'async-external-session',
|
||||||
'provider' => 'external',
|
'provider' => 'external',
|
||||||
],
|
],
|
||||||
'openid' => [
|
'oidc' => [
|
||||||
'driver' => 'openid-session',
|
'driver' => 'async-external-session',
|
||||||
'provider' => 'external',
|
'provider' => 'external',
|
||||||
],
|
],
|
||||||
'api' => [
|
'api' => [
|
||||||
|
6
app/Exceptions/OpenIdConnectException.php
Normal file
6
app/Exceptions/OpenIdConnectException.php
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
<?php namespace BookStack\Exceptions;
|
||||||
|
|
||||||
|
class OpenIdConnectException extends NotifyException
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
@ -1,6 +0,0 @@
|
|||||||
<?php namespace BookStack\Exceptions;
|
|
||||||
|
|
||||||
class OpenIdException extends NotifyException
|
|
||||||
{
|
|
||||||
|
|
||||||
}
|
|
56
app/Http/Controllers/Auth/OpenIdConnectController.php
Normal file
56
app/Http/Controllers/Auth/OpenIdConnectController.php
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace BookStack\Http\Controllers\Auth;
|
||||||
|
|
||||||
|
use BookStack\Auth\Access\OpenIdConnectService;
|
||||||
|
use BookStack\Http\Controllers\Controller;
|
||||||
|
use Illuminate\Http\Request;
|
||||||
|
|
||||||
|
class OpenIdConnectController extends Controller
|
||||||
|
{
|
||||||
|
|
||||||
|
protected $oidcService;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OpenIdController constructor.
|
||||||
|
*/
|
||||||
|
public function __construct(OpenIdConnectService $oidcService)
|
||||||
|
{
|
||||||
|
$this->oidcService = $oidcService;
|
||||||
|
$this->middleware('guard:oidc');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Start the authorization login flow via OIDC.
|
||||||
|
*/
|
||||||
|
public function login()
|
||||||
|
{
|
||||||
|
$loginDetails = $this->oidcService->login();
|
||||||
|
session()->flash('oidc_state', $loginDetails['state']);
|
||||||
|
|
||||||
|
return redirect($loginDetails['url']);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Authorization flow redirect.
|
||||||
|
* Processes authorization response from the OIDC Authorization Server.
|
||||||
|
*/
|
||||||
|
public function redirect(Request $request)
|
||||||
|
{
|
||||||
|
$storedState = session()->pull('oidc_state');
|
||||||
|
$responseState = $request->query('state');
|
||||||
|
|
||||||
|
if ($storedState !== $responseState) {
|
||||||
|
$this->showErrorNotification(trans('errors.oidc_fail_authed', ['system' => config('oidc.name')]));
|
||||||
|
return redirect('/login');
|
||||||
|
}
|
||||||
|
|
||||||
|
$user = $this->oidcService->processAuthorizeResponse($request->query('code'));
|
||||||
|
if ($user === null) {
|
||||||
|
$this->showErrorNotification(trans('errors.oidc_fail_authed', ['system' => config('oidc.name')]));
|
||||||
|
return redirect('/login');
|
||||||
|
}
|
||||||
|
|
||||||
|
return redirect()->intended();
|
||||||
|
}
|
||||||
|
}
|
@ -1,70 +0,0 @@
|
|||||||
<?php
|
|
||||||
|
|
||||||
namespace BookStack\Http\Controllers\Auth;
|
|
||||||
|
|
||||||
use BookStack\Auth\Access\OpenIdService;
|
|
||||||
use BookStack\Http\Controllers\Controller;
|
|
||||||
|
|
||||||
class OpenIdController extends Controller
|
|
||||||
{
|
|
||||||
|
|
||||||
protected $openidService;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* OpenIdController constructor.
|
|
||||||
*/
|
|
||||||
public function __construct(OpenIdService $openidService)
|
|
||||||
{
|
|
||||||
parent::__construct();
|
|
||||||
$this->openidService = $openidService;
|
|
||||||
$this->middleware('guard:openid');
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Start the authorization login flow via OpenId Connect.
|
|
||||||
*/
|
|
||||||
public function login()
|
|
||||||
{
|
|
||||||
$loginDetails = $this->openidService->login();
|
|
||||||
session()->flash('openid_state', $loginDetails['state']);
|
|
||||||
|
|
||||||
return redirect($loginDetails['url']);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Start the logout flow via OpenId Connect.
|
|
||||||
*/
|
|
||||||
public function logout()
|
|
||||||
{
|
|
||||||
$logoutDetails = $this->openidService->logout();
|
|
||||||
|
|
||||||
if ($logoutDetails['id']) {
|
|
||||||
session()->flash('saml2_logout_request_id', $logoutDetails['id']);
|
|
||||||
}
|
|
||||||
|
|
||||||
return redirect($logoutDetails['url']);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Authorization flow Redirect.
|
|
||||||
* Processes authorization response from the OpenId Connect Authorization Server.
|
|
||||||
*/
|
|
||||||
public function redirect()
|
|
||||||
{
|
|
||||||
$storedState = session()->pull('openid_state');
|
|
||||||
$responseState = request()->query('state');
|
|
||||||
|
|
||||||
if ($storedState !== $responseState) {
|
|
||||||
$this->showErrorNotification(trans('errors.openid_fail_authed', ['system' => config('saml2.name')]));
|
|
||||||
return redirect('/login');
|
|
||||||
}
|
|
||||||
|
|
||||||
$user = $this->openidService->processAuthorizeResponse(request()->query('code'));
|
|
||||||
if ($user === null) {
|
|
||||||
$this->showErrorNotification(trans('errors.openid_fail_authed', ['system' => config('saml2.name')]));
|
|
||||||
return redirect('/login');
|
|
||||||
}
|
|
||||||
|
|
||||||
return redirect()->intended();
|
|
||||||
}
|
|
||||||
}
|
|
@ -20,6 +20,5 @@ class VerifyCsrfToken extends Middleware
|
|||||||
*/
|
*/
|
||||||
protected $except = [
|
protected $except = [
|
||||||
'saml2/*',
|
'saml2/*',
|
||||||
'openid/*',
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
@ -5,11 +5,9 @@ namespace BookStack\Providers;
|
|||||||
use BookStack\Api\ApiTokenGuard;
|
use BookStack\Api\ApiTokenGuard;
|
||||||
use BookStack\Auth\Access\ExternalBaseUserProvider;
|
use BookStack\Auth\Access\ExternalBaseUserProvider;
|
||||||
use BookStack\Auth\Access\Guards\LdapSessionGuard;
|
use BookStack\Auth\Access\Guards\LdapSessionGuard;
|
||||||
use BookStack\Auth\Access\Guards\Saml2SessionGuard;
|
use BookStack\Auth\Access\Guards\AsyncExternalBaseSessionGuard;
|
||||||
use BookStack\Auth\Access\Guards\OpenIdSessionGuard;
|
|
||||||
use BookStack\Auth\Access\LdapService;
|
use BookStack\Auth\Access\LdapService;
|
||||||
use BookStack\Auth\Access\LoginService;
|
use BookStack\Auth\Access\LoginService;
|
||||||
use BookStack\Auth\Access\OpenIdService;
|
|
||||||
use BookStack\Auth\Access\RegistrationService;
|
use BookStack\Auth\Access\RegistrationService;
|
||||||
use Illuminate\Support\Facades\Auth;
|
use Illuminate\Support\Facades\Auth;
|
||||||
use Illuminate\Support\ServiceProvider;
|
use Illuminate\Support\ServiceProvider;
|
||||||
@ -39,27 +37,16 @@ class AuthServiceProvider extends ServiceProvider
|
|||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
Auth::extend('saml2-session', function ($app, $name, array $config) {
|
Auth::extend('async-external-session', function ($app, $name, array $config) {
|
||||||
$provider = Auth::createUserProvider($config['provider']);
|
$provider = Auth::createUserProvider($config['provider']);
|
||||||
|
|
||||||
return new Saml2SessionGuard(
|
return new AsyncExternalBaseSessionGuard(
|
||||||
$name,
|
$name,
|
||||||
$provider,
|
$provider,
|
||||||
$app['session.store'],
|
$app['session.store'],
|
||||||
$app[RegistrationService::class]
|
$app[RegistrationService::class]
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
Auth::extend('openid-session', function ($app, $name, array $config) {
|
|
||||||
$provider = Auth::createUserProvider($config['provider']);
|
|
||||||
return new OpenIdSessionGuard(
|
|
||||||
$name,
|
|
||||||
$provider,
|
|
||||||
$this->app['session.store'],
|
|
||||||
$app[OpenIdService::class],
|
|
||||||
$app[RegistrationService::class]
|
|
||||||
);
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
4
resources/icons/oidc.svg
Normal file
4
resources/icons/oidc.svg
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
<svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
|
||||||
|
<path d="M0 0h24v24H0z" fill="none"/>
|
||||||
|
<path d="M12.65 10C11.83 7.67 9.61 6 7 6c-3.31 0-6 2.69-6 6s2.69 6 6 6c2.61 0 4.83-1.67 5.65-4H17v4h4v-4h2v-4H12.65zM7 14c-1.1 0-2-.9-2-2s.9-2 2-2 2 .9 2 2-.9 2-2 2z"/>
|
||||||
|
</svg>
|
After Width: | Height: | Size: 282 B |
@ -23,10 +23,10 @@ return [
|
|||||||
'saml_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
|
'saml_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
|
||||||
'saml_invalid_response_id' => 'The request from the external authentication system is not recognised by a process started by this application. Navigating back after a login could cause this issue.',
|
'saml_invalid_response_id' => 'The request from the external authentication system is not recognised by a process started by this application. Navigating back after a login could cause this issue.',
|
||||||
'saml_fail_authed' => 'Login using :system failed, system did not provide successful authorization',
|
'saml_fail_authed' => 'Login using :system failed, system did not provide successful authorization',
|
||||||
'openid_already_logged_in' => 'Already logged in',
|
'oidc_already_logged_in' => 'Already logged in',
|
||||||
'openid_user_not_registered' => 'The user :name is not registered and automatic registration is disabled',
|
'oidc_user_not_registered' => 'The user :name is not registered and automatic registration is disabled',
|
||||||
'openid_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
|
'oidc_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
|
||||||
'openid_fail_authed' => 'Login using :system failed, system did not provide successful authorization',
|
'oidc_fail_authed' => 'Login using :system failed, system did not provide successful authorization',
|
||||||
'social_no_action_defined' => 'No action defined',
|
'social_no_action_defined' => 'No action defined',
|
||||||
'social_login_bad_response' => "Error received during :socialAccount login: \n:error",
|
'social_login_bad_response' => "Error received during :socialAccount login: \n:error",
|
||||||
'social_account_in_use' => 'This :socialAccount account is already in use, Try logging in via the :socialAccount option.',
|
'social_account_in_use' => 'This :socialAccount account is already in use, Try logging in via the :socialAccount option.',
|
||||||
|
11
resources/views/auth/parts/login-form-oidc.blade.php
Normal file
11
resources/views/auth/parts/login-form-oidc.blade.php
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
<form action="{{ url('/oidc/login') }}" method="POST" id="login-form" class="mt-l">
|
||||||
|
{!! csrf_field() !!}
|
||||||
|
|
||||||
|
<div>
|
||||||
|
<button id="oidc-login" class="button outline svg">
|
||||||
|
@icon('oidc')
|
||||||
|
<span>{{ trans('auth.log_in_with', ['socialDriver' => config('oidc.name')]) }}</span>
|
||||||
|
</button>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
</form>
|
@ -1,11 +0,0 @@
|
|||||||
<form action="{{ url('/openid/login') }}" method="POST" id="login-form" class="mt-l">
|
|
||||||
{!! csrf_field() !!}
|
|
||||||
|
|
||||||
<div>
|
|
||||||
<button id="saml-login" class="button outline block svg">
|
|
||||||
@icon('saml2')
|
|
||||||
<span>{{ trans('auth.log_in_with', ['socialDriver' => config('openid.name')]) }}</span>
|
|
||||||
</button>
|
|
||||||
</div>
|
|
||||||
|
|
||||||
</form>
|
|
@ -73,8 +73,6 @@
|
|||||||
<li>
|
<li>
|
||||||
@if(config('auth.method') === 'saml2')
|
@if(config('auth.method') === 'saml2')
|
||||||
<a href="{{ url('/saml2/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
|
<a href="{{ url('/saml2/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
|
||||||
@elseif(config('auth.method') === 'openid')
|
|
||||||
<a href="{{ url('/openid/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
|
|
||||||
@else
|
@else
|
||||||
<a href="{{ url('/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
|
<a href="{{ url('/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
|
||||||
@endif
|
@endif
|
||||||
|
@ -221,7 +221,7 @@
|
|||||||
'label' => trans('settings.reg_enable_toggle')
|
'label' => trans('settings.reg_enable_toggle')
|
||||||
])
|
])
|
||||||
|
|
||||||
@if(in_array(config('auth.method'), ['ldap', 'saml2', 'openid']))
|
@if(in_array(config('auth.method'), ['ldap', 'saml2', 'oidc']))
|
||||||
<div class="text-warn text-small mb-l">{{ trans('settings.reg_enable_external_warning') }}</div>
|
<div class="text-warn text-small mb-l">{{ trans('settings.reg_enable_external_warning') }}</div>
|
||||||
@endif
|
@endif
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
@include('form.checkbox', ['name' => 'mfa_enforced', 'label' => trans('settings.role_mfa_enforced') ])
|
@include('form.checkbox', ['name' => 'mfa_enforced', 'label' => trans('settings.role_mfa_enforced') ])
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
@if(in_array(config('auth.method'), ['ldap', 'saml2', 'openid']))
|
@if(in_array(config('auth.method'), ['ldap', 'saml2', 'oidc']))
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<label for="name">{{ trans('settings.role_external_auth_id') }}</label>
|
<label for="name">{{ trans('settings.role_external_auth_id') }}</label>
|
||||||
@include('form.text', ['name' => 'external_auth_id'])
|
@include('form.text', ['name' => 'external_auth_id'])
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
@if(in_array($authMethod, ['ldap', 'saml2', 'openid']) && userCan('users-manage'))
|
@if(in_array($authMethod, ['ldap', 'saml2', 'oidc']) && userCan('users-manage'))
|
||||||
<div class="grid half gap-xl v-center">
|
<div class="grid half gap-xl v-center">
|
||||||
<div>
|
<div>
|
||||||
<label class="setting-list-label">{{ trans('settings.users_external_auth_id') }}</label>
|
<label class="setting-list-label">{{ trans('settings.users_external_auth_id') }}</label>
|
||||||
|
@ -267,10 +267,9 @@ Route::get('/saml2/metadata', 'Auth\Saml2Controller@metadata');
|
|||||||
Route::get('/saml2/sls', 'Auth\Saml2Controller@sls');
|
Route::get('/saml2/sls', 'Auth\Saml2Controller@sls');
|
||||||
Route::post('/saml2/acs', 'Auth\Saml2Controller@acs');
|
Route::post('/saml2/acs', 'Auth\Saml2Controller@acs');
|
||||||
|
|
||||||
// OpenId routes
|
// OIDC routes
|
||||||
Route::post('/openid/login', 'Auth\OpenIdController@login');
|
Route::post('/oidc/login', 'Auth\OpenIdConnectController@login');
|
||||||
Route::get('/openid/logout', 'Auth\OpenIdController@logout');
|
Route::get('/oidc/redirect', 'Auth\OpenIdConnectController@redirect');
|
||||||
Route::get('/openid/redirect', 'Auth\OpenIdController@redirect');
|
|
||||||
|
|
||||||
// User invitation routes
|
// User invitation routes
|
||||||
Route::get('/register/invite/{token}', 'Auth\UserInviteController@showSetPassword');
|
Route::get('/register/invite/{token}', 'Auth\UserInviteController@showSetPassword');
|
||||||
|
Loading…
Reference in New Issue
Block a user