
Commit 39cdcb0

committed
Merge #29 [V33] Backchannel logout fix
2 parents 681472c + 5a2ffd1 commit 39cdcb0


1 file changed

+50
-16
lines changed


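--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -172,12 +172,26 @@ public function login(int $providerId, ?string $redirectUrl = null) {
 return $this->buildErrorTemplateResponse($message, Http::STATUS_NOT_FOUND, ['reason' => 'provider unreachable']);
 }
 
-$state = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
-$this->session->set(self::STATE, $state);
-$this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);
+// $state = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
+// $this->session->set(self::STATE, $state);
+// $this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);
 
-$nonce = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
-$this->session->set(self::NONCE, $nonce);
+// $nonce = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
+// $this->session->set(self::NONCE, $nonce);
+
+// check if oidc state is present in session data
+if ($this->session->exists(self::STATE)) {
+$state = $this->session->get(self::STATE);
+$nonce = $this->session->get(self::NONCE);
+} else {
+$state = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
+$this->session->set(self::STATE, $state);
+$this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);
+
+$nonce = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
+$this->session->set(self::NONCE, $nonce);
+$this->session->set(self::PROVIDERID, $providerId);
+}
 
 $oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
 $isPkceSupported = in_array('S256', $discovery['code_challenge_methods_supported'] ?? [], true);
@@ -189,7 +203,7 @@ public function login(int $providerId, ?string $redirectUrl = null) {
 $this->session->set(self::CODE_VERIFIER, $code_verifier);
 }
 
-$this->session->set(self::PROVIDERID, $providerId);
+// $this->session->set(self::PROVIDERID, $providerId);
 $this->session->close();
 
 // get attribute mapping settings
@@ -625,16 +639,20 @@ public function code(string $state = '', string $code = '', string $scope = '',
 $this->eventDispatcher->dispatchTyped(new UserLoggedInEvent($user, $user->getUID(), null, false));
 }
 
-$storeLoginTokenEnabled = $this->appConfig->getValueString(Application::APP_ID, 'store_login_token', '0') === '1';
-if ($storeLoginTokenEnabled) {
+// $storeLoginTokenEnabled = $this->appConfig->getValueString(Application::APP_ID, 'store_login_token', '0') === '1';
+// if ($storeLoginTokenEnabled) {
 // store all token information for potential token exchange requests
-$tokenData = array_merge(
-$data,
-['provider_id' => $providerId],
-);
-$this->tokenService->storeToken($tokenData);
-}
-$this->config->setUserValue($user->getUID(), Application::APP_ID, 'had_token_once', '1');
+// $tokenData = array_merge(
+// $data,
+// ['provider_id' => $providerId],
+// );
+// $this->tokenService->storeToken($tokenData);
+// }
+// $this->config->setUserValue($user->getUID(), Application::APP_ID, 'had_token_once', '1');
+
+// remove code login session values
+$this->session->remove(self::STATE);
+$this->session->remove(self::NONCE);
 
 // Set last password confirm to the future as we don't have passwords to confirm against with SSO
 $this->session->set('last-password-confirm', strtotime('+4 year', time()));
@@ -643,7 +661,7 @@ public function code(string $state = '', string $code = '', string $scope = '',
 try {
 $authToken = $this->authTokenProvider->getToken($this->session->getId());
 $this->sessionMapper->createOrUpdateSession(
-$idTokenPayload->sid ?? 'fallback-sid',
+$idTokenPayload->{'urn:telekom.com:session_token'} ?? 'fallback-sid',
 $idTokenPayload->sub ?? 'fallback-sub',
 $idTokenPayload->iss ?? 'fallback-iss',
 $authToken->getId(),
@@ -925,6 +943,22 @@ private function getBackchannelLogoutErrorResponse(
 );
 }
 
+/**
+* Backward compatible function for MagentaCLOUD to smoothly transition to new config
+*
+* @PublicPage
+* @NoCSRFRequired
+* @BruteForceProtection(action=userOidcBackchannelLogout)
+*
+* @param string $logout_token
+* @return JSONResponse
+* @throws Exception
+* @throws \JsonException
+*/
+public function telekomBackChannelLogout(string $logout_token = '') {
+return $this->backChannelLogout('Telekom', $logout_token);
+}
+
 private function toCodeChallenge(string $data): string {
 // Basically one big work around for the base64url decode being weird
 $h = pack('H*', hash('sha256', $data));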
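Review bot: In the first hunk the reuse branch of `login()` (`if ($this->session->exists(self::STATE))`) carries over `STATE` and `NONCE` but never refreshes `REDIRECT_AFTER_LOGIN` or `PROVIDERID`, and the second hunk comments out the formerly unconditional `set(self::PROVIDERID, ...)`, so a login started for one provider and restarted for another (or with a different redirect target) before the callback completes leaves the stale provider id and redirect URL in the session, which the callback presumably reads; moving `$this->session->set(self::PROVIDERID, $providerId);` and `$this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);` out of the else branch keeps them in step with the current request. That branch also reads `NONCE` without an existence check, so a session holding only `STATE` hands a null nonce to the authorization request. In the fourth hunk the stored session key now comes solely from `urn:telekom.com:session_token`, so every provider that issues a standard `sid` claim collapses onto `'fallback-sid'`; keeping `sid` in the chain, `$idTokenPayload->{'urn:telekom.com:session_token'} ?? $idTokenPayload->sid ?? 'fallback-sid'`, preserves the previous behaviour for them. The commented-out blocks in hunks one to three should be deleted rather than left in place, and `telekomBackChannelLogout()` should declare the `: JSONResponse` return type its docblock promises. Both `login()` and `code()` start and end outside the hunks shown.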
