
Commit 8625dc6

committed
Merge #29 [V33] Backchannel logout fix
2 parents 803c251 + 5a2ffd1 commit 8625dc6


1 file changed

+50
-16
lines changed

1 file changed

+50
-16
lines changed

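--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -171,12 +171,26 @@ public function login(int $providerId, ?string $redirectUrl = null) {
 return $this->buildErrorTemplateResponse($message, Http::STATUS_NOT_FOUND, ['reason' => 'provider unreachable']);
 }
 
-$state = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
-$this->session->set(self::STATE, $state);
-$this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);
+// $state = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
+// $this->session->set(self::STATE, $state);
+// $this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);
 
-$nonce = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
-$this->session->set(self::NONCE, $nonce);
+// $nonce = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
+// $this->session->set(self::NONCE, $nonce);
+
+// check if oidc state is present in session data
+if ($this->session->exists(self::STATE)) {
+$state = $this->session->get(self::STATE);
+$nonce = $this->session->get(self::NONCE);
+} else {
+$state = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
+$this->session->set(self::STATE, $state);
+$this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);
+
+$nonce = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
+$this->session->set(self::NONCE, $nonce);
+$this->session->set(self::PROVIDERID, $providerId);
+}
 
 $oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
 $isPkceSupported = in_array('S256', $discovery['code_challenge_methods_supported'] ?? [], true);
@@ -188,7 +202,7 @@ public function login(int $providerId, ?string $redirectUrl = null) {
 $this->session->set(self::CODE_VERIFIER, $code_verifier);
 }
 
-$this->session->set(self::PROVIDERID, $providerId);
+// $this->session->set(self::PROVIDERID, $providerId);
 $this->session->close();
 
 // get attribute mapping settings
@@ -601,16 +615,20 @@ public function code(string $state = '', string $code = '', string $scope = '',
 $this->eventDispatcher->dispatchTyped(new UserLoggedInEvent($user, $user->getUID(), null, false));
 }
 
-$storeLoginTokenEnabled = $this->appConfig->getValueString(Application::APP_ID, 'store_login_token', '0') === '1';
-if ($storeLoginTokenEnabled) {
+// $storeLoginTokenEnabled = $this->appConfig->getValueString(Application::APP_ID, 'store_login_token', '0') === '1';
+// if ($storeLoginTokenEnabled) {
 // store all token information for potential token exchange requests
-$tokenData = array_merge(
-$data,
-['provider_id' => $providerId],
-);
-$this->tokenService->storeToken($tokenData);
-}
-$this->config->setUserValue($user->getUID(), Application::APP_ID, 'had_token_once', '1');
+// $tokenData = array_merge(
+// $data,
+// ['provider_id' => $providerId],
+// );
+// $this->tokenService->storeToken($tokenData);
+// }
+// $this->config->setUserValue($user->getUID(), Application::APP_ID, 'had_token_once', '1');
+
+// remove code login session values
+$this->session->remove(self::STATE);
+$this->session->remove(self::NONCE);
 
 // Set last password confirm to the future as we don't have passwords to confirm against with SSO
 $this->session->set('last-password-confirm', strtotime('+4 year', time()));
@@ -619,7 +637,7 @@ public function code(string $state = '', string $code = '', string $scope = '',
 try {
 $authToken = $this->authTokenProvider->getToken($this->session->getId());
 $this->sessionMapper->createOrUpdateSession(
-$idTokenPayload->sid ?? 'fallback-sid',
+$idTokenPayload->{'urn:telekom.com:session_token'} ?? 'fallback-sid',
 $idTokenPayload->sub ?? 'fallback-sub',
 $idTokenPayload->iss ?? 'fallback-iss',
 $authToken->getId(),
@@ -901,6 +919,22 @@ private function getBackchannelLogoutErrorResponse(
 );
 }
 
+/**
+* Backward compatible function for MagentaCLOUD to smoothly transition to new config
+*
+* @PublicPage
+* @NoCSRFRequired
+* @BruteForceProtection(action=userOidcBackchannelLogout)
+*
+* @param string $logout_token
+* @return JSONResponse
+* @throws Exception
+* @throws \JsonException
+*/
+public function telekomBackChannelLogout(string $logout_token = '') {
+return $this->backChannelLogout('Telekom', $logout_token);
+}
+
 private function toCodeChallenge(string $data): string {
 // Basically one big work around for the base64url decode being weird
 $h = pack('H*', hash('sha256', $data));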
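Review bot: In the first hunk of login(), the new reuse branch under `if ($this->session->exists(self::STATE))` reads STATE and NONCE back but never writes the current `$providerId` or `$redirectUrl` into the session, and the unconditional `$this->session->set(self::PROVIDERID, $providerId);` in the second hunk is commented out, so a second login attempt with a different provider or redirect target is completed against the stale values left by the first one. Moving `$this->session->set(self::REDIRECT_AFTER_LOGIN, $redirectUrl);` and `$this->session->set(self::PROVIDERID, $providerId);` out of the else branch to run after the if/else keeps the state reuse while binding the session to the current request. Reusing one state/nonce across attempts also means a callback from an earlier, abandoned authorization request stays acceptable until code() removes them in the third hunk; if that is intended, say so in the `// check if oidc state is present in session data` comment. In the fourth hunk the standard `sid` claim is replaced by `urn:telekom.com:session_token` as the stored session key, which presumably only matches if backChannelLogout (outside this view) looks up sessions by the same claim from the logout token — a comment naming that coupling would help. The old lines in the first three hunks should be deleted rather than left as `//` comments, `telekomBackChannelLogout` in the last hunk should declare the `: JSONResponse` return type its docblock already promises, and login() and code() both continue outside these hunks.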
