First basic OpenID Connect implementation

diff --git a/.env.example.complete b/.env.example.complete
index 472ca051b336388715aab7781c8ec7ab5658978c..b211ad939cacb96acfcbf87c6469dd5a95b3cb1e 100644 (file)
--- a/.env.example.complete
+++ b/.env.example.complete
@@ -228,6 +228,14 @@ SAML2_USER_TO_GROUPS=false
 SAML2_GROUP_ATTRIBUTE=group
 SAML2_REMOVE_FROM_GROUPS=false
 
 SAML2_GROUP_ATTRIBUTE=group
 SAML2_REMOVE_FROM_GROUPS=false
 

+# OpenID Connect authentication configuration
+OPENID_CLIENT_ID=null
+OPENID_CLIENT_SECRET=null
+OPENID_ISSUER=https://example.com
+OPENID_PUBLIC_KEY=file:///my/public.key
+OPENID_URL_AUTHORIZE=https://example.com/authorize
+OPENID_URL_TOKEN=https://example.com/token
+

 # Disable default third-party services such as Gravatar and Draw.IO
 # Service-specific options will override this option
 DISABLE_EXTERNAL_SERVICES=false
 # Disable default third-party services such as Gravatar and Draw.IO
 # Service-specific options will override this option
 DISABLE_EXTERNAL_SERVICES=false

diff --git a/app/Auth/Access/Guards/OpenIdSessionGuard.php b/app/Auth/Access/Guards/OpenIdSessionGuard.php
new file mode 100644 (file)
index 0000000..0dfbb67
--- /dev/null
+++ b/app/Auth/Access/Guards/OpenIdSessionGuard.php
@@ -0,0 +1,39 @@
+<?php
+
+namespace BookStack\Auth\Access\Guards;
+
+/**
+ * OpenId Session Guard
+ *
+ * The OpenId login process is async in nature meaning it does not fit very well
+ * into the default laravel 'Guard' auth flow. Instead most of the logic is done
+ * via the OpenId controller & OpenIdService. This class provides a safer, thin
+ * version of SessionGuard.
+ *
+ * @package BookStack\Auth\Access\Guards
+ */
+class OpenIdSessionGuard extends ExternalBaseSessionGuard
+{
+    /**
+     * Validate a user's credentials.
+     *
+     * @param array $credentials
+     * @return bool
+     */
+    public function validate(array $credentials = [])
+    {
+        return false;
+    }
+
+    /**
+     * Attempt to authenticate a user using the given credentials.
+     *
+     * @param array $credentials
+     * @param bool $remember
+     * @return bool
+     */
+    public function attempt(array $credentials = [], $remember = false)
+    {
+        return false;
+    }
+}

diff --git a/app/Auth/Access/OpenIdService.php b/app/Auth/Access/OpenIdService.php
new file mode 100644 (file)
index 0000000..870299a
--- /dev/null
+++ b/app/Auth/Access/OpenIdService.php
@@ -0,0 +1,235 @@
+<?php namespace BookStack\Auth\Access;
+
+use BookStack\Auth\User;
+use BookStack\Exceptions\JsonDebugException;
+use BookStack\Exceptions\OpenIdException;
+use BookStack\Exceptions\UserRegistrationException;
+use Exception;
+use Illuminate\Support\Str;
+use Lcobucci\JWT\Token;
+use OpenIDConnectClient\AccessToken;
+use OpenIDConnectClient\OpenIDConnectProvider;
+
+/**
+ * Class OpenIdService
+ * Handles any app-specific OpenId tasks.
+ */
+class OpenIdService extends ExternalAuthService
+{
+    protected $config;
+    protected $registrationService;
+    protected $user;
+
+    /**
+     * OpenIdService constructor.
+     */
+    public function __construct(RegistrationService $registrationService, User $user)
+    {
+        $this->config = config('openid');
+        $this->registrationService = $registrationService;
+        $this->user = $user;
+    }
+
+    /**
+     * Initiate a authorization flow.
+     * @throws Error
+     */
+    public function login(): array
+    {
+        $provider = $this->getProvider();
+        return [
+            'url' => $provider->getAuthorizationUrl(),
+            'state' => $provider->getState(),
+        ];
+    }
+
+    /**
+     * Initiate a logout flow.
+     * @throws Error
+     */
+    public function logout(): array
+    {
+        $this->actionLogout();
+        $url = '/';
+        $id = null;
+
+        return ['url' => $url, 'id' => $id];
+    }
+
+    /**
+     * Process the Authorization response from the authorization server and
+     * return the matching, or new if registration active, user matched to
+     * the authorization server.
+     * Returns null if not authenticated.
+     * @throws Error
+     * @throws OpenIdException
+     * @throws ValidationError
+     * @throws JsonDebugException
+     * @throws UserRegistrationException
+     */
+    public function processAuthorizeResponse(?string $authorizationCode): ?User
+    {
+        $provider = $this->getProvider();
+
+        // Try to exchange authorization code for access token
+        $accessToken = $provider->getAccessToken('authorization_code', [
+            'code' => $authorizationCode,
+        ]);
+
+        return $this->processAccessTokenCallback($accessToken);
+    }
+
+    /**
+     * Do the required actions to log a user out.
+     */
+    protected function actionLogout()
+    {
+        auth()->logout();
+        session()->invalidate();
+    }
+
+    /**
+     * Load the underlying Onelogin SAML2 toolkit.
+     * @throws Error
+     * @throws Exception
+     */
+    protected function getProvider(): OpenIDConnectProvider
+    {
+        $settings = $this->config['openid'];
+        $overrides = $this->config['openid_overrides'] ?? [];
+
+        if ($overrides && is_string($overrides)) {
+            $overrides = json_decode($overrides, true);
+        }
+
+        $openIdSettings = $this->loadOpenIdDetails();
+        $settings = array_replace_recursive($settings, $openIdSettings, $overrides);
+
+        $signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
+        return new OpenIDConnectProvider($settings, ['signer' => $signer]);
+    }
+
+    /**
+     * Load dynamic service provider options required by the onelogin toolkit.
+     */
+    protected function loadOpenIdDetails(): array
+    {
+        return [
+            'redirectUri' => url('/openid/redirect'),
+        ];
+    }
+
+    /**
+     * Calculate the display name
+     */
+    protected function getUserDisplayName(Token $token, string $defaultValue): string
+    {
+        $displayNameAttr = $this->config['display_name_attributes'];
+
+        $displayName = [];
+        foreach ($displayNameAttr as $dnAttr) {
+            $dnComponent = $token->getClaim($dnAttr, '');
+            if ($dnComponent !== '') {
+                $displayName[] = $dnComponent;
+            }
+        }
+
+        if (count($displayName) == 0) {
+            $displayName = $defaultValue;
+        } else {
+            $displayName = implode(' ', $displayName);
+        }
+
+        return $displayName;
+    }
+
+    /**
+     * Get the value to use as the external id saved in BookStack
+     * used to link the user to an existing BookStack DB user.
+     */
+    protected function getExternalId(Token $token, string $defaultValue)
+    {
+        $userNameAttr = $this->config['external_id_attribute'];
+        if ($userNameAttr === null) {
+            return $defaultValue;
+        }
+
+        return $token->getClaim($userNameAttr, $defaultValue);
+    }
+
+    /**
+     * Extract the details of a user from a SAML response.
+     */
+    protected function getUserDetails(Token $token): array
+    {
+        $email = null;
+        $emailAttr = $this->config['email_attribute'];
+        if ($token->hasClaim($emailAttr)) {
+            $email = $token->getClaim($emailAttr);
+        }
+
+        return [
+            'external_id' => $token->getClaim('sub'),
+            'email' => $email,
+            'name' => $this->getUserDisplayName($token, $email),
+        ];
+    }
+
+    /**
+     * Get the user from the database for the specified details.
+     * @throws OpenIdException
+     * @throws UserRegistrationException
+     */
+    protected function getOrRegisterUser(array $userDetails): ?User
+    {
+        $user = $this->user->newQuery()
+          ->where('external_auth_id', '=', $userDetails['external_id'])
+          ->first();
+
+        if (is_null($user)) {
+            $userData = [
+                'name' => $userDetails['name'],
+                'email' => $userDetails['email'],
+                'password' => Str::random(32),
+                'external_auth_id' => $userDetails['external_id'],
+            ];
+
+            $user = $this->registrationService->registerUser($userData, null, false);
+        }
+
+        return $user;
+    }
+
+    /**
+     * Processes a received access token for a user. Login the user when
+     * they exist, optionally registering them automatically.
+     * @throws OpenIdException
+     * @throws JsonDebugException
+     * @throws UserRegistrationException
+     */
+    public function processAccessTokenCallback(AccessToken $accessToken): User
+    {
+        $userDetails = $this->getUserDetails($accessToken->getIdToken());
+        $isLoggedIn = auth()->check();
+
+        if ($this->config['dump_user_details']) {
+            throw new JsonDebugException($accessToken->jsonSerialize());
+        }
+
+        if ($userDetails['email'] === null) {
+            throw new OpenIdException(trans('errors.openid_no_email_address'));
+        }
+
+        if ($isLoggedIn) {
+            throw new OpenIdException(trans('errors.openid_already_logged_in'), '/login');
+        }
+
+        $user = $this->getOrRegisterUser($userDetails);
+        if ($user === null) {
+            throw new OpenIdException(trans('errors.openid_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
+        }
+
+        auth()->login($user);
+        return $user;
+    }
+}

diff --git a/app/Config/auth.php b/app/Config/auth.php
index 51b152ff184805e67e5addd1573a6e2258c51e9d..a1824bc78292858468b54cb090b775538c3d2ef7 100644 (file)
--- a/app/Config/auth.php
+++ b/app/Config/auth.php
@@ -40,6 +40,10 @@ return [
             'driver' => 'saml2-session',
             'provider' => 'external',
         ],
             'driver' => 'saml2-session',
             'provider' => 'external',
         ],

+        'openid' => [
+            'driver' => 'openid-session',
+            'provider' => 'external',
+        ],

         'api' => [
             'driver' => 'api-token',
         ],
         'api' => [
             'driver' => 'api-token',
         ],

diff --git a/app/Config/openid.php b/app/Config/openid.php
new file mode 100644 (file)
index 0000000..2232ba7
--- /dev/null
+++ b/app/Config/openid.php
@@ -0,0 +1,43 @@
+<?php
+
+return [
+
+    // Display name, shown to users, for OpenId option
+    'name' => env('OPENID_NAME', 'SSO'),
+
+    // Dump user details after a login request for debugging purposes
+    'dump_user_details' => env('OPENID_DUMP_USER_DETAILS', false),
+
+    // Attribute, within a OpenId token, to find the user's email address
+    'email_attribute' => env('OPENID_EMAIL_ATTRIBUTE', 'email'),
+    // Attribute, within a OpenId token, to find the user's display name
+    'display_name_attributes' => explode('|', env('OPENID_DISPLAY_NAME_ATTRIBUTES', 'username')),
+    // Attribute, within a OpenId token, to use to connect a BookStack user to the OpenId user.
+    'external_id_attribute' => env('OPENID_EXTERNAL_ID_ATTRIBUTE', null),
+
+    // Overrides, in JSON format, to the configuration passed to underlying OpenIDConnectProvider library.
+    'openid_overrides' => env('OPENID_OVERRIDES', null),
+
+    'openid' => [
+        // OAuth2/OpenId client id, as configured in your Authorization server.
+        'clientId'                => env('OPENID_CLIENT_ID', ''),
+
+        // OAuth2/OpenId client secret, as configured in your Authorization server.
+        'clientSecret'            => env('OPENID_CLIENT_SECRET', ''),
+
+        // OAuth2 scopes that are request, by default the OpenId-native profile and email scopes.
+        'scopes'                  => 'profile email',
+
+        // The issuer of the identity token (id_token) this will be compared with what is returned in the token.
+        'idTokenIssuer'           => env('OPENID_ISSUER', ''),
+
+        // Public key that's used to verify the JWT token with.
+        'publicKey'               => env('OPENID_PUBLIC_KEY', ''),
+
+        // OAuth2 endpoints.
+        'urlAuthorize'            => env('OPENID_URL_AUTHORIZE', ''),
+        'urlAccessToken'          => env('OPENID_URL_TOKEN', ''),
+        'urlResourceOwnerDetails' => env('OPENID_URL_RESOURCE', ''),
+    ],
+
+];

diff --git a/app/Exceptions/OpenIdException.php b/app/Exceptions/OpenIdException.php
new file mode 100644 (file)
index 0000000..056f95c
--- /dev/null
+++ b/app/Exceptions/OpenIdException.php
@@ -0,0 +1,6 @@
+<?php namespace BookStack\Exceptions;
+
+class OpenIdException extends NotifyException
+{
+
+}

diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index fb2573b5cc2f32abc3f3b70f7b8eeeb0c8d125ab..7ec7176468eea762fd5618e00e47d0fd7d7667b1 100644 (file)
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -136,7 +136,7 @@ class LoginController extends Controller
     {
         // Authenticate on all session guards if a likely admin
         if ($user->can('users-manage') && $user->can('user-roles-manage')) {
     {
         // Authenticate on all session guards if a likely admin
         if ($user->can('users-manage') && $user->can('user-roles-manage')) {

-            $guards = ['standard', 'ldap', 'saml2'];
+            $guards = ['standard', 'ldap', 'saml2', 'openid'];

             foreach ($guards as $guard) {
                 auth($guard)->login($user);
             }
             foreach ($guards as $guard) {
                 auth($guard)->login($user);
             }


@@ -186,5 +186,4 @@ class LoginController extends Controller
 
         return redirect('/login');
     }
 
         return redirect('/login');
     }

-

 }
 }

diff --git a/app/Http/Controllers/Auth/OpenIdController.php b/app/Http/Controllers/Auth/OpenIdController.php
new file mode 100644 (file)
index 0000000..8e475ff
--- /dev/null
+++ b/app/Http/Controllers/Auth/OpenIdController.php
@@ -0,0 +1,70 @@
+<?php
+
+namespace BookStack\Http\Controllers\Auth;
+
+use BookStack\Auth\Access\OpenIdService;
+use BookStack\Http\Controllers\Controller;
+
+class OpenIdController extends Controller
+{
+
+    protected $openidService;
+
+    /**
+     * OpenIdController constructor.
+     */
+    public function __construct(OpenIdService $openidService)
+    {
+        parent::__construct();
+        $this->openidService = $openidService;
+        $this->middleware('guard:openid');
+    }
+
+    /**
+     * Start the authorization login flow via OpenId Connect.
+     */
+    public function login()
+    {
+        $loginDetails = $this->openidService->login();
+        session()->flash('openid_state', $loginDetails['state']);
+
+        return redirect($loginDetails['url']);
+    }
+
+    /**
+     * Start the logout flow via OpenId Connect.
+     */
+    public function logout()
+    {
+        $logoutDetails = $this->openidService->logout();
+
+        if ($logoutDetails['id']) {
+            session()->flash('saml2_logout_request_id', $logoutDetails['id']);
+        }
+
+        return redirect($logoutDetails['url']);
+    }
+
+    /**
+     * Authorization flow Redirect.
+     * Processes authorization response from the OpenId Connect Authorization Server.
+     */
+    public function redirect()
+    {
+        $storedState = session()->pull('openid_state');
+        $responseState = request()->query('state');
+
+        if ($storedState !== $responseState) {
+            $this->showErrorNotification(trans('errors.openid_fail_authed', ['system' => config('saml2.name')]));
+            return redirect('/login');
+        }
+
+        $user = $this->openidService->processAuthorizeResponse(request()->query('code'));
+        if ($user === null) {
+            $this->showErrorNotification(trans('errors.openid_fail_authed', ['system' => config('saml2.name')]));
+            return redirect('/login');
+        }
+
+        return redirect()->intended();
+    }
+}

diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index 97ec31dcce0b2dfa2a539319afe126f23eb79788..5db3c59bd0f3b55220f815942e2d7189222d3138 100644 (file)
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -76,7 +76,7 @@ class UserController extends Controller
         if ($authMethod === 'standard' && !$sendInvite) {
             $validationRules['password'] = 'required|min:6';
             $validationRules['password-confirm'] = 'required|same:password';
         if ($authMethod === 'standard' && !$sendInvite) {
             $validationRules['password'] = 'required|min:6';
             $validationRules['password-confirm'] = 'required|same:password';

-        } elseif ($authMethod === 'ldap' || $authMethod === 'saml2') {
+        } elseif ($authMethod === 'ldap' || $authMethod === 'saml2' || $authMethod === 'openid') {

             $validationRules['external_auth_id'] = 'required';
         }
         $this->validate($request, $validationRules);
             $validationRules['external_auth_id'] = 'required';
         }
         $this->validate($request, $validationRules);


@@ -85,7 +85,7 @@ class UserController extends Controller
 
         if ($authMethod === 'standard') {
             $user->password = bcrypt($request->get('password', Str::random(32)));
 
         if ($authMethod === 'standard') {
             $user->password = bcrypt($request->get('password', Str::random(32)));

-        } elseif ($authMethod === 'ldap' || $authMethod === 'saml2') {
+        } elseif ($authMethod === 'ldap' || $authMethod === 'saml2' || $authMethod === 'openid') {

             $user->external_auth_id = $request->get('external_auth_id');
         }
 
             $user->external_auth_id = $request->get('external_auth_id');
         }
 

diff --git a/app/Http/Middleware/VerifyCsrfToken.php b/app/Http/Middleware/VerifyCsrfToken.php
index bdeb265540a9bde5c6d53f6ffef8b5e8f1ca3711..007564eb3ada1826e38e25a1ca62ff1a04e855ba 100644 (file)
--- a/app/Http/Middleware/VerifyCsrfToken.php
+++ b/app/Http/Middleware/VerifyCsrfToken.php
@@ -19,6 +19,7 @@ class VerifyCsrfToken extends Middleware
      * @var array
      */
     protected $except = [
      * @var array
      */
     protected $except = [

-        'saml2/*'
+        'saml2/*',
+        'openid/*'

     ];
 }
     ];
 }

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index fe52df1686cec7ac00bcd82ba14a1c74b0b5f3dd..1b3f169ae5ff5a410e0057176c42d1474dbe7495 100644 (file)
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -7,6 +7,7 @@ use BookStack\Api\ApiTokenGuard;
 use BookStack\Auth\Access\ExternalBaseUserProvider;
 use BookStack\Auth\Access\Guards\LdapSessionGuard;
 use BookStack\Auth\Access\Guards\Saml2SessionGuard;
 use BookStack\Auth\Access\ExternalBaseUserProvider;
 use BookStack\Auth\Access\Guards\LdapSessionGuard;
 use BookStack\Auth\Access\Guards\Saml2SessionGuard;

+use BookStack\Auth\Access\Guards\OpenIdSessionGuard;

 use BookStack\Auth\Access\LdapService;
 use BookStack\Auth\Access\RegistrationService;
 use BookStack\Auth\UserRepo;
 use BookStack\Auth\Access\LdapService;
 use BookStack\Auth\Access\RegistrationService;
 use BookStack\Auth\UserRepo;


@@ -45,6 +46,16 @@ class AuthServiceProvider extends ServiceProvider
                 $app[RegistrationService::class]
             );
         });
                 $app[RegistrationService::class]
             );
         });

+
+        Auth::extend('openid-session', function ($app, $name, array $config) {
+            $provider = Auth::createUserProvider($config['provider']);
+            return new OpenIdSessionGuard(
+                $name,
+                $provider,
+                $this->app['session.store'],
+                $app[RegistrationService::class]
+            );
+        });

     }
 
     /**
     }
 
     /**

diff --git a/composer.json b/composer.json
index 59fc909d6b1e9f2298a510db246246c06bd46ebd..7b1a3d5928973b53dd7f675648972f77b3fc9f2c 100644 (file)
--- a/composer.json
+++ b/composer.json
@@ -32,7 +32,8 @@
         "socialiteproviders/microsoft-azure": "^3.0",
         "socialiteproviders/okta": "^1.0",
         "socialiteproviders/slack": "^3.0",
         "socialiteproviders/microsoft-azure": "^3.0",
         "socialiteproviders/okta": "^1.0",
         "socialiteproviders/slack": "^3.0",

-        "socialiteproviders/twitch": "^5.0"
+        "socialiteproviders/twitch": "^5.0",
+        "steverhoades/oauth2-openid-connect-client": "^0.3.0"

     },
     "require-dev": {
         "barryvdh/laravel-debugbar": "^3.2.8",
     },
     "require-dev": {
         "barryvdh/laravel-debugbar": "^3.2.8",

diff --git a/composer.lock b/composer.lock
index a8c3b1e50bb500c5b737dc857739e489a4b93ca5..0f5e29792e950d09396f9365a8f28cacc0bb5e40 100644 (file)
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],

-    "content-hash": "34390536dd685e0bc49b179babaa06ec",
+    "content-hash": "f9d604c2456771f9b939f04492dde182",

     "packages": [
         {
             "name": "aws/aws-sdk-php",
     "packages": [
         {
             "name": "aws/aws-sdk-php",


@@ -1814,6 +1814,71 @@
             ],
             "time": "2020-02-04T15:30:01+00:00"
         },
             ],
             "time": "2020-02-04T15:30:01+00:00"
         },

+        {
+            "name": "lcobucci/jwt",
+            "version": "3.3.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/lcobucci/jwt.git",
+                "reference": "56f10808089e38623345e28af2f2d5e4eb579455"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/lcobucci/jwt/zipball/56f10808089e38623345e28af2f2d5e4eb579455",
+                "reference": "56f10808089e38623345e28af2f2d5e4eb579455",
+                "shasum": ""
+            },
+            "require": {
+                "ext-mbstring": "*",
+                "ext-openssl": "*",
+                "php": "^5.6 || ^7.0"
+            },
+            "require-dev": {
+                "mikey179/vfsstream": "~1.5",
+                "phpmd/phpmd": "~2.2",
+                "phpunit/php-invoker": "~1.1",
+                "phpunit/phpunit": "^5.7 || ^7.3",
+                "squizlabs/php_codesniffer": "~2.3"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "3.1-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Lcobucci\\JWT\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Luís Otávio Cobucci Oblonczyk",
+                    "email": "[email protected]",
+                    "role": "Developer"
+                }
+            ],
+            "description": "A simple library to work with JSON Web Token and JSON Web Signature",
+            "keywords": [
+                "JWS",
+                "jwt"
+            ],
+            "funding": [
+                {
+                    "url": "https://github.com/lcobucci",
+                    "type": "github"
+                },
+                {
+                    "url": "https://www.patreon.com/lcobucci",
+                    "type": "patreon"
+                }
+            ],
+            "time": "2020-05-22T08:21:12+00:00"
+        },

         {
             "name": "league/commonmark",
             "version": "1.4.3",
         {
             "name": "league/commonmark",
             "version": "1.4.3",


@@ -2114,6 +2179,73 @@
             ],
             "time": "2016-08-17T00:36:58+00:00"
         },
             ],
             "time": "2016-08-17T00:36:58+00:00"
         },

+        {
+            "name": "league/oauth2-client",
+            "version": "2.4.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/thephpleague/oauth2-client.git",
+                "reference": "cc114abc622a53af969e8664722e84ca36257530"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/cc114abc622a53af969e8664722e84ca36257530",
+                "reference": "cc114abc622a53af969e8664722e84ca36257530",
+                "shasum": ""
+            },
+            "require": {
+                "guzzlehttp/guzzle": "^6.0",
+                "paragonie/random_compat": "^1|^2|^9.99",
+                "php": "^5.6|^7.0"
+            },
+            "require-dev": {
+                "eloquent/liberator": "^2.0",
+                "eloquent/phony-phpunit": "^1.0|^3.0",
+                "jakub-onderka/php-parallel-lint": "^0.9.2",
+                "phpunit/phpunit": "^5.7|^6.0",
+                "squizlabs/php_codesniffer": "^2.3|^3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-2.x": "2.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "League\\OAuth2\\Client\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Alex Bilbie",
+                    "email": "[email protected]",
+                    "homepage": "http://www.alexbilbie.com",
+                    "role": "Developer"
+                },
+                {
+                    "name": "Woody Gilk",
+                    "homepage": "https://github.com/shadowhand",
+                    "role": "Contributor"
+                }
+            ],
+            "description": "OAuth 2.0 Client Library",
+            "keywords": [
+                "Authentication",
+                "SSO",
+                "authorization",
+                "identity",
+                "idp",
+                "oauth",
+                "oauth2",
+                "single sign on"
+            ],
+            "time": "2018-11-22T18:33:57+00:00"
+        },

         {
             "name": "monolog/monolog",
             "version": "2.1.0",
         {
             "name": "monolog/monolog",
             "version": "2.1.0",


@@ -3502,6 +3634,49 @@
             "description": "Twitch OAuth2 Provider for Laravel Socialite",
             "time": "2020-05-06T22:51:30+00:00"
         },
             "description": "Twitch OAuth2 Provider for Laravel Socialite",
             "time": "2020-05-06T22:51:30+00:00"
         },

+        {
+            "name": "steverhoades/oauth2-openid-connect-client",
+            "version": "v0.3.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/steverhoades/oauth2-openid-connect-client.git",
+                "reference": "0159471487540a4620b8d0b693f5f215503a8d75"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/steverhoades/oauth2-openid-connect-client/zipball/0159471487540a4620b8d0b693f5f215503a8d75",
+                "reference": "0159471487540a4620b8d0b693f5f215503a8d75",
+                "shasum": ""
+            },
+            "require": {
+                "lcobucci/jwt": "^3.2",
+                "league/oauth2-client": "^2.0"
+            },
+            "require-dev": {
+                "phpmd/phpmd": "~2.2",
+                "phpunit/php-invoker": "~1.1",
+                "phpunit/phpunit": "~4.5",
+                "squizlabs/php_codesniffer": "~2.3"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "OpenIDConnectClient\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Steve Rhoades",
+                    "email": "[email protected]"
+                }
+            ],
+            "description": "OAuth2 OpenID Connect Client that utilizes the PHP Leagues OAuth2 Client",
+            "time": "2020-05-19T23:06:36+00:00"
+        },

         {
             "name": "swiftmailer/swiftmailer",
             "version": "v6.2.3",
         {
             "name": "swiftmailer/swiftmailer",
             "version": "v6.2.3",

diff --git a/resources/lang/en/errors.php b/resources/lang/en/errors.php
index 06a5285f56fc4ce11e6642549a1002b1bacae698..ec4ce813ea67c3e58d407d753a43bbe6710d2a67 100644 (file)
--- a/resources/lang/en/errors.php
+++ b/resources/lang/en/errors.php
@@ -23,6 +23,10 @@ return [
     'saml_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
     'saml_invalid_response_id' => 'The request from the external authentication system is not recognised by a process started by this application. Navigating back after a login could cause this issue.',
     'saml_fail_authed' => 'Login using :system failed, system did not provide successful authorization',
     'saml_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
     'saml_invalid_response_id' => 'The request from the external authentication system is not recognised by a process started by this application. Navigating back after a login could cause this issue.',
     'saml_fail_authed' => 'Login using :system failed, system did not provide successful authorization',

+    'openid_already_logged_in' => 'Already logged in',
+    'openid_user_not_registered' => 'The user :name is not registered and automatic registration is disabled',
+    'openid_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
+    'openid_fail_authed' => 'Login using :system failed, system did not provide successful authorization',

     'social_no_action_defined' => 'No action defined',
     'social_login_bad_response' => "Error received during :socialAccount login: \n:error",
     'social_account_in_use' => 'This :socialAccount account is already in use, Try logging in via the :socialAccount option.',
     'social_no_action_defined' => 'No action defined',
     'social_login_bad_response' => "Error received during :socialAccount login: \n:error",
     'social_account_in_use' => 'This :socialAccount account is already in use, Try logging in via the :socialAccount option.',

diff --git a/resources/views/auth/forms/login/openid.blade.php b/resources/views/auth/forms/login/openid.blade.php
new file mode 100644 (file)
index 0000000..b1ef51d
--- /dev/null
+++ b/resources/views/auth/forms/login/openid.blade.php
@@ -0,0 +1,11 @@
+<form action="{{ url('/openid/login') }}" method="POST" id="login-form" class="mt-l">
+    {!! csrf_field() !!}
+
+    <div>
+        <button id="saml-login" class="button outline block svg">
+            @icon('saml2')
+            <span>{{ trans('auth.log_in_with', ['socialDriver' => config('openid.name')]) }}</span>
+        </button>
+    </div>
+
+</form>
\ No newline at end of file

diff --git a/resources/views/common/header.blade.php b/resources/views/common/header.blade.php
index 827abcac601d8d6e4276880085a1a27aadb7a960..996d44d27a2f635f31a8a47d0518cbe34abe4b4b 100644 (file)
--- a/resources/views/common/header.blade.php
+++ b/resources/views/common/header.blade.php
@@ -66,6 +66,8 @@
                             <li>
                                 @if(config('auth.method') === 'saml2')
                                     <a href="{{ url('/saml2/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
                             <li>
                                 @if(config('auth.method') === 'saml2')
                                     <a href="{{ url('/saml2/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>

+                                @elseif(config('auth.method') === 'openid')
+                                    <a href="{{ url('/openid/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>

                                 @else
                                     <a href="{{ url('/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
                                 @endif
                                 @else
                                     <a href="{{ url('/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
                                 @endif

diff --git a/resources/views/settings/index.blade.php b/resources/views/settings/index.blade.php
index 6ccb8d8f9d1d50aabf1290991aaccdcab9f2858b..500db64e6554dac4fcb0856f68f4b02d0cb2b2da 100644 (file)
--- a/resources/views/settings/index.blade.php
+++ b/resources/views/settings/index.blade.php
@@ -224,7 +224,7 @@
                                 'label' => trans('settings.reg_enable_toggle')
                             ])
 
                                 'label' => trans('settings.reg_enable_toggle')
                             ])
 

-                            @if(in_array(config('auth.method'), ['ldap', 'saml2']))
+                            @if(in_array(config('auth.method'), ['ldap', 'saml2', 'openid']))

                                 <div class="text-warn text-small mb-l">{{ trans('settings.reg_enable_external_warning') }}</div>
                             @endif
 
                                 <div class="text-warn text-small mb-l">{{ trans('settings.reg_enable_external_warning') }}</div>
                             @endif
 

diff --git a/resources/views/settings/roles/form.blade.php b/resources/views/settings/roles/form.blade.php
index ed57ad94401feb18417fc72a6b843ea1095c287e..b5aa96911e36e699e893fed8d9a3c81d0689d6fa 100644 (file)
--- a/resources/views/settings/roles/form.blade.php
+++ b/resources/views/settings/roles/form.blade.php
@@ -19,7 +19,7 @@
                     @include('form.text', ['name' => 'description'])
                 </div>
 
                     @include('form.text', ['name' => 'description'])
                 </div>
 

-                @if(config('auth.method') === 'ldap' || config('auth.method') === 'saml2')
+                @if(config('auth.method') === 'ldap' || config('auth.method') === 'saml2' || config('auth.method') === 'openid')

                     <div class="form-group">
                         <label for="name">{{ trans('settings.role_external_auth_id') }}</label>
                         @include('form.text', ['name' => 'external_auth_id'])
                     <div class="form-group">
                         <label for="name">{{ trans('settings.role_external_auth_id') }}</label>
                         @include('form.text', ['name' => 'external_auth_id'])

diff --git a/resources/views/users/form.blade.php b/resources/views/users/form.blade.php
index df3d06c2f34f232b17fe033472d4078f293285cb..f3e8cedff7f4fb151a908669efab605a26226ca5 100644 (file)
--- a/resources/views/users/form.blade.php
+++ b/resources/views/users/form.blade.php
@@ -25,7 +25,7 @@
     </div>
 </div>
 
     </div>
 </div>
 

-@if(($authMethod === 'ldap' || $authMethod === 'saml2') && userCan('users-manage'))
+@if(($authMethod === 'ldap' || $authMethod === 'saml2' || $authMethod === 'openid') && userCan('users-manage'))

     <div class="grid half gap-xl v-center">
         <div>
             <label class="setting-list-label">{{ trans('settings.users_external_auth_id') }}</label>
     <div class="grid half gap-xl v-center">
         <div>
             <label class="setting-list-label">{{ trans('settings.users_external_auth_id') }}</label>

diff --git a/routes/web.php b/routes/web.php
index 6b7911825c57d5cce5e79dfc52d53e7ccd958665..a47080e8e1516906a4ade8c294afe939fd3b4098 100644 (file)
--- a/routes/web.php
+++ b/routes/web.php
@@ -234,6 +234,11 @@ Route::get('/saml2/metadata', 'Auth\Saml2Controller@metadata');
 Route::get('/saml2/sls', 'Auth\Saml2Controller@sls');
 Route::post('/saml2/acs', 'Auth\Saml2Controller@acs');
 
 Route::get('/saml2/sls', 'Auth\Saml2Controller@sls');
 Route::post('/saml2/acs', 'Auth\Saml2Controller@acs');
 

+// OpenId routes
+Route::post('/openid/login', 'Auth\OpenIdController@login');
+Route::get('/openid/logout', 'Auth\OpenIdController@logout');
+Route::get('/openid/redirect', 'Auth\OpenIdController@redirect');
+

 // User invitation routes
 Route::get('/register/invite/{token}', 'Auth\UserInviteController@showSetPassword');
 Route::post('/register/invite/{token}', 'Auth\UserInviteController@setPassword');
 // User invitation routes
 Route::get('/register/invite/{token}', 'Auth\UserInviteController@showSetPassword');
 Route::post('/register/invite/{token}', 'Auth\UserInviteController@setPassword');

diff --git a/tests/Auth/AuthTest.php b/tests/Auth/AuthTest.php
index f1f47696641ac4978f2dc33c87a93b5b8805a3e6..779d5e70fc228ba3c631c014160b8e01347c4ce5 100644 (file)
--- a/tests/Auth/AuthTest.php
+++ b/tests/Auth/AuthTest.php
@@ -387,6 +387,7 @@ class AuthTest extends BrowserKitTest
         $this->assertTrue(auth()->check());
         $this->assertTrue(auth('ldap')->check());
         $this->assertTrue(auth('saml2')->check());
         $this->assertTrue(auth()->check());
         $this->assertTrue(auth('ldap')->check());
         $this->assertTrue(auth('saml2')->check());

+        $this->assertTrue(auth('openid')->check());

     }
 
     public function test_login_authenticates_nonadmins_on_default_guard_only()
     }
 
     public function test_login_authenticates_nonadmins_on_default_guard_only()


@@ -399,6 +400,7 @@ class AuthTest extends BrowserKitTest
         $this->assertTrue(auth()->check());
         $this->assertFalse(auth('ldap')->check());
         $this->assertFalse(auth('saml2')->check());
         $this->assertTrue(auth()->check());
         $this->assertFalse(auth('ldap')->check());
         $this->assertFalse(auth('saml2')->check());

+        $this->assertFalse(auth('openid')->check());

     }
 
     /**
     }
 
     /**