3 namespace BookStack\Auth\Access\Oidc;
5 use League\OAuth2\Client\Grant\AbstractGrant;
6 use League\OAuth2\Client\Provider\AbstractProvider;
7 use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
8 use League\OAuth2\Client\Provider\GenericResourceOwner;
9 use League\OAuth2\Client\Provider\ResourceOwnerInterface;
10 use League\OAuth2\Client\Token\AccessToken;
11 use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
12 use Psr\Http\Message\ResponseInterface;
15 * Extended OAuth2Provider for using with OIDC.
16 * Credit to the https://github.com/steverhoades/oauth2-openid-connect-client
17 * project for the idea of extending a League\OAuth2 client for this use-case.
19 class OidcOAuthProvider extends AbstractProvider
21 use BearerAuthorizationTrait;
26 protected $authorizationEndpoint;
31 protected $tokenEndpoint;
34 * Scopes to use for the OIDC authorization call
36 protected array $scopes = ['openid', 'profile', 'email'];
39 * Returns the base URL for authorizing a client.
41 public function getBaseAuthorizationUrl(): string
43 return $this->authorizationEndpoint;
47 * Returns the base URL for requesting an access token.
49 public function getBaseAccessTokenUrl(array $params): string
51 return $this->tokenEndpoint;
55 * Returns the URL for requesting the resource owner's details.
57 public function getResourceOwnerDetailsUrl(AccessToken $token): string
63 * Add an additional scope to this provider upon the default.
65 public function addScope(string $scope): void
67 $this->scopes[] = $scope;
68 $this->scopes = array_unique($this->scopes);
72 * Returns the default scopes used by this provider.
74 * This should only be the scopes that are required to request the details
75 * of the resource owner, rather than all the available scopes.
77 protected function getDefaultScopes(): array
83 * Returns the string that should be used to separate scopes when building
84 * the URL for requesting an access token.
86 protected function getScopeSeparator(): string
92 * Checks a provider response for errors.
94 * @param ResponseInterface $response
95 * @param array|string $data Parsed response data
97 * @throws IdentityProviderException
101 protected function checkResponse(ResponseInterface $response, $data)
103 if ($response->getStatusCode() >= 400 || isset($data['error'])) {
104 throw new IdentityProviderException(
105 $data['error'] ?? $response->getReasonPhrase(),
106 $response->getStatusCode(),
107 (string) $response->getBody()
113 * Generates a resource owner object from a successful resource owner
116 * @param array $response
117 * @param AccessToken $token
119 * @return ResourceOwnerInterface
121 protected function createResourceOwner(array $response, AccessToken $token)
123 return new GenericResourceOwner($response, '');
127 * Creates an access token from a response.
129 * The grant that was used to fetch the response can be used to provide
130 * additional context.
132 * @param array $response
133 * @param AbstractGrant $grant
135 * @return OidcAccessToken
137 protected function createAccessToken(array $response, AbstractGrant $grant)
139 return new OidcAccessToken($response);