-
Notifications
You must be signed in to change notification settings - Fork 4
/
login.php
146 lines (120 loc) · 3.66 KB
/
login.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
<?php
// Register an OAuth app at
// https://developer.okta.com/signup/
$client_id = '';
$client_secret = '';
$metadata = http('https://dev-123456.oktapreview.com/oauth2/default/.well-known/oauth-authorization-server');
$ip = '127.0.0.1';
$port = '8080';
$redirect_uri = 'http://'.$ip.':'.$port.'/authorization-code/callback';
$socket_str = 'tcp://'.$ip.':'.$port;
$state = bin2hex(random_bytes(5));
$authorize_url = $metadata->authorization_endpoint.'?'.http_build_query([
'response_type' => 'code',
'client_id' => $client_id,
'redirect_uri' => $redirect_uri,
'state' => $state,
]);
echo "Open the following URL in a browser to continue\n";
echo $authorize_url."\n";
shell_exec("open '".$authorize_url."'");
// Start the mini HTTP server and wait for their browser to hit the redirect URL
// Store the query string parameters in a variable
$auth = startHttpServer($socket_str);
if($auth['state'] != $state) {
echo "Wrong 'state' parameter returned\n";
exit(2);
}
$code = $auth['code'];
echo "Received code=$code state=$state\n";
echo "Getting an access token...\n";
$response = http($metadata->token_endpoint, [
'grant_type' => 'authorization_code',
'code' => $code,
'redirect_uri' => $redirect_uri,
'client_id' => $client_id,
'client_secret' => $client_secret,
]);
if(!isset($response->access_token)) {
echo "Error fetching access token\n";
exit(2);
}
$access_token = $response->access_token;
echo "Getting the username...\n";
$token = http($metadata->introspection_endpoint, [
'token' => $access_token,
'client_id' => $client_id,
'client_secret' => $client_secret,
]);
if($token->active == 1) {
echo "Logged in as ".$token->username."\n";
die();
}
function startHttpServer($socketStr) {
// Adapted from http://cweiske.de/shpub.htm
$responseOk = "HTTP/1.0 200 OK\r\n"
. "Content-Type: text/plain\r\n"
. "\r\n"
. "Ok. You may close this tab and return to the shell.\r\n";
$responseErr = "HTTP/1.0 400 Bad Request\r\n"
. "Content-Type: text/plain\r\n"
. "\r\n"
. "Bad Request\r\n";
ini_set('default_socket_timeout', 60 * 5);
$server = stream_socket_server($socketStr, $errno, $errstr);
if(!$server) {
Log::err('Error starting HTTP server');
return false;
}
do {
$sock = stream_socket_accept($server);
if(!$sock) {
Log::err('Error accepting socket connection');
exit(1);
}
$headers = [];
$body = null;
$content_length = 0;
//read request headers
while(false !== ($line = trim(fgets($sock)))) {
if('' === $line) {
break;
}
$regex = '#^Content-Length:\s*([[:digit:]]+)\s*$#i';
if(preg_match($regex, $line, $matches)) {
$content_length = (int)$matches[1];
}
$headers[] = $line;
}
// read content/body
if($content_length > 0) {
$body = fread($sock, $content_length);
}
// send response
list($method, $url, $httpver) = explode(' ', $headers[0]);
if($method == 'GET') {
#echo "Redirected to $url\n";
$parts = parse_url($url);
#print_r($parts);
if(isset($parts['path']) && $parts['path'] == '/authorization-code/callback'
&& isset($parts['query'])
) {
parse_str($parts['query'], $query);
if(isset($query['code']) && isset($query['state'])) {
fwrite($sock, $responseOk);
fclose($sock);
return $query;
}
}
}
fwrite($sock, $responseErr);
fclose($sock);
} while (true);
}
function http($url, $params=false) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
if($params)
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
return json_decode(curl_exec($ch));
}