From 79beba858a3f98a93da8bca00fffe2973f8e630c Mon Sep 17 00:00:00 2001
From: Danilo Abbasciano
Date: Thu, 4 Nov 2021 11:47:50 +0100
Subject: [PATCH 1/5] add login_hint as method to identify end-user in signOut

---
 src/OpenIDConnectClient.php | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index ee81b02c..7eeed5c2 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -430,23 +430,28 @@ public function authenticate() {
 * Connect provider that the end-user has logged out of the relying party site
 * (the client application).
 *
- * @param string $accessToken ID token (obtained at login)
+ * @param string $enduserIdentification ID token (obtained at login) or username for $method like as "login_hint"
 * @param string|null $redirect URL to which the RP is requesting that the End-User's User Agent
 * be redirected after a logout has been performed. The value MUST have been previously
 * registered with the OP. Value can be null.
+ * @param string $method The way of identifying the end-user for whom authentication is being requested.
+ * The default setting is "id_token_hint". There are two modes supported: "login_hint" and "id_token_hint"
 *
 * @throws OpenIDConnectClientException
 */
- public function signOut($accessToken, $redirect) {
- $signout_endpoint = $this->getProviderConfigValue('end_session_endpoint');
+ public function signOut($enduserIdentification, $redirect, $method = "id_token_hint") {
+ if (!in_array($method, array("id_token_hint", "login_hint")))
+ throw new OpenIDConnectClientException('method must be "id_token_hint" or "login_hint"');
+
+ $signout_endpoint = $this->getProviderConfigValue("end_session_endpoint");
 $signout_params = null;
 if($redirect === null){
- $signout_params = array('id_token_hint' => $accessToken);
+ $signout_params = array($method => $enduserIdentification);
 } else {
 $signout_params = array(
- 'id_token_hint' => $accessToken,
+ $method => $enduserIdentification,
 'post_logout_redirect_uri' => $redirect);
 }
From 1bc3dc7edebd6085125f896ef72c48e056693d55 Mon Sep 17 00:00:00 2001
From: Danilo Abbasciano
Date: Wed, 24 Nov 2021 15:51:41 +0100
Subject: [PATCH 2/5] fix: getState() return empty string

---
 src/OpenIDConnectClient.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index 7eeed5c2..ba64bca3 100644
--- a/src/OpenIDConnectClient.php
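Review bot: Sending a bare `login_hint` to the end_session_endpoint (the new `$signout_params = array($method => $enduserIdentification)` branches) gives the OP nothing that proves which session the RP is asking to terminate; OpenID Connect RP-Initiated Logout defines `id_token_hint` for that purpose, and an OP that cannot bind the request to a session may ignore the hint, show a confirmation page, or decline to honour `post_logout_redirect_uri`. The `@param string $method` text should say that `login_hint` is OP-specific and `id_token_hint` is the interoperable choice, and the `$enduserIdentification` line reads better as `ID token (obtained at login), or a username when $method is "login_hint"`. The whitelist check should compare strictly and use short array syntax with braces: `if (!in_array($method, ['id_token_hint', 'login_hint'], true)) {`. signOut's body continues past the end of the hunk.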
+++ b/src/OpenIDConnectClient.php
@@ -307,6 +307,11 @@ public function authenticate() {
 throw new OpenIDConnectClientException('Got response: ' . $token_json->error);
 }
+ // Sometime getState() return an empty string
+ // and the authentication process fail
+ if ($this->getState() == "")
+ $this->setState($_REQUEST['state']);
+
 // Do an OpenID Connect session check
 if ($_REQUEST['state'] !== $this->getState()) {
 throw new OpenIDConnectClientException('Unable to determine state');
From 7cb2f693a22ea48df042b572425d9afd590bf8f9 Mon Sep 17 00:00:00 2001
From: Danilo
Date: Wed, 24 Nov 2021 16:04:11 +0100
Subject: [PATCH 3/5] fix: getState() return empty string

---
 src/OpenIDConnectClient.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index 7eeed5c2..a5d9fb56 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -307,6 +307,11 @@ public function authenticate() {
 throw new OpenIDConnectClientException('Got response: ' . $token_json->error);
 }
+ // Sometime getState() return an empty string
+ // and the authentication process fail
+ if ($this->getState() == "")
+ $this->setState($_REQUEST['state']);
+
 // Do an OpenID Connect session check
 if ($_REQUEST['state'] !== $this->getState()) {
 throw new OpenIDConnectClientException('Unable to determine state');
From d2c116ef7ac1439cd54b1c1f378160782c229454 Mon Sep 17 00:00:00 2001
From: Aladdin
Date: Thu, 15 Jun 2023 12:48:50 +0200
Subject: [PATCH 4/5] Fix: setNonce when it's empty

---
 src/OpenIDConnectClient.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index a5d9fb56..3d09d666 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
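Review bot: Copying `$_REQUEST['state']` into the session when the stored state is empty (`if ($this->getState() == "") $this->setState($_REQUEST['state']);`) makes the check three lines below compare the request value with itself, so a callback is accepted even when this client never started the authorization request; the state parameter exists precisely to reject that, and the added lines remove its protection in the one case where it would have fired. An empty stored state means the session was not persisted or was lost across the redirect, and the correct outcome is the existing `throw new OpenIDConnectClientException('Unable to determine state');`, so the five added lines should be dropped and the session handling fixed instead (requestAuthorization already calls `$this->commitSession()` before redirecting, as the @@ -692 hunk of patch 5 shows, so the gap is presumably session start or cookie settings on the callback request). The `== ""` loose comparison should in any case be `=== ''`. PATCH 3/5 re-applies this identical hunk, and patches 4 and 5 only re-touch its whitespace; the same remark applies to all of them. authenticate() begins and ends outside the hunk.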
@@ -307,7 +307,7 @@ public function authenticate() {
 throw new OpenIDConnectClientException('Got response: ' . $token_json->error);
 }
- // Sometime getState() return an empty string
+ // Sometime getState() return an empty string
 // and the authentication process fail
 if ($this->getState() == "")
 $this->setState($_REQUEST['state']);
@@ -344,6 +344,13 @@ public function authenticate() {
 // Save the access token
 $this->accessToken = $token_json->access_token;
+ // During verifyJWTclaims sometime return an empty string (probably caused by the session timeout between KC and Client)
+ // Which cause issue in the *_auth.php, this should "patch" the randomic emptiness.
+ if ($this->getNonce() == "") {
+ $this->setNonce($claims->nonce);
+ user_error('Warning: Function getNonce return empty, setting in the session!');
+ };
+
 // If this is a valid claim
 if ($this->verifyJWTclaims($claims, $token_json->access_token)) {
From b493b44fad08617670b70638889c73a87a9a4f31 Mon Sep 17 00:00:00 2001
From: Danilo Abbasciano
Date: Wed, 8 Nov 2023 14:36:51 +0100
Subject: [PATCH 5/5] fix: http_build_query(): Passing null to parameter #2 ($numeric_prefix) of type string is deprecated

---
 src/OpenIDConnectClient.php | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index 3d09d666..2568b44a 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -307,11 +307,11 @@ public function authenticate() {
 throw new OpenIDConnectClientException('Got response: ' . $token_json->error);
 }
- // Sometime getState() return an empty string
+ // Sometime getState() return an empty string
 // and the authentication process fail
 if ($this->getState() == "")
 $this->setState($_REQUEST['state']);
-
+
 // Do an OpenID Connect session check
 if ($_REQUEST['state'] !== $this->getState()) {
 throw new OpenIDConnectClientException('Unable to determine state');
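Review bot: Overwriting an empty session nonce with `$claims->nonce` immediately before `verifyJWTclaims($claims, ...)` runs (the @@ -344 hunk) turns the nonce comparison into a check of the token's value against itself, so an ID token that was not issued for this browser's authorization request passes whenever the session nonce is missing; the nonce exists precisely to reject such a token. An empty nonce means the session was lost or never started, and authentication should stop there, e.g. `throw new OpenIDConnectClientException('Unable to determine nonce');`, rather than be patched over with `user_error(...)`, whose default E_USER_NOTICE level is easily unseen in production. The block also reads `$claims->nonce` without checking the property exists and ends with `};`, an empty statement after the closing brace. Whether the session loss is caused by a timeout between the OP and the client, as the added comment speculates, is not visible here; the fix belongs in session persistence, not in the claim check. authenticate() begins and ends outside the hunk.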
@@ -350,7 +350,7 @@ public function authenticate() {
 $this->setNonce($claims->nonce);
 user_error('Warning: Function getNonce return empty, setting in the session!');
 };
-
+
 // If this is a valid claim
 if ($this->verifyJWTclaims($claims, $token_json->access_token)) {
@@ -467,7 +467,7 @@ public function signOut($enduserIdentification, $redirect, $method = "id_token_h
 'post_logout_redirect_uri' => $redirect);
 }
- $signout_endpoint .= (strpos($signout_endpoint, '?') === false ? '?' : '&') . http_build_query( $signout_params, null, '&', $this->enc_type);
+ $signout_endpoint .= (strpos($signout_endpoint, '?') === false ? '?' : '&') . http_build_query( $signout_params, '', '&', $this->enc_type);
 $this->redirect($signout_endpoint);
 }
@@ -692,7 +692,7 @@ private function requestAuthorization() {
 ));
 }
- $auth_endpoint .= (strpos($auth_endpoint, '?') === false ? '?' : '&') . http_build_query($auth_params, null, '&', $this->enc_type);
+ $auth_endpoint .= (strpos($auth_endpoint, '?') === false ? '?' : '&') . http_build_query($auth_params, '', '&', $this->enc_type);
 $this->commitSession();
 $this->redirect($auth_endpoint);
@@ -718,7 +718,7 @@ public function requestClientCredentialsToken() {
 );
 // Convert token params to string format
- $post_params = http_build_query($post_data, null, '&', $this->enc_type);
+ $post_params = http_build_query($post_data, '', '&', $this->enc_type);
 return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
 }
@@ -753,7 +753,7 @@ public function requestResourceOwnerToken($bClientAuth = FALSE) {
 }
 // Convert token params to string format
- $post_params = http_build_query($post_data, null, '&', $this->enc_type);
+ $post_params = http_build_query($post_data, '', '&', $this->enc_type);
 return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
 }
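Review bot: The same `null` → `''` substitution is made by hand at eight http_build_query call sites (the @@ -467 hunk here and @@ -692, -718, -753, -799, -826, -1441, -1472), which suggests the query and form encoding belongs in one private helper such as `private function buildQuery(array $params): string { return http_build_query($params, '', '&', $this->enc_type); }` so the next change to it is made once. Such a helper would also make explicit that introspectToken and revokeToken omit `$this->enc_type` while every other site passes it; whether that difference is intentional is not visible here, but a single call path would turn it into a deliberate choice rather than an accident of copy-paste. As a style point, `(strpos($signout_endpoint, '?') === false ? '?' : '&')` could become `(str_contains($signout_endpoint, '?') ? '&' : '?')` if the project's minimum PHP version allows it.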
@@ -799,7 +799,7 @@ protected function requestTokens($code) {
 }
 // Convert token params to string format
- $token_params = http_build_query($token_params, null, '&', $this->enc_type);
+ $token_params = http_build_query($token_params, '', '&', $this->enc_type);
 $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers));
@@ -826,7 +826,7 @@ public function refreshToken($refresh_token) {
 );
 // Convert token params to string format
- $token_params = http_build_query($token_params, null, '&', $this->enc_type);
+ $token_params = http_build_query($token_params, '', '&', $this->enc_type);
 $json = json_decode($this->fetchURL($token_endpoint, $token_params));
@@ -1441,7 +1441,7 @@ public function introspectToken($token, $token_type_hint = '', $clientId = null,
 $clientSecret = $clientSecret !== null ? $clientSecret : $this->clientSecret;
 // Convert token params to string format
- $post_params = http_build_query($post_data, null, '&');
+ $post_params = http_build_query($post_data, '', '&');
 $headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)), 'Accept: application/json'];
@@ -1472,7 +1472,7 @@ public function revokeToken($token, $token_type_hint = '', $clientId = null, $cl
 $clientSecret = $clientSecret !== null ? $clientSecret : $this->clientSecret;
 // Convert token params to string format
- $post_params = http_build_query($post_data, null, '&');
+ $post_params = http_build_query($post_data, '', '&');
 $headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)), 'Accept: application/json'];