Merge pull request #11 from cuzy-app/back-channel

Back channel and OpenId Connect

Author: marc-farre

.gitignore

@@ -0,0 +1,3 @@
+/composer.lock
+/composer.phar
+/vendor/

authclient/Keycloak.php

@@ -8,6 +8,7 @@
 
 namespace humhub\modules\authKeycloak\authclient;
 
+use humhub\modules\authKeycloak\models\AuthKeycloak;
 use humhub\modules\authKeycloak\models\ConfigureForm;
 use humhub\modules\authKeycloak\Module;
 use humhub\modules\user\authclient\interfaces\PrimaryClient;
@@ -17,53 +18,40 @@
 use PDOException;
 use Yii;
 use yii\authclient\InvalidResponseException;
-use yii\authclient\OAuth2;
+use yii\authclient\OpenIdConnect;
+use yii\base\InvalidConfigException;
 use yii\db\StaleObjectException;
 use yii\helpers\BaseInflector;
 
 /**
  * With PrimaryClient, the user will have the `auth_mode` field in the `user` table set to 'Keycloak'.
  * This will avoid showing the "Change Password" tab when logged in with Keycloak
  */
-class Keycloak extends OAuth2 implements PrimaryClient
+class Keycloak extends OpenIdConnect implements PrimaryClient
 {
     public const DEFAULT_NAME = 'Keycloak';
 
-    /**
-     * @inheritdoc
-     */
-    public $authUrl;
-
-    /**
-     * @inheritdoc
-     */
-    public $tokenUrl;
-
     /**
      * @inheritdoc
      */
     public $apiBaseUrl;
-
     /**
      * @var bool
      */
     protected $_userSynced = false;
 
-    /**
-     * @inheridoc
-     */
-    public $scope = 'openid';
-
     /**
      * @inheritdoc
      */
     public function init()
     {
-        $config = new ConfigureForm();
+        if (!class_exists('Jose\Component\KeyManagement\JWKFactory')) {
+            require_once Yii::getAlias('@auth-keycloak/vendor/autoload.php');
+        }
 
-        $this->apiBaseUrl = $config->baseUrl . '/realms/' . $config->realm . '/protocol/openid-connect';
-        $this->authUrl = $this->apiBaseUrl . '/auth';
-        $this->tokenUrl = $this->apiBaseUrl . '/token';
+        $config = new ConfigureForm();
+        $this->issuerUrl = $config->baseUrl . '/realms/' . $config->realm;
+        $this->apiBaseUrl = $this->issuerUrl . '/protocol/openid-connect';
 
         parent::init();
     }
@@ -80,18 +68,6 @@ public function applyAccessTokenToRequest($request, $accessToken)
         $request->setHeaders($data);
     }
 
-    /**
-     * @inheridoc
-     */
-    protected function initUserAttributes()
-    {
-        try {
-            return $this->api('userinfo');
-        } catch (InvalidResponseException|\Exception $e) {
-            return [];
-        }
-    }
-
     /**
      * @inheritdoc
      */
@@ -100,87 +76,6 @@ public function getId()
         return self::DEFAULT_NAME;
     }
 
-    /**
-     * @inheritdoc
-     */
-    protected function defaultName()
-    {
-        return self::DEFAULT_NAME;
-    }
-
-    /**
-     * @inheridoc
-     */
-    protected function defaultTitle()
-    {
-        /** @var Module $module */
-        $module = Yii::$app->getModule('auth-keycloak');
-        $settings = $module->settings;
-
-        return $settings->get('title', Yii::t('AuthKeycloakModule.base', ConfigureForm::DEFAULT_TITLE));
-    }
-
-    protected function defaultViewOptions()
-    {
-        return [
-            'cssIcon' => 'fa fa-sign-in',
-            'buttonBackgroundColor' => '#e0492f',
-        ];
-    }
-
-    protected function defaultNormalizeUserAttributeMap()
-    {
-        /** @var Module $module */
-        $module = Yii::$app->getModule('auth-keycloak');
-        $settings = $module->settings;
-
-        return [
-            'id' => 'sub',
-            'username' => $settings->get('usernameMapper'),
-            'firstname' => 'given_name',
-            'lastname' => 'family_name',
-            'email' => 'email',
-        ];
-    }
-
-    /**
-     * If the username sent by Keycloak is the user's email, it is replaced by a username auto-generated from the first and last name (CamelCase formatted)
-     * @inerhitdoc
-     */
-    protected function normalizeUserAttributes($attributes)
-    {
-        $attributes = parent::normalizeUserAttributes($attributes);
-        if (
-            isset($attributes['username'], $attributes['email'])
-            && $attributes['username'] === $attributes['email']
-        ) {
-            /* @var $userModule \humhub\modules\user\Module */
-            $userModule = Yii::$app->getModule('user');
-            $attributes['username'] = BaseInflector::id2camel(
-                BaseInflector::slug(
-                    $attributes['firstname'] . ' ' . $attributes['lastname']
-                )
-            );
-        }
-        return $attributes;
-    }
-
-    /**
-     * Called among others by `user/controllers/AuthController::authSuccess()`
-     * @inheridoc
-     */
-    public function getUserAttributes()
-    {
-        // Avoid looping getUserAttributes()
-        if (!$this->_userSynced) {
-            $this->_userSynced = true;
-            $this->syncUserAttributes();
-        }
-
-        return parent::getUserAttributes();
-    }
-
-
     /**
      * @inheridoc
      */
@@ -212,6 +107,21 @@ public function getUser()
         return null;
     }
 
+    /**
+     * Called among others by `user/controllers/AuthController::authSuccess()`
+     * @inheridoc
+     */
+    public function getUserAttributes()
+    {
+        // Avoid looping getUserAttributes()
+        if (!$this->_userSynced) {
+            $this->_userSynced = true;
+            $this->syncUserAttributes();
+        }
+
+        return parent::getUserAttributes();
+    }
+
     /**
      * @inheridoc
      * @throws StaleObjectException
@@ -230,7 +140,36 @@ public function syncUserAttributes()
             (new AuthClientUserService($user))->add($this);
         } catch (PDOException $e) {
         }
-        KeycloakHelpers::storeAndGetAuthSourceId($user, $userAttributes['id'] ?? null);
+
+        $sourceId = $userAttributes['id'] ?? null;
+        if ($sourceId) {
+            $auth = AuthKeycloak::findOne([
+                'source' => self::DEFAULT_NAME,
+                'source_id' => $sourceId,
+            ]);
+
+            // Make sure authClient is not doubly assigned
+            if ($auth !== null && $auth->user_id !== $user->id) {
+                $auth->delete();
+                $auth = null;
+            }
+
+            // Get Keycloak shared session identifier
+            $sid = Yii::$app->request->get('session_state');
+
+            if ($auth === null) {
+                $auth = new AuthKeycloak([
+                    'user_id' => $user->id,
+                    'source' => self::DEFAULT_NAME,
+                    'source_id' => (string)$sourceId,
+                    'keycloak_sid' => $sid,
+                ]);
+                $auth->save();
+            } elseif ($auth->keycloak_sid !== $sid) {
+                $auth->keycloak_sid = $sid;
+                $auth->save();
+            }
+        }
 
         /** @var Module $module */
         $module = Yii::$app->getModule('auth-keycloak');
@@ -255,4 +194,79 @@ public function syncUserAttributes()
             $user->save();
         }
     }
+
+    /**
+     * @inheridoc
+     */
+    protected function initUserAttributes()
+    {
+        try {
+            return $this->api('userinfo');
+        } catch (InvalidResponseException|\Exception $e) {
+            return [];
+        }
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function defaultName()
+    {
+        return self::DEFAULT_NAME;
+    }
+
+    /**
+     * @inheridoc
+     */
+    protected function defaultTitle()
+    {
+        /** @var Module $module */
+        $module = Yii::$app->getModule('auth-keycloak');
+        return $module->settings->get('title', Yii::t('AuthKeycloakModule.base', ConfigureForm::DEFAULT_TITLE));
+    }
+
+    protected function defaultViewOptions()
+    {
+        return [
+            'cssIcon' => 'fa fa-sign-in',
+            'buttonBackgroundColor' => '#e0492f',
+        ];
+    }
+
+    protected function defaultNormalizeUserAttributeMap()
+    {
+        /** @var Module $module */
+        $module = Yii::$app->getModule('auth-keycloak');
+
+        return [
+            'id' => 'sub',
+            'username' => $module->settings->get('usernameMapper'),
+            'firstname' => 'given_name',
+            'lastname' => 'family_name',
+            'email' => 'email',
+        ];
+    }
+
+    /**
+     * If the username sent by Keycloak is the user's email, it is replaced by a username auto-generated from the first and last name (CamelCase formatted)
+     * @inerhitdoc
+     * @throws InvalidConfigException
+     */
+    protected function normalizeUserAttributes($attributes)
+    {
+        $attributes = parent::normalizeUserAttributes($attributes);
+        if (
+            isset($attributes['username'], $attributes['email'])
+            && $attributes['username'] === $attributes['email']
+        ) {
+            /* @var $userModule \humhub\modules\user\Module */
+            $userModule = Yii::$app->getModule('user');
+            $attributes['username'] = BaseInflector::id2camel(
+                BaseInflector::slug(
+                    $attributes['firstname'] . ' ' . $attributes['lastname']
+                )
+            );
+        }
+        return $attributes;
+    }
 }