mkrieger/byos_laravel
1
0
Fork 0
mirror of https://github.com/usetrmnl/byos_laravel.git synced 2026-01-13 23:18:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

feat: add OIDC support

Browse source
This commit is contained in:
Carlos Quintana 2025-08-03 11:58:00 +02:00 committed by Benjamin Nussbaum
parent d6dd1c5f31
commit e8a076438e
12 changed files with 1256 additions and 644 deletions
Download patch file Download diff file Expand all files Collapse all files

90
app/Console/Commands/OidcTestCommand.php Normal file
View file

@ -0,0 +1,90 @@
<?php
namespace App\Console\Commands;
use Illuminate\Console\Command;
use Laravel\Socialite\Facades\Socialite;
class OidcTestCommand extends Command
{
/**
* The name and signature of the console command.
*
* @var string
*/
protected $signature = 'oidc:test';
/**
* The console command description.
*
* @var string
*/
protected $description = 'Test OIDC configuration and driver registration';
/**
* Execute the console command.
*/
public function handle()
{
$this->info('Testing OIDC Configuration...');
$this->newLine();
// Check if OIDC is enabled
$enabled = config('services.oidc.enabled');
$this->line("OIDC Enabled: " . ($enabled ? '✅ Yes' : '❌ No'));
// Check configuration values
$endpoint = config('services.oidc.endpoint');
$clientId = config('services.oidc.client_id');
$clientSecret = config('services.oidc.client_secret');
$redirect = config('services.oidc.redirect');
$scopes = config('services.oidc.scopes', []);
$this->line("OIDC Endpoint: " . ($endpoint ? "{$endpoint}" : '❌ Not set'));
$this->line("Client ID: " . ($clientId ? "{$clientId}" : '❌ Not set'));
$this->line("Client Secret: " . ($clientSecret ? '✅ Set' : '❌ Not set'));
$this->line("Redirect URL: " . ($redirect ? "{$redirect}" : '❌ Not set'));
$this->line("Scopes: " . (empty($scopes) ? '❌ Not set' : '✅ ' . implode(', ', $scopes)));
$this->newLine();
// Test driver registration
try {
// Only test driver if we have basic configuration
if ($endpoint && $clientId && $clientSecret) {
$driver = Socialite::driver('oidc');
$this->line("OIDC Driver: ✅ Successfully registered and accessible");
if ($enabled) {
$this->info("✅ OIDC is fully configured and ready to use!");
$this->line("You can test the login flow at: /auth/oidc/redirect");
} else {
$this->warn("⚠️ OIDC driver is working but OIDC_ENABLED is false.");
}
} else {
$this->line("OIDC Driver: ✅ Registered (configuration test skipped due to missing values)");
$this->warn("⚠️ OIDC driver is registered but missing required configuration.");
$this->line("Please set the following environment variables:");
if (!$enabled) $this->line(" - OIDC_ENABLED=true");
if (!$endpoint) {
$this->line(" - OIDC_ENDPOINT=https://your-oidc-provider.com (base URL)");
$this->line(" OR");
$this->line(" - OIDC_ENDPOINT=https://your-oidc-provider.com/.well-known/openid-configuration (full URL)");
}
if (!$clientId) $this->line(" - OIDC_CLIENT_ID=your-client-id");
if (!$clientSecret) $this->line(" - OIDC_CLIENT_SECRET=your-client-secret");
}
} catch (\InvalidArgumentException $e) {
if (str_contains($e->getMessage(), 'Driver [oidc] not supported')) {
$this->error("❌ OIDC Driver registration failed: Driver not supported");
} else {
$this->error("❌ OIDC Driver error: " . $e->getMessage());
}
} catch (\Exception $e) {
$this->warn("⚠️ OIDC Driver registered but configuration error: " . $e->getMessage());
}
$this->newLine();
return Command::SUCCESS;
}
}

116
app/Http/Controllers/Auth/OidcController.php Normal file
View file

@ -0,0 +1,116 @@
<?php
namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;
use Laravel\Socialite\Facades\Socialite;
class OidcController extends Controller
{
/**
* Redirect the user to the OIDC provider authentication page.
*/
public function redirect()
{
if (!config('services.oidc.enabled')) {
return redirect()->route('login')->withErrors(['oidc' => 'OIDC authentication is not enabled.']);
}
// Check if all required OIDC configuration is present
$requiredConfig = ['endpoint', 'client_id', 'client_secret'];
foreach ($requiredConfig as $key) {
if (!config("services.oidc.{$key}")) {
Log::error("OIDC configuration missing: {$key}");
return redirect()->route('login')->withErrors(['oidc' => 'OIDC is not properly configured.']);
}
}
try {
return Socialite::driver('oidc')->redirect();
} catch (\Exception $e) {
Log::error('OIDC redirect error: ' . $e->getMessage());
return redirect()->route('login')->withErrors(['oidc' => 'Failed to initiate OIDC authentication.']);
}
}
/**
* Obtain the user information from the OIDC provider.
*/
public function callback(Request $request)
{
if (!config('services.oidc.enabled')) {
return redirect()->route('login')->withErrors(['oidc' => 'OIDC authentication is not enabled.']);
}
// Check if all required OIDC configuration is present
$requiredConfig = ['endpoint', 'client_id', 'client_secret'];
foreach ($requiredConfig as $key) {
if (!config("services.oidc.{$key}")) {
Log::error("OIDC configuration missing: {$key}");
return redirect()->route('login')->withErrors(['oidc' => 'OIDC is not properly configured.']);
}
}
try {
$oidcUser = Socialite::driver('oidc')->user();
// Find or create the user
$user = $this->findOrCreateUser($oidcUser);
// Log the user in
Auth::login($user, true);
return redirect()->intended(route('dashboard', absolute: false));
} catch (\Exception $e) {
Log::error('OIDC callback error: ' . $e->getMessage());
return redirect()->route('login')->withErrors(['oidc' => 'Failed to authenticate with OIDC provider.']);
}
}
/**
* Find or create a user based on OIDC information.
*/
protected function findOrCreateUser($oidcUser)
{
// First, try to find user by OIDC subject ID
$user = User::where('oidc_sub', $oidcUser->getId())->first();
if ($user) {
// Update user information from OIDC
$user->update([
'name' => $oidcUser->getName() ?: $user->name,
'email' => $oidcUser->getEmail() ?: $user->email,
]);
return $user;
}
// If not found by OIDC sub, try to find by email
if ($oidcUser->getEmail()) {
$user = User::where('email', $oidcUser->getEmail())->first();
if ($user) {
// Link the existing user with OIDC
$user->update([
'oidc_sub' => $oidcUser->getId(),
'name' => $oidcUser->getName() ?: $user->name,
]);
return $user;
}
}
// Create new user
return User::create([
'oidc_sub' => $oidcUser->getId(),
'name' => $oidcUser->getName() ?: 'OIDC User',
'email' => $oidcUser->getEmail() ?: $oidcUser->getId() . '@oidc.local',
'password' => bcrypt(Str::random(32)), // Random password since we're using OIDC
'email_verified_at' => now(), // OIDC users are considered verified
]);
}
}

1
app/Models/User.php
View file

@ -26,6 +26,7 @@ class User extends Authenticatable // implements MustVerifyEmail
'password',
'assign_new_devices',
'assign_new_device_id',
'oidc_sub',
];
/**

16
app/Providers/AppServiceProvider.php
View file

@ -2,8 +2,10 @@
namespace App\Providers;
use App\Services\OidcProvider;
use Illuminate\Support\Facades\URL;
use Illuminate\Support\ServiceProvider;
use URL;
use Laravel\Socialite\Facades\Socialite;
class AppServiceProvider extends ServiceProvider
{
@ -23,5 +25,17 @@ class AppServiceProvider extends ServiceProvider
if (app()->isProduction() && config('app.force_https')) {
URL::forceScheme('https');
}
// Register OIDC provider with Socialite
Socialite::extend('oidc', function ($app) {
$config = $app['config']['services.oidc'] ?? [];
return new OidcProvider(
$app['request'],
$config['client_id'] ?? null,
$config['client_secret'] ?? null,
$config['redirect'] ?? null,
$config['scopes'] ?? ['openid', 'profile', 'email']
);
});
}
}

156
app/Services/OidcProvider.php Normal file
View file

@ -0,0 +1,156 @@
<?php
namespace App\Services;
use Laravel\Socialite\Two\AbstractProvider;
use Laravel\Socialite\Two\ProviderInterface;
use Laravel\Socialite\Two\User;
use GuzzleHttp\Client;
use Illuminate\Support\Arr;
class OidcProvider extends AbstractProvider implements ProviderInterface
{
/**
* The scopes being requested.
*/
protected $scopes = [];
/**
* The separating character for the requested scopes.
*/
protected $scopeSeparator = ' ';
/**
* The OIDC configuration.
*/
protected $oidcConfig;
/**
* The base URL for OIDC endpoints.
*/
protected $baseUrl;
/**
* Create a new provider instance.
*/
public function __construct($request, $clientId, $clientSecret, $redirectUrl, $scopes = [], $guzzle = [])
{
parent::__construct($request, $clientId, $clientSecret, $redirectUrl, $guzzle);
$endpoint = config('services.oidc.endpoint');
if (!$endpoint) {
throw new \Exception('OIDC endpoint is not configured. Please set OIDC_ENDPOINT environment variable.');
}
// Handle both full well-known URL and base URL
if (str_ends_with($endpoint, '/.well-known/openid-configuration')) {
$this->baseUrl = str_replace('/.well-known/openid-configuration', '', $endpoint);
} else {
$this->baseUrl = rtrim($endpoint, '/');
}
$this->scopes = $scopes ?: ['openid', 'profile', 'email'];
$this->loadOidcConfiguration();
}
/**
* Load OIDC configuration from the well-known endpoint.
*/
protected function loadOidcConfiguration()
{
try {
$url = $this->baseUrl . '/.well-known/openid-configuration';
$client = new Client();
$response = $client->get($url);
$this->oidcConfig = json_decode($response->getBody()->getContents(), true);
if (!$this->oidcConfig) {
throw new \Exception('OIDC configuration is empty or invalid JSON');
}
if (!isset($this->oidcConfig['authorization_endpoint'])) {
throw new \Exception('authorization_endpoint not found in OIDC configuration');
}
} catch (\Exception $e) {
throw new \Exception('Failed to load OIDC configuration: ' . $e->getMessage());
}
}
/**
* Get the authentication URL for the provider.
*/
protected function getAuthUrl($state)
{
if (!$this->oidcConfig || !isset($this->oidcConfig['authorization_endpoint'])) {
throw new \Exception('OIDC configuration not loaded or authorization_endpoint not found.');
}
return $this->buildAuthUrlFromBase($this->oidcConfig['authorization_endpoint'], $state);
}
/**
* Get the token URL for the provider.
*/
protected function getTokenUrl()
{
if (!$this->oidcConfig || !isset($this->oidcConfig['token_endpoint'])) {
throw new \Exception('OIDC configuration not loaded or token_endpoint not found.');
}
return $this->oidcConfig['token_endpoint'];
}
/**
* Get the raw user for the given access token.
*/
protected function getUserByToken($token)
{
if (!$this->oidcConfig || !isset($this->oidcConfig['userinfo_endpoint'])) {
throw new \Exception('OIDC configuration not loaded or userinfo_endpoint not found.');
}
$response = $this->getHttpClient()->get($this->oidcConfig['userinfo_endpoint'], [
'headers' => [
'Authorization' => 'Bearer ' . $token,
],
]);
return json_decode($response->getBody(), true);
}
/**
* Map the raw user array to a Socialite User instance.
*/
protected function mapUserToObject(array $user)
{
return (new User)->setRaw($user)->map([
'id' => $user['sub'],
'nickname' => $user['preferred_username'] ?? null,
'name' => $user['name'] ?? null,
'email' => $user['email'] ?? null,
'avatar' => $user['picture'] ?? null,
]);
}
/**
* Get the access token response for the given code.
*/
public function getAccessTokenResponse($code)
{
$response = $this->getHttpClient()->post($this->getTokenUrl(), [
'headers' => ['Accept' => 'application/json'],
'form_params' => $this->getTokenFields($code),
]);
return json_decode($response->getBody(), true);
}
/**
* Get the POST fields for the token request.
*/
protected function getTokenFields($code)
{
return array_merge(parent::getTokenFields($code), [
'grant_type' => 'authorization_code',
]);
}
}