39 global $db, $conf, $langs;
42 $entity = $entitytotest;
43 if (isModEnabled(
'multicompany') && !empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
49 dol_syslog(
"functions_openid_connect::check_user_password_openid_connect usertotest=".$usertotest.
" passwordtotest=".preg_replace(
'/./',
'*', $passwordtotest).
" entitytotest=".$entitytotest);
53 if (GETPOSTISSET(
'username')) {
55 $_SESSION[
"dol_loginmesg"] =
"Not an OpenID Connect flow";
56 dol_syslog(
"functions_openid_connect::check_user_password_openid_connect not an OIDC flow");
57 } elseif (GETPOSTISSET(
'code')) {
58 $auth_code =
GETPOST(
'code',
'aZ09');
59 dol_syslog(
"functions_openid_connect::check_user_password_openid_connect code=".$auth_code);
63 'grant_type' =>
'authorization_code',
64 'client_id' => $conf->global->MAIN_AUTHENTICATION_OIDC_CLIENT_ID,
65 'client_secret' => $conf->global->MAIN_AUTHENTICATION_OIDC_CLIENT_SECRET,
67 'redirect_uri' => $conf->global->MAIN_AUTHENTICATION_OIDC_REDIRECT_URL
70 $token_response =
getURLContent($conf->global->MAIN_AUTHENTICATION_OIDC_TOKEN_URL,
'POST', http_build_query($auth_param));
71 $token_content = json_decode($token_response[
'content']);
72 dol_syslog(
"functions_openid_connect::check_user_password_openid_connect /token=".print_r($token_response,
true), LOG_DEBUG);
74 if (property_exists($token_content,
'access_token')) {
76 $userinfo_headers = array(
'Authorization: Bearer '.$token_content->access_token);
77 $userinfo_response =
getURLContent($conf->global->MAIN_AUTHENTICATION_OIDC_USERINFO_URL,
'GET',
'', 1, $userinfo_headers);
78 $userinfo_content = json_decode($userinfo_response[
'content']);
80 dol_syslog(
"functions_openid_connect::check_user_password_openid_connect /userinfo=".print_r($userinfo_response,
true), LOG_DEBUG);
83 $login_claim =
'email';
84 if (!empty($conf->global->MAIN_AUTHENTICATION_OIDC_LOGIN_CLAIM)) {
85 $login_claim = $conf->global->MAIN_AUTHENTICATION_OIDC_LOGIN_CLAIM;
88 if (property_exists($userinfo_content, $login_claim)) {
90 $sql =
'SELECT login, entity, datestartvalidity, dateendvalidity';
91 $sql .=
' FROM '.MAIN_DB_PREFIX.
'user';
92 $sql .=
" WHERE login = '".$db->escape($userinfo_content->$login_claim).
"'";
93 $sql .=
' AND entity IN (0,'.(array_key_exists(
'dol_entity', $_SESSION) ? ((int) $_SESSION[
"dol_entity"]) : 1).
')';
95 dol_syslog(
"functions_openid::check_user_password_openid", LOG_DEBUG);
97 $resql = $db->query($sql);
99 $obj = $db->fetch_object($resql);
115 $login = $obj->login;
118 } elseif ($userinfo_content->error) {
120 $_SESSION[
"dol_loginmesg"] =
"Error in OAuth 2.0 flow (".$userinfo_content->error_description.
")";
121 } elseif ($userinfo_response[
'http_code'] == 200) {
123 $_SESSION[
"dol_loginmesg"] =
"OpenID Connect claim not found: ".$login_claim;
124 } elseif ($userinfo_response[
'curl_error_no']) {
126 $_SESSION[
"dol_loginmesg"] =
"Network error: ".$userinfo_response[
'curl_error_msg'].
" (".$userinfo_response[
'curl_error_no'].
")";
129 $_SESSION[
"dol_loginmesg"] =
"Userinfo request error (".$userinfo_response[
'http_code'].
")";
131 } elseif ($token_content->error) {
133 $_SESSION[
"dol_loginmesg"] =
"Error in OAuth 2.0 flow (".$token_content->error_description.
")";
134 } elseif ($token_response[
'curl_error_no']) {
136 $_SESSION[
"dol_loginmesg"] =
"Network error: ".$token_response[
'curl_error_msg'].
" (".$token_response[
'curl_error_no'].
")";
139 $_SESSION[
"dol_loginmesg"] =
"Token request error (".$token_response[
'http_code'].
")";
143 $_SESSION[
"dol_loginmesg"] =
"Error in OAuth 2.0 flow (no code received)";
146 dol_syslog(
"functions_openid_connect::check_user_password_openid_connect END");
148 return !empty($login) ? $login :
false;
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
check_user_password_openid_connect($usertotest, $passwordtotest, $entitytotest)
Check validity of user/password/entity If test is ko, reason must be filled into $_SESSION["dol_login...
getURLContent($url, $postorget='GET', $param='', $followlocation=1, $addheaders=array(), $allowedschemes=array('http', 'https'), $localurl=0, $ssl_verifypeer=-1)
Function to get a content from an URL (use proxy if proxy defined).