dolibarr 21.0.0-alpha
microsoft2_oauthcallback.php
1<?php
2/* Copyright (C) 2022 Laurent Destailleur <eldy@users.sourceforge.net>
3 * Copyright (C) 2015 Frederic France <frederic.france@free.fr>
4 * Copyright (C) 2024 MDW <mdeweerd@users.noreply.github.com>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <https://www.gnu.org/licenses/>.
18 */
19
26// Load Dolibarr environment
27require '../../../main.inc.php';
28require_once DOL_DOCUMENT_ROOT.'/includes/OAuth/bootstrap.php';
29use OAuth\Common\Storage\DoliStorage;
30use OAuth\Common\Consumer\Credentials;
31
32// Define $urlwithroot
33$urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));
34$urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
35//$urlwithroot=DOL_MAIN_URL_ROOT; // This is to use same domain name than current
36
37
38$action = GETPOST('action', 'aZ09');
39$backtourl = GETPOST('backtourl', 'alpha');
40$keyforprovider = GETPOST('keyforprovider', 'aZ09');
41if (empty($keyforprovider) && !empty($_SESSION["oauthkeyforproviderbeforeoauthjump"]) && (GETPOST('code') || $action == 'delete')) {
42 $keyforprovider = $_SESSION["oauthkeyforproviderbeforeoauthjump"];
43}
44$genericstring = 'MICROSOFT2';
45
46
50$uriFactory = new \OAuth\Common\Http\Uri\UriFactory();
51//$currentUri = $uriFactory->createFromSuperGlobalArray($_SERVER);
52//$currentUri->setQuery('');
53$currentUri = $uriFactory->createFromAbsolute($urlwithroot.'/core/modules/oauth/microsoft_oauthcallback.php');
54
55
61$serviceFactory = new \OAuth\ServiceFactory();
62$httpClient = new \OAuth\Common\Http\Client\CurlClient();
63// TODO Set options for proxy and timeout
64// $params=array('CURLXXX'=>value, ...)
65//$httpClient->setCurlParameters($params);
66$serviceFactory->setHttpClient($httpClient);
67
68// Dolibarr storage
69$storage = new DoliStorage($db, $conf, $keyforprovider);
70
71// Setup the credentials for the requests
72$keyforparamid = 'OAUTH_'.$genericstring.($keyforprovider ? '-'.$keyforprovider : '').'_ID';
73$keyforparamsecret = 'OAUTH_'.$genericstring.($keyforprovider ? '-'.$keyforprovider : '').'_SECRET';
74$keyforparamtenant = 'OAUTH_'.$genericstring.($keyforprovider ? '-'.$keyforprovider : '').'_TENANT';
75$credentials = new Credentials(
76 getDolGlobalString($keyforparamid),
77 getDolGlobalString($keyforparamsecret),
78 $currentUri->getAbsoluteUri()
79);
80
81$state = GETPOST('state');
82
83$requestedpermissionsarray = array();
84if ($state) {
85 $requestedpermissionsarray = explode(',', $state); // Example: 'user'. 'state' parameter is standard to retrieve some parameters back
86}
87if ($action != 'delete' && empty($requestedpermissionsarray)) {
88 print 'Error, parameter state is not defined';
89 exit;
90}
91//var_dump($requestedpermissionsarray);exit;
92
93// Instantiate the Api service using the credentials, http client and storage mechanism for the token
94// ucfirst(strtolower($genericstring)) must be the name of a class into OAuth/OAuth2/Services/Xxxx
95// $requestedpermissionsarray contains list of scopes.
96// Conversion into URL is done by Reflection on constant with name SCOPE_scope_in_uppercase
97try {
98 $apiService = $serviceFactory->createService(ucfirst(strtolower($genericstring)), $credentials, $storage, $requestedpermissionsarray);
99 '@phan-var-force OAuth\OAuth2\Service\AbstractService|OAuth\OAuth1\Service\AbstractService $apiService'; // createService is only ServiceInterface
100} catch (Exception $e) {
101 print $e->getMessage();
102 exit;
103}
104/*
105var_dump($genericstring.($keyforprovider ? '-'.$keyforprovider : ''));
106var_dump($credentials);
107var_dump($storage);
108var_dump($requestedpermissionsarray);
109*/
110
111if (empty($apiService)) {
112 print 'Error, failed to create serviceFactory';
113 exit;
114}
115
116// access type needed to have oauth provider refreshing token
117//$apiService->setAccessType('offline');
118
119$langs->load("oauth");
120
121if (!getDolGlobalString($keyforparamid)) {
122 accessforbidden('Setup of service is not complete. Customer ID is missing');
123}
124if (!getDolGlobalString($keyforparamsecret)) {
125 accessforbidden('Setup of service is not complete. Secret key is missing');
126}
127
128
129/*
130 * Actions
131 */
132
133if ($action == 'delete' && (!empty($user->admin) || $user->id == GETPOSTINT('userid'))) {
134 $storage->userid = GETPOSTINT('userid');
135 $storage->clearToken($genericstring);
136
137 setEventMessages($langs->trans('TokenDeleted'), null, 'mesgs');
138
139 if (empty($backtourl)) {
140 $backtourl = DOL_URL_ROOT.'/';
141 }
142
143 header('Location: '.$backtourl);
144 exit();
145}
146
147//dol_syslog("GET=".join(',', $_GET));
148
149
150if (GETPOST('code') || GETPOST('error')) { // We are coming from oauth provider page
151 // We should have
152 //$_GET=array('code' => string 'aaaaaaaaaaaaaa' (length=20), 'state' => string 'user,public_repo' (length=16))
153
154 dol_syslog("We are coming from the oauth provider page code=".dol_trunc(GETPOST('code'), 5)." error=".GETPOST('error'));
155
156 // This was a callback request from service, get the token
157 try {
158 //var_dump($state);
159 //var_dump($apiService); // OAuth\OAuth2\Service\Microsoft
160
161 if (GETPOST('error')) {
162 setEventMessages(GETPOST('error').' '.GETPOST('error_description'), null, 'errors');
163 } else {
164 //print GETPOST('code');exit;
165
166 //$token = $apiService->requestAccessToken(GETPOST('code'), $state);
167 $token = $apiService->requestAccessToken(GETPOST('code'));
168 // Microsoft is a service that does not need state to be stored as second parameter of requestAccessToken
169
170 //print $token->getAccessToken().'<br><br>';
171 //print $token->getExtraParams()['id_token'].'<br>';
172 //print $token->getRefreshToken().'<br>';exit;
173
174 setEventMessages($langs->trans('NewTokenStored'), null, 'mesgs'); // Stored into object managed by class DoliStorage so into table oauth_token
175 }
176
177 $backtourl = $_SESSION["backtourlsavedbeforeoauthjump"];
178 unset($_SESSION["backtourlsavedbeforeoauthjump"]);
179
180 header('Location: '.$backtourl);
181 exit();
182 } catch (Exception $e) {
183 print $e->getMessage();
184 }
185} else {
186 // If we enter this page without 'code' parameter, we arrive here. This is the case when we want to get the redirect
187 // to the OAuth provider login page.
188 $_SESSION["backtourlsavedbeforeoauthjump"] = $backtourl;
189 $_SESSION["oauthkeyforproviderbeforeoauthjump"] = $keyforprovider;
190 $_SESSION['oauthstateanticsrf'] = $state;
191
192 //if (!preg_match('/^forlogin/', $state)) {
193 // $apiService->setApprouvalPrompt('auto');
194 //}
195
196 // This may create record into oauth_state before the header redirect.
197 // Creation of record with state in this tables depend on the Provider used (see its constructor).
198 if ($state) {
199 $url = $apiService->getAuthorizationUri(array('state' => $state));
200 } else {
201 $url = $apiService->getAuthorizationUri(); // Parameter state will be randomly generated
202 }
203
204 // Show url to get authorization
205 //var_dump((string) $url);exit;
206 dol_syslog("Redirect to url=".$url);
207
208 // we go on oauth provider authorization page
209 header('Location: '.$url);
210 exit();
211}
212
213
214/*
215 * View
216 */
217
218// No view at all, just actions
219
220$db->close();
setEventMessages($mesg, $mesgs, $style='mesgs', $messagekey='', $noduplicate=0, $attop=0)
Set event messages in dol_events session object.
GETPOSTINT($paramname, $method=0)
Return the value of a $_GET or $_POST supervariable, converted into integer.
GETPOST($paramname, $check='alphanohtml', $method=0, $filter=null, $options=null, $noreplace=0)
Return value of a param into GET or POST supervariable.
dol_trunc($string, $size=40, $trunc='right', $stringencoding='UTF-8', $nodot=0, $display=0)
Truncate a string to a particular length adding '…' if string larger than length.
getDolGlobalString($key, $default='')
Return a Dolibarr global constant string value.
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
$uriFactory
Create a new instance of the URI class with the current URI, stripping the query string.
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.