SSO: Fix provider configuration to use KnpUOAuthClient defaults
Corrected provider parameters to align with default configuration values provided by the KnpUOAuthClient package
AngelFQC committed Dec 14, 2024
1 parent 7cefa50 commit e7f5812
Showing 5 changed files with 87 additions and 50 deletions.
28 changes: 3 additions & 25 deletions config/authentication.yaml
Expand Up @@ -13,12 +13,7 @@ parameters:
urlAccessToken: ''
urlResourceOwnerDetails: ''
responseResourceOwnerId: 'sub'
# accessTokenMethod: 'POST'
# responseError: 'error'
# responseCode: ''
# scopeSeparator: ' '
scopes:
- openid
accessTokenMethod: 'GET'
allow_create_new_users: true
allow_update_user_info: false
resource_owner_username_field: null
Expand All @@ -38,8 +33,7 @@ parameters:
title: 'Facebook'
client_id: ''
client_secret: ''
graph_api_version: 'v20.0'
redirect_params: { }
#graph_api_version: 'v20.0'

keycloak:
enabled: false
Expand All @@ -48,26 +42,10 @@ parameters:
client_secret: ''
auth_server_url: ''
realm: ''
version: ''
encryption_algorithm: null
encryption_key_path: null
encryption_key: null
redirect_params: { }
#version: ''

azure:
enabled: false
title: 'Azure'
client_id: ''
client_secret: ''
tenant: 'common'
client_certificate_private_key: ''
client_certificate_thumbprint: ''
url_login: 'https://login.microsoftonline.com/'
path_authorize: '/oauth2/authorize'
path_token: '/oauth2/token'
scope: {}
url_api: 'https://graph.windows.net/'
resource: null
api_version: '1.6'
auth_with_resource: true
default_end_point_version: '1.0'
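Review bot: `accessTokenMethod: 'GET'` in the generic provider block, which appears to replace the commented-out `# accessTokenMethod: 'POST'`, makes the token request a GET. With that method league/oauth2-client appends the token parameters, including `client_secret` and the authorization code, to the URL query string, where they can end up in proxy and web-server access logs. RFC 6749 section 3.2 requires POST for the token endpoint, so the shipped default should be `accessTokenMethod: 'POST'`, with GET left as a documented opt-in for identity providers that need it. The rendered page does not mark added and removed lines, so confirm that the GET line is on the new side.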
11 changes: 5 additions & 6 deletions config/packages/knpu_oauth2_client.yaml
Expand Up @@ -5,32 +5,31 @@ knpu_oauth2_client:
provider_class: League\OAuth2\Client\Provider\GenericProvider
client_id: ''
client_secret: ''
provider_options:
responseResourceOwnerId: 'sub'
scopes:
- openid
redirect_route: chamilo.oauth2_generic_check

facebook:
type: facebook
client_id: ''
client_secret: ''
redirect_route: chamilo.oauth2_facebook_check
graph_api_version: ''
redirect_params: { }
graph_api_version: 'v20.0'

keycloak:
type: keycloak
client_id: ''
client_secret: ''
redirect_route: chamilo.oauth2_keycloak_check
redirect_params: { }
auth_server_url: null
realm: null

azure:
type: azure
client_id: ''
# a route name you'll create
redirect_route: chamilo.oauth2_azure_check
redirect_params: { }
# The shared client secret if you don't use a certificate
client_secret: ' '

# configure your clients as described here: https://github.com/knpuniversity/oauth2-client-bundle#configuration
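Review bot: Nothing in this file says that its values are only fallbacks, although `OAuth2ProviderFactoryDecorator::createProvider()` in this same commit merges the per-URL settings over them with `$customOptions + $options`. An administrator who edits `client_id` or `graph_api_version: 'v20.0'` here may therefore see no effect when authentication.yaml sets the same key. A comment above the first client entry would make that explicit, for example `# Placeholder defaults; per-URL values from config/authentication.yaml override these at runtime`.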
38 changes: 22 additions & 16 deletions src/CoreBundle/Decorator/OAuth2ProviderFactoryDecorator.php
Expand Up @@ -7,9 +7,7 @@
namespace Chamilo\CoreBundle\Decorator;

use Chamilo\CoreBundle\ServiceHelper\AuthenticationConfigHelper;
use KnpU\OAuth2ClientBundle\DependencyInjection\KnpUOAuth2ClientExtension;
use KnpU\OAuth2ClientBundle\DependencyInjection\ProviderFactory;
use KnpU\OAuth2ClientBundle\KnpUOAuth2ClientBundle;
use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Provider\Facebook;
use League\OAuth2\Client\Provider\GenericProvider;
Expand All @@ -34,23 +32,31 @@ public function createProvider(
array $redirectParams = [],
array $collaborators = []
): AbstractProvider {
$options = match ($class) {
GenericProvider::class => $this->getProviderOptions('generic'),
Facebook::class => $this->getProviderOptions('facebook'),
Keycloak::class => $this->getProviderOptions('keycloak'),
Azure::class => $this->getProviderOptions('azure'),
$customConfig = match ($class) {

Check failure on line 35 in src/CoreBundle/Decorator/OAuth2ProviderFactoryDecorator.php

GitHub Actions / PHP 8.2 Test on ubuntu-latest

UnhandledMatchCondition

src/CoreBundle/Decorator/OAuth2ProviderFactoryDecorator.php:35:32: UnhandledMatchCondition: This match expression is not exhaustive - consider values League\OAuth2\Client\Provider\Facebook::class|League\OAuth2\Client\Provider\GenericProvider::class|Stevenmaguire\OAuth2\Client\Provider\Keycloak::class|TheNetworg\OAuth2\Client\Provider\Azure::class|mixed (see https://psalm.dev/236)
GenericProvider::class => $this->authenticationConfigHelper->getProviderConfig('generic'),
Facebook::class => $this->authenticationConfigHelper->getProviderConfig('facebook'),
Keycloak::class => $this->authenticationConfigHelper->getProviderConfig('keycloak'),
Azure::class => $this->authenticationConfigHelper->getProviderConfig('azure'),
};

return $this->inner->createProvider($class, $options, $redirectUri, $redirectParams, $collaborators);
}

private function getProviderOptions(string $providerName): array
{
/** @var KnpUOAuth2ClientExtension $extension */
$extension = (new KnpUOAuth2ClientBundle())->getContainerExtension();
$redirectParams = $customConfig['redirect_params'] ?? [];

$customOptions = match ($class) {

Check failure on line 44 in src/CoreBundle/Decorator/OAuth2ProviderFactoryDecorator.php

GitHub Actions / PHP 8.2 Test on ubuntu-latest

UnhandledMatchCondition

src/CoreBundle/Decorator/OAuth2ProviderFactoryDecorator.php:44:33: UnhandledMatchCondition: This match expression is not exhaustive - consider values League\OAuth2\Client\Provider\Facebook::class|League\OAuth2\Client\Provider\GenericProvider::class|Stevenmaguire\OAuth2\Client\Provider\Keycloak::class|TheNetworg\OAuth2\Client\Provider\Azure::class|mixed (see https://psalm.dev/236)
GenericProvider::class => $this->authenticationConfigHelper->getProviderOptions(
'generic',
[
'client_id' => $customConfig['client_id'],
'client_secret' => $customConfig['client_secret'],
...$customConfig['provider_options'],
],
),
Facebook::class => $this->authenticationConfigHelper->getProviderOptions('facebook', $customConfig),
Keycloak::class => $this->authenticationConfigHelper->getProviderOptions('keycloak', $customConfig),
Azure::class => $this->authenticationConfigHelper->getProviderOptions('azure', $customConfig),
};

$configParams = $this->authenticationConfigHelper->getParams($providerName);
$options = $customOptions + $options;

return $extension->getConfigurator($providerName)->getProviderOptions($configParams);
return $this->inner->createProvider($class, $options, $redirectUri, $redirectParams, $collaborators);
}
}
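Review bot: In the `GenericProvider::class` arm, `...$customConfig['provider_options']` is spread without a fallback, so a per-URL generic configuration that omits `provider_options` throws at the unpack instead of falling back to the bundle defaults; `...($customConfig['provider_options'] ?? []),` keeps the merge working. Separately, `$redirectParams = $customConfig['redirect_params'] ?? [];` replaces the `$redirectParams` argument outright, so any redirect parameters the caller passed are discarded. If that is intended, a one-line comment should say so; otherwise merge them with `$redirectParams = ($customConfig['redirect_params'] ?? []) + $redirectParams;`. The start of `createProvider` is outside the hunk.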
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ public function supports(Request $request): ?bool

protected function userLoader(AccessToken $accessToken): User
{
$providerParams = $this->authenticationConfigHelper->getParams('generic');
$providerParams = $this->authenticationConfigHelper->getProviderConfig('generic');

/** @var GenericResourceOwner $resourceOwner */
$resourceOwner = $this->client->fetchUserFromToken($accessToken);
58 changes: 56 additions & 2 deletions src/CoreBundle/ServiceHelper/AuthenticationConfigHelper.php
Expand Up @@ -21,7 +21,7 @@ public function __construct(
private UrlGeneratorInterface $urlGenerator,
) {}

public function getParams(string $providerName, ?AccessUrl $url = null): array
public function getProviderConfig(string $providerName, ?AccessUrl $url = null): array
{
$providers = $this->getProvidersForUrl($url);

Expand All @@ -34,7 +34,7 @@ public function getParams(string $providerName, ?AccessUrl $url = null): array

public function isEnabled(string $methodName, ?AccessUrl $url = null): bool
{
$configParams = $this->getParams($methodName, $url);
$configParams = $this->getProviderConfig($methodName, $url);

return $configParams['enabled'] ?? false;
}
Expand Down Expand Up @@ -74,4 +74,58 @@ private function getProvidersForUrl(?AccessUrl $url): array

throw new InvalidArgumentException('Invalid access URL configuration');
}

public function getProviderOptions(string $providerType, array $config): array
{
$defaults = match($providerType) {
'generic' => [
'clientId' => $config['client_id'],
'clientSecret' => $config['client_secret'],
'urlAuthorize' => $config['urlAuthorize'],
'urlAccessToken' => $config['urlAccessToken'],
'urlResourceOwnerDetails' => $config['urlResourceOwnerDetails'],
'accessTokenMethod' => $config['accessTokenMethod'] ?? null,
'accessTokenResourceOwnerId' => $config['accessTokenResourceOwnerId'] ?? null,
'scopeSeparator' => $config['scopeSeparator'] ?? null,
'responseError' => $config['responseError'] ?? null,
'responseCode' => $config['responseCode'] ?? null,
'responseResourceOwnerId' => $config['responseResourceOwnerId'] ?? null,
'scopes' => $config['scopes'] ?? null,
'pkceMethod' => $config['pkceMethod'] ?? null,
],
'facebook' => [
'clientId' => $config['client_id'],
'clientSecret' => $config['client_secret'],
'graphApiVersion' => $config['graph_api_version'] ?? null,
],
'keycloak' => [
'clientId' => $config['client_id'],
'clientSecret' => $config['client_secret'],
'authServerUrl' => $config['auth_server_url'],
'realm' => $config['realm'],
'version' => $config['version'] ?? null,
'encryptionAlgorithm' => $config['encryption_algorithm'] ?? null,
'encryptionKeyPath' => $config['encryption_key_path'] ?? null,
'encryptionKey' => $config['encryption_key'] ?? null,
],
'azure' => [
'clientId' => $config['client_id'],
'clientSecret' => $config['client_secret'],
'clientCertificatePrivateKey' => $config['client_certificate_private_key'] ?? null,
'clientCertificateThumbprint' => $config['client_certificate_thumbprint'] ?? null,
'urlLogin' => $config['url_login'] ?? null,
'pathAuthorize' => $config['path_authorize'] ?? null,
'pathToken' => $config['path_token'] ?? null,
'scope' => $config['scope'] ?? null,
'tenant' => $config['tenant'] ?? null,
'urlAPI' => $config['url_api'] ?? null,
'resource' => $config['resource'] ?? null,
'API_VERSION' => $config['api_version'] ?? null,
'authWithResource' => $config['auth_with_resource'] ?? null,
'defaultEndPointVersion' => $config['default_end_point_version'] ?? null,
],
};

return array_filter($defaults, fn($value) => $value !== null);
}
}
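Review bot: `getProviderOptions()` reads the required keys (`$config['client_id']`, `$config['client_secret']`, `$config['urlAuthorize']`, `$config['auth_server_url']`, `$config['realm']`) without a check, and the closing `array_filter` then drops the resulting nulls. A missing secret or endpoint is therefore silently removed here, and the caller's `$customOptions + $options` merge would fall back to the static bundle value rather than fail. Failing early is clearer on an authentication path, e.g. `'clientId' => $config['client_id'] ?? throw new InvalidArgumentException('OAuth2 client_id is required'),` for each required key. The `match` also has no `default` arm, so an unknown `$providerType` surfaces as `UnhandledMatchError`; `default => throw new InvalidArgumentException("Unknown provider type: {$providerType}"),` would match the exception style already used in this class.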
