AIRAVATA-2342 Callback to handle Keycloak response
Project: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/commit/8b483beb Tree: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/tree/8b483beb Diff: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/diff/8b483beb Branch: refs/heads/develop Commit: 8b483bebadb3df6e34e520dc4b7da40b73a61a99 Parents: 5b0b285 Author: Marcus Christie <[email protected]> Authored: Wed Mar 22 14:13:59 2017 -0400 Committer: Marcus Christie <[email protected]> Committed: Wed Mar 22 14:13:59 2017 -0400 ---------------------------------------------------------------------- app/controllers/AccountController.php | 4 +- app/libraries/Keycloak/Keycloak.php | 69 +++++++++++++++++++++++++++++- 2 files changed, 70 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/8b483beb/app/controllers/AccountController.php ----------------------------------------------------------------------
diff --git a/app/controllers/AccountController.php b/app/controllers/AccountController.php
index 5c0de05..e98db86 100644
--- a/app/controllers/AccountController.php
+++ b/app/controllers/AccountController.php
@@ -177,7 +177,7 @@ class AccountController extends BaseController
 }
 $code = $_GET["code"];
- $response = WSIS::getOAuthToken($code);
+ $response = Keycloak::getOAuthToken($code);
 if(!isset($response->access_token)){
 return Redirect::to('home');
 }
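Review bot: The exchange at `$response = Keycloak::getOAuthToken($code)` consumes `$_GET["code"]` with no visible check that an OAuth `state` value echoed back by Keycloak matches one stored in the session, which is the standard defence against login CSRF on an authorization-code callback; the method begins above this hunk, so if `state` is verified there this is already covered, otherwise add, before the exchange, `if (empty($_GET["state"]) || !hash_equals((string) Session::get('oauth2state'), (string) $_GET["state"])) { return Redirect::to('home'); }` (using whatever session store the gateway already has, shown here as Laravel's `Session` facade) and set the matching value where the authorization URL is built. The `isset($response->access_token)` fallback also cannot catch a transport failure: `Keycloak::getOAuthToken` as added later in this commit calls `die()` on a cURL error, so an unreachable token endpoint ends the request with the raw cURL message instead of reaching the redirect. Consider having the library throw and catching that here so the user lands on `home` either way.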
@@ -186,7 +186,7 @@ class AccountController extends BaseController
 $refreshToken = $response->refresh_token;
 $expirationTime = time() + $response->expires_in - 5; //5 seconds safe margin
- $userProfile = WSIS::getUserProfileFromOAuthToken($accessToken);
+ $userProfile = Keycloak::getUserProfileFromOAuthToken($accessToken);
 $username = $userProfile['username'];
 $userRoles = $userProfile['roles']; http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/8b483beb/app/libraries/Keycloak/Keycloak.php ----------------------------------------------------------------------
diff --git a/app/libraries/Keycloak/Keycloak.php b/app/libraries/Keycloak/Keycloak.php
index f28600c..c1c6f33 100644
--- a/app/libraries/Keycloak/Keycloak.php
+++ b/app/libraries/Keycloak/Keycloak.php
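Review bot: `$userRoles = $userProfile['roles']` now receives whatever `Keycloak::getUserProfileFromOAuthToken` returns, and in this same commit that method returns `'roles'=>array()` under a `// TODO: get roles from Keycloak API`, so every login through this callback continues with an empty role list; whatever role-based checks follow (outside this hunk) will see a user with no roles, and if an empty list falls through to a default branch the outcome may differ from what the WSIS path produced. Until the roles lookup lands, make the gap visible rather than silent, for example `if (empty($userRoles)) { Log::warning("Keycloak returned no roles for user " . $username); }` right after the assignment, or redirect instead of continuing if the gateway cannot operate on an unprivileged user. The enclosing method continues past the end of this hunk, so the role-dependent code is not visible here.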
@@ -38,13 +38,80 @@ class Keycloak {
 return $url;
 }
+ public function getOAuthToken($code){
+
+ $config = $this->getOpenIDConnectDiscoveryConfiguration();
+ $token_endpoint = $config->token_endpoint;
+
+ // Init cUrl.
+ $r = curl_init($token_endpoint);
+ curl_setopt($r, CURLOPT_RETURNTRANSFER, 1);
+ // Decode compressed responses.
+ curl_setopt($r, CURLOPT_ENCODING, 1);
+ curl_setopt($r, CURLOPT_SSL_VERIFYPEER, $this->verify_peer);
+
+ // Add client ID and client secret to the headers.
+ curl_setopt($r, CURLOPT_HTTPHEADER, array(
+ "Authorization: Basic " . base64_encode($this->client_id . ":" . $this->client_secret),
+ ));
+
+ // Assemble POST parameters for the request.
+ $post_fields = "code=" . urlencode($code) . "&grant_type=authorization_code&redirect_uri=" . urlencode($this->callback_url);
+
+ // Obtain and return the access token from the response.
+ curl_setopt($r, CURLOPT_POST, true);
+ curl_setopt($r, CURLOPT_POSTFIELDS, $post_fields);
+
+ $response = curl_exec($r);
+ if ($response == false) {
+ die("curl_exec() failed. Error: " . curl_error($r));
+ }
+
+ //Parse JSON return object.
+ $result = json_decode($response);
+ Log::debug("getOAuthToken response", array($result));
+
+ return $result;
+ }
+
+ public function getUserProfileFromOAuthToken($token){
+
+ $config = $this->getOpenIDConnectDiscoveryConfiguration();
+ $userinfo_endpoint = $config->userinfo_endpoint;
+
+ $r = curl_init($userinfo_endpoint);
+ curl_setopt($r, CURLOPT_RETURNTRANSFER, 1);
+ // Decode compressed responses.
+ curl_setopt($r, CURLOPT_ENCODING, 1);
+ curl_setopt($r, CURLOPT_SSL_VERIFYPEER, $this->verify_peer);
+ curl_setopt($r, CURLOPT_HTTPHEADER, array(
+ "Authorization: Bearer " . $token
+ ));
+
+ $response = curl_exec($r);
+ if ($response == false) {
+ die("curl_exec() failed. Error: " . curl_error($r));
+ }
+
+ //Parse JSON return object.
+ $userinfo = json_decode($response);
+ Log::debug("Keycloak userinfo", array($userinfo));
+ $username = $userinfo->preferred_username;
+ $firstname = $userinfo->given_name;
+ $lastname = $userinfo->family_name;
+ $email = $userinfo->email;
+ // TODO: get roles from Keycloak API
+ return array('username'=>$username, 'firstname'=>$firstname, 'lastname'=>$lastname, 'email'=>$email, 'roles'=>array());
+ }
+ private function getOpenIDConnectDiscoveryConfiguration() {
+ // TODO: cache the result of the request
 $r = curl_init($this->openid_connect_discovery_url);
 curl_setopt($r, CURLOPT_RETURNTRANSFER, 1);
 // Decode compressed responses.
 curl_setopt($r, CURLOPT_ENCODING, 1);
- curl_setopt($r, CURLOPT_SSL_VERIFYPEER, false);
+ curl_setopt($r, CURLOPT_SSL_VERIFYPEER, $this->verify_peer);
 $result = curl_exec($r);
