Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clubhouse SSO support. #1655

Merged
merged 3 commits into from
Dec 10, 2023
Merged

Clubhouse SSO support. #1655

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1055b70
Clubhouse SSO support.
mikeburg Dec 9, 2023
0f4eecc
Added oauth code expiry command, and cron job.
mikeburg Dec 9, 2023
1568f70
Added APP_KEY to test_docker.
mikeburg Dec 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions app/Console/Commands/ClubhouseExpireOauthCodes.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<?php

namespace App\Console\Commands;

use App\Models\OauthCode;
use Illuminate\Console\Command;

class ClubhouseExpireOauthCodes extends Command
{
/**
* The name and signature of the console command.
*
* @var string
*/
protected $signature = 'clubhouse:expire-oauth-codes';

/**
* The console command description.
*
* @var string
*/
protected $description = 'Delete expired oauth codes';

/**
* Execute the console command.
*/

public function handle(): void
{
OauthCode::deleteExpired();
}
}
3 changes: 3 additions & 0 deletions app/Console/Kernel.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,9 @@ protected function schedule(Schedule $schedule): void
// Cleanup the mail log
$schedule->command('clubhouse:cleanup-maillog')->dailyAt('03:30')->onOneServer();

// Cleanup oauth codes
$schedule->command('clubhouse:expire-oauth-codes')->dailyAt('03:00')->onOneServer();

// Sign out timesheets
$schedule->job(new SignOutTimesheetsJob())->cron('0,10,20,30,40,50 * 15-31 8 *')->onOneServer();
$schedule->job(new SignOutTimesheetsJob())->cron('0,10,20,30,40,50 * 1-10 9 *')->onOneServer();
Expand Down
6 changes: 5 additions & 1 deletion app/Http/Controllers/AuthController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,18 @@
use App\Mail\ResetPassword;
use App\Models\ActionLog;
use App\Models\ErrorLog;
use App\Models\OauthClient;
use App\Models\OauthCode;
use App\Models\Person;
use Carbon\Carbon;
use Exception;
use GuzzleHttp;
use GuzzleHttp\Exception\RequestException;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\Auth;
use InvalidArgumentException;
use Okta\JwtVerifier\JwtVerifierBuilder;

class AuthController extends Controller
Expand Down Expand Up @@ -113,7 +117,7 @@ private function attemptLogin(Person $person, $actionData): JsonResponse

ActionLog::record($person, 'auth-login', 'User login', $actionData);

$token = $this->groundHogDayWrap(fn() => auth()->login($person));
$token = $this->groundHogDayWrap(fn() => Auth::login($person));

return $this->respondWithToken($token);
}
Expand Down
174 changes: 174 additions & 0 deletions app/Http/Controllers/OAuth2Controller.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,174 @@
<?php

namespace App\Http\Controllers;

use App\Models\OauthClient;
use App\Models\OauthCode;
use App\Models\Person;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\Auth;

class OAuth2Controller extends ApiController
{
public function openIdDiscovery(): JsonResponse
{
return response()->json([
"issuer" => "https://ranger-clubhouse.burningman.org",
"authorization_endpoint" => "http://127.0.0.1:4200/me/oauth2-grant",
"token_endpoint" => "http://docker.for.mac.localhost:8000/auth/oauth2/token",
"userinfo_endpoint" => "http://docker.for.mac.localhost:8000/auth/oauth2/userinfo",
"response_types_supported" => [
"code",
"token",
"none"
],
"subject_types_supported" => [
"public"
],
"id_token_signing_alg_values_supported" => [
"RS256"
],
"scopes_supported" => [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported" => [
"client_secret_post",
"client_secret_basic"
],
"claims_supported" => [
"aud",
"email",
"exp",
"family_name",
"given_name",
"iat",
"iss",
"locale",
"name",
"sub"
],
"code_challenge_methods_supported" => [
"plain",
"S256"
],
"grant_types_supported" => [
"authorization_code",
"refresh_token",
"urn:ietf:params:oauth:grant-type:device_code",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
]
]);
}

/**
* Create a grant code and build the callback url for the frontend handling the login form.
* Unlike the other methods in this controller, this one has to called by a logged-in user.
*
*/

public function grantOAuthCode(): JsonResponse
{
$params = request()->validate([
'response_type' => 'required|string',
'redirect_uri' => 'required|string',
'client_id' => 'required|string|exists:oauth_client,client_id',
'scope' => 'required|string',
'state' => 'sometimes|string',
]);


if ($params['response_type'] != 'code') {
throw new InvalidArgumentException('Unsupported response type');
}

$client = OauthClient::findForClientId($params['client_id']);
$code = OauthCode::createCodeForClient($client, Auth::user(), $params['scope']);

$callbackParams = ['code' => $code];
if (!empty($params['state'])) {
$callbackParams['state'] = $params['state'];
}

return response()->json([
'callback_url' => $params['redirect_uri'] . '?' . http_build_query($callbackParams),
'client_description' => $client->description,
]);
}

/**
* Response to an OAuth2 token request
*
* @return JsonResponse
*/

public function grantOAuthToken(): JsonResponse
{
$params = request()->validate([
'grant_type' => 'required|string',
'client_id' => 'required|string',
'client_secret' => 'required|string',
'code' => 'required|string',
]);

if ($params['grant_type'] != 'authorization_code') {
throw new InvalidArgumentException('Grant type not supported.');
}

$client = OauthClient::findForClientId($params['client_id']);
if (!$client) {
throw new InvalidArgumentException('Client ID not registered.');
}

if ($client->secret != $params['client_secret']) {
throw new InvalidArgumentException('Invalid client secret');
}

$oc = OAuthCode::findForClientCode($client, $params['code']);
if (!$oc) {
throw new InvalidArgumentException('Code not found.');
}

$person = Person::findOrFail($oc->person_id);

$claims = [];
if (!empty($oc->scope)) {
foreach (explode(' ', $oc->scope) as $scope) {
switch ($scope) {
case 'email':
$claims['email'] = $person->email;
break;
case 'profile':
$claims['given_name'] = $person->desired_first_name();
$claims['family_name'] = $person->last_name;
break;
}
}
}

$token = auth()->claims($claims)->login($person);
return response()->json([
'token_type' => 'Bearer',
'access_token' => $token,
'expires_in' => (string)now()->addSeconds(config('jwt.ttl'))
]);
}

/**
* Return basic user information for oauth2 tokens
*
* @return JsonResponse
*/

public function oauthUserInfo(): JsonResponse
{
$person = Auth::user();

return response()->json([
'email' => $person->email,
'given_name' => $person->desired_first_name(),
'family_name' => $person->last_name
]);
}
}
93 changes: 93 additions & 0 deletions app/Http/Controllers/OauthClientController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
<?php

namespace App\Http\Controllers;

use App\Models\OauthClient;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Http\JsonResponse;
use Illuminate\Validation\ValidationException;

class OauthClientController extends ApiController
{
/**
* Display a listing of the OAuth Clients.
*
* @return JsonResponse
* @throws AuthorizationException
*/

public function index(): JsonResponse
{
$this->authorize('index', OauthClient::class);
return $this->success(OauthClient::findAll());
}

/***
* Create an OAuth Client record
*
* @return JsonResponse
* @throws AuthorizationException|ValidationException
*/

public function store(): JsonResponse
{
$this->authorize('store', OauthClient::class);
$client = new OauthClient;
$this->fromRest($client);

if ($client->save()) {
return $this->success($client);
}

return $this->restError($client);
}

/**
* Display the specified OAuth Client.
*
* @param OauthClient $client
* @return JsonResponse
* @throws AuthorizationException
*/

public function show(OauthClient $client): JsonResponse
{
$this->authorize('show', $client);
return $this->success($client);
}

/**
* Update the specified OAuth Client in storage.
*
* @param OauthClient $client
* @return JsonResponse
* @throws AuthorizationException|ValidationException
*/

public function update(OauthClient $client): JsonResponse
{
$this->authorize('update', $client);
$this->fromRest($client);

if ($client->save()) {
return $this->success($client);
}

return $this->restError($client);
}

/**
* Delete an OAuth Client record
*
* @param OauthClient $client
* @return JsonResponse
* @throws AuthorizationException
*/

public function destroy(OauthClient $client): JsonResponse
{
$this->authorize('destroy', $client);
$client->delete();
return $this->restDeleteSuccess();
}
}
Loading