From e7f5812e95a371e7981e36339c8b02bc705a9db1 Mon Sep 17 00:00:00 2001 From: Angel Fernando Quiroz Campos <1697880+AngelFQC@users.noreply.github.com> Date: Sat, 14 Dec 2024 00:48:19 -0500 Subject: [PATCH] SSO: Fix provider configuration to use KnpUOAuthClient defaults Corrected provider parameters to align with default configuration values provided by the KnpUOAuthClient package --- config/authentication.yaml | 28 +-------- config/packages/knpu_oauth2_client.yaml | 11 ++-- .../OAuth2ProviderFactoryDecorator.php | 38 +++++++----- .../OAuth2/GenericAuthenticator.php | 2 +- .../AuthenticationConfigHelper.php | 58 ++++++++++++++++++- 5 files changed, 87 insertions(+), 50 deletions(-) diff --git a/config/authentication.yaml b/config/authentication.yaml index 072d65db689..438a08df9a2 100644 --- a/config/authentication.yaml +++ b/config/authentication.yaml @@ -13,12 +13,7 @@ parameters: urlAccessToken: '' urlResourceOwnerDetails: '' responseResourceOwnerId: 'sub' - # accessTokenMethod: 'POST' - # responseError: 'error' - # responseCode: '' - # scopeSeparator: ' ' - scopes: - - openid + accessTokenMethod: 'GET' allow_create_new_users: true allow_update_user_info: false resource_owner_username_field: null @@ -38,8 +33,7 @@ parameters: title: 'Facebook' client_id: '' client_secret: '' - graph_api_version: 'v20.0' - redirect_params: { } + #graph_api_version: 'v20.0' keycloak: enabled: false 
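Review bot: `accessTokenMethod: 'GET'` in the generic provider block makes the League GenericProvider send the token-endpoint request as a GET, so the client_secret and the authorization code travel in the URL query string, where reverse proxies and server access logs on both sides routinely record them; RFC 6749 §3.2 requires POST for the token endpoint. Unless one specific identity provider is known to need GET, this should stay POST: the GenericProvider already defaults to POST, so the line can be dropped entirely or set to `accessTokenMethod: 'POST'`. If GET is deliberate for a particular deployment, a comment next to the key naming that provider would keep it from being reverted as a mistake.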
@@ -48,26 +42,10 @@ parameters: client_secret: '' auth_server_url: '' realm: '' - version: '' - encryption_algorithm: null - encryption_key_path: null - encryption_key: null - redirect_params: { } + #version: '' azure: enabled: false title: 'Azure' client_id: '' client_secret: '' - tenant: 'common' - client_certificate_private_key: '' - client_certificate_thumbprint: '' - url_login: 'https://login.microsoftonline.com/' - path_authorize: '/oauth2/authorize' - path_token: '/oauth2/token' - scope: {} - url_api: 'https://graph.windows.net/' - resource: null - api_version: '1.6' - auth_with_resource: true - default_end_point_version: '1.0' diff --git a/config/packages/knpu_oauth2_client.yaml b/config/packages/knpu_oauth2_client.yaml index 849f3105676..862b46b5ed4 100644 --- a/config/packages/knpu_oauth2_client.yaml +++ b/config/packages/knpu_oauth2_client.yaml @@ -5,6 +5,10 @@ knpu_oauth2_client: provider_class: League\OAuth2\Client\Provider\GenericProvider client_id: '' client_secret: '' + provider_options: + responseResourceOwnerId: 'sub' + scopes: + - openid redirect_route: chamilo.oauth2_generic_check facebook: @@ -12,25 +16,20 @@ knpu_oauth2_client: client_id: '' client_secret: '' redirect_route: chamilo.oauth2_facebook_check - graph_api_version: '' - redirect_params: { } + graph_api_version: 'v20.0' keycloak: type: keycloak client_id: '' client_secret: '' redirect_route: chamilo.oauth2_keycloak_check - redirect_params: { } auth_server_url: null realm: null azure: type: azure client_id: '' - # a route name you'll create redirect_route: chamilo.oauth2_azure_check - redirect_params: { } - # The shared client secret if you don't use a certificate client_secret: ' ' # configure your clients as described here: https://github.com/knpuniversity/oauth2-client-bundle#configuration diff --git a/src/CoreBundle/Decorator/OAuth2ProviderFactoryDecorator.php b/src/CoreBundle/Decorator/OAuth2ProviderFactoryDecorator.php index fbe4edaf094..430f4ed51bb 100644 
--- a/src/CoreBundle/Decorator/OAuth2ProviderFactoryDecorator.php
+++ b/src/CoreBundle/Decorator/OAuth2ProviderFactoryDecorator.php
@@ -7,9 +7,7 @@ namespace Chamilo\CoreBundle\Decorator;
 use Chamilo\CoreBundle\ServiceHelper\AuthenticationConfigHelper;
-use KnpU\OAuth2ClientBundle\DependencyInjection\KnpUOAuth2ClientExtension;
 use KnpU\OAuth2ClientBundle\DependencyInjection\ProviderFactory;
-use KnpU\OAuth2ClientBundle\KnpUOAuth2ClientBundle;
 use League\OAuth2\Client\Provider\AbstractProvider;
 use League\OAuth2\Client\Provider\Facebook;
 use League\OAuth2\Client\Provider\GenericProvider;
@@ -34,23 +32,31 @@ public function createProvider(
 array $redirectParams = [],
 array $collaborators = []
 ): AbstractProvider {
-$options = match ($class) {
-GenericProvider::class => $this->getProviderOptions('generic'),
-Facebook::class => $this->getProviderOptions('facebook'),
-Keycloak::class => $this->getProviderOptions('keycloak'),
-Azure::class => $this->getProviderOptions('azure'),
+$customConfig = match ($class) {
+GenericProvider::class => $this->authenticationConfigHelper->getProviderConfig('generic'),
+Facebook::class => $this->authenticationConfigHelper->getProviderConfig('facebook'),
+Keycloak::class => $this->authenticationConfigHelper->getProviderConfig('keycloak'),
+Azure::class => $this->authenticationConfigHelper->getProviderConfig('azure'),
 };
-return $this->inner->createProvider($class, $options, $redirectUri, $redirectParams, $collaborators);
-}
-
-private function getProviderOptions(string $providerName): array
-{
-/** @var KnpUOAuth2ClientExtension $extension */
-$extension = (new KnpUOAuth2ClientBundle())->getContainerExtension();
+$redirectParams = $customConfig['redirect_params'] ?? [];
+
+$customOptions = match ($class) {
+GenericProvider::class => $this->authenticationConfigHelper->getProviderOptions(
+'generic',
+[
+'client_id' => $customConfig['client_id'],
+'client_secret' => $customConfig['client_secret'],
+...$customConfig['provider_options'],
+],
+),
+Facebook::class => $this->authenticationConfigHelper->getProviderOptions('facebook', $customConfig),
+Keycloak::class => $this->authenticationConfigHelper->getProviderOptions('keycloak', $customConfig),
+Azure::class => $this->authenticationConfigHelper->getProviderOptions('azure', $customConfig),
+};
-$configParams = $this->authenticationConfigHelper->getParams($providerName);
+$options = $customOptions + $options;
-return $extension->getConfigurator($providerName)->getProviderOptions($configParams);
+return $this->inner->createProvider($class, $options, $redirectUri, $redirectParams, $collaborators);
 }
 }
diff --git a/src/CoreBundle/Security/Authenticator/OAuth2/GenericAuthenticator.php b/src/CoreBundle/Security/Authenticator/OAuth2/GenericAuthenticator.php
index 165968b5446..bb87d3b5da3 100644
--- a/src/CoreBundle/Security/Authenticator/OAuth2/GenericAuthenticator.php
+++ b/src/CoreBundle/Security/Authenticator/OAuth2/GenericAuthenticator.php
@@ -62,7 +62,7 @@ public function supports(Request $request): ?bool
 protected function userLoader(AccessToken $accessToken): User
 {
-$providerParams = $this->authenticationConfigHelper->getParams('generic');
+$providerParams = $this->authenticationConfigHelper->getProviderConfig('generic');
 /** @var GenericResourceOwner $resourceOwner */
 $resourceOwner = $this->client->fetchUserFromToken($accessToken);
diff --git a/src/CoreBundle/ServiceHelper/AuthenticationConfigHelper.php b/src/CoreBundle/ServiceHelper/AuthenticationConfigHelper.php
index ef029f6737b..270b8bd9d1f 100644
--- a/src/CoreBundle/ServiceHelper/AuthenticationConfigHelper.php
+++ b/src/CoreBundle/ServiceHelper/AuthenticationConfigHelper.php
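Review bot: `$redirectParams = $customConfig['redirect_params'] ?? [];` throws away the `$redirectParams` argument the caller passed in even when the site config has no `redirect_params` key; falling back to the parameter, `$redirectParams = $customConfig['redirect_params'] ?? $redirectParams;`, keeps the decorator transparent for callers that rely on it. The generic arm also reads `$customConfig['client_id']`, `$customConfig['client_secret']` and spreads `$customConfig['provider_options']` with no null-coalesce, so a site config that omits `provider_options` fails with a TypeError on `...null` rather than a readable configuration error; `...($customConfig['provider_options'] ?? [])` would be safer, and the string-keyed spread itself requires PHP 8.1. A one-line comment on `$options = $customOptions + $options;` saying that site config takes precedence over the bundle defaults would make the `+` ordering deliberate rather than accidental. The `match` without a default arm is unchanged from the removed code, and createProvider's signature starts above the hunk.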
@@ -21,7 +21,7 @@ public function __construct(
 private UrlGeneratorInterface $urlGenerator,
 ) {}
-public function getParams(string $providerName, ?AccessUrl $url = null): array
+public function getProviderConfig(string $providerName, ?AccessUrl $url = null): array
 {
 $providers = $this->getProvidersForUrl($url);
@@ -34,7 +34,7 @@ public function getParams(string $providerName, ?AccessUrl $url = null): array
 public function isEnabled(string $methodName, ?AccessUrl $url = null): bool
 {
-$configParams = $this->getParams($methodName, $url);
+$configParams = $this->getProviderConfig($methodName, $url);
 return $configParams['enabled'] ?? false;
 }
@@ -74,4 +74,58 @@ private function getProvidersForUrl(?AccessUrl $url): array
 throw new InvalidArgumentException('Invalid access URL configuration');
 }
+
+public function getProviderOptions(string $providerType, array $config): array
+{
+$defaults = match($providerType) {
+'generic' => [
+'clientId' => $config['client_id'],
+'clientSecret' => $config['client_secret'],
+'urlAuthorize' => $config['urlAuthorize'],
+'urlAccessToken' => $config['urlAccessToken'],
+'urlResourceOwnerDetails' => $config['urlResourceOwnerDetails'],
+'accessTokenMethod' => $config['accessTokenMethod'] ?? null,
+'accessTokenResourceOwnerId' => $config['accessTokenResourceOwnerId'] ?? null,
+'scopeSeparator' => $config['scopeSeparator'] ?? null,
+'responseError' => $config['responseError'] ?? null,
+'responseCode' => $config['responseCode'] ?? null,
+'responseResourceOwnerId' => $config['responseResourceOwnerId'] ?? null,
+'scopes' => $config['scopes'] ?? null,
+'pkceMethod' => $config['pkceMethod'] ?? null,
+],
+'facebook' => [
+'clientId' => $config['client_id'],
+'clientSecret' => $config['client_secret'],
+'graphApiVersion' => $config['graph_api_version'] ?? null,
+],
+'keycloak' => [
+'clientId' => $config['client_id'],
+'clientSecret' => $config['client_secret'],
+'authServerUrl' => $config['auth_server_url'],
+'realm' => $config['realm'],
+'version' => $config['version'] ?? null,
+'encryptionAlgorithm' => $config['encryption_algorithm'] ?? null,
+'encryptionKeyPath' => $config['encryption_key_path'] ?? null,
+'encryptionKey' => $config['encryption_key'] ?? null,
+],
+'azure' => [
+'clientId' => $config['client_id'],
+'clientSecret' => $config['client_secret'],
+'clientCertificatePrivateKey' => $config['client_certificate_private_key'] ?? null,
+'clientCertificateThumbprint' => $config['client_certificate_thumbprint'] ?? null,
+'urlLogin' => $config['url_login'] ?? null,
+'pathAuthorize' => $config['path_authorize'] ?? null,
+'pathToken' => $config['path_token'] ?? null,
+'scope' => $config['scope'] ?? null,
+'tenant' => $config['tenant'] ?? null,
+'urlAPI' => $config['url_api'] ?? null,
+'resource' => $config['resource'] ?? null,
+'API_VERSION' => $config['api_version'] ?? null,
+'authWithResource' => $config['auth_with_resource'] ?? null,
+'defaultEndPointVersion' => $config['default_end_point_version'] ?? null,
+],
+};
+
+return array_filter($defaults, fn($value) => $value !== null);
+}
+}
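Review bot: `match($providerType)` in getProviderOptions has no default arm, so an unknown type surfaces as an UnhandledMatchError instead of the InvalidArgumentException this file already throws for a bad access-URL configuration; adding `default => throw new InvalidArgumentException(sprintf('Unknown provider type "%s"', $providerType)),` keeps the error handling consistent. The `array_filter` only drops null, so an empty string such as `urlAuthorize: ''` from the site config still overrides the bundle default in the caller's `$customOptions + $options` merge — presumably intended for required values, but it deserves a docblock along the lines of `@param array<string, mixed> $config raw provider block from authentication.yaml` and `@return array<string, mixed> League provider options with nulls removed so bundle defaults apply`. The closure would read better as `static fn (mixed $value): bool => $value !== null`. Each branch also hand-copies the option names that the bundle's configurators (called by the decorator code this commit removes) resolve themselves, so a bundle or provider upgrade that renames an option will silently diverge here unless the mapping is tested.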