See Release Notes
Long Term Support Release
1 <?php 2 // This file is part of Moodle - http://moodle.org/ 3 // 4 // Moodle is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // Moodle is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License 15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>. 16 17 /** 18 * Configurable OAuth2 client class. 19 * 20 * @package core_badges 21 * @subpackage badges 22 * @copyright 2020 Tung Thai 23 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 24 * @author Tung Thai <Tung.ThaiDuc@nashtechglobal.com> 25 */ 26 27 namespace core_badges\oauth2; 28 29 defined('MOODLE_INTERNAL') || die(); 30 31 require_once($CFG->libdir . '/oauthlib.php'); 32 require_once($CFG->libdir . '/filelib.php'); 33 require_once ('badge_backpack_oauth2.php'); 34 35 use moodle_url; 36 use moodle_exception; 37 use stdClass; 38 39 define('BACKPACK_CHALLENGE_METHOD', 'S256'); 40 define('BACKPACK_CODE_VERIFIER_TIME', 60); 41 42 /** 43 * Configurable OAuth2 client to request authorization and store token. Use the PKCE method to verifier authorization. 44 * 45 * @copyright 2020 Tung Thai 46 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 47 * @author Tung Thai <Tung.ThaiDuc@nashtechglobal.com> 48 */ 49 class client extends \core\oauth2\client { 50 51 /** @var \core\oauth2\issuer */ 52 private $issuer; 53 54 /** @var string $clientid client identifier issued to the client */ 55 private $clientid = ''; 56 57 /** @var string $clientsecret The client secret. */ 58 private $clientsecret = ''; 59 60 /** @var moodle_url $returnurl URL to return to after authenticating */ 61 private $returnurl = null; 62 63 /** @var string $grantscope */ 64 protected $grantscope = ''; 65 66 /** @var string $scope */ 67 protected $scope = ''; 68 69 /** @var bool basicauth */ 70 protected $basicauth = true; 71 72 /** @var string|null backpack object */ 73 public $backpack = ''; 74 75 /** 76 * client constructor. 77 * 78 * @param issuer $issuer oauth2 service. 79 * @param string $returnurl return url after login 80 * @param string $additionalscopes the scopes has been granted 81 * @param null $backpack backpack object. 82 * @throws \coding_exception error message. 83 */ 84 public function __construct(\core\oauth2\issuer $issuer, $returnurl = '', $additionalscopes = '', 85 $backpack = null) { 86 $this->issuer = $issuer; 87 $this->clientid = $issuer->get('clientid'); 88 $this->returnurl = $returnurl; 89 $this->clientsecret = $issuer->get('clientsecret'); 90 $this->backpack = $backpack; 91 $this->grantscope = $additionalscopes; 92 $this->scope = $additionalscopes; 93 parent::__construct($issuer, $returnurl, $additionalscopes, false); 94 } 95 96 /** 97 * Get login url. 98 * 99 * @return moodle_url 100 * @throws \coding_exception 101 * @throws moodle_exception 102 */ 103 public function get_login_url() { 104 $callbackurl = self::callback_url(); 105 $scopes = $this->issuer->get('scopessupported'); 106 107 // Removed the scopes does not support in authorization. 108 $excludescopes = ['profile', 'openid']; 109 $arrascopes = explode(' ', $scopes); 110 foreach ($excludescopes as $exscope) { 111 $key = array_search($exscope, $arrascopes); 112 if (isset($key)) { 113 unset($arrascopes[$key]); 114 } 115 } 116 $scopes = implode(' ', $arrascopes); 117 118 $params = array_merge( 119 [ 120 'client_id' => $this->clientid, 121 'response_type' => 'code', 122 'redirect_uri' => $callbackurl->out(false), 123 'state' => $this->returnurl->out_as_local_url(false), 124 'scope' => $scopes, 125 'code_challenge' => $this->code_challenge(), 126 'code_challenge_method' => BACKPACK_CHALLENGE_METHOD, 127 ] 128 ); 129 return new moodle_url($this->auth_url(), $params); 130 } 131 132 /** 133 * Generate code challenge. 134 * 135 * @return string 136 */ 137 public function code_challenge() { 138 $random = bin2hex(openssl_random_pseudo_bytes(43)); 139 $verifier = $this->base64url_encode(pack('H*', $random)); 140 $challenge = $this->base64url_encode(pack('H*', hash('sha256', $verifier))); 141 $_SESSION['SESSION']->code_verifier = $verifier; 142 return $challenge; 143 } 144 145 /** 146 * Get code verifier. 147 * 148 * @return bool 149 */ 150 public function code_verifier() { 151 if (isset($_SESSION['SESSION']) && !empty($_SESSION['SESSION']->code_verifier)) { 152 return $_SESSION['SESSION']->code_verifier; 153 } 154 return false; 155 } 156 157 /** 158 * Generate base64url encode. 159 * 160 * @param string $plaintext text to convert. 161 * @return string 162 */ 163 public function base64url_encode($plaintext) { 164 $base64 = base64_encode($plaintext); 165 $base64 = trim($base64, "="); 166 $base64url = strtr($base64, '+/', '-_'); 167 return ($base64url); 168 } 169 170 /** 171 * Callback url where the request is returned to. 172 * 173 * @return moodle_url url of callback 174 */ 175 public static function callback_url() { 176 return new moodle_url('/admin/oauth2callback.php'); 177 } 178 179 /** 180 * Check and refresh token to keep login on backpack site. 181 * 182 * @return bool 183 * @throws \coding_exception 184 * @throws moodle_exception 185 */ 186 public function is_logged_in() { 187 188 // Has the token expired? 189 if (isset($this->accesstoken->expires) && time() >= $this->accesstoken->expires) { 190 if (isset($this->accesstoken->refreshtoken)) { 191 return $this->upgrade_token($this->accesstoken->refreshtoken, 'refresh_token'); 192 } else { 193 throw new moodle_exception('Could not refresh oauth token, please try again.'); 194 } 195 } 196 197 if (isset($this->accesstoken->token) && isset($this->accesstoken->scope)) { 198 return true; 199 } 200 201 // If we've been passed then authorization code generated by the 202 // authorization server try and upgrade the token to an access token. 203 $code = optional_param('oauth2code', null, PARAM_RAW); 204 // Note - sometimes we may call is_logged_in twice in the same request - we don't want to attempt 205 // to upgrade the same token twice. 206 if ($code && $this->upgrade_token($code, 'authorization_code')) { 207 return true; 208 } 209 210 return false; 211 } 212 213 /** 214 * Request new token. 215 * 216 * @param string $code code verify from Auth site. 217 * @param string $granttype grant type. 218 * @return bool 219 * @throws moodle_exception 220 */ 221 public function upgrade_token($code, $granttype = 'authorization_code') { 222 $callbackurl = self::callback_url(); 223 224 if ($granttype == 'authorization_code') { 225 $this->basicauth = true; 226 $params = array('code' => $code, 227 'grant_type' => $granttype, 228 'redirect_uri' => $callbackurl->out(false), 229 'scope' => $this->get_scopes(), 230 'code_verifier' => $this->code_verifier() 231 ); 232 } else if ($granttype == 'refresh_token') { 233 $this->basicauth = false; 234 $params = array('refresh_token' => $code, 235 'grant_type' => $granttype, 236 'scope' => $this->get_scopes(), 237 ); 238 } 239 if ($this->basicauth) { 240 $idsecret = $this->clientid . ':' . $this->clientsecret; 241 $this->setHeader('Authorization: Basic ' . base64_encode($idsecret)); 242 } else { 243 $params['client_id'] = $this->clientid; 244 $params['client_secret'] = $this->clientsecret; 245 } 246 // Requests can either use http GET or POST. 247 $response = $this->post($this->token_url(), $this->build_post_data($params)); 248 if ($this->info['http_code'] !== 200) { 249 $debuginfo = !empty($this->error) ? $this->error : $response; 250 throw new moodle_exception('oauth2refreshtokenerror', 'core_error', '', $this->info['http_code'], $debuginfo); 251 } 252 253 $r = json_decode($response); 254 255 if (is_null($r)) { 256 throw new moodle_exception("Could not decode JSON token response"); 257 } 258 259 if (!empty($r->error)) { 260 throw new moodle_exception($r->error . ' ' . $r->error_description); 261 } 262 263 if (!isset($r->access_token)) { 264 return false; 265 } 266 267 // Store the token an expiry time. 268 $accesstoken = new stdClass; 269 $accesstoken->token = $r->access_token; 270 if (isset($r->expires_in)) { 271 // Expires 10 seconds before actual expiry. 272 $accesstoken->expires = (time() + ($r->expires_in - 10)); 273 } 274 if (isset($r->refresh_token)) { 275 $this->refreshtoken = $r->refresh_token; 276 $accesstoken->refreshtoken = $r->refresh_token; 277 } 278 $accesstoken->scope = $r->scope; 279 280 // Also add the scopes. 281 $this->store_token($accesstoken); 282 283 return true; 284 } 285 286 /** 287 * Store a token to verify for send request. 288 * 289 * @param null|stdClass $token 290 */ 291 protected function store_token($token) { 292 global $USER; 293 294 $this->accesstoken = $token; 295 // Create or update a DB record with the new token. 296 $persistedtoken = badge_backpack_oauth2::get_record(['externalbackpackid' => $this->backpack->id, 'userid' => $USER->id]); 297 if ($token !== null) { 298 if (!$persistedtoken) { 299 $persistedtoken = new badge_backpack_oauth2(); 300 $persistedtoken->set('issuerid', $this->backpack->oauth2_issuerid); 301 $persistedtoken->set('externalbackpackid', $this->backpack->id); 302 $persistedtoken->set('userid', $USER->id); 303 } else { 304 $persistedtoken->set('timemodified', time()); 305 } 306 // Update values from $token. Don't use from_record because that would skip validation. 307 $persistedtoken->set('usermodified', $USER->id); 308 $persistedtoken->set('token', $token->token); 309 $persistedtoken->set('refreshtoken', $token->refreshtoken); 310 $persistedtoken->set('expires', $token->expires); 311 $persistedtoken->set('scope', $token->scope); 312 $persistedtoken->save(); 313 } else { 314 if ($persistedtoken) { 315 $persistedtoken->delete(); 316 } 317 } 318 } 319 320 /** 321 * Get token of current user. 322 * 323 * @return stdClass|null token object 324 */ 325 protected function get_stored_token() { 326 global $USER; 327 328 $token = badge_backpack_oauth2::get_record(['externalbackpackid' => $this->backpack->id, 'userid' => $USER->id]); 329 if ($token !== false) { 330 $token = $token->to_record(); 331 return $token; 332 } 333 return null; 334 } 335 336 /** 337 * Get scopes granted. 338 * 339 * @return null|string 340 */ 341 protected function get_scopes() { 342 if (!empty($this->grantscope)) { 343 return $this->grantscope; 344 } 345 $token = $this->get_stored_token(); 346 if ($token) { 347 return $token->scope; 348 } 349 return null; 350 } 351 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body