Client portal updates
136
portal/login_microsoft.php
Normal file
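--- /dev/null
+++ b/portal/login_microsoft.php
@@ -0,0 +1,136 @@
+<?php
+/*
+* Client Portal
+* OAuth Login via Microsoft IDP
+*/
+
+include('../config.php');
+include('../functions.php');
+
+if(!isset($_SESSION)){
+// HTTP Only cookies
+ini_set("session.cookie_httponly", True);
+if($config_https_only){
+// Tell client to only send cookie(s) over HTTPS
+ini_set("session.cookie_secure", True);
+}
+session_start();
+}
+
+$sql_settings = mysqli_query($mysqli,"SELECT config_azure_client_id, config_azure_client_secret FROM settings WHERE company_id = '1'");
+$settings = mysqli_fetch_array($sql_settings);
+
+//$client_id = "e821e3a6-02c8-40e8-9f22-b84d951a62e7";
+//$client_secret = "axL7Q~hKbmIwqa3DoxJLy4p88AdBz96XAcNZW";
+
+$client_id = $settings['config_azure_client_id'];
+$client_secret = $settings['config_azure_client_secret'];
+
+//$redirect_uri = "https://$config_base_url/portal/login_microsoft.php";
+$redirect_uri = "http://localhost/itflow/portal/login_microsoft.php";
+
+# https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
+## {tenant} is set to organistions to allow any MS Work/School account - See above for valid values. Must be used in conjunction with the correct setting on the App Registration
+$auth_code_url = "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize";
+$token_grant_url = "https://login.microsoftonline.com/organizations/oauth2/v2.0/token";
+
+// Initial Login Request, via Microsoft
+// Returns a authorization code if login was successful
+if ($_SERVER['REQUEST_METHOD'] == "GET"){
+//if ($_GET['action'] == 'login'){
+
+$params = array (
+'client_id' => $client_id,
+'redirect_uri' => $redirect_uri,
+
+#'response_type' =>'token',
+'response_type' => 'code',
+
+'response_mode' =>'form_post',
+'scope' => 'https://graph.microsoft.com/User.Read',
+'state' => session_id());
+
+header ('Location: '.$auth_code_url.'?'.http_build_query ($params));
+
+}
+
+// Login was successful, Microsoft has returned us a authorization code via POST
+// Request an access token using authorization code (& client secret) (server side)
+if (isset($_POST['code']) && $_POST['state'] == session_id()){
+
+$params = array (
+'client_id' =>$client_id,
+'code' => $_POST['code'],
+'redirect_uri' => $redirect_uri,
+'grant_type' => 'authorization_code',
+'client_secret' => $client_secret
+);
+
+// Send request via CURL (server side) so user cannot see the client secret
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_URL,$token_grant_url);
+curl_setopt($ch, CURLOPT_POST, 1);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+http_build_query($params));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
+
+$access_token_response = json_decode(curl_exec($ch),1);
+//curl_close ($ch);
+//var_dump($ch);
+//var_dump($access_token_response);
+
+// Check if we have an access token
+// If we do, send a request to Microsoft Graph API to get user info
+if (isset($access_token_response['access_token'])){
+
+$ch = curl_init();
+curl_setopt ($ch, CURLOPT_HTTPHEADER, array ('Authorization: Bearer '.$access_token_response['access_token'],
+'Content-type: application/json'));
+curl_setopt ($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/me/");
+curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP
+
+$msgraph_response = json_decode (curl_exec ($ch), 1);
+
+if (isset($msgraph_response['error'])){
+// Something went wrong verifying the token/using the Graph API - quit
+echo "Error with MS Graph API. Details:";
+var_dump ($msgraph_response['error']);
+exit();
+}
+
+elseif(isset($msgraph_response['id'])){
+
+$upn = mysqli_real_escape_string($mysqli, $msgraph_response["userPrincipalName"]);
+
+$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$upn' LIMIT 1");
+$row = mysqli_fetch_array($sql);
+if($row['contact_auth_method'] == 'azure'){
+
+$_SESSION['client_logged_in'] = TRUE;
+$_SESSION['client_id'] = $row['contact_client_id'];
+$_SESSION['contact_id'] = $row['contact_id'];
+$_SESSION['company_id'] = $row['company_id'];
+$_SESSION['login_method'] = "azure";
+
+header("Location: index.php");
+
+}
+else{
+$_SESSION['login_message'] = 'Something went wrong with login. Ensure you are setup for SSO.';
+header("Location: index.php");
+}
+}
+header ('Location: index.php');
+}
+else{
+echo "Error getting access_token";
+}
+
+}
+
+// If the user is just sat on the page, redirect them to login to try again
+if(empty($_GET)){
+echo "<script> setTimeout(function(){ window.location = \"login.php\"; },1000);</script>";
+}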
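Review bot: The callback check `isset($_POST['code']) && $_POST['state'] == session_id()` reuses the session identifier as the OAuth `state`, which exposes the session id in the authorize URL and the identity provider's logs, compares it with loose `==`, and reads `$_POST['state']` without `isset`; a per-request random value kept in the session and compared with `hash_equals` addresses all three, as sketched below. `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // DEBUG ONLY - WAMP` appears twice, on the token exchange that carries the client secret and on the Graph call, and `$redirect_uri` is still the hard-coded `http://localhost/itflow/...` value while the config-driven line above it is commented out, so neither should ship as committed. None of the `header('Location: ...')` calls is followed by `exit`, so after a successful login the script keeps running into the later `header ('Location: index.php');` and the JavaScript fallback at the bottom, and `$row['contact_auth_method']` is read even when `mysqli_fetch_array` returned no row. The commented-out `$client_id`/`$client_secret` literals near the top should be removed from the commit and, if they were ever live credentials, rotated.

```php
// … unchanged: settings lookup, endpoint URLs …
if ($_SERVER['REQUEST_METHOD'] == "GET"){
    // Single-use, unguessable state bound to this session rather than the session id itself
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    $params = array (
        // … unchanged: client_id, redirect_uri, response_type, response_mode, scope …
        'state' => $_SESSION['oauth_state']);
    header ('Location: '.$auth_code_url.'?'.http_build_query ($params));
    exit();
}

if (isset($_POST['code'], $_POST['state'], $_SESSION['oauth_state'])
    && hash_equals($_SESSION['oauth_state'], (string) $_POST['state'])){
    unset($_SESSION['oauth_state']);
    // … unchanged: token exchange, Graph lookup, session population …
}
```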