authorAndrew Dolgov <[email protected]>2024-01-23 16:58:26 +0300
committerAndrew Dolgov <[email protected]>2024-01-23 16:58:26 +0300
commit3946e9546604e531b0f3eb7849dd6d2dea247d9c (patch)
tree1e77eac130594be9682b0b41a1c270057faa0785
parent452ad8003719bb467d9c8eb041f726aa19f95125 (diff)
add basic oidc support
-rw-r--r--classes/Config.php8
-rw-r--r--login.php63
2 files changed, 68 insertions, 3 deletions
diff --git a/classes/Config.php b/classes/Config.php
index b445973..3fc8358 100644
--- a/classes/Config.php
+++ b/classes/Config.php
@@ -15,6 +15,10 @@ class Config {
const DICT_SERVER = "DICT_SERVER";
const SESSION_LIFETIME = "SESSION_LIFETIME";
const SESSION_NAME = "SESSION_NAME";
+ const OIDC_NAME = "OIDC_NAME";
+ const OIDC_URL = "OIDC_URL";
+ const OIDC_CLIENT_ID = "OIDC_CLIENT_ID";
+ const OIDC_CLIENT_SECRET = "OIDC_CLIENT_SECRET";
private const _DEFAULTS = [
Config::DB_TYPE => [ "sqlite", Config::T_STRING ],
@@ -24,6 +28,10 @@ class Config {
Config::DICT_SERVER => [ "", Config::T_STRING ],
Config::SESSION_LIFETIME => [ 86400*30, Config::T_INT ],
Config::SESSION_NAME => [ "epube_sid", Config::T_STRING ],
+ Config::OIDC_NAME => [ "OIDC", Config::T_STRING ],
+ Config::OIDC_URL => [ "", Config::T_STRING ],
+ Config::OIDC_CLIENT_ID => [ "", Config::T_STRING ],
+ Config::OIDC_CLIENT_SECRET => [ "", Config::T_STRING ],
];
private static ?Config $instance = null;
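Review bot: The four new OIDC_* constants carry no comment saying what each value is expected to hold, and the second hunk's defaults (`""` for URL, client id and secret) give the reader no hint that an empty OIDC_URL is what disables the feature; a one-line comment above `const OIDC_NAME` would do: `// OIDC_*: provider URL (empty = OIDC login disabled), client credentials and the button label shown on login.php`. Whether OIDC_URL is the issuer/discovery base URL or a specific endpoint cannot be told from this hunk; it is passed straight to the client constructor in login.php, so the comment should state whichever form the library expects. The Config class continues outside both hunks.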
diff --git a/login.php b/login.php
index 37bed4b..a8df8ac 100644
--- a/login.php
+++ b/login.php
@@ -1,10 +1,11 @@
<?php
- set_include_path(__DIR__ ."/include" . PATH_SEPARATOR .
- get_include_path());
+ set_include_path(__DIR__ . "/include" . PATH_SEPARATOR . get_include_path());
require_once "common.php";
require_once "sessions.php";
+ use Jumbojett\OpenIDConnectClient;
+
Config::sanity_check();
$op = $_REQUEST["op"] ?? "";
@@ -36,6 +37,54 @@
} else {
$login_notice = "Incorrect username or password";
}
+ } else if ($op == "perform-oidc-login") {
+ $oidc = new OpenIDConnectClient(Config::get(Config::OIDC_URL),
+ Config::get(Config::OIDC_CLIENT_ID),
+ Config::get(Config::OIDC_CLIENT_SECRET));
+
+ $oidc->setRedirectURL(Config::make_self_url() . "/login.php");
+ $oidc->addScope(['openid', 'profile', 'email']);
+ $oidc->authenticate();
+
+ exit;
+ } else if ($_REQUEST['code'] ?? false) {
+
+ $oidc = new OpenIDConnectClient(Config::get(Config::OIDC_URL),
+ Config::get(Config::OIDC_CLIENT_ID),
+ Config::get(Config::OIDC_CLIENT_SECRET));
+
+ try {
+ $oidc->setRedirectURL(Config::make_self_url() . "/login.php");
+ $oidc->addScope(['openid', 'profile', 'email']);
+ $oidc->authenticate();
+
+ $username = trim(mb_strtolower($oidc->requestUserInfo("preferred_username")));
+
+ if ($username) {
+ $user = ORM::for_table('epube_users')
+ ->where('user', $username)
+ ->find_one();
+
+ if ($user) {
+ if (session_status() != PHP_SESSION_ACTIVE)
+ session_start();
+
+ session_regenerate_id(true);
+
+ $_SESSION["owner"] = $username;
+ $_SESSION["pass_hash"] = sha1($user->pass);
+ $_SESSION["csrf_token"] = bin2hex(random_bytes(16));
+
+ header("Location: index.php");
+ exit;
+ }
+ }
+
+ } catch (Exception $e) {
+ $login_notice = 'OIDC Error: ' . $e->getMessage();
+ }
+
+ logout_user();
} else {
logout_user();
}
@@ -54,6 +103,11 @@
<link rel="manifest" href="manifest.json">
<meta name="mobile-web-app-capable" content="yes">
<script type="text/javascript">
+ function oidc_login() {
+ window.location.href = '?op=perform-oidc-login';
+ return false;
+ }
+
$(document).ready(function() {
/* global EpubeApp */
@@ -88,7 +142,10 @@
<label>Password</label>
<input type="password" class="form-control" name="password" required="true">
</div>
- <button type="submit" class="btn btn-default">Log in</button>
+ <button type="submit" class="btn btn-primary">Log in</button>
+ <?php if (Config::get(Config::OIDC_URL) != "") { ?>
+ <button type="submit" onclick="return oidc_login()" class="btn btn-default">Log in with <?= Config::get(Config::OIDC_NAME) ?></button>
+ <?php } ?>
</form>
</div>
</body>
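Review bot: In the callback branch of the second hunk (`$_REQUEST['code'] ?? false`), a successful OIDC round-trip whose `preferred_username` has no matching `epube_users` row falls through to `logout_user()` with `$login_notice` untouched, so the user lands back on the form with no explanation; add `$login_notice = 'OIDC Error: no local account for ' . $username;` in an `else` after the `if ($user)` block (and a similar notice when `$username` is empty). Binding the local account on `preferred_username` is also worth reconsidering: that claim is not guaranteed stable or unique across the provider's users, so a stable identifier such as `sub` stored against the user would be the safer key — that presumably needs a schema change, so a `// TODO` comment at the `requestUserInfo` line would at least record the decision. Whether `authenticate()` validates the returned `state` against the session is not visible here; if it does not, the `code` branch would accept callbacks the application never initiated, so confirm against the library. The `if ($username)` truthiness test and the `==`/`!=` comparisons on `$op` and OIDC_URL would be stricter as `$username !== ''` and `===`/`!==`.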