authorAndrew Dolgov <[email protected]>2024-02-21 22:18:27 +0300
committerAndrew Dolgov <[email protected]>2024-02-21 22:18:27 +0300
commit7ed2364a6f317a2a51ee5c0dfffcb021bda8c0c1 (patch)
treecb6f1aa062f8b9d26d7b47d9ff147573e5fc582a
parentd8fe6bdaac881524a54f3c7b9b188b667bdf34de (diff)
periodically validate OIDC refresh token
-rw-r--r--init.php31
1 files changed, 31 insertions, 0 deletions
diff --git a/init.php b/init.php
index 4ac8004..e5590ec 100644
--- a/init.php
+++ b/init.php
@@ -14,6 +14,8 @@ class Auth_OIDC extends Auth_Base {
const AUTH_OIDC_CLIENT_ID = "AUTH_OIDC_CLIENT_ID";
const AUTH_OIDC_CLIENT_SECRET = "AUTH_OIDC_CLIENT_SECRET";
+ // in seconds
+ const AUTH_OIDC_VALIDATE_INTERVAL = "AUTH_OIDC_VALIDATE_INTERVAL";
/** @var PluginHost $host */
private $host;
@@ -31,10 +33,12 @@ class Auth_OIDC extends Auth_Base {
Config::add(self::AUTH_OIDC_URL, "", Config::T_STRING);
Config::add(self::AUTH_OIDC_CLIENT_ID, "", Config::T_STRING);
Config::add(self::AUTH_OIDC_CLIENT_SECRET, "", Config::T_STRING);
+ Config::add(self::AUTH_OIDC_VALIDATE_INTERVAL, "3600", Config::T_INT);
if (Config::get(self::AUTH_OIDC_URL)) {
$host->add_hook($host::HOOK_AUTH_USER, $this);
$host->add_hook($host::HOOK_LOGINFORM_ADDITIONAL_BUTTONS, $this);
+ $host->add_hook($host::HOOK_VALIDATE_SESSION, $this);
if (Config::get(self::AUTH_OIDC_POST_LOGOUT_URL) != "")
$host->add_hook($host::HOOK_POST_LOGOUT, $this);
@@ -89,6 +93,9 @@ class Auth_OIDC extends Auth_Base {
}
}
+ $_SESSION["auth_oidc:refresh_token"] = $oidc->getRefreshToken();
+ $_SESSION["auth_oidc:refresh_token_last_check"] = time();
+
return $user_id;
} catch (Exception $e) {
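Review bot: The refresh token is stored unconditionally, but `$oidc->getRefreshToken()` can yield null when the provider issues no refresh token (e.g. no offline-access scope was granted), and in that case the new `hook_validate_session` falls through its `?? false` guard and such a session is never re-validated, silently. If that is intended, document it where the token is stored, e.g. `// null when the provider issued no refresh token; those sessions are never re-validated by hook_validate_session`; otherwise consider storing the access token or id token expiry as a fallback check. The enclosing hook function starts and ends outside this hunk.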
@@ -99,6 +106,30 @@ class Auth_OIDC extends Auth_Base {
return false;
}
+ function hook_validate_session(): bool {
+ $refresh_token = $_SESSION["auth_oidc:refresh_token"] ?? false;
+
+ if ($refresh_token && $_SESSION["auth_oidc:refresh_token_last_check"] < time() - Config::get(self::AUTH_OIDC_VALIDATE_INTERVAL)) {
+ $oidc = new OpenIDConnectClient(Config::get(self::AUTH_OIDC_URL),
+ Config::get(self::AUTH_OIDC_CLIENT_ID),
+ Config::get(self::AUTH_OIDC_CLIENT_SECRET));
+
+ try {
+ $result = $oidc->introspectToken($refresh_token);
+
+ if ($result->active)
+ $_SESSION["auth_oidc:refresh_token_last_check"] = time();
+
+ return $result->active;
+ } catch (Exception $e) {
+ $_SESSION["login_error_msg"] = 'OIDC: ' . $e->getMessage();
+ return false;
+ }
+ }
+
+ return true;
+ }
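Review bot: `return $result->active;` assumes the introspection response carries a boolean `active` member; if the endpoint returns an error object or an unexpected shape, the property read yields null (with a warning) and returning null from a method declared `: bool` raises a TypeError, which the `catch (Exception $e)` block does not catch, so the session check would abort instead of failing closed. Coerce and default the value explicitly: `$active = (bool) ($result->active ?? false);` and `return $active;`, updating the `last_check` timestamp only when `$active` is true. The same defensive read applies to `$_SESSION["auth_oidc:refresh_token_last_check"]` on the `if` line, which is accessed without a default and warns if the refresh token was set without a timestamp: `($_SESSION["auth_oidc:refresh_token_last_check"] ?? 0)`. Note also that any transport failure during introspection ends the session (return false), so a transient IdP outage logs users out; that may be the intended fail-closed behaviour but is worth a comment on the catch branch.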
+
function get_login_js() {
return file_get_contents(__DIR__ . "/init.js");
}