-rw-r--r-- | README.md | 33 | ||||
-rw-r--r-- | init.js | 9 | ||||
-rw-r--r-- | init.php | 55 |
3 files changed, 81 insertions, 16 deletions
@@ -0,0 +1,33 @@ +# OIDC authentication plugin + +This is a system plugin, it has to be enabled globally through `TTRSS_PLUGINS`. + +Sample Authelia configuration: + +```yml +identity_providers: +... +- id: test-ttrss + secret: your-secret-token + public: false + scopes: + - openid + - email + - profile + redirect_uris: + - "https://example.com/tt-rss" + userinfo_signing_algorithm: none + #pre_configured_consent_duration: 30d +``` + +Plugin configuration (`.env`): + +```properties +TTRSS_AUTH_OIDC_NAME=Authelia +TTRSS_AUTH_OIDC_URL=https://auth.example.com/ +TTRSS_AUTH_OIDC_CLIENT_ID=test-ttrss +TTRSS_AUTH_OIDC_CLIENT_SECRET=your-secret-token +``` + +If everything is configured correctly, another login button will appear on the login form, which +you can use to log in through OpenID. @@ -0,0 +1,9 @@ +require(['dojo/_base/kernel', 'dojo/ready'], function (dojo, ready) { + ready(function() { + Plugins.Auth_OIDC = { + login: function(url) { + window.location.href = url; + } + } + }) +}); @@ -9,6 +9,11 @@ class Auth_OIDC extends Auth_Base { * TTRSS_AUTH_OIDC_POST_LOGOUT_URL=http://127.0.0.1/logout-redirect */ const AUTH_OIDC_POST_LOGOUT_URL = "AUTH_OIDC_POST_LOGOUT_URL"; + const AUTH_OIDC_NAME = "AUTH_OIDC_NAME"; + const AUTH_OIDC_URL = "AUTH_OIDC_URL"; + const AUTH_OIDC_CLIENT_ID = "AUTH_OIDC_CLIENT_ID"; + const AUTH_OIDC_CLIENT_SECRET = "AUTH_OIDC_CLIENT_SECRET"; + /** @var PluginHost $host */ private $host; 
@@ -21,35 +26,46 @@ class Auth_OIDC extends Auth_Base { } function init($host) { - $host->add_hook($host::HOOK_AUTH_USER, $this); - Config::add(self::AUTH_OIDC_POST_LOGOUT_URL, "", Config::T_STRING); + Config::add(self::AUTH_OIDC_NAME, "", Config::T_STRING); + Config::add(self::AUTH_OIDC_URL, "", Config::T_STRING); + Config::add(self::AUTH_OIDC_CLIENT_ID, "", Config::T_STRING); + Config::add(self::AUTH_OIDC_CLIENT_SECRET, "", Config::T_STRING); + + if (Config::get(self::AUTH_OIDC_URL)) { + $host->add_hook($host::HOOK_AUTH_USER, $this); + $host->add_hook($host::HOOK_LOGINFORM_ADDITIONAL_BUTTONS, $this); - if (Config::get(self::AUTH_OIDC_POST_LOGOUT_URL) != "") { - $host->add_hook($host::HOOK_POST_LOGOUT, $this); + if (Config::get(self::AUTH_OIDC_POST_LOGOUT_URL) != "") + $host->add_hook($host::HOOK_POST_LOGOUT, $this); } $this->host = $host; } function is_public_method($method) { - return $method == "callback"; + return $method == "oidc_login"; } - function callback() { - print "IN_CALLBACK"; - die; + public function oidc_login() : void { + $oidc = new OpenIDConnectClient(Config::get(self::AUTH_OIDC_URL), + Config::get(self::AUTH_OIDC_CLIENT_ID), + Config::get(self::AUTH_OIDC_CLIENT_SECRET)); + + $oidc->setRedirectURL(Config::get_self_url()); + $oidc->addScope(['openid', 'profile', 'email']); + $oidc->authenticate(); } function authenticate($login, $password, $service = '') { - $oidc = new OpenIDConnectClient('https://auth.fakecake.org', - 'dev-debian-ttrss', - 'Bu3vuCi0wBeQteJ7di4H6SKgqvYnpSludEP68SHu9wLekxXl'); + if (!($_SESSION['uid'] ?? false) && ($_REQUEST['code'] ?? false)) { - if (!($_SESSION['uid'] ?? false)) { - $oidc->setRedirectURL(Config::get_self_url()); + $oidc = new OpenIDConnectClient(Config::get(self::AUTH_OIDC_URL), + Config::get(self::AUTH_OIDC_CLIENT_ID), + Config::get(self::AUTH_OIDC_CLIENT_SECRET)); try { + $oidc->setRedirectURL(Config::get_self_url()); $oidc->addScope(['openid', 'profile', 'email']); $oidc->authenticate(); 
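Review bot: `oidc_login()` calls `$oidc->authenticate()` with no try/catch, while the callback branch in `authenticate()` catches `Exception` and stores the message in `$_SESSION["login_error_msg"]`; a failed discovery request against `AUTH_OIDC_URL` therefore surfaces as an uncaught exception on a public, unauthenticated endpoint. `is_public_method()` also keeps `oidc_login` reachable when `AUTH_OIDC_URL` is empty, because only the hook registrations in `init()` are gated on that value, so the client would be built with an empty provider URL, id and secret. I would gate both: `return $method == "oidc_login" && Config::get(self::AUTH_OIDC_URL);` in `is_public_method()`, and wrap the `authenticate()` call in `oidc_login()` in the same try/catch shape used in `authenticate()`, sending the user back to the login form on failure instead of letting the exception escape. The body of `authenticate()` continues past the end of this hunk.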
@@ -58,7 +74,6 @@ class Auth_OIDC extends Auth_Base { $user_id = $this->auto_create_user($login, $password); if ($user_id) { - $name = $oidc->requestUserInfo("name"); if ($name) { @@ -77,14 +92,22 @@ class Auth_OIDC extends Auth_Base { return $user_id; } catch (Exception $e) { - var_dump($e); - die; + $_SESSION["login_error_msg"] = 'OIDC: ' . $e->getMessage(); } } return false; } + function get_login_js() { + return file_get_contents(__DIR__ . "/init.js"); + } + + function hook_loginform_additional_buttons() { + print \Controls\button_tag(T_sprintf('Log in with %s', Config::get(self::AUTH_OIDC_NAME)), '', + ['class' => '', 'onclick' => 'Plugins.Auth_OIDC.login("'.htmlspecialchars($this->host->get_public_method_url($this, "oidc_login")).'")']); + } + function hook_post_logout($login, $user_id) { return [ Config::get(self::AUTH_OIDC_POST_LOGOUT_URL) |
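Review bot: The assignment `$name = $oidc->requestUserInfo("name");` is removed but the next context line `if ($name) {` still reads `$name`; unless `$name` is now assigned somewhere outside this hunk (the preceding lines of `authenticate()` are not visible here), the condition sees an undefined variable, PHP raises a warning and the name-update branch is silently skipped. Either restore the assignment, now that `$oidc` is constructed inside the `if ($_REQUEST['code'])` branch, or drop the `if ($name)` block together with it. The enclosing `authenticate()` starts and ends outside this hunk.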