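<?php
// Minimal OpenID Connect login (authorization code flow with PKCE) against an
// Okta org. A visitor with no session gets a Log In link to the authorization
// endpoint; the callback (?code=...&state=...) is verified, the code is
// exchanged at the token endpoint, userinfo is fetched and stored in the
// session, and the visitor is redirected back to /.
session_start();

$client_id = '';
$client_secret = '';
$redirect_uri = 'http://localhost:8080/';
// Placeholder org hostname: replace '*' with the Okta subdomain.
$metadata_url = 'https://*.okta.com/oauth2/default/.well-known/openid-configuration';

if (isset($_GET['logout'])) {
    // Drop everything the login stored so a later login starts clean.
    unset($_SESSION['username'], $_SESSION['sub'], $_SESSION['profile']);
    header('Location: /');
    die();
}

if (isset($_SESSION['sub'])) {
    echo '<p>Logged in as</p>';
    // The username is provider-supplied data; escape it for the HTML context.
    echo '<p>' . htmlspecialchars((string) $_SESSION['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
    echo '<p><a href="/?logout">Log Out</a></p>';
    die();
}

// Discover the endpoints; http() yields null on transport or JSON failure,
// so refuse to continue unless every endpoint we need is present.
$metadata = http($metadata_url);
if (!isset($metadata->authorization_endpoint, $metadata->token_endpoint, $metadata->userinfo_endpoint)) {
    die('Error fetching authorization server metadata');
}

$code = $_GET['code'] ?? null;
$error = $_GET['error'] ?? null;

if (!is_string($code) && !is_string($error)) {
    // Start a new authorization request. state binds the callback to this
    // session (CSRF protection); code_verifier is the PKCE secret whose SHA-256
    // hash is sent now and whose plaintext is sent with the token request.
    $_SESSION['state'] = bin2hex(random_bytes(16));
    $_SESSION['code_verifier'] = bin2hex(random_bytes(50)); // 100 chars, within PKCE's 43-128 limit
    $code_challenge = base64_urlencode(hash('sha256', $_SESSION['code_verifier'], true));
    $authorize_url = $metadata->authorization_endpoint . '?' . http_build_query([
        'response_type' => 'code',
        'client_id' => $client_id,
        'redirect_uri' => $redirect_uri,
        'state' => $_SESSION['state'],
        'scope' => 'openid profile',
        'code_challenge' => $code_challenge,
        'code_challenge_method' => 'S256',
    ]);
    echo '<p>Not logged in</p>';
    // The URL contains '&' separators and a provider-supplied host; escape for the attribute context.
    echo '<p><a href="' . htmlspecialchars($authorize_url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">Log In</a></p>';
} else {
    // Callback from the authorization server (success or error). Verify state
    // before trusting anything else in the query string: constant-time compare,
    // and refuse a missing, non-string or stale value.
    $state = $_GET['state'] ?? null;
    if (!isset($_SESSION['state']) || !is_string($state) || !hash_equals($_SESSION['state'], $state)) {
        die('Authorization server returned an invalid state parameter');
    }
    unset($_SESSION['state']); // single use: a replayed callback must not pass

    if (is_string($error)) {
        die('Authorization server returned an error: ' . htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
    }
    if (!isset($_SESSION['code_verifier'])) {
        die('Missing PKCE code verifier in session');
    }

    $response = http($metadata->token_endpoint, [
        'grant_type' => 'authorization_code',
        'code' => $code,
        'redirect_uri' => $redirect_uri,
        'client_id' => $client_id,
        'client_secret' => $client_secret,
        'code_verifier' => $_SESSION['code_verifier'],
    ]);
    unset($_SESSION['code_verifier']); // also single use
    if (!isset($response->access_token)) {
        die('Error fetching access token');
    }

    $userinfo = http($metadata->userinfo_endpoint, [
        'access_token' => $response->access_token,
    ]);
    if (!isset($userinfo->sub)) {
        die('Error fetching user info');
    }

    // Fresh session id on privilege change so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['sub'] = $userinfo->sub;
    // preferred_username is optional in the userinfo response; fall back to sub.
    $_SESSION['username'] = $userinfo->preferred_username ?? $userinfo->sub;
    $_SESSION['profile'] = $userinfo;
    header('Location: /');
    die();
}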
// Base64url (RFC 4648 section 5) without padding: identical to base64 except
// that '+' becomes '-', '/' becomes '_', and trailing '=' is removed.
// Used here to encode the PKCE code challenge.
function base64_urlencode($string) {
    $standard = base64_encode($string);
    $urlSafe = str_replace(['+', '/'], ['-', '_'], $standard);
    return rtrim($urlSafe, '=');
}
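/**
 * Fetches $url and decodes the JSON body.
 *
 * Without $params the request is a GET; with a non-empty $params array it is a
 * form-encoded POST of those fields. Returns the decoded JSON (a stdClass for
 * JSON objects), or null when the handle cannot be created, the transfer fails
 * or times out, or the body is not valid JSON. Callers check the fields they
 * need with isset().
 *
 * @param array|false $params form fields to POST, or false for a GET
 * @return mixed
 */
function http(string $url, array|false $params = false) {
    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Bound the request so a stalled provider cannot hang the login page.
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT => 30,
    ]);
    if ($params !== false && $params !== []) {
        // Setting POSTFIELDS switches curl to POST with application/x-www-form-urlencoded.
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
    }
    $body = curl_exec($ch);
    curl_close($ch);
    // curl_exec returns false on failure; json_decode(false) is deprecated and
    // would only mask the error, so return null explicitly.
    if (!is_string($body)) {
        return null;
    }
    return json_decode($body);
}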