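locale_from_portal = !empty($_GET['lg']) ? '?lg=' . $_GET['lg'] : '' ;
        $this->redirect_uri = \Yii::$app->params['cms'] . '/partner-register-login/'.$this->locale_from_portal;
        $this->metadata_url = \Yii::$app->params['id_server'] . '/realms/nasledstvo.bg/.well-known/openid-configuration';
        $this->client_id = \Yii::$app->params['id_server_client_id'];
        $this->client_secret = \Yii::$app->params['id_server_client_secret'];
    }

    /**
     * Runs the OpenID Connect authorization-code flow (with PKCE / S256) against the
     * identity server and logs the returned user into the CMS.
     *
     * First leg (no `code` query parameter): stores a fresh `state` and `code_verifier`
     * in the session and redirects the browser to the provider's authorization endpoint.
     * Callback leg: validates `state`, exchanges the code for tokens, fetches userinfo,
     * sets the `cookie_lg` language cookie and registers the user according to the
     * realm roles it carries. Every path ends the request itself (redirect, die or
     * the final error echo), so the method never returns normally.
     *
     * @param bool $isAdmin use the admin callback URL instead of the partner one
     * @return void
     */
    public function authenticationServerCheckout($isAdmin = false)
    {
        if ($isAdmin) {
            $this->redirect_uri = \Yii::$app->params['cms'] . '/admin-register-login/'.$this->locale_from_portal;
        }

        $metadata = $this->http($this->metadata_url);
        // The discovery document comes over the network; without its endpoints the flow
        // would otherwise build a "Location: ?..." redirect from null properties.
        if (!is_object($metadata)
            || empty($metadata->authorization_endpoint)
            || empty($metadata->token_endpoint)
            || empty($metadata->userinfo_endpoint)
        ) {
            die('Error fetching OpenID configuration');
        }

        if (!isset($_GET['code'])) {
            // CSRF token (128 bits) and PKCE verifier (100 chars, within the 43..128 range)
            // stay in the session until the callback consumes them.
            $_SESSION['state'] = bin2hex(random_bytes(16));
            $_SESSION['code_verifier'] = bin2hex(random_bytes(50));
            $code_challenge = $this->base64_urlencode(hash('sha256', $_SESSION['code_verifier'], true));

            $authorize_url = $metadata->authorization_endpoint . '?' . http_build_query([
                'response_type' => 'code',
                'client_id' => $this->client_id,
                'redirect_uri' => $this->redirect_uri,
                'state' => $_SESSION['state'],
                'scope' => 'openid profile',
                'code_challenge' => $code_challenge,
                'code_challenge_method' => 'S256',
            ]);
            header("Location: $authorize_url");
            exit;
        }

        // Callback leg. The state is compared in constant time and must exist on both
        // sides; the previous loose `!=` accepted numeric-looking strings as equal and
        // would TypeError on a `state[]=` array parameter.
        if (!isset($_SESSION['state'], $_GET['state'])
            || !is_string($_GET['state'])
            || !hash_equals($_SESSION['state'], $_GET['state'])
        ) {
            die('Authorization server returned an invalid state parameter');
        }
        // Single use: a replayed callback URL must not pass the check again.
        unset($_SESSION['state']);

        if (isset($_GET['error'])) {
            die('Authorization server returned an error: ' . htmlspecialchars($_GET['error']));
        }

        $response = $this->http($metadata->token_endpoint, [
            'grant_type' => 'authorization_code',
            'code' => $_GET['code'],
            'redirect_uri' => $this->redirect_uri,
            'client_id' => $this->client_id,
            'client_secret' => $this->client_secret,
            'code_verifier' => $_SESSION['code_verifier'],
        ]);
        // The verifier is bound to this one code exchange.
        unset($_SESSION['code_verifier']);

        if (!isset($response->access_token)) {
            die('Error fetching access token');
        }

        $userinfo = $this->http($metadata->userinfo_endpoint, [
            'access_token' => $response->access_token,
        ]);

        // Portal-only accounts are bounced back to the public portal.
        if (!empty($userinfo->groups_user) && in_array('public_user', $userinfo->groups_user, true)) {
            header('Location: ' . \Yii::$app->params['portal'] . '/bg/user/wrong-user/');
            exit;
        }

        // Language cookie: only the two supported locales are ever persisted, whether the
        // value comes from the `lg` query parameter or from the provider's `locale` claim.
        $allowedLocales = ['bg', 'en'];
        $cookieExpires = time() + (86400 * 30);
        if (!empty($_GET['lg']) && is_string($_GET['lg']) && in_array($_GET['lg'], $allowedLocales, true)) {
            setcookie('cookie_lg', $_GET['lg'], $cookieExpires, "/");
        } elseif (!empty($userinfo->locale)) {
            if (in_array($userinfo->locale, $allowedLocales, true)) {
                setcookie('cookie_lg', $userinfo->locale, $cookieExpires, "/");
            }
        } else {
            setcookie('cookie_lg', 'bg', $cookieExpires, "/");
        }

        if (empty($userinfo->sub)) die('sub is empty');

        // Role priority: partner admin, then partner editor, then global admin; any other
        // role set lands on the access-denied page.
        $roles = $userinfo->realm_access->roles ?? null;
        if (!empty($roles) && is_array($roles)) {
            if (in_array('cms-partner-admin', $roles, true)) {
                $this->loginPartner($userinfo, $response, 'partner-admin', 1);
            } else if (in_array('cms-partner-editor', $roles, true)) {
                $this->loginPartner($userinfo, $response, 'partner-editor', 2);
            } else if (in_array('cms-super-admin', $roles, true)) {
                $_SESSION['id_token_hint'] = $response->id_token;
                //Login as global administrator
                UserSession::log('admin', 2, $userinfo->sub);
                UserAdminGlobal::prepareRegisterUser($userinfo);
            } else {
                require_once __DIR__ . '/access_denied_page.php';
                exit;
            }
        }

        // NOTE(review): reached when no role set was present, and also when
        // prepareRegisterUser() returns instead of ending the request — confirm that
        // the registration helpers redirect/exit themselves.
        echo 'Error: Some parameters are missing';
        exit;
    }

    /**
     * Logs a partner-scoped user (admin or editor) in: requires `partner_id` in the
     * userinfo claims, keeps the id_token for logout, records the session and hands
     * the claims to UserPartner::prepareRegisterUser.
     *
     * @param object $userinfo decoded userinfo response
     * @param object $response decoded token response (supplies id_token)
     * @param string $label    session-log label ('partner-admin' / 'partner-editor')
     * @param int    $level    partner level passed to prepareRegisterUser (1 admin, 2 editor)
     * @return void
     */
    private function loginPartner($userinfo, $response, $label, $level)
    {
        if (empty($userinfo->partner_id)) die('missing parameter: partner_id');
        $_SESSION['id_token_hint'] = $response->id_token;
        //Login as partner user
        UserSession::log($label, 2, $userinfo->sub);
        UserPartner::prepareRegisterUser($userinfo, $level);
    }

    /**
     * Fetches a JSON document from the identity server.
     *
     * GET when $params is falsy, otherwise a form-encoded POST of $params.
     *
     * @param string      $url
     * @param array|false $params
     * @return mixed decoded JSON, or null when the transport failed or the body is not JSON
     */
    private function http($url, $params = false)
    {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        // Bound the call so an unreachable identity server cannot hang the login request.
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        if ($params) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
        }
        $body = curl_exec($ch);
        if ($body === false) {
            // Same observable result as before (json_decode(false) gave null) without the
            // PHP 8.1 deprecation for passing false.
            return null;
        }
        return json_decode($body);
    }

    /**
     * Base64url-encodes a binary string (RFC 7636 / RFC 4648 §5): '+' and '/' are
     * replaced by '-' and '_' and the '=' padding is stripped.
     *
     * @param string $string raw bytes
     * @return string
     */
    private function base64_urlencode($string)
    {
        return rtrim(strtr(base64_encode($string), '+/', '-_'), '=');
    }
}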