diff --git a/README.md b/README.md index 4cc51f1..399d145 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,31 @@ +# UKM Norge Modifications + +## Permissions Are Not Checked + +The purpose of using OpenID Connect is to link Arrsys users with users from other platforms (e.g., delta.ukm.no). Given the absence of a verification process in Arrsys and the fact that users are added by other users, along with the use of multisite functionality where users may have different permissions across multiple sites, permission checks are unnecessary. It's important to note that the user __data from Arrsys is not trustworthy__ due to the lack of verification. + +__IMPORTANT: Other platforms are required to verify users through email or mobile number before establishing connections.__ + +## Add new client +file: `functions.php` +~~~php +add_filter('oidc_registered_clients', 'my_oidc_clients'); +function my_oidc_clients() { + return array( + FSS_OIDC_USER => array( + 'name' => 'FSS - Festival Styring System', + 'secret' => FSS_OIDC_SECRET, + 'redirect_uri' => FSS_OIDC_CALLBACK, + 'grant_types' => array('authorization_code'), + 'scope' => 'openid profile email phone', + ), + ... // new client + ); +} +~~~ + +--- + # OpenID Connect Server - Contributors: wordpressdotorg, akirk, ashfame, psrpinto diff --git a/src/Http/Handlers/AuthenticateHandler.php b/src/Http/Handlers/AuthenticateHandler.php index 8a069fd..25cf8ff 100644 --- a/src/Http/Handlers/AuthenticateHandler.php +++ b/src/Http/Handlers/AuthenticateHandler.php @@ -45,6 +45,13 @@ public function handle( Request $request, Response $response ): Response { 'form_fields' => $request->getAllQueryParameters(), ); + // IMPORTANT NOTE - UKM Norge: We are not checking permissions here. + // The goal is to connect Arrsys users with users from other platforms (like delta.ukm.no). + // Since there is no verification process and users are added by other users, + // along with the use of multisite functionality and users may have different permissions across various sites, + // we do not need to check permissions. + // The user data from Arrsys are not trusted because of no verification process. Other platforms MUST verify the users via email or mobile number before connecting them. + /* $has_permission = current_user_can( apply_filters( 'oidc_minimal_capability', OIDC_DEFAULT_MINIMAL_CAPABILITY ) ); if ( ! $has_permission ) { login_header( 'OIDC Connect', null, new \WP_Error( 'OIDC_NO_PERMISSION', __( "You don't have permission to use OpenID Connect.", 'openid-connect-server' ) ) ); @@ -53,6 +60,10 @@ public function handle( Request $request, Response $response ): Response { login_header( 'OIDC Connect' ); $this->render_consent_screen( $data ); } + */ + // Therefore we will always render the consent screen when the user is logged in. + login_header( 'OIDC Connect' ); + $this->render_consent_screen( $data ); login_footer(); diff --git a/src/Http/Handlers/AuthorizeHandler.php b/src/Http/Handlers/AuthorizeHandler.php index 96371ce..1c8452a 100644 --- a/src/Http/Handlers/AuthorizeHandler.php +++ b/src/Http/Handlers/AuthorizeHandler.php @@ -10,7 +10,7 @@ use OpenIDConnectServer\Http\RequestHandler; use OpenIDConnectServer\Storage\ConsentStorage; -const OIDC_DEFAULT_MINIMAL_CAPABILITY = 'edit_posts'; +const OIDC_DEFAULT_MINIMAL_CAPABILITY = 'edit_posts'; // This feature is not used by UKM. Read the information in README.md for more information. class AuthorizeHandler extends RequestHandler { private OAuth2Server $server; @@ -34,7 +34,7 @@ public function handle( Request $request, Response $response ): Response { } // The initial OIDC request will come without a nonce, thus unauthenticated. - if ( ! is_user_logged_in() || ! current_user_can( apply_filters( 'oidc_minimal_capability', OIDC_DEFAULT_MINIMAL_CAPABILITY ) ) ) { + if ( ! is_user_logged_in() /*|| ! current_user_can( apply_filters( 'oidc_minimal_capability', OIDC_DEFAULT_MINIMAL_CAPABILITY ) )*/ ) { // This is handled by a hook in wp-login.php which will display a form asking the user to consent. // TODO: Redirect with $response->setRedirect(). wp_safe_redirect( add_query_arg( array_map( 'rawurlencode', array_merge( $request->getAllQueryParameters(), array( 'action' => 'openid-authenticate' ) ) ), wp_login_url() ) ); diff --git a/src/Http/Handlers/ConfigurationHandler.php b/src/Http/Handlers/ConfigurationHandler.php index 2ea96ec..6890b8d 100644 --- a/src/Http/Handlers/ConfigurationHandler.php +++ b/src/Http/Handlers/ConfigurationHandler.php @@ -28,7 +28,7 @@ private function configuration(): array { 'authorization_endpoint' => Router::make_rest_url( 'authorize' ), 'token_endpoint' => Router::make_rest_url( 'token' ), 'userinfo_endpoint' => Router::make_rest_url( 'userinfo' ), - 'scopes_supported' => array( 'openid', 'profile' ), + 'scopes_supported' => array( 'openid', 'profile', 'email', 'phone' ), 'response_types_supported' => array( 'code' ), 'id_token_signing_alg_values_supported' => array( 'RS256' ), ); diff --git a/src/Storage/UserClaimsStorage.php b/src/Storage/UserClaimsStorage.php index 17a8246..6ec3816 100644 --- a/src/Storage/UserClaimsStorage.php +++ b/src/Storage/UserClaimsStorage.php @@ -38,13 +38,26 @@ public function getUserClaims( $user_id, $scope ) { 'nickname' => 'user_nicename', ); + // Is email scope requested? + if(in_array('email', $scopes, true)) { + $field_map['email'] = 'user_email'; + } + + // Is phone scope requested? + if(in_array('phone', $scopes, true)) { + $field_map['phone'] = 'user_phone'; + } + foreach ( $field_map as $key => $value ) { if ( $user->$value ) { $claims[ $key ] = $user->$value; } } - $claims['picture'] = get_avatar_url( $user->user_email ); + // Is profile scope requested, add picture (user avatar)? + if(in_array( 'profile', $scopes, true )) { + $claims['picture'] = get_avatar_url( $user->user_email ); + } return apply_filters( 'oidc_user_claims', $claims, $user ); }