From 37e73c808a1c82604de316a32466188d3ab3aef4 Mon Sep 17 00:00:00 2001 From: Kushtrim Aliu Date: Tue, 3 Dec 2024 11:08:18 +0100 Subject: [PATCH 1/5] Supporting email and phone scopes --- src/Http/Handlers/ConfigurationHandler.php | 2 +- src/Storage/UserClaimsStorage.php | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/src/Http/Handlers/ConfigurationHandler.php b/src/Http/Handlers/ConfigurationHandler.php index 2ea96ec..6890b8d 100644 --- a/src/Http/Handlers/ConfigurationHandler.php +++ b/src/Http/Handlers/ConfigurationHandler.php @@ -28,7 +28,7 @@ private function configuration(): array { 'authorization_endpoint' => Router::make_rest_url( 'authorize' ), 'token_endpoint' => Router::make_rest_url( 'token' ), 'userinfo_endpoint' => Router::make_rest_url( 'userinfo' ), - 'scopes_supported' => array( 'openid', 'profile' ), + 'scopes_supported' => array( 'openid', 'profile', 'email', 'phone' ), 'response_types_supported' => array( 'code' ), 'id_token_signing_alg_values_supported' => array( 'RS256' ), ); diff --git a/src/Storage/UserClaimsStorage.php b/src/Storage/UserClaimsStorage.php index 17a8246..6ec3816 100644 --- a/src/Storage/UserClaimsStorage.php +++ b/src/Storage/UserClaimsStorage.php @@ -38,13 +38,26 @@ public function getUserClaims( $user_id, $scope ) { 'nickname' => 'user_nicename', ); + // Is email scope requested? + if(in_array('email', $scopes, true)) { + $field_map['email'] = 'user_email'; + } + + // Is phone scope requested? + if(in_array('phone', $scopes, true)) { + $field_map['phone'] = 'user_phone'; + } + foreach ( $field_map as $key => $value ) { if ( $user->$value ) { $claims[ $key ] = $user->$value; } } - $claims['picture'] = get_avatar_url( $user->user_email ); + // Is profile scope requested, add picture (user avatar)? + if(in_array( 'profile', $scopes, true )) { + $claims['picture'] = get_avatar_url( $user->user_email ); + } return apply_filters( 'oidc_user_claims', $claims, $user ); } From 45e2dd3d16f8a6621d1baf10b9612710bee19b6d Mon Sep 17 00:00:00 2001 From: Kushtrim Aliu Date: Mon, 13 Jan 2025 21:00:46 +0100 Subject: [PATCH 2/5] Deactivating verification The user data from Arrsys are not trusted because of no verification process. Other platforms MUST verify the users via email or mobile number before connecting them. --- src/Http/Handlers/AuthenticateHandler.php | 11 +++++++++++ src/Http/Handlers/AuthorizeHandler.php | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/Http/Handlers/AuthenticateHandler.php b/src/Http/Handlers/AuthenticateHandler.php index 8a069fd..25cf8ff 100644 --- a/src/Http/Handlers/AuthenticateHandler.php +++ b/src/Http/Handlers/AuthenticateHandler.php @@ -45,6 +45,13 @@ public function handle( Request $request, Response $response ): Response { 'form_fields' => $request->getAllQueryParameters(), ); + // IMPORTANT NOTE - UKM Norge: We are not checking permissions here. + // The goal is to connect Arrsys users with users from other platforms (like delta.ukm.no). + // Since there is no verification process and users are added by other users, + // along with the use of multisite functionality and users may have different permissions across various sites, + // we do not need to check permissions. + // The user data from Arrsys are not trusted because of no verification process. Other platforms MUST verify the users via email or mobile number before connecting them. + /* $has_permission = current_user_can( apply_filters( 'oidc_minimal_capability', OIDC_DEFAULT_MINIMAL_CAPABILITY ) ); if ( ! $has_permission ) { login_header( 'OIDC Connect', null, new \WP_Error( 'OIDC_NO_PERMISSION', __( "You don't have permission to use OpenID Connect.", 'openid-connect-server' ) ) ); @@ -53,6 +60,10 @@ public function handle( Request $request, Response $response ): Response { login_header( 'OIDC Connect' ); $this->render_consent_screen( $data ); } + */ + // Therefore we will always render the consent screen when the user is logged in. + login_header( 'OIDC Connect' ); + $this->render_consent_screen( $data ); login_footer(); diff --git a/src/Http/Handlers/AuthorizeHandler.php b/src/Http/Handlers/AuthorizeHandler.php index 96371ce..e3f7efb 100644 --- a/src/Http/Handlers/AuthorizeHandler.php +++ b/src/Http/Handlers/AuthorizeHandler.php @@ -10,7 +10,7 @@ use OpenIDConnectServer\Http\RequestHandler; use OpenIDConnectServer\Storage\ConsentStorage; -const OIDC_DEFAULT_MINIMAL_CAPABILITY = 'edit_posts'; +const OIDC_DEFAULT_MINIMAL_CAPABILITY = 'edit_posts'; // This feature is not used by UKM. Read the information in README.md for more information. class AuthorizeHandler extends RequestHandler { private OAuth2Server $server; From f28501bf1ab5da510ece0cd078d30067b2c7651d Mon Sep 17 00:00:00 2001 From: Kushtrim Aliu Date: Mon, 13 Jan 2025 21:07:29 +0100 Subject: [PATCH 3/5] Update README.md --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 4cc51f1..9b732ac 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,13 @@ +# UKM Norge Modifications + +## Permissions Are Not Checked + +The purpose of using OpenID Connect is to link Arrsys users with users from other platforms (e.g., delta.ukm.no). Given the absence of a verification process in Arrsys and the fact that users are added by other users, along with the use of multisite functionality where users may have different permissions across multiple sites, permission checks are unnecessary. It's important to note that the user __data from Arrsys is not trustworthy__ due to the lack of verification. + +__IMPORTANT: Other platforms are required to verify users through email or mobile number before establishing connections.__ + + + # OpenID Connect Server - Contributors: wordpressdotorg, akirk, ashfame, psrpinto From a54dbabd73dd6128aa19e7279579e5ee598a5ab2 Mon Sep 17 00:00:00 2001 From: Kushtrim Aliu Date: Mon, 13 Jan 2025 21:20:51 +0100 Subject: [PATCH 4/5] Update README.md --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index 9b732ac..399d145 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,25 @@ The purpose of using OpenID Connect is to link Arrsys users with users from othe __IMPORTANT: Other platforms are required to verify users through email or mobile number before establishing connections.__ +## Add new client +file: `functions.php` +~~~php +add_filter('oidc_registered_clients', 'my_oidc_clients'); +function my_oidc_clients() { + return array( + FSS_OIDC_USER => array( + 'name' => 'FSS - Festival Styring System', + 'secret' => FSS_OIDC_SECRET, + 'redirect_uri' => FSS_OIDC_CALLBACK, + 'grant_types' => array('authorization_code'), + 'scope' => 'openid profile email phone', + ), + ... // new client + ); +} +~~~ +--- # OpenID Connect Server From 844ae151178fdbf3a67badacb92f37164cb257b7 Mon Sep 17 00:00:00 2001 From: Kushtrim Aliu Date: Mon, 13 Jan 2025 21:42:48 +0100 Subject: [PATCH 5/5] Deactivating permissions, checking just login The user data from Arrsys are not trusted because of no verification process. Other platforms MUST verify the users via email or mobile number before connecting them. --- src/Http/Handlers/AuthorizeHandler.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Http/Handlers/AuthorizeHandler.php b/src/Http/Handlers/AuthorizeHandler.php index e3f7efb..1c8452a 100644 --- a/src/Http/Handlers/AuthorizeHandler.php +++ b/src/Http/Handlers/AuthorizeHandler.php @@ -34,7 +34,7 @@ public function handle( Request $request, Response $response ): Response { } // The initial OIDC request will come without a nonce, thus unauthenticated. - if ( ! is_user_logged_in() || ! current_user_can( apply_filters( 'oidc_minimal_capability', OIDC_DEFAULT_MINIMAL_CAPABILITY ) ) ) { + if ( ! is_user_logged_in() /*|| ! current_user_can( apply_filters( 'oidc_minimal_capability', OIDC_DEFAULT_MINIMAL_CAPABILITY ) )*/ ) { // This is handled by a hook in wp-login.php which will display a form asking the user to consent. // TODO: Redirect with $response->setRedirect(). wp_safe_redirect( add_query_arg( array_map( 'rawurlencode', array_merge( $request->getAllQueryParameters(), array( 'action' => 'openid-authenticate' ) ) ), wp_login_url() ) );