reimplement for Keycloak

Signed-off-by: Naoto Kobayashi <[email protected]>

Author: YoitoFes

DotAccess.php

@@ -0,0 +1,92 @@
+<?php
+
+namespace dokuwiki\plugin\oauthkeycloak;
+
+use dokuwiki\plugin\oauth\Service\AbstractOAuth2Base;
+use OAuth\Common\Http\Uri\Uri;
+
+/**
+ * Custom Service for Keycloak oAuth
+ */
+class Keycloak extends AbstractOAuth2Base
+{
+    /**
+     * Defined scopes are listed here:
+     * @link https://www.keycloak.org/docs/latest/server_admin/#_client_scopes
+     */
+    const SCOPE_OPENID    = 'openid';
+
+    /**
+     * Endpoints are listed here:
+     * @link https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata
+     */
+    const ENDPOINT_AUTH     = 'authorization_endpoint';
+    const ENDPOINT_TOKEN    = 'token_endpoint';
+    const ENDPOINT_USERINFO = 'userinfo_endpoint';
+    /**
+     * This endpoint is used for backchannel logout and documented here
+     * @link https://www.keycloak.org/docs/latest/server_admin/#con-basic-settings_server_administration_guide
+     */
+    const ENDPOINT_LOGOUT   = 'end_session_endpoint';
+
+    /**
+     * Return URI of discovered endpoint
+     *
+     * @return string
+     */
+    public static function getEndpointUri(string $endpoint)
+    {
+        $plugin = plugin_load('helper', 'oauthkeycloak');
+        $json = file_get_contents($plugin->getConf('openidurl'));
+        if (!$json) return '';
+        $data = json_decode($json, true);
+        if (!isset($data[$endpoint])) return '';
+        return $data[$endpoint];
+    }
+
+    /** @inheritdoc */
+    public function getAuthorizationEndpoint()
+    {
+        return new Uri(self::getEndpointUri(self::ENDPOINT_AUTH));
+    }
+
+    /** @inheritdoc */
+    public function getAccessTokenEndpoint()
+    {
+        return new Uri(self::getEndpointUri(self::ENDPOINT_TOKEN));
+    }
+
+    /** @inheritdoc */
+    protected function getAuthorizationMethod()
+    {
+        return static::AUTHORIZATION_METHOD_HEADER_BEARER;
+    }
+
+    /**
+     * Logout from Keycloak
+     *
+     * @return void
+     * @throws \OAuth\Common\Exception\Exception
+     */
+    public function logout()
+    {
+        $token = $this->getStorage()->retrieveAccessToken($this->service());
+        $refreshToken = $token->getRefreshToken();
+
+        if (!$refreshToken) {
+            return;
+        }
+
+        $parameters = [
+            'client_id' => $this->credentials->getConsumerId(),
+            'client_secret' => $this->credentials->getConsumerSecret(),
+            'refresh_token' => $refreshToken,
+        ];
+
+        $this->httpClient->retrieveResponse(
+            new Uri(self::getEndpointUri(self::ENDPOINT_LOGOUT)),
+            $parameters,
+            $this->getExtraOAuthHeaders()
+        );
+    }
+}

Generic.php

@@ -1,19 +1,23 @@
-oauthgeneric Plugin for DokuWiki
+oauthkeycloak Plugin for DokuWiki
+===
 
-Generic Service for use with the oAuth Plugin
+Keycloak Service for use with the oAuth Plugin 2021-12-19 or above
 
 All documentation for this plugin can be found at
-http://www.dokuwiki.org/plugin:oauthgeneric
+<http://www.dokuwiki.org/plugin:oauthkeycloak>
 
 If you install this plugin manually, make sure it is installed in
-lib/plugins/oauthgeneric/ - if the folder is called different it
+lib/plugins/oauthkeycloak/ - if the folder is called different it
 will not work!
 
-Please refer to http://www.dokuwiki.org/plugins for additional info
+Please refer to <http://www.dokuwiki.org/plugins> for additional info
 on how to install plugins in DokuWiki.
 
 ----
-Copyright (C) Andreas Gohr <[email protected]>
+Copyright (C) Naoto Kobayashi <[email protected]>
+
+This program is based on [dokuwiki-plugin-oauthgeneric](https://github.com/cosmocode/dokuwiki-plugin-oauthgeneric)
+by Andreas Gohr <[email protected]>
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

Keycloak.php

@@ -1,19 +1,28 @@
 <?php
 
 use dokuwiki\plugin\oauth\Adapter;
-use dokuwiki\plugin\oauthgeneric\DotAccess;
-use dokuwiki\plugin\oauthgeneric\Generic;
+use dokuwiki\plugin\oauthkeycloak\Keycloak;
 
 /**
- * Service Implementation for oAuth Doorkeeper authentication
+ * Service Implementation for Keycloak authentication
  */
-class action_plugin_oauthgeneric extends Adapter
+class action_plugin_oauthkeycloak extends Adapter
 {
-
     /** @inheritdoc */
     public function registerServiceClass()
     {
-        return Generic::class;
+        return Keycloak::class;
+    }
+
+    /**
+     * @inheritdoc
+     * @throws \OAuth\Common\Exception\Exception
+     */
+    public function logout()
+    {
+        /** @var Keycloak */
+        $oauth = $this->getOAuthService();
+        $oauth->logout();
     }
 
     /** * @inheritDoc */
@@ -22,59 +31,31 @@ public function getUser()
         $oauth = $this->getOAuthService();
         $data = array();
 
-        $url = $this->getConf('userurl');
+        $url = Keycloak::getEndpointUri(Keycloak::ENDPOINT_USERINFO);
         $raw = $oauth->request($url);
 
-        if (!$raw) throw new OAuthException('Failed to fetch data from userurl');
+        if (!$raw) throw new OAuthException('Failed to fetch data from userinfo endpoint');
         $result = json_decode($raw, true);
-        if (!$result) throw new OAuthException('Failed to parse data from userurl');
-
-        $user = DotAccess::get($result, $this->getConf('json-user'), '');
-        $name = DotAccess::get($result, $this->getConf('json-name'), '');
-        $mail = DotAccess::get($result, $this->getConf('json-mail'), '');
-        $grps = DotAccess::get($result, $this->getConf('json-grps'), []);
-
-        // type fixes
-        if (is_array($user)) $user = array_shift($user);
-        if (is_array($name)) $user = array_shift($name);
-        if (is_array($mail)) $user = array_shift($mail);
-        if (!is_array($grps)) {
-            $grps = explode(',', $grps);
-            $grps = array_map('trim', $grps);
-        }
+        if (!$result) throw new OAuthException('Failed to parse data from userinfo endpoint');
 
-        // fallbacks for user name
-        if (empty($user)) {
-            if (!empty($name)) {
-                $user = $name;
-            } elseif (!empty($mail)) {
-                list($user) = explode('@', $mail);
-            }
-        }
-
-        // fallback for full name
-        if (empty($name)) {
-            $name = $user;
-        }
+        $data = array();
+        $data['user'] = $result['preferred_username'];
+        $data['name'] = $result['name'];
+        $data['mail'] = $result['email'];
+        $data['grps'] = $result['groups'];
 
-        return compact('user', 'name', 'mail', 'grps');
+        return $data;
     }
 
     /** @inheritdoc */
     public function getScopes()
     {
-        return $this->getConf('scopes');
-    }
-
-    /** @inheritDoc */
-    public function getLabel()
-    {
-        return $this->getConf('label');
+        return array(Keycloak::SCOPE_OPENID);
     }
 
     /** @inheritDoc */
     public function getColor()
     {
-        return $this->getConf('color');
+        return '#333333';
     }
 }

README renamed to README.md

@@ -1,21 +1,10 @@
 <?php
+
 /**
- * Default settings for the oauthgeneric plugin
+ * Default settings for the oauthkeycloak plugin
  */
 
 $conf['key'] = '';
 $conf['secret'] = '';
 
-$conf['authurl'] = '';
-$conf['tokenurl'] = '';
-$conf['userurl'] = '';
-$conf['authmethod'] = 0;
-$conf['scopes'] = '';
-
-$conf['json-user'] = '';
-$conf['json-name'] = '';
-$conf['json-mail'] = '';
-$conf['json-grps'] = '';
-
-$conf['label'] = 'OAuth';
-$conf['color'] = '#333333';
+$conf['openidurl'] = '';

action.php

@@ -1,21 +1,10 @@
 <?php
+
 /**
- * Options for the oauthgeneric plugin
+ * Options for the oauthkeycloak plugin
  */
 
 $meta['key'] = array('string');
 $meta['secret'] = array('password');
 
-$meta['authurl'] = array('string');
-$meta['tokenurl'] = array('string');
-$meta['userurl'] = array('string');
-$meta['authmethod'] = array('multichoice', '_choices' => [0, 1, 6, 2, 3, 4, 5]);
-$meta['scopes'] = array('array');
-
-$meta['json-user'] = array('string');
-$meta['json-name'] = array('string');
-$meta['json-mail'] = array('string');
-$meta['json-grps'] = array('string');
-
-$meta['label'] = array('string');
-$meta['color'] = array('string');
+$meta['openidurl'] = array('string');