Initial login functionality (#3)

* Initial login functionality
* Update php versions in CI
* Support for running tests with Laravel 8
* phpstan and psalm ignore on wrong typehint of open id connect client

Author: ricklambrechts

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
         strategy:
             fail-fast: false
             matrix:
-                php: [ 8.0, 8.1, 8.2 ]
+                php: [ 8.1, 8.2 ]
                 laravel: [ 8.*, 9.*, 10.* ]
                 stability: [ prefer-stable ]
                 include:

composer.json

@@ -21,7 +21,13 @@
         }
     },
     "require": {
-        "php": ">=8.0"
+        "php": ">=8.1",
+        "jumbojett/openid-connect-php": "dev-master",
+        "guzzlehttp/guzzle": "^7.5",
+        "web-token/jwt-encryption": "^3.1",
+        "web-token/jwt-key-mgmt": "^3.1",
+        "web-token/jwt-encryption-algorithm-aescbc": "^3.1",
+        "web-token/jwt-encryption-algorithm-rsa": "^3.1"
     },
     "require-dev": {
         "orchestra/testbench": "^6.0|^7.0|^8.0",

config/oidc.php

@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+return [
+    /**
+     * The issuer URL of the OpenID Connect provider.
+     */
+    'issuer' => env('OIDC_ISSUER', ''),
+
+    /**
+     * The client ID of the OpenID Connect provider.
+     */
+    'client_id' => env('OIDC_CLIENT_ID', ''),
+
+    /**
+     * If needed, the client secret of the OpenID Connect provider.
+     */
+    'client_secret' => env('OIDC_CLIENT_SECRET', ''),
+
+    /**
+     * Only needed when response of user info endpoint is encrypted.
+     * This is the path to the JWE decryption key.
+     */
+    'decryption_key_path' => env('OIDC_DECRYPTION_KEY_PATH', ''),
+
+    /**
+     * By default, the openid scope is requested. If you need additional scopes, you can specify them here.
+     */
+    'additional_scopes' => explode(',', env('OIDC_ADDITIONAL_SCOPES', '')),
+
+    /**
+     * Code Challenge Method used for PKCE.
+     */
+    'code_challenge_method' => env('OIDC_CODE_CHALLENGE_METHOD', 'S256'),
+
+    /**
+     * TTL of the OpenID configuration cache in seconds.
+     */
+    'configuration_cache_ttl' => env('OIDC_CONFIGURATION_CACHE_TTL', 60 * 60 * 24),
+
+    /**
+     * Route configuration
+     */
+    'route_configuration' => [
+        'login_route' => env('OIDC_LOGIN_ROUTE', '/oidc/login'),
+        'middleware' => [
+            'web'
+        ],
+        'prefix' => '',
+    ]
+];

routes/oidc.php

@@ -0,0 +1,8 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Support\Facades\Route;
+use MinVWS\OpenIDConnectLaravel\Http\Controllers\LoginController;
+
+Route::get(config('oidc.route_configuration.login_route'), LoginController::class)->name('oidc.login');

src/Http/Controllers/Controller.php

@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MinVWS\OpenIDConnectLaravel\Http\Controllers;
+
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Foundation\Bus\DispatchesJobs;
+use Illuminate\Foundation\Validation\ValidatesRequests;
+use Illuminate\Routing\Controller as BaseController;
+
+class Controller extends BaseController
+{
+    use AuthorizesRequests;
+    use DispatchesJobs;
+    use ValidatesRequests;
+}

src/Http/Controllers/LoginController.php

@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MinVWS\OpenIDConnectLaravel\Http\Controllers;
+
+use Exception;
+use Illuminate\Contracts\Support\Responsable;
+use Jumbojett\OpenIDConnectClientException;
+use MinVWS\OpenIDConnectLaravel\Http\Responses\LoginResponseInterface;
+use MinVWS\OpenIDConnectLaravel\OpenIDConnectClient;
+use MinVWS\OpenIDConnectLaravel\Services\OpenIDConnectExceptionHandlerInterface;
+
+class LoginController extends Controller
+{
+    public function __construct(
+        protected OpenIDConnectClient $client,
+        protected OpenIDConnectExceptionHandlerInterface $exceptionHandler,
+    ) {
+    }
+
+    public function __invoke(): Responsable
+    {
+        // This redirects to the client and handles the redirect back
+        try {
+            $this->client->authenticate();
+        } catch (OpenIDConnectClientException $e) {
+            return $this->exceptionHandler->handleExceptionWhileAuthenticate($e);
+        }
+
+        // After the redirect back, we can get the user information
+        try {
+            $userInfo = $this->client->requestUserInfo();
+            if (!is_object($userInfo)) {
+                throw new OpenIDConnectClientException('Received user info is not an object');
+            }
+        } catch (OpenIDConnectClientException $e) {
+            return $this->exceptionHandler->handleExceptionWhileRequestUserInfo($e);
+        } catch (Exception $e) {
+            return $this->exceptionHandler->handleException($e);
+        }
+
+        // Return the user information in a response
+        return app(LoginResponseInterface::class, ['userInfo' => $userInfo]);
+    }
+}

src/Http/Responses/LoginResponse.php

@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MinVWS\OpenIDConnectLaravel\Http\Responses;
+
+use Illuminate\Contracts\Support\Responsable;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class LoginResponse implements Responsable
+{
+    public function __construct(
+        protected object $userInfo
+    ) {
+    }
+
+    /**
+     * Create an HTTP response that represents the object.
+     *
+     * @param Request $request
+     * @return Response
+     */
+    public function toResponse($request): Response
+    {
+        return new JsonResponse([
+            'userInfo' => $this->userInfo,
+        ]);
+    }
+}

src/Http/Responses/LoginResponseInterface.php

@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MinVWS\OpenIDConnectLaravel\Http\Responses;
+
+use Illuminate\Contracts\Support\Responsable;
+
+interface LoginResponseInterface extends Responsable
+{
+}

src/OpenIDConfiguration/OpenIDConfiguration.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MinVWS\OpenIDConnectLaravel\OpenIDConfiguration;
+
+/**
+ * Class OpenIDConfiguration
+ * Based on the OpenID Provider Metadata specification.
+ * @link https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+ */
+class OpenIDConfiguration
+{
+    /**
+     * @param string $version
+     * @param string[] $tokenEndpointAuthMethodsSupported
+     * @param bool $claimsParameterSupported
+     * @param bool $requestParameterSupported
+     * @param bool $requestUriParameterSupported
+     * @param bool $requireRequestUriRegistration
+     * @param string[] $grantTypesSupported
+     * @param bool $frontchannelLogoutSupported
+     * @param bool $frontchannelLogoutSessionSupported
+     * @param bool $backchannelLogoutSupported
+     * @param bool $backchannelLogoutSessionSupported
+     * @param string $issuer
+     * @param string $authorizationEndpoint
+     * @param string $jwksUri
+     * @param string $tokenEndpoint
+     * @param string[] $scopesSupported
+     * @param string[] $responseTypesSupported
+     * @param string[] $responseModesSupported
+     * @param string[] $subjectTypesSupported
+     * @param string[] $idTokenSigningAlgValuesSupported
+     * @param string $userinfoEndpoint
+     * @param string[] $codeChallengeMethodsSupported
+     */
+    public function __construct(
+        public string $version = '',
+        public array $tokenEndpointAuthMethodsSupported = [],
+        public bool $claimsParameterSupported = false,
+        public bool $requestParameterSupported = false,
+        public bool $requestUriParameterSupported = false,
+        public bool $requireRequestUriRegistration = false,
+        public array $grantTypesSupported = [],
+        public bool $frontchannelLogoutSupported = false,
+        public bool $frontchannelLogoutSessionSupported = false,
+        public bool $backchannelLogoutSupported = false,
+        public bool $backchannelLogoutSessionSupported = false,
+        public string $issuer = '',
+        public string $authorizationEndpoint = '',
+        public string $jwksUri = '',
+        public string $tokenEndpoint = '',
+        public array $scopesSupported = [],
+        public array $responseTypesSupported = [],
+        public array $responseModesSupported = [],
+        public array $subjectTypesSupported = [],
+        public array $idTokenSigningAlgValuesSupported = [],
+        public string $userinfoEndpoint = '',
+        public array $codeChallengeMethodsSupported = [],
+    ) {
+    }
+}

src/OpenIDConfiguration/OpenIDConfigurationLoader.php

@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MinVWS\OpenIDConnectLaravel\OpenIDConfiguration;
+
+use Illuminate\Contracts\Cache\Repository;
+use Illuminate\Support\Facades\Http;
+
+class OpenIDConfigurationLoader
+{
+    public function __construct(
+        protected string $issuer,
+        protected ?Repository $cacheStore = null,
+        protected int $cacheTtl = 3600,
+    ) {
+    }
+
+    /**
+     * @throws OpenIDConfigurationLoaderException
+     */
+    public function getConfiguration(): OpenIDConfiguration
+    {
+        if (!$this->cacheStore) {
+            return $this->getConfigurationFromIssuer();
+        }
+
+        return $this->cacheStore->remember('openid-configuration', $this->cacheTtl, function () {
+            return $this->getConfigurationFromIssuer();
+        });
+    }
+
+    /**
+     * @throws OpenIDConfigurationLoaderException
+     */
+    protected function getConfigurationFromIssuer(): OpenIDConfiguration
+    {
+        $url = $this->getOpenIDConfigurationUrl();
+
+        $response = Http::get($url);
+        if (!$response->successful()) {
+            throw new OpenIDConfigurationLoaderException(
+                message: 'Could not load OpenID configuration from issuer',
+                context: [
+                    'issuer' => $this->issuer,
+                    'url' => $url,
+                    'response_status_code' => $response->status(),
+                    'response' => $response,
+                ],
+            );
+        }
+
+        if (!is_array($response->json())) {
+            throw new OpenIDConfigurationLoaderException(
+                message: 'Response body of OpenID configuration is not JSON',
+                context: [
+                    'issuer' => $this->issuer,
+                    'url' => $url,
+                    'response_status_code' => $response->status(),
+                    'response' => $response,
+                    'response_body' => $response->body(),
+                ],
+            );
+        }
+
+        return new OpenIDConfiguration(
+            version: $response->json('version', ''),
+            tokenEndpointAuthMethodsSupported: $response->json('token_endpoint_auth_methods_supported', []),
+            claimsParameterSupported: $response->json('claims_parameter_supported', false),
+            requestParameterSupported: $response->json('request_parameter_supported', false),
+            requestUriParameterSupported: $response->json('request_uri_parameter_supported', false),
+            requireRequestUriRegistration: $response->json('require_request_uri_registration', false),
+            grantTypesSupported: $response->json('grant_types_supported', []),
+            frontchannelLogoutSupported: $response->json('frontchannel_logout_supported', false),
+            frontchannelLogoutSessionSupported: $response->json('frontchannel_logout_session_supported', false),
+            backchannelLogoutSupported: $response->json('backchannel_logout_supported', false),
+            backchannelLogoutSessionSupported: $response->json('backchannel_logout_session_supported', false),
+            issuer: $response->json('issuer', ''),
+            authorizationEndpoint: $response->json('authorization_endpoint', ''),
+            jwksUri: $response->json('jwks_uri', ''),
+            tokenEndpoint: $response->json('token_endpoint', ''),
+            scopesSupported: $response->json('scopes_supported', []),
+            responseTypesSupported: $response->json('response_types_supported', []),
+            responseModesSupported: $response->json('response_modes_supported', []),
+            subjectTypesSupported: $response->json('subject_types_supported', []),
+            idTokenSigningAlgValuesSupported: $response->json('id_token_signing_alg_values_supported', []),
+            userinfoEndpoint: $response->json('userinfo_endpoint', ''),
+            codeChallengeMethodsSupported: $response->json('code_challenge_methods_supported', [])
+        );
+    }
+
+    protected function getOpenIDConfigurationUrl(): string
+    {
+        return $this->issuer . '/.well-known/openid-configuration';
+    }
+}