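'code', 'client_id' => $CLIENT_ID, 'redirect_uri' => $REDIRECT_URI, 'scope' => 'openid profile email', 'state' => $state, ]); header("Location: $AUTH_URL?$params"); exit; }

// Step 2: Callback with code — exchange for token
//
// NOTE(review): no comparison of the returned `state` query parameter is
// visible on this callback path. If the branch above does not already do it,
// compare $_GET['state'] against the value stored when the redirect was
// issued (storage location not visible here) with hash_equals() and stop on
// mismatch before the code is exchanged; otherwise the callback will accept
// an authorization code that this browser session never requested.
$code = isset($_GET['code']) ? $_GET['code'] : '';
$token = null;

// Only a non-empty string is a usable authorization code; a query such as
// `code[]=x` reaches PHP as an array and is rejected here without a network
// call. The user sees the same "Token exchange failed." page as before.
if (is_string($code) && $code !== '') {
    // No TLS options are overridden, so libcurl's default certificate
    // verification applies to the token request.
    $ch = curl_init($TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'authorization_code',
            'code'          => $code,
            'redirect_uri'  => $REDIRECT_URI,
            'client_id'     => $CLIENT_ID,
            'client_secret' => $CLIENT_SECRET,
        ]),
    ]);
    $resp = curl_exec($ch);
    curl_close($ch);

    // curl_exec() returns false on transport failure; decode only a real body.
    $token = is_string($resp) ? json_decode($resp, true) : null;
}

// The access token is concatenated into an HTTP header below, so it must be a
// non-empty string, not merely "not empty" (a non-empty array also passes empty()).
if (!is_array($token) || empty($token['access_token']) || !is_string($token['access_token'])) {
    echo "

SSO Error

Token exchange failed.

Retour";
    exit;
}

// Step 3: Get user info
$ch2 = curl_init($USERINFO_URL);
curl_setopt_array($ch2, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_HTTPHEADER     => ["Authorization: Bearer " . $token['access_token']],
]);
$userResp = curl_exec($ch2);
curl_close($ch2);

$user = is_string($userResp) ? json_decode($userResp, true) : null;

// The claim becomes the session identity, so require a non-empty string.
// NOTE(review): OIDC does not guarantee that `preferred_username` is unique or
// stable; `sub` is the stable subject identifier. Confirm the provider is
// configured so this claim cannot be changed by the user or collide.
if (!is_array($user) || empty($user['preferred_username']) || !is_string($user['preferred_username'])) {
    echo "

SSO Error

User info failed.

Retour";
    exit;
}

// Step 4: Set session (same keys as weval-auth-session.php)
// Issue a fresh session id and drop the old one before any authenticated
// state is written, so a pre-login session id is not carried over.
session_regenerate_id(true);
$_SESSION['weval_auth'] = true;
$_SESSION['weval_user'] = $user['preferred_username'];
$_SESSION['wu'] = $user['preferred_username'];
// NOTE(review): `wa` is set to 1 for every account that completes SSO. Its
// meaning is defined outside this chunk; if it is a privilege flag, confirm
// that granting it unconditionally is intended.
$_SESSION['wa'] = 1;
$_SESSION['sso'] = 'authentik';

// Step 5: Redirect to WEVCODE
// Fixed local path: nothing from the request influences the redirect target.
header("Location: /wevcode");
exit;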