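<?php
declare(strict_types=1);

// WEVAL Authentik SSO — OAuth2 Callback (with debug)
//
// Flow: Authentik sends the browser here with ?code=…&state=…. The code is
// exchanged for tokens at the local Authentik token endpoint, the user's
// claims are fetched from the userinfo endpoint, and only then is the PHP
// session marked authenticated and the browser redirected to the path
// carried in `state`. Any failure sends the browser back to /login.html.

// Cookie flags must be set before session_start() to apply to this response:
// host-wide, HTTPS-only, not readable from JS, not sent on cross-site POSTs.
session_set_cookie_params(["lifetime"=>86400,"path"=>"/","domain"=>".weval-consulting.com","secure"=>true,"httponly"=>true,"samesite"=>"Lax"]);
session_start();

$code  = $_GET['code']  ?? '';
$state = $_GET['state'] ?? '';
$error = $_GET['error'] ?? '';

// Debug logger. Messages always go to the PHP error log; an on-disk copy is
// written only when SSO_DEBUG_LOG names a file. (The previous fixed
// /tmp/sso-debug.log path is predictable, shared with every other account on
// the host and usually world-readable, and is symlink-able by any of them.)
// Control characters are stripped so crafted `state`/`error` values cannot
// forge extra log lines. Callers must never pass secrets — authorization
// codes, tokens or raw endpoint responses — to this function.
$log = function (string $msg): void {
    $msg = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $msg) ?? '';
    error_log("SSO_CB: $msg");
    $debugFile = getenv('SSO_DEBUG_LOG');
    if (is_string($debugFile) && $debugFile !== '') {
        file_put_contents($debugFile, date("Y-m-d H:i:s")." $msg\n", FILE_APPEND | LOCK_EX);
    }
};

// IdP reported an error (user denied consent, invalid request, …).
if ($error !== '') {
    $log("ERROR: $error");
    header('Location: /login.html?error=sso_' . urlencode($error));
    exit;
}
// Callback reached without an authorization code: nothing to exchange.
if ($code === '') {
    $log("NO CODE");
    header('Location: /login.html?error=no_code');
    exit;
}

// NOTE(review): `state` is used further down only as a redirect target. It is
// not compared with a per-login nonce stored in the session when the flow was
// started, so this callback does not defend against login CSRF / authorization
// code injection (RFC 6749 §10.12). The page that starts the flow is not in
// this file; once it stores the nonce in the session, compare it here with
// hash_equals() and abort on mismatch before the token exchange.
// The code itself is a short-lived bearer secret — log its presence, not its value.
$log("Code received (len " . strlen($code) . "). State present: " . ($state !== '' ? 'yes' : 'no'));

// Token endpoint is reached over plain HTTP on loopback only; the client
// secret and tokens therefore never leave this host.
$tokenUrl = 'http://127.0.0.1:9090/application/o/token/';

// Client credentials come from the environment when set, otherwise from the
// values historically embedded in this file. NOTE(review): a secret committed
// to source must be treated as compromised — rotate it in Authentik, set
// WEVAL_OIDC_CLIENT_SECRET in the web server's environment, and delete the
// inline fallback below.
$clientId     = getenv('WEVAL_OIDC_CLIENT_ID')     ?: 'aB9IF9xQ8L9u7Ty1Eq63dMYFgy59O58fqzuNulwJ';
$clientSecret = getenv('WEVAL_OIDC_CLIENT_SECRET') ?: 'ZfGUQFAn9mAxerG5wOVvfCWb4QZ0YlGW0s8AxLhY5qkChGhQY8hQeKw4nSvuH79lEPwAEs6IMggeygWN7sjqpJ2WkWgKMcuQUCBxl5CC6ly7Xih9Nd20LUgPv86cG1ZP';
// Must match the redirect URI registered for this client byte-for-byte.
$redirectUri  = 'https://weval-consulting.com/api/auth-callback.php';

$postData = http_build_query([
    'grant_type'    => 'authorization_code',
    'code'          => $code,
    'redirect_uri'  => $redirectUri,
    'client_id'     => $clientId,
    'client_secret' => $clientSecret,
]);

$ch = curl_init($tokenUrl);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_POSTFIELDS     => $postData,
]);
$resp      = curl_exec($ch);
$httpCode  = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
$curlError = curl_error($ch);
curl_close($ch);

// Log the status only: the response body carries access/refresh/id tokens
// and must never be written to a log file.
$log("Token response HTTP $httpCode" . ($curlError !== '' ? " (curl: $curlError)" : ''));

$token = is_string($resp) ? json_decode($resp, true) : null;
if ($httpCode !== 200 || !is_array($token)
    || empty($token['access_token']) || !is_string($token['access_token'])) {
    // On failure the OAuth2 error response is {"error":…,"error_description":…};
    // the `error` code is the only field we take from the body for logging.
    $reason = is_array($token) ? (string) ($token['error'] ?? 'no access_token in response') : 'unparseable response';
    $log("TOKEN FAIL: $reason");
    header('Location: /login.html?error=token_fail&manual=1');
    exit;
}

// Get user info. The identity we trust comes from Authentik via this call,
// never from anything the browser sent. Bearer token travels over loopback only.
$ch = curl_init('http://127.0.0.1:9090/application/o/userinfo/');
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 5,
    CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $token['access_token']],
]);
$userResp     = curl_exec($ch);
$userHttpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

$user     = is_string($userResp) ? json_decode($userResp, true) : null;
$username = '';
if ($userHttpCode === 200 && is_array($user)) {
    // Prefer the human-readable username, fall back to the stable subject id.
    $candidate = $user['preferred_username'] ?? $user['sub'] ?? '';
    $username  = is_string($candidate) ? $candidate : '';
}
// Previously a failed or empty userinfo call still established an
// authenticated session under the placeholder name 'sso_user'. With no
// identity from the IdP there is nothing to authenticate, so fail closed.
if ($username === '') {
    $log("USERINFO FAIL: HTTP $userHttpCode, no preferred_username/sub claim");
    header('Location: /login.html?error=token_fail&manual=1');
    exit;
}
$emailClaim = $user['email'] ?? '';
$email      = is_string($emailClaim) ? $emailClaim : '';

$log("User: $username");

// New session id so an id fixed before login, or left over from a previous
// user of this browser, no longer maps to the authenticated session.
session_regenerate_id(true);
$_SESSION['wu']         = $username;
$_SESSION['wa']         = 1;
$_SESSION['weval_auth'] = true;
$_SESSION['weval_user'] = $username;
$_SESSION['sso']        = true;
$_SESSION['email']      = $email;

// Post-login destination: `state` may carry a base64-encoded site-relative
// path. Only a path beginning with a single '/' is accepted. The old check
// (`strpos($decoded,'/')===0`) also let through '//evil.example/…' and
// '/\evil.example', which browsers resolve as scheme-relative URLs to another
// origin — an open redirect straight after login. Backslashes and control
// characters are rejected outright; anything else falls back to the workspace.
// base64_decode stays non-strict on purpose: a '+' in the encoded value arrives
// as a space after URL decoding and strict mode would reject it.
$redirect = '/products/workspace.html';
if ($state !== '') {
    $decoded = base64_decode($state);
    if (is_string($decoded) && preg_match('#\A/(?![/\\\\])[^\\\\\x00-\x1F\x7F]*\z#', $decoded) === 1) {
        $redirect = $decoded;
    }
}
$log("Redirect: $redirect");
header('Location: ' . $redirect);
exit;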