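<?php

declare(strict_types=1);

/**
 * Authentik SSO OAuth2 Callback
 *
 * Flow: User clicks SSO → redirect to Authentik → callback here → set session → redirect
 *
 * The `state` value minted on the first leg is stored in the session and must be
 * echoed back unchanged by Authentik on the callback leg; the comparison in
 * Step 2 is what ties the returned authorization code to this browser session
 * (CSRF protection for the authorization-code flow). The session id is
 * regenerated only after the user is fully verified, so a pre-login session id
 * cannot be carried into the authenticated session.
 */

session_start();

// OAuth2 client settings for the Authentik provider.
// NOTE(review): the client secret is committed in source; it should be read from
// an environment variable or secret store instead of living in this file.
$CLIENT_ID = "aB9IF9xQ8L9u7Ty1Eq63dMYFgy59O58fqzuNulwJ";
$CLIENT_SECRET = "nSTs6x7n1PoUjbQylt6WFYsAVY9fuXcAlMCB1gFxzqRIICdkfjbZWtRgOA8QSe9TJOIPkZGgAEP8mXsbxi5Jtl9PzkDyGA5TihBQurlphxsnYdM8mtW2SgjXIaoSzbGI";
$AUTH_URL = "https://auth.weval-consulting.com/application/o/authorize/";
$TOKEN_URL = "https://auth.weval-consulting.com/application/o/token/";
$USERINFO_URL = "https://auth.weval-consulting.com/application/o/userinfo/";
$REDIRECT_URI = "https://weval-consulting.com/api/authentik-callback.php";
$APP_SLUG = "weval-consulting";

/**
 * Render the minimal SSO error page and stop the script.
 *
 * @param string $message Static, trusted text placed inside the <p> element
 *                        (never user-controlled — it is not escaped).
 */
function sso_fail(string $message): void
{
    echo "<h2>SSO Error</h2><p>{$message}</p><a href='/wevcode'>Retour</a>";
    exit;
}

/**
 * Perform an HTTP request with cURL and decode the JSON response body.
 *
 * Defaults to a 10 second timeout and returning the body; callers pass the
 * method, body and headers. A failed transport, a non-2xx status or a body that
 * is not a JSON object all collapse to null so the caller has one check to make.
 *
 * @param string            $url     Endpoint to call.
 * @param array<int, mixed> $options Extra CURLOPT_* settings; they override the defaults.
 * @return array<string, mixed>|null Decoded JSON object, or null on any failure.
 */
function authentik_json_request(string $url, array $options): ?array
{
    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }
    // `+` keeps the caller's keys and only fills in the ones they did not set.
    curl_setopt_array($ch, $options + [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 10,
    ]);
    $body = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    // curl_exec() returns false on transport errors; json_decode() must not see that.
    if (!is_string($body) || $status < 200 || $status >= 300) {
        return null;
    }
    $decoded = json_decode($body, true);

    return is_array($decoded) ? $decoded : null;
}

// Step 1: No code = redirect to Authentik
if (empty($_GET['code'])) {
    // Unguessable per-login nonce; verified on the callback leg (Step 2).
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth_state'] = $state;
    $params = http_build_query([
        'response_type' => 'code',
        'client_id' => $CLIENT_ID,
        'redirect_uri' => $REDIRECT_URI,
        'scope' => 'openid profile email',
        'state' => $state,
    ]);
    header("Location: $AUTH_URL?$params");
    exit;
}

// Step 2: Callback with code — verify state, then exchange the code for a token
$code = $_GET['code'];
$returnedState = $_GET['state'] ?? null;
$expectedState = $_SESSION['oauth_state'] ?? null;
// The state is single-use: drop it whether or not the comparison succeeds, so a
// replayed callback cannot be matched against a stale value.
unset($_SESSION['oauth_state']);

// Every value must be a string before hash_equals() (constant-time comparison)
// sees it; a missing state or a query parameter sent as an array is rejected.
if (
    !is_string($code)
    || !is_string($returnedState)
    || !is_string($expectedState)
    || !hash_equals($expectedState, $returnedState)
) {
    sso_fail("Invalid state.");
}

$token = authentik_json_request($TOKEN_URL, [
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'grant_type' => 'authorization_code',
        'code' => $code,
        'redirect_uri' => $REDIRECT_URI,
        'client_id' => $CLIENT_ID,
        'client_secret' => $CLIENT_SECRET,
    ]),
]);

$accessToken = $token['access_token'] ?? null;
if (!is_string($accessToken) || $accessToken === '') {
    sso_fail("Token exchange failed.");
}

// Step 3: Get user info
$user = authentik_json_request($USERINFO_URL, [
    CURLOPT_HTTPHEADER => ["Authorization: Bearer " . $accessToken],
]);

$username = $user['preferred_username'] ?? null;
if (!is_string($username) || $username === '') {
    sso_fail("User info failed.");
}

// Step 4: Set session (same keys as weval-auth-session.php)
// Regenerate before writing the authenticated keys so they never live under the
// pre-login session id.
session_regenerate_id(true);
$_SESSION['weval_auth'] = true;
$_SESSION['weval_user'] = $username;
$_SESSION['wu'] = $username;
$_SESSION['wa'] = 1;
$_SESSION['sso'] = 'authentik';

// Step 5: Redirect to WEVCODE
header("Location: /wevcode");
exit;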