Added OIDC support, improved OAuth flow

config.inc.php

@@ -537,6 +537,18 @@
 // $tlCfg->OAuthServers[1]['oauth_profile'] = 'https://login.microsoftonline.com/TENANTID/openid/userinfo';
 // $tlCfg->OAuthServers[1]['oauth_scope'] = 'https://graph.microsoft.com/mail.read https://graph.microsoft.com/user.read openid profile email';
 
+// OIDC
+// $tlCfg->OAuthServers[1]['oauth_enabled'] = true;
+// $tlCfg->OAuthServers[1]['oauth_name'] = 'oidc';
+// $tlCfg->OAuthServers[1]['oauth_client_id'] = 'CLIENT_ID';
+// $tlCfg->OAuthServers[1]['oauth_client_secret'] = 'CLIENT_SECRET';
+// $tlCfg->OAuthServers[1]['oauth_grant_type'] = 'authorization_code';
+// $tlCfg->OAuthServers[1]['oauth_url'] = 'OAUTH_URL';
+// $tlCfg->OAuthServers[1]['token_url'] = 'TOKEN_URL';
+// $tlCfg->OAuthServers[1]['redirect_uri'] = 'redirect_uri';
+// $tlCfg->OAuthServers[1]['oauth_scope'] = 'openid profile email groups ext offline_access';
+// $tlCfg->OAuthServers[1]['https'] = $_SERVER['HTTPS'];
+
 /**
  * Single Sign On authentication
  *

custom_config.inc.php.oidc_oauth

@@ -0,0 +1,17 @@
+<?php
+/**
+ * OAUTH auth
+ * Configure this on custom_config.inc.php
+ */
+
+// OIDC
+// $tlCfg->OAuthServers[1]['oauth_enabled'] = true;
+// $tlCfg->OAuthServers[1]['oauth_name'] = 'oidc';
+// $tlCfg->OAuthServers[1]['oauth_client_id'] = 'CLIENT_ID';
+// $tlCfg->OAuthServers[1]['oauth_client_secret'] = 'CLIENT_SECRET';
+// $tlCfg->OAuthServers[1]['oauth_grant_type'] = 'authorization_code';
+// $tlCfg->OAuthServers[1]['oauth_url'] = 'OAUTH_URL';
+// $tlCfg->OAuthServers[1]['token_url'] = 'TOKEN_URL';
+// $tlCfg->OAuthServers[1]['redirect_uri'] = 'redirect_uri';
+// $tlCfg->OAuthServers[1]['oauth_scope'] = 'openid profile email groups ext offline_access';
+// $tlCfg->OAuthServers[1]['https'] = $_SERVER['HTTPS'];

docs/oauth/oidc.md

@@ -0,0 +1,41 @@
+# How to configurate oauth work with OIDC
+
+## About Dex
+Dex is an identity service that uses OpenID Connect to drive authentication for other apps.
+
+https://github.com/dexidp/dex
+
+## Configuration
+config.inc.php example:
+
+```
+// OIDC
+$tlCfg->OAuthServers[1]['oauth_enabled'] = true;
+$tlCfg->OAuthServers[1]['oauth_name'] = 'oidc';
+$tlCfg->OAuthServers[1]['oauth_client_id'] = 'CLIENT_ID';
+$tlCfg->OAuthServers[1]['oauth_client_secret'] = 'CLIENT_SECRET';
+$tlCfg->OAuthServers[1]['oauth_grant_type'] = 'authorization_code';
+$tlCfg->OAuthServers[1]['oauth_url'] = 'OAUTH_URL';
+$tlCfg->OAuthServers[1]['token_url'] = 'TOKEN_URL';
+$tlCfg->OAuthServers[1]['redirect_uri'] = 'redirect_uri';
+$tlCfg->OAuthServers[1]['oauth_scope'] = 'openid profile email groups ext offline_access';
+$tlCfg->OAuthServers[1]['https'] = $_SERVER['HTTPS'];
+```
+
+oauth_enabled: enable this oauth configuration.
+
+oauth_name: "oidc".
+
+oauth_client_id: id of OAuth program
+
+oauth_client_secret: secret code.
+
+oauth_grant_type: authorization_code is default value.
+
+oauth_url: url of OAuth server.
+
+token_url: url for getting token.
+
+redirect_uri: callback uri.
+
+oauth_scope: openid profile email groups ext offline_access

lib/functions/oauth_providers/oidc.php

@@ -0,0 +1,81 @@
+<?php
+/**
+ * TestLink Open Source Project - http://testlink.sourceforge.net/ 
+ * This script is distributed under the GNU General Public License 2 or later. 
+ *
+ * @filesource  oidc.php
+ *
+ * OIDC OAUTH API (authentication)
+ *
+ * @internal revisions
+ * @since 1.9.20
+ *
+ */
+
+// Get token
+function oauth_get_token($authCfg, $code) {
+
+  $result = new stdClass();
+  $result->status = array('status' => tl::OK, 'msg' => null);
+
+  // Params to get token
+  $oauthParams = array(
+     'code'          => $code,
+     'client_id'     => $authCfg['oauth_client_id'],
+     'client_secret' => $authCfg['oauth_client_secret'],
+     'grant_type'    => $authCfg['oauth_grant_type']
+  );
+
+  $oauthParams['redirect_uri'] = $authCfg['redirect_uri'];  
+  if( isset($authCfg['https']) ) {
+    $oauthParams['redirect_uri'] = 
+      str_replace('http://', 'https://', $oauthParams['redirect_uri']);  
+  }
+
+  // Step #1 - Get the token
+  $curl = curl_init();
+  curl_setopt($curl, CURLOPT_URL, $authCfg['token_url']);
+  curl_setopt($curl, CURLOPT_POST, 1);
+  curl_setopt($curl, CURLOPT_HTTPHEADER, array('Accept: application/json'));
+  curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($oauthParams));
+  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+  curl_setopt($curl, CURLOPT_COOKIESESSION, true);
+  curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
+  $result_curl = curl_exec($curl);
+
+  if( $result_curl === false ) {
+    echo 'Curl error: ' . curl_error($curl);
+    echo '<pre>';
+    var_dump(curl_getinfo($curl));
+    echo '</pre>';
+    return false;
+  }
+  curl_close($curl);
+  $tokenInfo = json_decode($result_curl);
+
+  // If token is received start session
+  if (isset($tokenInfo->access_token)) {
+
+    $tokens = explode('.', $tokenInfo->id_token);
+    if (count($tokens) != 3)
+      return false;
+
+    $base64payload = $tokens[1];
+
+    $payload = json_decode(base64_decode($base64payload));
+    if ($payload==false){
+      return false;
+    }
+
+    $result->options = new stdClass();
+    $result->options->givenName = $payload->name;
+    $result->options->familyName = $payload->name;
+    $result->options->user = $payload->email;
+    $result->options->auth = 'oauth';
+    return $result;
+  }
+  $result->status['msg'] = 'An error occurred during getting token';
+  $result->status['status'] = tl::ERROR;
+
+  return $result;
+}