cyanide-burnout · November 24, 2023 14:58
diff --git a/auth.php b/auth.php
 <?php

  // https://katystech.blog/projects/php-azuread-oauth-login
  // https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

  // Configuration settings: OAUTH_TENANT_ID, OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET

  require_once("config.php");

  session_start();

  if (($_SERVER["REQUEST_METHOD"] == "POST") &&
      array_key_exists("code",  $_POST) &&
      array_key_exists("state", $_POST) &&
      ($_POST["state"] == session_id()))
  {
    $parameters = array(
      "client_id"     => OAUTH_CLIENT_ID,
      "code"          => $_POST["code"],
      "redirect_uri"  => "https://" . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH),
      "grant_type"    => "authorization_code",
      "client_secret" => OAUTH_CLIENT_SECRET);

    $handle = curl_init();
    curl_setopt($handle, CURLOPT_POST, true);
    curl_setopt($handle, CURLOPT_POSTFIELDS, $parameters);
    curl_setopt($handle, CURLOPT_URL, "https://login.microsoftonline.com/" . OAUTH_TENANT_ID . "/oauth2/v2.0/token");
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);

    $response = curl_exec($handle);
    $data     = json_decode($response, true);
    curl_close($handle);

    if (array_key_exists("access_token", $data)) $_SESSION["access_token"] = $data["access_token"];
    if (array_key_exists("error", $data))        $error = $data["error_description"];
  }

  if (($_SERVER["REQUEST_METHOD"] == "POST") &&
      array_key_exists("error", $_POST))
  {
    // Error may accure on authorization phase
   $error = $_POST["error_description"];
  }

  if ((array_key_exists("action", $_GET) && ($_GET["action"] == "logout") ||
       isset($error) && preg_match("/^AADSTS70008:|^AADSTS54005:/", $error)) &&
      array_key_exists("access_token", $_SESSION))
  {
    // AADSTS70008: The provided authorization code or refresh token has expired due to inactivity
    // AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token
    unset($_SESSION["access_token"]);
  }

  if (!array_key_exists("access_token", $_SESSION))
  {
    $parameters = array(
      "client_id"     => OAUTH_CLIENT_ID,
      "redirect_uri"  => "https://" . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH),
      "response_type" => "code",
      "response_mode" => "form_post",
      "prompt"        => "select_account",
      "scope"         => urlencode("user.read"),
      "state"         => session_id());

    header("Location: https://login.microsoftonline.com/" . OAUTH_TENANT_ID . "/oauth2/v2.0/authorize?" . http_build_query($parameters));
    exit();
  }

  if (isset($error))
  {
    header($_SERVER["SERVER_PROTOCOL"] . " 500 Internal Server Error", true, 500);
    print($error);
    exit();
  }

  if (array_key_exists("access_token", $_SESSION))
  {
    $token               = explode(".", $_SESSION["access_token"]);
    $_SESSION["profile"] = json_decode(base64_decode($token[1], true), true);
  }

 ?>
	<?php

	// https://katystech.blog/projects/php-azuread-oauth-login
	// https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

	// Configuration settings: OAUTH_TENANT_ID, OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET

	require_once("config.php");

	session_start();

	if (($_SERVER["REQUEST_METHOD"] == "POST") &&
	array_key_exists("code", $_POST) &&
	array_key_exists("state", $_POST) &&
	($_POST["state"] == session_id()))
	{
	$parameters = array(
	"client_id" => OAUTH_CLIENT_ID,
	"code" => $_POST["code"],
	"redirect_uri" => "https://" . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH),
	"grant_type" => "authorization_code",
	"client_secret" => OAUTH_CLIENT_SECRET);

	$handle = curl_init();
	curl_setopt($handle, CURLOPT_POST, true);
	curl_setopt($handle, CURLOPT_POSTFIELDS, $parameters);
	curl_setopt($handle, CURLOPT_URL, "https://login.microsoftonline.com/" . OAUTH_TENANT_ID . "/oauth2/v2.0/token");
	curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);

	$response = curl_exec($handle);
	$data = json_decode($response, true);
	curl_close($handle);

	if (array_key_exists("access_token", $data)) $_SESSION["access_token"] = $data["access_token"];
	if (array_key_exists("error", $data)) $error = $data["error_description"];
	}

	if (($_SERVER["REQUEST_METHOD"] == "POST") &&
	array_key_exists("error", $_POST))
	{
	// Error may accure on authorization phase
	$error = $_POST["error_description"];
	}

	if ((array_key_exists("action", $_GET) && ($_GET["action"] == "logout") \|\|
	isset($error) && preg_match("/^AADSTS70008:\|^AADSTS54005:/", $error)) &&
	array_key_exists("access_token", $_SESSION))
	{
	// AADSTS70008: The provided authorization code or refresh token has expired due to inactivity
	// AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token
	unset($_SESSION["access_token"]);
	}

	if (!array_key_exists("access_token", $_SESSION))
	{
	$parameters = array(
	"client_id" => OAUTH_CLIENT_ID,
	"redirect_uri" => "https://" . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH),
	"response_type" => "code",
	"response_mode" => "form_post",
	"prompt" => "select_account",
	"scope" => urlencode("user.read"),
	"state" => session_id());

	header("Location: https://login.microsoftonline.com/" . OAUTH_TENANT_ID . "/oauth2/v2.0/authorize?" . http_build_query($parameters));
	exit();
	}

	if (isset($error))
	{
	header($_SERVER["SERVER_PROTOCOL"] . " 500 Internal Server Error", true, 500);
	print($error);
	exit();
	}

	if (array_key_exists("access_token", $_SESSION))
	{
	$token = explode(".", $_SESSION["access_token"]);
	$_SESSION["profile"] = json_decode(base64_decode($token[1], true), true);
	}

	?>