/trunk/doc/config_values.md |
---|
670,13 → 670,14 |
Allow "Remember me" logins for a RA. |
### JWT_ALLOW_MANUAL |
### JWT_ALLOW_MANUAL_ADMIN and JWT_ALLOW_MANUAL_ADMIN_USER |
OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL', false); |
OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL_ADMIN', false); |
OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL_USER', false); |
Allow JWT tokens which were manually created "by hand". |
These can have any content you like, but they must |
contain the claim "oidplus_generator" with value "2". |
contain the claim `oidplus_generator` with value `OIDplusAuthContentStoreJWT::JWT_GENERATOR_MANUAL`. |
### JWT_TTL_LOGIN_USER |
/trunk/includes/classes/OIDplusAuthContentStoreJWT.class.php |
---|
161,10 → 161,13 |
} |
} |
else if ($gen === self::JWT_GENERATOR_MANUAL) { |
// Generator 2 are "hand-crafted" tokens |
if (!OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL', false)) { |
throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL')); |
// Generator: "hand-crafted" tokens |
if (($has_admin) && !OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL_ADMIN', false)) { |
throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL_ADMIN')); |
} |
if (($has_ra) && !OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL_USER', false)) { |
throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL_USER')); |
} |
} else { |
throw new OIDplusException(_L('Token generator %1 not recognized',$gen)); |
} |
194,7 → 197,7 |
// Optional feature: Limit the JWT to a specific IP address |
// Currently not used in OIDplus |
$ip = $contentProvider->getValue('ip',''); |
$ip = $contentProvider->getValue('oidplus_limit_ip',''); |
if ($ip !== '') { |
if (isset($_SERVER['REMOTE_ADDR']) && ($ip !== $_SERVER['REMOTE_ADDR'])) { |
throw new OIDplusException(_L('Your IP address is not allowed to use this token')); |
441,11 → 444,11 |
*/ |
public function getJWTToken(): string { |
$payload = $this->content; |
$payload["oidplus_ssh"] = self::getSsh(); // SSH = Server Secret Hash |
$payload["iss"] = OIDplus::getEditionInfo()['jwtaud']; |
$payload["aud"] = OIDplus::getEditionInfo()['jwtaud']; |
$payload["jti"] = gen_uuid(); |
$payload["iat"] = time(); |
$payload["oidplus_ssh"] = self::getSsh(); // SSH = Server Secret Hash |
if (OIDplus::getPkiStatus()) { |
$privKey = OIDplus::getSystemPrivateKey(); |
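Review bot: In the first hunk (161,10 → 161,13) the two new configuration gates are conditional on `$has_admin` and `$has_ra`, so a hand-crafted token that asserts neither is accepted with no base-configuration check at all, whereas the removed `JWT_ALLOW_MANUAL` test rejected every manual token unless it was explicitly enabled. `$has_admin` and `$has_ra` are computed above the hunk, so I cannot tell whether they cover every privilege a token can carry; if they do not, this is a fail-open path and an explicit deny such as `if (!$has_admin && !$has_ra) { throw new OIDplusException(_L('Manually created tokens must carry an admin or RA login')); }` would restore the previous default, or a comment should state why a role-less manual token is intentionally allowed. The rename also means deployments that set `JWT_ALLOW_MANUAL` will silently have manual tokens rejected until they adopt `JWT_ALLOW_MANUAL_ADMIN`/`JWT_ALLOW_MANUAL_USER`; that is the safe direction, but deserves a line in the release notes. The enclosing method starts and ends outside the hunk.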
/trunk/includes/classes/OIDplusAuthContentStoreSession.class.php |
---|
97,6 → 97,12 |
public static function getActiveProvider()/*: ?OIDplusAuthContentStore*/ { |
static $contentProvider = null; |
$rel_url = substr($_SERVER['REQUEST_URI'], strlen(OIDplus::webpath(null, OIDplus::PATH_RELATIVE_TO_ROOT))); |
if (str_starts_with($rel_url, 'rest/')) { // <== TODO: Find a way how to move this into the plugin, since REST does not belong to the core. (Maybe some kind of "stateless mode" that is enabled by the REST plugin) |
// For REST, we must only allow JWT from Bearer and nothing else! So disable cookies if we are accessing the REST plugin |
return null; |
} |
if (!$contentProvider) { |
if (self::getSessionHandler()->isActive()) { |
$contentProvider = new OIDplusAuthContentStoreSession(); |
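Review bot: `str_starts_with()` on the new line after `$rel_url` is a PHP 8.0 function, while the commented-out return type `/*: ?OIDplusAuthContentStore*/` on `getActiveProvider()` suggests the file still targets older PHP versions; confirm a polyfill is in scope there, otherwise the call fatals. The REST gate is also purely lexical on `$_SERVER['REQUEST_URI']`: if the web server's rewrite rules deliver another spelling of the path (different case, doubled slashes, percent-encoded characters) to the REST plugin, the cookie session would still be attached, which is the opposite of what the comment intends. Deriving the flag from the route the dispatcher actually selected, or normalising the path before the comparison, would be more robust; at minimum a comment such as `// Assumes the REST plugin is reachable only under the literal "rest/" prefix (no alternate spellings via rewrite rules)` should record the assumption. The enclosing method continues past the hunk.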
/trunk/includes/classes/OIDplusAuthUtils.class.php |
---|
75,20 → 75,15 |
// TODO: Should we implement these AuthContentStore as plugin type, so that there can be more than just JWT and PHP session? |
// Logged in via JWT |
// (The JWT can come from a REST Authentication Bearer, an AJAX Cookie, or an Automated AJAX Call GET/POST token.) |
$tmp = OIDplusAuthContentStoreJWT::getActiveProvider(); |
if ($tmp) return $tmp; |
// For REST, we must only allow JWT from Bearer and nothing else! So disable cookies if we are accessing the REST plugin |
$rel_url = substr($_SERVER['REQUEST_URI'], strlen(OIDplus::webpath(null, OIDplus::PATH_RELATIVE_TO_ROOT))); |
if (!str_starts_with($rel_url, 'rest/')) { // <== TODO: Find a way how to move this into the plugin, since REST does not belong to the core. (Maybe some kind of "stateless mode" that is enabled by the REST plugin) |
// Normal login via web-browser |
// Cookie will only be created once content is stored |
$tmp = OIDplusAuthContentStoreSession::getActiveProvider(); |
if ($tmp) return $tmp; |
} |
// No active session and no JWT token available. User is not logged in. |
return null; |
} |
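Review bot: The comment `// (The JWT can come from a REST Authentication Bearer, an AJAX Cookie, or an Automated AJAX Call GET/POST token.)` says the JWT provider, which is tried first here, also accepts tokens from a cookie, yet the REST rationale moved into OIDplusAuthContentStoreSession::getActiveProvider ("only allow JWT from Bearer and nothing else") is enforced only for the PHP-session store. Unless OIDplusAuthContentStoreJWT::getActiveProvider() (not in this diff) applies an equivalent REST check, a JWT carried in a cookie would still authenticate a REST request, so REST endpoints would remain reachable with ambient browser credentials. Worth confirming the JWT provider's behaviour, or amending the comment to `// For REST requests only the Bearer header should be honoured; verify OIDplusAuthContentStoreJWT::getActiveProvider() enforces this` so the limitation is visible to the next reader.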