classes/adminsetting/auth_oidc_admin_setting_redirecturi.php

@@ -33,15 +33,18 @@
  * Displays the redirect URI for easier config.
  */
 class auth_oidc_admin_setting_redirecturi extends \admin_setting {
+    private $url;
+
     /**
      * Constructor.
      *
      * @param $name
      * @param $heading
      * @param $description
      */
-    public function __construct($name, $heading, $description) {
+    public function __construct($name, $heading, $description, $url) {
         $this->nosave = true;
+        $this->url = $url;
         parent::__construct($name, $heading, $description, '');
     }
 
@@ -82,6 +85,7 @@ public function write_setting($data) {
      */
     public function output_html($data, $query = '') {
         $redirecturl = utils::get_redirecturl();
+        $redirecturl = $this->url;
         $html = \html_writer::tag('h5', $redirecturl);
         return format_admin_setting($this, $this->visiblename, $html, $this->description, true, '', null, $query);
     }

classes/loginflow/authcode.php

@@ -26,7 +26,9 @@
 
 namespace auth_oidc\loginflow;
 
+use auth_oidc\jwt;
 use auth_oidc\utils;
+use moodle_exception;
 
 defined('MOODLE_INTERNAL') || die();
 
@@ -88,7 +90,7 @@ protected function getoidcparam($name, $fallback = '') {
         $valclean = preg_replace('/[^A-Za-z0-9\_\-\.\+\/\=]/i', '', $val);
         if ($valclean !== $val) {
             utils::debug('Authorization error.', 'authcode::cleanoidcparam', $name);
-            throw new \moodle_exception('errorauthgeneral', 'auth_oidc');
+            throw new moodle_exception('errorauthgeneral', 'auth_oidc');
         }
         return $valclean;
     }
@@ -179,25 +181,27 @@ public function initiateauthrequest($promptlogin = false, array $stateparams = a
     protected function handleauthresponse(array $authparams) {
         global $DB, $SESSION, $USER, $CFG;
 
+        $sid = optional_param('session_state', '', PARAM_TEXT);
+
         if (!empty($authparams['error_description'])) {
             utils::debug('Authorization error.', 'authcode::handleauthresponse', $authparams);
             redirect($CFG->wwwroot, get_string('errorauthgeneral', 'auth_oidc'), null, \core\output\notification::NOTIFY_ERROR);
         }
 
         if (!isset($authparams['code'])) {
             utils::debug('No auth code received.', 'authcode::handleauthresponse', $authparams);
-            throw new \moodle_exception('errorauthnoauthcode', 'auth_oidc');
+            throw new moodle_exception('errorauthnoauthcode', 'auth_oidc');
         }
 
         if (!isset($authparams['state'])) {
             utils::debug('No state received.', 'authcode::handleauthresponse', $authparams);
-            throw new \moodle_exception('errorauthunknownstate', 'auth_oidc');
+            throw new moodle_exception('errorauthunknownstate', 'auth_oidc');
         }
 
         // Validate and expire state.
         $staterec = $DB->get_record('auth_oidc_state', ['state' => $authparams['state']]);
         if (empty($staterec)) {
-            throw new \moodle_exception('errorauthunknownstate', 'auth_oidc');
+            throw new moodle_exception('errorauthunknownstate', 'auth_oidc');
         }
         $orignonce = $staterec->nonce;
         $additionaldata = [];
@@ -214,18 +218,18 @@ protected function handleauthresponse(array $authparams) {
         $client = $this->get_oidcclient();
         $tokenparams = $client->tokenrequest($authparams['code']);
         if (!isset($tokenparams['id_token'])) {
-            throw new \moodle_exception('errorauthnoidtoken', 'auth_oidc');
+            throw new moodle_exception('errorauthnoidtoken', 'auth_oidc');
         }
 
-        // Decode and verify idtoken.
+        // Decode and verify ID token.
         [$oidcuniqid, $idtoken] = $this->process_idtoken($tokenparams['id_token'], $orignonce);
 
         // Check restrictions.
         $passed = $this->checkrestrictions($idtoken);
         if ($passed !== true && empty($additionaldata['ignorerestrictions'])) {
             $errstr = 'User prevented from logging in due to restrictions.';
             utils::debug($errstr, 'handleauthresponse', $idtoken);
-            throw new \moodle_exception('errorrestricted', 'auth_oidc');
+            throw new moodle_exception('errorrestricted', 'auth_oidc');
         }
 
         // This is for setting the system API user.
@@ -245,7 +249,6 @@ protected function handleauthresponse(array $authparams) {
         // Check if OIDC user is already migrated.
         $tokenrec = $DB->get_record('auth_oidc_token', ['oidcuniqid' => $oidcuniqid]);
         if (isloggedin() && !isguestuser() && (empty($tokenrec) || (isset($USER->auth) && $USER->auth !== 'oidc'))) {
-
             // If user is already logged in and trying to link Microsoft 365 account or use it for OIDC.
             // Check if that Microsoft 365 account already exists in moodle.
             $userrec = $DB->count_records_sql('SELECT COUNT(*)
@@ -260,7 +263,7 @@ protected function handleauthresponse(array $authparams) {
                 } else if ($additionaldata['redirect'] == '/local/o365/ucp.php') {
                     $redirect = $additionaldata['redirect'].'?action=connection&o365accountconnected=true';
                 } else {
-                    throw new \moodle_exception('errorinvalidredirect_message', 'auth_oidc');
+                    throw new moodle_exception('errorinvalidredirect_message', 'auth_oidc');
                 }
                 redirect(new \moodle_url($redirect));
             }
@@ -276,6 +279,9 @@ protected function handleauthresponse(array $authparams) {
         } else {
             // Otherwise it's a user logging in normally with OIDC.
             $this->handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken);
+            if ($USER->id && $DB->record_exists('auth_oidc_token', ['userid' => $USER->id])) {
+                $DB->set_field('auth_oidc_token', 'sid', $sid, ['userid' => $USER->id]);
+            }
             redirect(core_login_get_return_url());
         }
     }
@@ -284,9 +290,9 @@ protected function handleauthresponse(array $authparams) {
      * Handle a user migration event.
      *
      * @param string $oidcuniqid A unique identifier for the user.
-     * @param array $authparams Paramteres receieved from the auth request.
+     * @param array $authparams Parameters received from the auth request.
      * @param array $tokenparams Parameters received from the token request.
-     * @param \auth_oidc\jwt $idtoken A JWT object representing the received id_token.
+     * @param jwt $idtoken A JWT object representing the received id_token.
      * @param bool $connectiononly Whether to just connect the user (true), or to connect and change login method (false).
      */
     protected function handlemigration($oidcuniqid, $authparams, $tokenparams, $idtoken, $connectiononly = false) {
@@ -312,7 +318,7 @@ protected function handlemigration($oidcuniqid, $authparams, $tokenparams, $idto
                     return true;
                 } else {
                     // OIDC user connected to user that is not us. Can't continue.
-                    throw new \moodle_exception('errorauthuserconnectedtodifferent', 'auth_oidc');
+                    throw new moodle_exception('errorauthuserconnectedtodifferent', 'auth_oidc');
                 }
             }
         }
@@ -331,7 +337,7 @@ protected function handlemigration($oidcuniqid, $authparams, $tokenparams, $idto
                 $this->updatetoken($tokenrec->id, $authparams, $tokenparams);
                 return true;
             } else {
-                throw new \moodle_exception('errorauthuseralreadyconnected', 'auth_oidc');
+                throw new moodle_exception('errorauthuseralreadyconnected', 'auth_oidc');
             }
         }
 
@@ -418,18 +424,18 @@ protected function check_objects($oidcuniqid, $username) {
      * Handle a login event.
      *
      * @param string $oidcuniqid A unique identifier for the user.
-     * @param array $authparams Parameters receieved from the auth request.
+     * @param array $authparams Parameters received from the auth request.
      * @param array $tokenparams Parameters received from the token request.
-     * @param \auth_oidc\jwt $idtoken A JWT object representing the received id_token.
+     * @param jwt $idtoken A JWT object representing the received id_token.
      */
-    protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken) {
+    protected function handlelogin(string $oidcuniqid, array $authparams, array $tokenparams, jwt $idtoken) {
         global $DB, $CFG;
 
         $tokenrec = $DB->get_record('auth_oidc_token', ['oidcuniqid' => $oidcuniqid]);
 
         // Do not continue if auth plugin is not enabled.
         if (!is_enabled_auth('oidc')) {
-            throw new \moodle_exception('erroroidcnotenabled', 'auth_oidc', null, null, '1');
+            throw new moodle_exception('erroroidcnotenabled', 'auth_oidc', null, null, '1');
         }
 
         if (!empty($tokenrec)) {
@@ -466,10 +472,9 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
                 complete_user_login($user);
             } else {
                 // There was a problem in authenticate_user_login.
-                throw new \moodle_exception('errorauthgeneral', 'auth_oidc', null, null, '2');
+                throw new moodle_exception('errorauthgeneral', 'auth_oidc', null, null, '2');
             }
 
-            return true;
         } else {
             /* No existing token, user not connected. Possibilities:
                 - Matched user.
@@ -484,7 +489,7 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
                 $username = $oidcuniqid;
 
                 // If upn claim is missing, it can mean either the IdP is not Azure AD, or it's a guest user.
-                if (\auth_oidc_is_local_365_installed()) {
+                if (auth_oidc_is_local_365_installed()) {
                     $apiclient = \local_o365\utils::get_api();
                     $userdetails = $apiclient->get_user($oidcuniqid, true);
                     if (!is_null($userdetails) && isset($userdetails['userPrincipalName']) &&
@@ -501,7 +506,7 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
             if (!empty($matchedwith)) {
                 if ($matchedwith->auth != 'oidc') {
                     $matchedwith->aadupn = $username;
-                    throw new \moodle_exception('errorusermatched', 'auth_oidc', null, $matchedwith);
+                    throw new moodle_exception('errorusermatched', 'auth_oidc', null, $matchedwith);
                 }
             }
             $username = trim(\core_text::strtolower($username));
@@ -518,7 +523,7 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
                     $eventdata = ['other' => ['username' => $username, 'reason' => $failurereason]];
                     $event = \core\event\user_login_failed::create($eventdata);
                     $event->trigger();
-                    throw new \moodle_exception('errorauthloginfailednouser', 'auth_oidc', null, null, '1');
+                    throw new moodle_exception('errorauthloginfailednouser', 'auth_oidc', null, null, '1');
                 }
             }
 
@@ -543,7 +548,7 @@ protected function handlelogin($oidcuniqid, $authparams, $tokenparams, $idtoken)
                 redirect($CFG->wwwroot, get_string('errorauthgeneral', 'auth_oidc'), null, \core\output\notification::NOTIFY_ERROR);
             }
 
-            return true;
         }
+        return true;
     }
 }