src/Security/KeycloakAuthenticator.php line 197

Open in your IDE?
  1. <?php
  3. namespace App\Security;
  5. use App\Security\Dto\TokensBag;
  6. use App\Security\Exception\OpenIdServerException;
  7. use App\Service\KeycloakApiService;
  8. use App\Specification\KeycloakModeUsed;
  9. use App\Specification\SimmtLoginPageModeUsed;
  10. use Doctrine\ORM\EntityManagerInterface;
  11. use App\Security\Exception\InvalidStateException;
  12. use Psr\Log\LoggerInterface;
  13. use Ramsey\Uuid\Uuid;
  14. use LogicException;
  15. use RuntimeException;
  16. use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
  17. use Symfony\Component\HttpFoundation\RedirectResponse;
  18. use Symfony\Component\HttpFoundation\Request;
  19. use Symfony\Component\HttpFoundation\RequestStack;
  20. use Symfony\Component\HttpFoundation\Response;
  21. use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
  22. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  23. use Symfony\Component\Routing\RouterInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  25. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  26. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  27. use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
  28. use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
  29. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
  30. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  31. use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
  32. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  33. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PreAuthenticatedUserBadge;
  36. class KeycloakAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterfaceInteractiveAuthenticatorInterface
  37. {
  38.     private const STATE_QUERY_KEY 'state';
  39.     private const STATE_SESSION_KEY 'openid_state';
  40.     public const LOGIN_ROUTE 'login';
  41.     public const OIDC_LOGIN_ROUTE 'oidc_redirect_uri';
  43.     private EntityManagerInterface $em;
  44.     private RouterInterface $router;
  45.     private UrlGeneratorInterface $urlGenerator;
  46.     private KeycloakApiService $keycloakApiService;
  47.     private ParameterBagInterface $param;
  48.     private RequestStack $requestStack;
  49.     private LoggerInterface $logger;
  50.     private string $clientId;
  51.     private string $keycloakRealmName;
  52.     private string $authorizationEndpoint;
  54.     public function __construct(
  55.         RouterInterface $router,
  56.         KeycloakApiService $keycloakApiService,
  57.         UrlGeneratorInterface $urlGenerator,
  58.         ParameterBagInterface $param,
  59.         RequestStack $requestStack,
  60.         LoggerInterface $logger,
  61.     ) {
  62.         $this->router $router;
  63.         $this->keycloakApiService $keycloakApiService;
  64.         $this->urlGenerator $urlGenerator;
  65.         $this->param $param;
  66.         $this->requestStack $requestStack;
  67.         $this->logger $logger;
  68.         $this->clientId $this->param->get('simmt_keycloak_client_id');
  69.         $this->keycloakRealmName $this->param->get('simmt_keycloak_realms_name');
  70.         $this->authorizationEndpoint $this->param->get('simmt_keycloak_app_url');
  71.     }
  73.     public function supports(Request $request): ?bool
  74.     {
  75.         if (SimmtLoginPageModeUsed::isSatisfiedBy($this->param)) {
  76.             return self::LOGIN_ROUTE === $request->attributes->get('_route')
  77.                 && $request->isMethod('POST');
  78.         }
  80.         return ($request->attributes->get('_route') === self::OIDC_LOGIN_ROUTE
  81.             || $request->attributes->get('_route') === self::LOGIN_ROUTE);
  82.     }
  84.     public function authenticate(Request $request): Passport
  85.     {
  86.         $sessionState $request->getSession()->get(self::STATE_SESSION_KEY);
  87.         $queryState $request->get(self::STATE_QUERY_KEY);
  88.         if ($queryState === null || $queryState !== $sessionState) {
  89.             throw new InvalidStateException(sprintf(
  90.                 'query state (%s) is not the same as session state (%s)',
  91.                 $queryState ?? 'NULL',
  92.                 $sessionState ?? 'NULL',
  93.             ));
  94.         }
  96.         $request->getSession()->remove(self::STATE_SESSION_KEY);
  97.         try {
  98.             $response $this->keycloakApiService->getTokenFromAuthorizationCode($request->query->get('code'''));
  99.         } catch (HttpExceptionInterface $e) {
  100.             throw new OpenIdServerException(sprintf(
  101.                 'Bad status code returned by openID server (%s)',
  102.                 $e->getStatusCode(),
  103.             ), previous$e);
  104.         }
  106.         $responseData json_decode($responsetrue);
  107.         if (false === $responseData) {
  108.             throw new OpenIdServerException(sprintf('Can\'t parse json in response: %s'$response));
  109.         }
  111.         $jwtToken $responseData['id_token'] ?? null;
  112.         if (null === $jwtToken) {
  113.             throw new OpenIdServerException(sprintf('No access token found in response %s'$response));
  114.         }
  116.         $refreshToken $responseData['refresh_token'] ?? null;
  117.         if (null === $refreshToken) {
  118.             throw new RuntimeException(sprintf('No refresh token found in response %s'$response));
  119.         }
  121.         $decoded $this->keycloakApiService->getPublicKey($responseData['access_token']);
  123.         if (array_key_exists('email', (array)$decoded)) {
  124.             $email $decoded->email;
  126.             $session $request->getSession();
  128.             $session->remove('oidc_access_token');
  129.             $session->remove('oidc_refresh_token');
  130.             $session->remove('oidc_expires_token');
  131.             $session->remove('oidc_expires_refresh_token');
  132.             $session->set('oidc_access_token'$responseData['access_token']);
  133.             $session->set('oidc_refresh_token'$responseData['refresh_token']);
  134.             $session->set('oidc_expires_token'$responseData['expires_in']);
  135.             $session->set('oidc_expires_refresh_token'$responseData['refresh_expires_in']);
  137.             $this->logger->info(">>>>>>>>>>>>>>>>>> 1er ACCESS TOKEN LORS DE LA CONNEXION >>>>>>>>>>>>>>>>>>");
  138.             $this->logger->debug($responseData['access_token']);
  139.             $this->logger->info("<<<<<<<<<<<<<<<<<< 1er ACCESS TOKEN LORS DE LA CONNEXION <<<<<<<<<<<<<<<<<<");
  141.             $this->logger->info(">>>>>>>>>>>>>>>>>> 1er REFRESH TOKEN LORS DE LA CONNEXION >>>>>>>>>>>>>>>>>>");
  142.             $this->logger->debug($responseData['refresh_token']);
  143.             $this->logger->info("<<<<<<<<<<<<<<<<<< 1er REFRESH TOKEN LORS DE LA CONNEXION <<<<<<<<<<<<<<<<<<");
  145.             $this->requestStack->getCurrentRequest()->attributes->set('_app_jwt_expires'$responseData['expires_in']);
  147.             $userBadge = new UserBadge($email);
  149.             $passport = new SelfValidatingPassport($userBadge, [new PreAuthenticatedUserBadge()]);
  151.             $passport->setAttribute(TokensBag::class, new TokensBag($session->get('oidc_access_token')
  152.                 ?? null$session->get('oidc_refresh_token')));
  154.             return $passport;
  156.         } else {
  157.             throw new AccessDeniedException('Unauthorized access');
  158.         }
  159.     }
  161.     public function onAuthenticationSuccess(Request $requestTokenInterface $tokenstring $providerKey): RedirectResponse
  162.     {
  163.         $this->logger->info("User connexion success");
  165.         return new RedirectResponse($this->urlGenerator->generate('home'));
  166.     }
  168.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception): Response
  169.     {
  170.         $this->logger->info("User connexion failed");
  172.         $request->getSession()->getFlashBag()->add(
  173.             'error',
  174.             'An authentication error occured',
  175.         );
  176.         $vistoryRedirect $this->param->get('vistory_redirect');
  178.         if (KeycloakModeUsed::isSatisfiedBy($this->param) &&
  179.             (($request->attributes->get('_route') != 'login' ||
  180.                 $request->attributes->get('_route') == 'oidc_redirect_uri') && $vistoryRedirect != 'true' )) {
  181.             return new RedirectResponse($this->urlGenerator->generate('user_not_found'));
  182.         }
  184.         return new RedirectResponse($this->urlGenerator->generate('logout'));
  185.     }
  187.     public function start(Request $requestAuthenticationException $authException null): Response
  188.     {
  189.         if (SimmtLoginPageModeUsed::isSatisfiedBy($this->param)) {
  190.             return new RedirectResponse($this->router->generate('login'));
  191.         }
  193.         $scheme $request->getScheme();
  194.         $uri $scheme ':' $this->urlGenerator->generate('oidc_redirect_uri', [], UrlGeneratorInterface::NETWORK_PATH);
  196.         $state =  Uuid::uuid4()->toString();
  197.         $request->getSession()->set(self::STATE_SESSION_KEY$state);
  199.         $qs http_build_query([
  200.             'client_id' => $this->clientId,
  201.             'response_type' => 'code',
  202.             'state' => $state,
  203.             'scope' => "openid roles profile email",
  204.             'redirect_uri' => $uri,
  205.         ]);
  207.         return new RedirectResponse(sprintf("%s/realms/%s/protocol/openid-connect/auth?%s",
  208.             $this->authorizationEndpoint$this->keycloakRealmName$qs));
  209.     }
  211.     public function createToken(Passport $passportstring $firewallName): TokenInterface
  212.     {
  213.         $token parent::createToken($passport$firewallName);
  215.         $currentRequest $this->requestStack->getCurrentRequest();
  217.         if (null === $currentRequest) {
  218.             throw new LogicException(sprintf('%s can only be used in an http context'__CLASS__));
  219.         }
  221.         $jwtExpires $currentRequest->attributes->get('_app_jwt_expires');
  222.         if (null === $jwtExpires) {
  223.             throw new \LogicException('Missing _app_jwt_expires in the session');
  224.         }
  226.         $currentRequest->attributes->remove('_app_jwt_expires');
  228.         $tokens $passport->getAttribute(TokensBag::class);
  230.         if (null === $tokens) {
  231.             throw new \LogicException(sprintf('Can\'t find %s in passport attributes'TokensBag::class));
  232.         }
  234.         $token->setAttribute(TokensBag::class, $tokens->withExpiration($jwtExpires));
  236.         return $token;
  237.     }
  239.     public function isInteractive(): bool
  240.     {
  241.         return true;
  242.     }
  243. }