src/Security/KeycloakAuthenticator.php line 133

Open in your IDE?
  1. <?php
  3. namespace App\Security;
  5. use App\Security\Dto\TokensBag;
  6. use App\Security\Exception\OpenIdServerException;
  7. use App\Service\KeycloakApiService;
  8. use App\Security\Exception\InvalidStateException;
  9. use App\Utils\JwtUtils;
  10. use Doctrine\ORM\EntityManagerInterface;
  11. use Psr\Log\LoggerInterface;
  12. use Ramsey\Uuid\Uuid;
  13. use LogicException;
  14. use RuntimeException;
  15. use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
  16. use Symfony\Component\HttpFoundation\RedirectResponse;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpFoundation\RequestStack;
  19. use Symfony\Component\HttpFoundation\Response;
  20. use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
  21. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  22. use Symfony\Component\Routing\RouterInterface;
  23. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  24. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  25. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  26. use Symfony\Component\Security\Core\Exception\UserNotFoundException;
  27. use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
  28. use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
  29. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
  30. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  31. use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
  32. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  33. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PreAuthenticatedUserBadge;
  36. class KeycloakAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterfaceInteractiveAuthenticatorInterface
  37. {
  38.     use JwtUtils;
  40.     private const STATE_QUERY_KEY 'state';
  41.     private const STATE_SESSION_KEY 'openid_state';
  42.     public const LOGIN_ROUTE 'login';
  43.     public const OIDC_LOGIN_ROUTE 'oidc_redirect_uri';
  45.     private EntityManagerInterface $em;
  46.     private RouterInterface $router;
  47.     private UrlGeneratorInterface $urlGenerator;
  48.     private KeycloakApiService $keycloakApiService;
  49.     private ParameterBagInterface $param;
  50.     private RequestStack $requestStack;
  51.     private LoggerInterface $logger;
  52.     private string $clientId;
  53.     private string $keycloakRealmName;
  54.     private string $authorizationEndpoint;
  56.     public function __construct(
  57.         RouterInterface $router,
  58.         KeycloakApiService $keycloakApiService,
  59.         UrlGeneratorInterface $urlGenerator,
  60.         ParameterBagInterface $param,
  61.         RequestStack $requestStack,
  62.         LoggerInterface $logger,
  63.     ) {
  64.         $this->router $router;
  65.         $this->keycloakApiService $keycloakApiService;
  66.         $this->urlGenerator $urlGenerator;
  67.         $this->param $param;
  68.         $this->requestStack $requestStack;
  69.         $this->logger $logger;
  70.         $this->clientId $this->param->get('keycloak_client_id');
  71.         $this->keycloakRealmName $this->param->get('keycloak_realms_name');
  72.         $this->authorizationEndpoint $this->param->get('keycloak_app_url');
  73.     }
  75.     public function supports(Request $request): ?bool
  76.     {
  78.         return $request->request->get('Refresh-Token') ??
  79.             ($request->attributes->get('_route') === self::OIDC_LOGIN_ROUTE
  80.                 || $request->attributes->get('_route') === self::LOGIN_ROUTE);
  81.     }
  83.     public function authenticate(Request $request): Passport
  84.     {
  85.         // Vérifiez s'il y a des tokens dans les en-têtes HTTP
  86.         $accessToken $request->request->get('Authorization');
  87.         $refreshToken $request->request->get('Refresh-Token');
  89.         $session $request->getSession();
  91.         if ($request->request->has('Refresh-Token')) {
  92.             $this->removeOidcSession($session);
  94.             $session->set('oidc_access_token'$accessToken);
  95.             $session->set('oidc_refresh_token'$refreshToken);
  97.             $expirationTime $this->getExpirationTime($accessToken);
  99.             if ($expirationTime time()) {
  100.                 throw new UserNotFoundException('Session utilisateur expirée.');
  101.             }
  103.             setcookie("celaneo_access_token"""time() - 3600);
  104.             setcookie("celaneo_refresh_token"""time() - 3600);
  106.             setcookie("celaneo_access_token"$accessTokentime() + $expirationTime);
  108.             $session->set('oidc_expires_token'$expirationTime);
  110.             $decoded $this->keycloakApiService->getPublicKey($accessToken);
  111.             if (array_key_exists('email', (array)$decoded) && $expirationTime time()) {
  112.                 $email $decoded->email;
  113.                 $userBadge = new UserBadge($email);
  115.                 // Retournez un Passport avec l'utilisateur validé
  116.                 $passport = new SelfValidatingPassport($userBadge, [new PreAuthenticatedUserBadge()]);
  118.                 $passport->setAttribute(TokensBag::class, new TokensBag($session->get('oidc_access_token')
  119.                     ?? null$session->get('oidc_refresh_token')));
  121.                 return $passport;
  123.             } else {
  124.                 throw new UserNotFoundException('Unauthorized access');
  125.             }
  126.         }
  128.         // Si aucun token valide n'est trouvé dans les en-têtes HTTP, suivre le flux OIDC habituel
  129.         $sessionState $session->get(self::STATE_SESSION_KEY);
  130.         $queryState $request->get(self::STATE_QUERY_KEY);
  132.         if ($queryState === null || $queryState !== $sessionState) {
  133.             throw new InvalidStateException(sprintf(
  134.                 'query state (%s) is not the same as session state (%s)',
  135.                 $queryState ?? 'NULL',
  136.                 $sessionState ?? 'NULL',
  137.             ));
  138.         }
  140.         $session->remove(self::STATE_SESSION_KEY);
  142.         try {
  143.             $response $this->keycloakApiService->getTokenFromAuthorizationCode($request->query->get('code'''));
  144.         } catch (HttpExceptionInterface $e) {
  145.             throw new OpenIdServerException(sprintf(
  146.                 'Bad status code returned by openID server (%s)',
  147.                 $e->getStatusCode(),
  148.             ), previous$e);
  149.         }
  151.         $responseData json_decode($responsetrue);
  153.         if (false === $responseData) {
  154.             throw new OpenIdServerException(sprintf('Can\'t parse json in response: %s'$response));
  155.         }
  157.         $jwtToken $responseData['id_token'] ?? null;
  158.         if (null === $jwtToken) {
  159.             throw new OpenIdServerException(sprintf('No access token found in response %s'$response));
  160.         }
  162.         $refreshToken $responseData['refresh_token'] ?? null;
  163.         if (null === $refreshToken) {
  164.             throw new RuntimeException(sprintf('No refresh token found in response %s'$response));
  165.         }
  167.         $decoded $this->keycloakApiService->getPublicKey($responseData['access_token']);
  169.         if (array_key_exists('email', (array)$decoded)) {
  170.             $email $decoded->email;
  171.             $this->removeOidcSession($session);
  173.             $session->set('oidc_access_token'$responseData['access_token']);
  174.             $session->set('oidc_refresh_token'$responseData['refresh_token']);
  175.             $session->set('oidc_expires_token'$responseData['expires_in']);
  176.             $session->set('oidc_expires_refresh_token'$responseData['refresh_expires_in']);
  178.             setcookie("celaneo_access_token"""time() - 3600);
  179.             setcookie("celaneo_refresh_token"""time() - 3600);
  181.             setcookie("celaneo_access_token"$responseData['access_token'], time() + $responseData['expires_in']);
  182.             setcookie("celaneo_refresh_token"$responseData['refresh_token'], time() + $responseData['refresh_expires_in']);
  184.             $this->logger->info(">>>>>>>>>>>>>>>>>> 1er ACCESS TOKEN LORS DE LA CONNEXION >>>>>>>>>>>>>>>>>>");
  185.             $this->logger->debug($responseData['access_token']);
  186.             $this->logger->info("<<<<<<<<<<<<<<<<<< 1er ACCESS TOKEN LORS DE LA CONNEXION <<<<<<<<<<<<<<<<<<");
  188.             $this->logger->info(">>>>>>>>>>>>>>>>>> 1er REFRESH TOKEN LORS DE LA CONNEXION >>>>>>>>>>>>>>>>>>");
  189.             $this->logger->debug($responseData['refresh_token']);
  190.             $this->logger->info("<<<<<<<<<<<<<<<<<< 1er REFRESH TOKEN LORS DE LA CONNEXION <<<<<<<<<<<<<<<<<<");
  192.             $this->requestStack->getCurrentRequest()->attributes->set('_app_jwt_expires'$responseData['expires_in']);
  194.             $userBadge = new UserBadge($email);
  196.             $passport = new SelfValidatingPassport($userBadge, [new PreAuthenticatedUserBadge()]);
  198.             $passport->setAttribute(TokensBag::class, new TokensBag($session->get('oidc_access_token')
  199.                 ?? null$session->get('oidc_refresh_token')));
  201.             return $passport;
  203.         } else {
  204.             throw new UserNotFoundException('Unauthorized access');
  205.         }
  206.     }
  208.     public function onAuthenticationSuccess(Request $requestTokenInterface $tokenstring $providerKey): RedirectResponse
  209.     {
  210.         $this->logger->info("User connexion success");
  212.         return new RedirectResponse($this->urlGenerator->generate('home'));
  213.     }
  215.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception): Response
  216.     {
  217.         $this->logger->info("User connexion failed");
  219.         $request->getSession()->getFlashBag()->add(
  220.             'error',
  221.             'An authentication error occured',
  222.         );
  224.         if ($request->attributes->get('_route') != 'login' ||
  225.             $request->attributes->get('_route') == 'oidc_redirect_uri') {
  226.             return new RedirectResponse($this->urlGenerator->generate('user_not_found'));
  227.         }
  229.         return new RedirectResponse($this->urlGenerator->generate('logout'));
  230.     }
  232.     public function start(Request $requestAuthenticationException $authException null): Response
  233.     {
  234.         if ($request->request->has('Refresh-Token')) {
  236.             $refreshToken $request->request->get('Refresh-Token');
  238.             $response $this->keycloakApiService->getTokenFromRefreshToken($refreshToken);
  239.             $responseData json_decode($responsetrue);
  241.             $session $request->getSession();
  242.             $session->remove('refresh_con');
  243.             $session->set('refresh_con'$responseData['refresh_token']);
  245.             return new RedirectResponse($this->urlGenerator->generate('home'));
  246.         } else {
  247.             $scheme $request->getScheme();
  248.             $uri $scheme ':' $this->urlGenerator->generate('oidc_redirect_uri', [], UrlGeneratorInterface::NETWORK_PATH);
  250.             $state Uuid::uuid4()->toString();
  251.             $request->getSession()->set(self::STATE_SESSION_KEY$state);
  253.             $qs http_build_query([
  254.                 'client_id' => $this->clientId,
  255.                 'response_type' => 'code',
  256.                 'state' => $state,
  257.                 'scope' => "openid roles profile email",
  258.                 'redirect_uri' => $uri,
  259.             ]);
  261.             return new RedirectResponse(sprintf("%s/realms/%s/protocol/openid-connect/auth?%s",
  262.                 $this->authorizationEndpoint$this->keycloakRealmName$qs));
  263.         }
  264.     }
  266.     public function createToken(Passport $passportstring $firewallName): TokenInterface
  267.     {
  268.         $token parent::createToken($passport$firewallName);
  270.         $currentRequest $this->requestStack->getCurrentRequest();
  272.         if (null === $currentRequest) {
  273.             throw new LogicException(sprintf('%s can only be used in an http context'__CLASS__));
  274.         }
  276.         $jwtExpires $currentRequest->attributes->get('_app_jwt_expires');
  277.         if (null === $jwtExpires) {
  278.             throw new \LogicException('Missing _app_jwt_expires in the session');
  279.         }
  281.         $currentRequest->attributes->remove('_app_jwt_expires');
  283.         $tokens $passport->getAttribute(TokensBag::class);
  285.         if (null === $tokens) {
  286.             throw new \LogicException(sprintf('Can\'t find %s in passport attributes'TokensBag::class));
  287.         }
  289.         $token->setAttribute(TokensBag::class, $tokens->withExpiration($jwtExpires));
  291.         return $token;
  292.     }
  294.     public function isInteractive(): bool
  295.     {
  296.         return true;
  297.     }
  299.     public function removeOidcSession($session)
  300.     {
  301.         $session->remove('oidc_access_token');
  302.         $session->remove('oidc_refresh_token');
  303.         $session->remove('oidc_expires_token');
  304.         $session->remove('oidc_expires_refresh_token');
  305.     }
  306. }