From 8617b46d679132f465053c84080156009fc58553 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+github@gmail.com>
Date: Fri, 30 Aug 2024 16:29:46 +0200
Subject: [PATCH] provide generic logout for sso auth plugins, fixes #3624

---
 lib/classes/auth_plugins/StudipAuthCAS.php  |  2 +-
 lib/classes/auth_plugins/StudipAuthOIDC.php |  6 +++++-
 lib/classes/auth_plugins/StudipAuthSSO.php  | 11 +++++++++--
 public/logout.php                           | 14 +++++---------
 4 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/lib/classes/auth_plugins/StudipAuthCAS.php b/lib/classes/auth_plugins/StudipAuthCAS.php
index 29deb75bfc7..129cbd5aa81 100644
--- a/lib/classes/auth_plugins/StudipAuthCAS.php
+++ b/lib/classes/auth_plugins/StudipAuthCAS.php
@@ -80,7 +80,7 @@ class StudipAuthCAS extends StudipAuthSSO
         return $this->userdata->getUserData($key, phpCAS::getUser());
     }
 
-    function logout()
+    public function logout(): void
     {
         // do a global cas logout
         phpCAS::client(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
diff --git a/lib/classes/auth_plugins/StudipAuthOIDC.php b/lib/classes/auth_plugins/StudipAuthOIDC.php
index b26c17b0f94..1c77cb4791f 100644
--- a/lib/classes/auth_plugins/StudipAuthOIDC.php
+++ b/lib/classes/auth_plugins/StudipAuthOIDC.php
@@ -68,7 +68,6 @@ class StudipAuthOIDC extends StudipAuthSSO
      */
     public function verifyUsername($username)
     {
-
         $this->oidc->authenticate();
         $this->userdata = (array)$this->oidc->requestUserInfo();
         if (isset($this->userdata['sub'])) {
@@ -109,4 +108,9 @@ class StudipAuthOIDC extends StudipAuthSSO
     {
         return $this->userdata[$key];
     }
+
+    public function logout(): void
+    {
+        $this->oidc->signOut($this->oidc->getIdToken(), null);
+    }
 }
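Review bot: `logout()` passes `$this->oidc->getIdToken()` to `signOut()`, but nothing visible in this patch runs `authenticate()` on the client during a logout request, so the token is probably null unless it is persisted at login and restored elsewhere. A provider that receives an end-session request without an `id_token_hint` may show a confirmation prompt or ignore the request, which leaves the provider session alive and lets the next person on a shared browser be signed straight back in. Consider keeping the token obtained in `verifyUsername()` and reading it back here, and state the dependency in a docblock such as `/** Ends the session at the OpenID provider; needs the ID token issued at login. */`. Passing `null` as the second argument also requests no post-logout redirect, so the user presumably ends up on the provider's page rather than back in the application.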
diff --git a/lib/classes/auth_plugins/StudipAuthSSO.php b/lib/classes/auth_plugins/StudipAuthSSO.php
index dd6af11387b..2cb0e146ae9 100644
--- a/lib/classes/auth_plugins/StudipAuthSSO.php
+++ b/lib/classes/auth_plugins/StudipAuthSSO.php
@@ -36,7 +36,7 @@ abstract class StudipAuthSSO extends StudipAuthAbstract
      * Check whether this user can be authenticated. The default
      * implementation just checks whether $username is not empty.
      */
-    function isAuthenticated ($username, $password)
+    public function isAuthenticated ($username, $password)
     {
         return !empty($username);
     }
@@ -44,8 +44,15 @@ abstract class StudipAuthSSO extends StudipAuthAbstract
     /**
      * SSO auth plugins cannot determine if a username is used.
      */
-    function isUsedUsername ($username)
+    public function isUsedUsername ($username)
     {
         return false;
     }
+
+    /**
+     * Use this to log out the user
+     */
+    public function logout(): void
+    {
+    }
 }
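Review bot: The docblock `Use this to log out the user` on the new `logout()` does not say which logout is meant, nor that the default implementation does nothing. A subclass that never overrides it ends only the local session while the identity-provider session stays valid, and nothing here makes that visible to plugin authors. I would spell out the contract, for example `Terminate the session at the identity provider (single logout). The default is a no-op; implementations may redirect and not return.` Declaring the method `abstract` would force every plugin to decide explicitly, but it would break existing third-party SSO plugins, so that is a trade-off to weigh.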
diff --git a/public/logout.php b/public/logout.php
index 2f8fcd8c58e..0c5d6c81f0f 100644
--- a/public/logout.php
+++ b/public/logout.php
@@ -42,12 +42,6 @@ if ($auth->auth['uid'] !== 'nobody') {
     $_language = $_SESSION['_language'];
     $contrast = UserConfig::get($GLOBALS['user']->id)->USER_HIGH_CONTRAST;
 
-    // TODO this needs to be generalized or removed
-    //erweiterung cas
-    if ($auth->auth['auth_plugin'] === 'cas') {
-        $casauth = StudipAuthAbstract::GetInstance('cas');
-        $docaslogout = true;
-    }
     //Logout aus dem Sessionmanagement
     $auth->logout();
     $sess->delete();
@@ -58,10 +52,12 @@ if ($auth->auth['uid'] !== 'nobody') {
     $timeout=(time()-(15 * 60));
     $user->set_last_action($timeout);
 
-    //der logout() Aufruf fuer CAS (dadurch wird das Cookie (Ticket) im Browser zerstoert)
-    if (!empty($docaslogout)) {
-        $casauth->logout();
+    // Perform logout from auth plugin (if possible)
+    $auth_plugin = StudipAuthAbstract::getInstance($auth->auth['auth_plugin']);
+    if ($auth_plugin instanceof StudipAuthSSO) {
+        $auth_plugin->logout();
     }
+
     $sess->start();
     $_SESSION['_language'] = $_language;
     if ($contrast) {
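Review bot: `$auth->auth['auth_plugin']` is now read after `$auth->logout()` and `$sess->delete()` have run (both in the previous hunk), whereas the removed CAS code checked it before them. If `$auth->logout()` clears the auth array (not visible in this patch), `getInstance()` receives an empty name, the `instanceof StudipAuthSSO` test fails silently and the identity-provider session is never ended. Capturing the name first avoids that dependency: add `$auth_plugin_name = $auth->auth['auth_plugin'] ?? null;` before `$auth->logout();` and pass `$auth_plugin_name` to `getInstance()` here. A plugin whose `logout()` redirects will also skip the `$sess->start()` and language restore that follow, which may deserve a comment. The enclosing `if` block starts before this hunk and continues past it.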
-- 
GitLab