provide generic logout for sso auth plugins, fixes #3624

Closes #3624 Merge request studip/studip!3345

provide generic logout for sso auth plugins, fixes #3624
98e521ee · Jan-Hendrik Willms · 1a938fd7 · 98e521ee · 98e521ee · 98e521ee
Commit 98e521ee authored 6 months ago by Jan-Hendrik Willms
--- a/config/config_defaults.inc.php
+++ b/config/config_defaults.inc.php
@@ -368,15 +368,19 @@ $STUDIP_AUTH_CONFIG_LTI = [
    ]
 ];
-$STUDIP_AUTH_CONFIG_SHIB = array("session_initiator" => "https://sp.studip.de/Shibboleth.sso/WAYF/DEMO",
+$STUDIP_AUTH_CONFIG_SHIB = [
-                                        "validate_url" => "https://sp.studip.de/auth/studip-sp.php",
+    'session_initiator' => 'https://sp.studip.de/Shibboleth.sso/WAYF/DEMO',
-                                        "local_domain" => "studip.de",
+    'validate_url'      => 'https://sp.studip.de/auth/studip-sp.php',
-                                        "user_data_mapping" =>
+    'logout_url'        => 'https://sp.studip.de/Shibboleth.sso/Logout',
-                                                array(  "auth_user_md5.username" => array("callback" => "dummy", "map_args" => ""),
+    'local_domain'      => 'studip.de',
-                                                        "auth_user_md5.password" => array("callback" => "dummy", "map_args" => ""),
+    'user_data_mapping' => [
-                                                        "auth_user_md5.Vorname" => array("callback" => "getUserData", "map_args" => "givenname"),
+        'auth_user_md5.username' => ['callback' => 'dummy', 'map_args' => ''],
-                                                        "auth_user_md5.Nachname" => array("callback" => "getUserData", "map_args" => "surname"),
+        'auth_user_md5.password' => ['callback' => 'dummy', 'map_args' => ''],
-                                                        "auth_user_md5.Email" => array("callback" => "getUserData", "map_args" => "email")));
+        'auth_user_md5.Vorname'  => ['callback' => 'getUserData', 'map_args' => 'givenname'],
+        'auth_user_md5.Nachname' => ['callback' => 'getUserData', 'map_args' => 'surname'],
+        'auth_user_md5.Email'    => ['callback' => 'getUserData', 'map_args' => 'email']
+    ],
+];
 $STUDIP_AUTH_CONFIG_IP = array('allowed_users' =>
    array ('root' => array('127.0.0.1', '::1')));

--- a/lib/classes/auth_plugins/StudipAuthCAS.php
+++ b/lib/classes/auth_plugins/StudipAuthCAS.php
@@ -80,7 +80,7 @@ class StudipAuthCAS extends StudipAuthSSO
        return $this->userdata->getUserData($key, phpCAS::getUser());
    }
-    function logout()
+    public function logout(): void
    {
        // do a global cas logout
        phpCAS::client(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);

--- a/lib/classes/auth_plugins/StudipAuthOIDC.php
+++ b/lib/classes/auth_plugins/StudipAuthOIDC.php
@@ -68,7 +68,6 @@ class StudipAuthOIDC extends StudipAuthSSO
     */
    public function verifyUsername($username)
    {
        $this->oidc->authenticate();
        $this->userdata = (array)$this->oidc->requestUserInfo();
        if (isset($this->userdata['sub'])) {
@@ -109,4 +108,9 @@ class StudipAuthOIDC extends StudipAuthSSO
    {
        return $this->userdata[$key];
    }
+    public function logout(): void
+    {
+        $this->oidc->signOut($this->oidc->getIdToken(), null);
+    }
 }
--- a/lib/classes/auth_plugins/StudipAuthSSO.php
+++ b/lib/classes/auth_plugins/StudipAuthSSO.php
@@ -36,7 +36,7 @@ abstract class StudipAuthSSO extends StudipAuthAbstract
     * Check whether this user can be authenticated. The default
     * implementation just checks whether $username is not empty.
     */
-    function isAuthenticated ($username, $password)
+    public function isAuthenticated ($username, $password)
    {
        return !empty($username);
    }
@@ -44,8 +44,15 @@ abstract class StudipAuthSSO extends StudipAuthAbstract
    /**
     * SSO auth plugins cannot determine if a username is used.
     */
-    function isUsedUsername ($username)
+    public function isUsedUsername ($username)
    {
        return false;
    }
+    /**
+     * Use this to log out the user
+     */
+    public function logout(): void
+    {
+    }
 }
--- a/lib/classes/auth_plugins/StudipAuthShib.php
+++ b/lib/classes/auth_plugins/StudipAuthShib.php
@@ -18,6 +18,7 @@ class StudipAuthShib extends StudipAuthSSO
    public $local_domain;
    public $session_initiator;
    public $validate_url;
+    public ?string $logout_url = null;
    public $userdata;
    public $username_attribute = 'username';
@@ -136,4 +137,12 @@ class StudipAuthShib extends StudipAuthSSO
        return $data[0];
    }
+    public function logout(): void
+    {
+        if (!empty($this->logout_url)) {
+            header('Location: ' . URLHelper::getURL($this->logout_url, ['return' => Request::url()]));
+            exit();
+        }
+    }
 }
--- a/public/logout.php
+++ b/public/logout.php
@@ -42,12 +42,10 @@ if ($auth->auth['uid'] !== 'nobody') {
    $_language = $_SESSION['_language'];
    $contrast = UserConfig::get($GLOBALS['user']->id)->USER_HIGH_CONTRAST;
-    // TODO this needs to be generalized or removed
+    // Get auth plugin of user before logging out since the $auth object will
-    //erweiterung cas
+    // be modified by the logout
-    if ($auth->auth['auth_plugin'] === 'cas') {
+    $auth_plugin = StudipAuthAbstract::getInstance($auth->auth['auth_plugin']);
-        $casauth = StudipAuthAbstract::GetInstance('cas');
-        $docaslogout = true;
-    }
    //Logout aus dem Sessionmanagement
    $auth->logout();
    $sess->delete();
@@ -58,10 +56,11 @@ if ($auth->auth['uid'] !== 'nobody') {
    $timeout=(time()-(15 * 60));
    $user->set_last_action($timeout);
-    //der logout() Aufruf fuer CAS (dadurch wird das Cookie (Ticket) im Browser zerstoert)
+    // Perform logout from auth plugin (if possible)
-    if (!empty($docaslogout)) {
+    if ($auth_plugin instanceof StudipAuthSSO) {
-        $casauth->logout();
+        $auth_plugin->logout();
    }
    $sess->start();
    $_SESSION['_language'] = $_language;
    if ($contrast) {