Skip to content

Commit

Permalink
first commit
Browse files Browse the repository at this point in the history
  • Loading branch information
@fansaien
fansaien committed Jul 25, 2024
0 parents commit bb84612
Show file tree
Hide file tree
Showing 10 changed files with 572 additions and 0 deletions.
85 changes: 85 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
# Laravel Socialite Azure Active Directory Plugin

## Installation

`composer require metrogistics/laravel-azure-ad-oauth`

If you are using Laravel 5.5 or greater, the service provider will be detected and installed by Laravel automatically. Otherwise you will need to add the service provider and the facade (optional) to the `config/app.php` file:

```
Metrogistics\AzureSocialite\ServiceProvider::class,
// ...
'AzureUser' => Metrogistics\AzureSocialite\AzureUserFacade::class,
```

Publish the config and override any defaults:

```
php artisan vendor publish
```

Add the necessary env vars:

```
AZURE_AD_CLIENT_ID=XXXX
AZURE_AD_CLIENT_SECRET=XXXX
```

The only changes you should have to make to your application are:

* You will need to make the password field in the users table nullable.
* You will need to have a `VARCHAR` field on the users table that is 36 characters long to store the Azure AD ID for the user. The default name for the field is `azure_id` but that can be changed in the config file: `'user_id_field' => 'azure_id',`.

## Usage

All you need to do to make use of Azure AD SSO is to point a user to the `/login/microsoft` route (configurable) for login. Once a user has been logged in, they will be redirect to the home page (also configurable).

After login, you can access the basic Laravel authenticate user as normal:

```
auth()->user();
```

If you need to set additional user fields when the user model is created at login, you may provide a callback via the `UserFactory::userCallback()` method. A good place to do so would be in your AppServiceProvider's `boot` method:

```
\Metrogistics\AzureSocialite\UserFactory::userCallback(function($new_user){
$new_user->api_token = str_random(60);
});
```

## Azure AD Setup

1. Navigate to `Azure Active Directory` -> `App registrations`.
2. Create a new application
1. Choose a name
2. Select the "Web app / API" Application Type
3. Add the "Sign-on URL". This will typically be `https://domain.com/auth/login`
4. Click "Create"
3. Click into the newly created app.
4. The "Application ID" is what you will need for your `AZURE_AD_CLIENT_ID` env variable.
5. Click into "Reply URLs". You will need to whitelist the redirection path for your app here. It will typically be `https://domain.com/login/microsoft/callback`. Click "Save"
6. Select the permissions required for you app in the "Required permissions" tab.
7. Add any necessary roles to the manifest:
1. Click on the "Manifest" tab.
2. Add roles as necessary using the following format:

```
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Manager Role",
"id": "08b0e9e3-8d88-4d99-b630-b9642a70f51e",// Any unique GUID
"isEnabled": true,
"description": "Manage stuff with this role",
"value": "manager"
}
],
```
3. Click "Save"
8. In the "Keys" tab, enter a description (something like "App Secret"). Set Duration to "Never Expires". Click "Save". Copy the whole key. This will not show again. You will need this value for the `AZURE_AD_CLIENT_SECRET` env variable.
9. Click on the "Managed application" link (It will be the name of the application);
10. Under the "Properties" tab, enable user sign-in. Make user assignment required. Click "Save".
11. Under the "Users and groups" tab, add users and their roles as needed.
30 changes: 30 additions & 0 deletions composer.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
{
"name": "metrogistics/laravel-azure-ad-oauth",
"description": "Provides single-sign-on ability to Microsoft Azure Active Directory enabled apps.",
"require": {
"laravel/framework": ">5.4",
"laravel/socialite": ">3.0",
"guzzlehttp/guzzle": "^6.3"
},
"authors": [
{
"name": "Patrick Stephan",
"email": "[email protected]"
}
],
"autoload": {
"psr-4": {
"Metrogistics\\AzureSocialite\\": "src/"
}
},
"extra": {
"laravel": {
"providers": [
"Metrogistics\\AzureSocialite\\ServiceProvider"
],
"aliases": {
"AzureUser": "Metrogistics\\AzureSocialite\\AzureUserFacade"
}
}
}
}
45 changes: 45 additions & 0 deletions src/AuthController.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
<?php

namespace Metrogistics\AzureSocialite;

use Illuminate\Routing\Controller;
use Laravel\Socialite\Facades\Socialite;

class AuthController extends Controller
{
public function redirectToOauthProvider()
{
return Socialite::driver('azure-oauth')->redirect();
}

public function handleOauthResponse()
{
$user = Socialite::driver('azure-oauth')->user();

$authUser = $this->findOrCreateUser($user);

auth()->login($authUser, true);

// session([
// 'azure_user' => $user
// ]);

return redirect(
config('azure-oath.redirect_on_login')
);
}

protected function findOrCreateUser($user)
{
$user_class = config('azure-oath.user_class');
$authUser = $user_class::where(config('azure-oath.user_id_field'), $user->id)->first();

if ($authUser) {
return $authUser;
}

$UserFactory = new UserFactory();

return $UserFactory->convertAzureUser($user);
}
}
83 changes: 83 additions & 0 deletions src/AzureOauthProvider.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
<?php

namespace Metrogistics\AzureSocialite;

use Illuminate\Support\Arr;
use Laravel\Socialite\Two\User;
use Laravel\Socialite\Two\AbstractProvider;
use Laravel\Socialite\Two\ProviderInterface;

class AzureOauthProvider extends AbstractProvider implements ProviderInterface
{
const IDENTIFIER = 'AZURE_OAUTH';
protected $scopes = ['User.Read'];
protected $scopeSeparator = ' ';

protected function getAuthUrl($state)
{
return $this->buildAuthUrlFromBase('https://login.microsoftonline.com/common/oauth2/authorize', $state);
}

protected function getTokenUrl()
{
return 'https://login.microsoftonline.com/common/oauth2/token';
}

protected function getTokenFields($code)
{
return array_merge(parent::getTokenFields($code), [
'grant_type' => 'authorization_code',
'resource' => 'https://graph.microsoft.com',
]);
}

protected function getUserByToken($token)
{
$response = $this->getHttpClient()->get('https://graph.microsoft.com/v1.0/me/', [
'headers' => [
'Authorization' => 'Bearer '.$token,
],
]);

return json_decode($response->getBody(), true);
}

public function user()
{
if ($this->hasInvalidState()) {
throw new InvalidStateException;
}

$response = $this->getAccessTokenResponse($this->getCode());

$user = $this->mapUserToObject($this->getUserByToken(
$token = Arr::get($response, 'access_token')
));

$user->idToken = Arr::get($response, 'id_token');
$user->expiresAt = time() + Arr::get($response, 'expires_in');

return $user->setToken($token)
->setRefreshToken(Arr::get($response, 'refresh_token'));
}

protected function mapUserToObject(array $user)
{
return (new User())->setRaw($user)->map([
'id' => $user['id'],
'name' => $user['displayName'],
'email' => $user['mail'],

'businessPhones' => $user['businessPhones'],
'displayName' => $user['displayName'],
'givenName' => $user['givenName'],
'jobTitle' => $user['jobTitle'],
'mail' => $user['mail'],
'mobilePhone' => $user['mobilePhone'],
'officeLocation' => $user['officeLocation'],
'preferredLanguage' => $user['preferredLanguage'],
'surname' => $user['surname'],
'userPrincipalName' => $user['userPrincipalName'],
]);
}
}
71 changes: 71 additions & 0 deletions src/AzureUser.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
<?php

namespace Metrogistics\AzureSocialite;

use GuzzleHttp\Client;
use Laravel\Socialite\Facades\Socialite;

class AzureUser
{
protected $user;

public function __construct($user)
{
$this->user = $user;
}

public function get()
{
$this->user->setExpiresIn($this->user->expiresAt - time());

return $this->user;
}

public function roles()
{
$tokens = explode('.', $this->user->idToken);

return json_decode(static::urlsafeB64Decode($tokens[1]))->roles;
}

public static function urlsafeB64Decode($input)
{
$remainder = strlen($input) % 4;

if ($remainder) {
$padlen = 4 - $remainder;
$input .= str_repeat('=', $padlen);
}

return base64_decode(strtr($input, '-_', '+/'));
}

public function refreshAccessToken()
{
$guzzle = new Client();

$response = $guzzle->post('https://login.microsoftonline.com/common/oauth2/token', [
'form_params' => [
'client_id' => config('azure-oath.credentials.client_id'),
'scope' => 'user.read',
'refresh_token' => $this->get()->refreshToken,
'redirect_uri' => config('azure-oath.credentials.redirect'),
'grant_type' => 'refresh_token',
'client_secret' => config('azure-oath.credentials.client_secret')
]
]);

$token_response = json_decode($response->getBody());

$this->user->token = $token_response->access_token;
$this->user->refreshToken = $token_response->refresh_token;
$this->user->expiresAt = $token_response->expires_on;
$this->user->expiresIn = $token_response->expires_in;

session([
'azure_user' => $this->user
]);

return $this->get();
}
}
13 changes: 13 additions & 0 deletions src/AzureUserFacade.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<?php

namespace Metrogistics\AzureSocialite;

use Illuminate\Support\Facades\Facade;

class AzureUserFacade extends Facade
{
protected static function getFacadeAccessor()
{
return 'azure-user';
}
}
Loading

0 comments on commit bb84612

Please sign in to comment.