SSO: Fix provider configuration to use KnpUOAuthClient defaults

Corrected provider parameters to align with default configuration values provided by the KnpUOAuthClient package

config/authentication.yaml

@@ -13,12 +13,6 @@ parameters:
                     urlAccessToken: ''
                     urlResourceOwnerDetails: ''
                     responseResourceOwnerId: 'sub'
-                    # accessTokenMethod: 'POST'
-                    # responseError: 'error'
-                    # responseCode: ''
-                    # scopeSeparator: ' '
-                    scopes:
-                        - openid
                 allow_create_new_users: true
                 allow_update_user_info: false
                 resource_owner_username_field: null
@@ -38,8 +32,7 @@ parameters:
                 title: 'Facebook'
                 client_id: ''
                 client_secret: ''
-                graph_api_version: 'v20.0'
-                redirect_params: { }
+                #graph_api_version: 'v20.0'
 
             keycloak:
                 enabled: false
@@ -48,26 +41,10 @@ parameters:
                 client_secret: ''
                 auth_server_url: ''
                 realm: ''
-                version: ''
-                encryption_algorithm: null
-                encryption_key_path: null
-                encryption_key: null
-                redirect_params: { }
+                #version: ''
 
             azure:
                 enabled: false
                 title: 'Azure'
                 client_id: ''
                 client_secret: ''
-                tenant: 'common'
-                client_certificate_private_key: ''
-                client_certificate_thumbprint: ''
-                url_login: 'https://login.microsoftonline.com/'
-                path_authorize: '/oauth2/authorize'
-                path_token: '/oauth2/token'
-                scope: {}
-                url_api: 'https://graph.windows.net/'
-                resource: null
-                api_version: '1.6'
-                auth_with_resource: true
-                default_end_point_version: '1.0'

config/packages/knpu_oauth2_client.yaml

@@ -5,6 +5,10 @@ knpu_oauth2_client:
             provider_class: League\OAuth2\Client\Provider\GenericProvider
             client_id: ''
             client_secret: ''
+            provider_options:
+                responseResourceOwnerId: 'sub'
+                scopes:
+                    - openid
             redirect_route: chamilo.oauth2_generic_check
 
         facebook:
@@ -12,25 +16,20 @@ knpu_oauth2_client:
             client_id: ''
             client_secret: ''
             redirect_route: chamilo.oauth2_facebook_check
-            graph_api_version: ''
-            redirect_params: { }
+            graph_api_version: 'v20.0'
 
         keycloak:
             type: keycloak
             client_id: ''
             client_secret: ''
             redirect_route: chamilo.oauth2_keycloak_check
-            redirect_params: { }
             auth_server_url: null
             realm: null
 
         azure:
             type: azure
             client_id: ''
-            # a route name you'll create
             redirect_route: chamilo.oauth2_azure_check
-            redirect_params: { }
-            # The shared client secret if you don't use a certificate
             client_secret: ' '
 
         # configure your clients as described here: https://github.com/knpuniversity/oauth2-client-bundle#configuration

src/CoreBundle/Decorator/OAuth2ProviderFactoryDecorator.php

@@ -7,9 +7,7 @@ declare(strict_types=1);
 namespace Chamilo\CoreBundle\Decorator;
 
 use Chamilo\CoreBundle\ServiceHelper\AuthenticationConfigHelper;
-use KnpU\OAuth2ClientBundle\DependencyInjection\KnpUOAuth2ClientExtension;
 use KnpU\OAuth2ClientBundle\DependencyInjection\ProviderFactory;
-use KnpU\OAuth2ClientBundle\KnpUOAuth2ClientBundle;
 use League\OAuth2\Client\Provider\AbstractProvider;
 use League\OAuth2\Client\Provider\Facebook;
 use League\OAuth2\Client\Provider\GenericProvider;
@@ -34,23 +32,31 @@ readonly class OAuth2ProviderFactoryDecorator
         array $redirectParams = [],
         array $collaborators = []
     ): AbstractProvider {
-        $options = match ($class) {
-            GenericProvider::class => $this->getProviderOptions('generic'),
-            Facebook::class => $this->getProviderOptions('facebook'),
-            Keycloak::class => $this->getProviderOptions('keycloak'),
-            Azure::class => $this->getProviderOptions('azure'),
+        $customConfig = match ($class) {
+            GenericProvider::class => $this->authenticationConfigHelper->getProviderConfig('generic'),
+            Facebook::class => $this->authenticationConfigHelper->getProviderConfig('facebook'),
+            Keycloak::class => $this->authenticationConfigHelper->getProviderConfig('keycloak'),
+            Azure::class => $this->authenticationConfigHelper->getProviderConfig('azure'),
         };
 
-        return $this->inner->createProvider($class, $options, $redirectUri, $redirectParams, $collaborators);
-    }
-
-    private function getProviderOptions(string $providerName): array
-    {
-        /** @var KnpUOAuth2ClientExtension $extension */
-        $extension = (new KnpUOAuth2ClientBundle())->getContainerExtension();
+        $redirectParams = $customConfig['redirect_params'] ?? [];
+
+        $customOptions = match ($class) {
+            GenericProvider::class => $this->authenticationConfigHelper->getProviderOptions(
+                'generic',
+                [
+                    'client_id' => $customConfig['client_id'],
+                    'client_secret' => $customConfig['client_secret'],
+                    ...$customConfig['provider_options'],
+                ],
+            ),
+            Facebook::class => $this->authenticationConfigHelper->getProviderOptions('facebook', $customConfig),
+            Keycloak::class => $this->authenticationConfigHelper->getProviderOptions('keycloak', $customConfig),
+            Azure::class => $this->authenticationConfigHelper->getProviderOptions('azure', $customConfig),
+        };
 
-        $configParams = $this->authenticationConfigHelper->getParams($providerName);
+        $options = $customOptions + $options;
 
-        return $extension->getConfigurator($providerName)->getProviderOptions($configParams);
+        return $this->inner->createProvider($class, $options, $redirectUri, $redirectParams, $collaborators);
     }
 }

src/CoreBundle/Security/Authenticator/OAuth2/GenericAuthenticator.php

@@ -62,7 +62,7 @@ class GenericAuthenticator extends AbstractAuthenticator
 
     protected function userLoader(AccessToken $accessToken): User
     {
-        $providerParams = $this->authenticationConfigHelper->getParams('generic');
+        $providerParams = $this->authenticationConfigHelper->getProviderConfig('generic');
 
         /** @var GenericResourceOwner $resourceOwner */
         $resourceOwner = $this->client->fetchUserFromToken($accessToken);

src/CoreBundle/ServiceHelper/AuthenticationConfigHelper.php

@@ -21,7 +21,7 @@ readonly class AuthenticationConfigHelper
         private UrlGeneratorInterface $urlGenerator,
     ) {}
 
-    public function getParams(string $providerName, ?AccessUrl $url = null): array
+    public function getProviderConfig(string $providerName, ?AccessUrl $url = null): array
     {
         $providers = $this->getProvidersForUrl($url);
 
@@ -34,7 +34,7 @@ readonly class AuthenticationConfigHelper
 
     public function isEnabled(string $methodName, ?AccessUrl $url = null): bool
     {
-        $configParams = $this->getParams($methodName, $url);
+        $configParams = $this->getProviderConfig($methodName, $url);
 
         return $configParams['enabled'] ?? false;
     }
@@ -74,4 +74,58 @@ readonly class AuthenticationConfigHelper
 
         throw new InvalidArgumentException('Invalid access URL configuration');
     }
+
+    public function getProviderOptions(string $providerType, array $config): array
+    {
+        $defaults = match($providerType) {
+            'generic' => [
+                'clientId' => $config['client_id'],
+                'clientSecret' => $config['client_secret'],
+                'urlAuthorize' => $config['urlAuthorize'],
+                'urlAccessToken' => $config['urlAccessToken'],
+                'urlResourceOwnerDetails' => $config['urlResourceOwnerDetails'],
+                'accessTokenMethod' => $config['accessTokenMethod'] ?? null,
+                'accessTokenResourceOwnerId' => $config['accessTokenResourceOwnerId'] ?? null,
+                'scopeSeparator' => $config['scopeSeparator'] ?? null,
+                'responseError' => $config['responseError'] ?? null,
+                'responseCode' => $config['responseCode'] ?? null,
+                'responseResourceOwnerId' => $config['responseResourceOwnerId'] ?? null,
+                'scopes' => $config['scopes'] ?? null,
+                'pkceMethod' => $config['pkceMethod'] ?? null,
+            ],
+            'facebook' => [
+                'clientId' => $config['client_id'],
+                'clientSecret' => $config['client_secret'],
+                'graphApiVersion' => $config['graph_api_version'] ?? null,
+            ],
+            'keycloak' => [
+                'clientId' => $config['client_id'],
+                'clientSecret' => $config['client_secret'],
+                'authServerUrl' => $config['auth_server_url'],
+                'realm' => $config['realm'],
+                'version' => $config['version'] ?? null,
+                'encryptionAlgorithm' => $config['encryption_algorithm'] ?? null,
+                'encryptionKeyPath' => $config['encryption_key_path'] ?? null,
+                'encryptionKey' => $config['encryption_key'] ?? null,
+            ],
+            'azure' => [
+                'clientId' => $config['client_id'],
+                'clientSecret' => $config['client_secret'],
+                'clientCertificatePrivateKey' => $config['client_certificate_private_key'] ?? null,
+                'clientCertificateThumbprint' => $config['client_certificate_thumbprint'] ?? null,
+                'urlLogin' => $config['url_login'] ?? null,
+                'pathAuthorize' => $config['path_authorize'] ?? null,
+                'pathToken' => $config['path_token'] ?? null,
+                'scope' => $config['scope'] ?? null,
+                'tenant' => $config['tenant'] ?? null,
+                'urlAPI' => $config['url_api'] ?? null,
+                'resource' => $config['resource'] ?? null,
+                'API_VERSION' => $config['api_version'] ?? null,
+                'authWithResource' => $config['auth_with_resource'] ?? null,
+                'defaultEndPointVersion' => $config['default_end_point_version'] ?? null,
+            ],
+        };
+
+        return array_filter($defaults, fn($value) => $value !== null);
+    }
 }