Plugin: OAuth2: SSO: Adding force redirect option for the plugin -refs BT#19346

main/inc/local.inc.php

@@ -401,6 +401,45 @@ if (!empty($_SESSION['_user']['user_id']) && !($login || $logout)) {
 
                 $doNotRedirectToCourse = true; // we should already be on the right page, no need to redirect
             }
+	}
+    //If plugin oauth2 is activated with force_redirect and user isn't logged in
+    } elseif ('true' === api_get_plugin_setting('oauth2', 'enable')
+        && 'true' === api_get_plugin_setting('oauth2', 'force_redirect')
+        && !isset($_user['user_id'])
+        && !isset($_POST['login'])
+        && !$logout
+    ) {
+        $skipFolderOauth = [];
+        $skipFolderOauth = explode(',',api_get_plugin_setting('oauth2', 'skip_force_redirect_in'));
+        $load = true;
+        foreach ($skipFolderOauth as $folder) {
+            if (false !== strpos($_SERVER['REQUEST_URI'], $folder)) {
+                $load = false;
+                break;
+            }
+        }
+        if ($load) {
+            $plugin = OAuth2::create();
+            $provider = $plugin->getProvider();
+            // If we don't have an authorization code then get one
+            if (!array_key_exists('code', $_GET)) {
+                // Fetch the authorization URL from the provider; this returns the
+                // urlAuthorize option and generates and applies any necessary parameters
+                // (e.g. state).
+                $authorizationUrl = $provider->getAuthorizationUrl();
+
+                // Get the state generated for you and store it to the session.
+                ChamiloSession::write('oauth2state', $provider->getState());
+
+                // Redirect the user to the authorization URL.
+                header('Location: '.$authorizationUrl);
+                exit;
+            }
+            // Check given state against previously stored one to mitigate CSRF attack
+            if (!array_key_exists('state', $_GET) || ($_GET['state'] !== ChamiloSession::read('oauth2state'))) {
+                ChamiloSession::erase('oauth2state');
+                exit('Invalid state');
+            }
         }
     } elseif (isset($_POST['login']) && isset($_POST['password'])) {
         // $login && $password are given to log in

plugin/oauth2/lang/english.php

@@ -13,6 +13,11 @@ $strings['plugin_comment'] = 'Allow authentication with an <em>OAuth2</em> serve
 
 $strings['enable'] = 'Enable';
 
+$strings['force_redirect'] = 'Force redirect';
+$strings['force_redirect_help'] = 'If set to yes, then if the user is not yet logged in it will be redirected automatically to the SSO server';
+$strings['skip_force_redirect_in'] = 'Skip folders for force redirect';
+$strings['skip_force_redirect_in_help'] = "If force redirect is set to yes, then all pages will redirect unlogged user to the SSO server except from the one defined here in a list separated by commas in the form /main/webservices,/plugin/oauth2";
+
 $strings['client_id'] = 'Client ID';
 $strings['client_id_help'] = '<strong>The <em>OAuth2</em> client identifier</strong>
 the <em>OAuth2</em> server administrator assigned to this Chamilo instance.

plugin/oauth2/src/OAuth2.php

@@ -20,6 +20,9 @@ class OAuth2 extends Plugin
 
     const SETTING_ENABLE = 'enable';
 
+    const SETTING_FORCE_REDIRECT = 'force_redirect';
+    const SETTING_SKIP_FORCE_REDIRECT_IN = 'skip_force_redirect_in';
+
     const SETTING_CLIENT_ID = 'client_id';
     const SETTING_CLIENT_SECRET = 'client_secret';
 
@@ -64,7 +67,10 @@ class OAuth2 extends Plugin
             [
                 self::SETTING_ENABLE => 'boolean',
 
-                self::SETTING_CLIENT_ID => 'text',
+		self::SETTING_FORCE_REDIRECT => 'boolean',
+                self::SETTING_SKIP_FORCE_REDIRECT_IN => 'text',
+
+		self::SETTING_CLIENT_ID => 'text',
                 self::SETTING_CLIENT_SECRET => 'text',
 
                 self::SETTING_AUTHORIZE_URL => 'text',