USER_URL); $code_parts = explode(':', $code, 3); $accept_header = $_SERVER['HTTP_ACCEPT'] ?: '*/*'; if ( '' !== $code_parts[2] ) { $response['scope'] = base64_url_decode($code_parts[2]); } $json = get_q_value('application/json', $accept_header); $form = get_q_value('application/x-www-form-urlencoded', $accept_header); if ( 0 === $json && 0 === $form ){ $error = 'Client does not accept JSON or Form encoded responses'; http_response_code(406); include 'form.php'; die(); } elseif ( $json >= $form ){ header('Content-Type: application/json'); exit( json_encode($response) ); } else { header('Content-Type: application/x-www-form-urlencoded'); exit( http_build_query($response) ); } } // No code submitted, // Check login if ( is_null($_SERVER["REMOTE_USER"]) ) { $error = 'Not logged in. Login on the SSO portal'; http_response_code(403); include 'form.php'; die(); } elseif ( USER_NAME !== $_SERVER["REMOTE_USER"] ){ $error = 'This system is for ' . USER_NAME . ' only.'; http_response_code(403); include 'form.php'; die(); } // Filter client data $me = filter_input( INPUT_GET, 'me', FILTER_VALIDATE_URL ); $client_id = filter_input( INPUT_GET, 'client_id', FILTER_VALIDATE_URL ); $redirect_uri = filter_input( INPUT_GET, 'redirect_uri', FILTER_VALIDATE_URL ); $state = filter_input_regexp( INPUT_GET, 'state', '@^[\x20-\x7E]*$@' ); $response_type = filter_input_regexp( INPUT_GET, 'response_type', '@^(id|code)?$@' ); $scope = filter_input_regexp( INPUT_GET, 'scope', '@^([\x21\x23-\x5B\x5D-\x7E]+( [\x21\x23-\x5B\x5D-\x7E]+)*)?$@' ); if ( ! is_string($client_id) ) { $error .= 'Invalid Client ID
'; } if ( ! is_string($redirect_uri) ){ $error .= 'Invalid redirect URI
'; } if ( false === $state ) { $error .= 'Invalid state
'; } if ( false === $response_type ) { $error .= 'Invalid response type
'; } if ( $error ){ http_response_code(400); include 'form.php'; die(); } $csrf_code = filter_input( INPUT_POST, '_csrf', FILTER_UNSAFE_RAW ); // If form submitted if ( ! is_null($csrf_code) ) { if ( !verify_signed_code( APP_KEY, $client_id . $redirect_uri . $state, $csrf_code ) ){ $error = 'Invalid CSFR code'; http_response_code(400); include 'form.php'; die(); } $scope = filter_input_regexp( INPUT_POST, 'scopes', '@^[\x21\x23-\x5B\x5D-\x7E]+$@', FILTER_REQUIRE_ARRAY ); if ( ! is_null($scope) ) { if ( false === $scope || in_array( false, $scope, true ) ) { $error = 'Provided scopes contain illegal characters'; } $scope = implode( ' ', $scope ); } $code = create_signed_code( APP_KEY, USER_URL . $redirect_uri . $client_id, 5 * 60, $scope ); $final_redir = $redirect_uri; if ( strpos($redirect_uri, '?') === false ) { $final_redir .= '?'; } else { $final_redir .= '&'; } $parameters = array( 'code' => $code, 'me' => USER_URL ); if ( ! is_null($state) ) { $parameters['state'] = $state; } $final_redir .= http_build_query($parameters); header('Location: ' . $final_redir, true, 302); } else { $csrf_code = create_signed_code(APP_KEY, $client_id . $redirect_uri . $state, 2 * 60); include 'form.php'; }