app/Access/Controllers/OidcController.php

<?php

namespace BookStack\Access\Controllers;

use BookStack\Access\Oidc\OidcException;
use BookStack\Access\Oidc\OidcService;
use BookStack\Http\Controller;
use Illuminate\Http\Request;

class OidcController extends Controller
{
    public function __construct(
        protected OidcService $oidcService
    ) {
        $this->middleware('guard:oidc');
    }

    /**
     * Start the authorization login flow via OIDC.
     */
    public function login()
    {
        try {
            $loginDetails = $this->oidcService->login();
        } catch (OidcException $exception) {
            $this->showErrorNotification($exception->getMessage());

            return redirect('/login');
        }

        session()->put('oidc_state', time() . ':' . $loginDetails['state']);

        return redirect($loginDetails['url']);
    }

    /**
     * Authorization flow redirect callback.
     * Processes authorization response from the OIDC Authorization Server.
     */
    public function callback(Request $request)
    {
        $responseState = $request->query('state');
        $splitState =  explode(':', session()->pull('oidc_state', ':'), 2);
        if (count($splitState) !== 2) {
            $splitState = [null, null];
        }

        [$storedStateTime, $storedState] = $splitState;
        $threeMinutesAgo = time() - 3 * 60;

        if (!$storedState || $storedState !== $responseState || intval($storedStateTime) < $threeMinutesAgo) {
            $this->showErrorNotification(trans('errors.oidc_fail_authed', ['system' => config('oidc.name')]));

            return redirect('/login');
        }

        try {
            $this->oidcService->processAuthorizeResponse($request->query('code'));
        } catch (OidcException $oidcException) {
            $this->showErrorNotification($oidcException->getMessage());

            return redirect('/login');
        }

        return redirect()->intended();
    }

    /**
     * Log the user out, then start the OIDC RP-initiated logout process.
     */
    public function logout()
    {
        return redirect($this->oidcService->logout());
    }
}
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00			`<?php`

Played around with a new app structure 2023-05-17 17:56:55 +01:00			`namespace BookStack\Access\Controllers;`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00
Played around with a new app structure 2023-05-17 17:56:55 +01:00			`use BookStack\Access\Oidc\OidcException;`
			`use BookStack\Access\Oidc\OidcService;`
Cleaned up namespacing in routes Also moved home controller and moved controllers up a level in http. 2023-05-18 20:53:39 +01:00			`use BookStack\Http\Controller;`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00			`use Illuminate\Http\Request;`

Fleshed out testing for OIDC system 2021-10-13 16:51:27 +01:00			`class OidcController extends Controller`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00			`{`
OIDC: Updated state handling to prevent loss from other requests Which was occuring in chrome, where background requests to the PWA manifest, or opensearch, endpoint caused OIDC to fail due to lost state since it was only flashed to the session. This persists it with a manual TTL. Added tests to cover. Manually tested against Azure. For #5929 2025-12-03 13:34:00 +00:00			`public function __construct(`
			`protected OidcService $oidcService`
			`) {`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00			`$this->middleware('guard:oidc');`
			`}`

			`/**`
			`* Start the authorization login flow via OIDC.`
			`*/`
			`public function login()`
			`{`
Updated OIDC error handling for better error reporting Fixes issue where certain errors would not show to the user due to extra navigation jumps which lost the error message in the process. This simplifies and aligns exceptions with more directly handled exception usage at the controller level. Fixes #3264 2022-02-24 14:16:09 +00:00			`try {`
			`$loginDetails = $this->oidcService->login();`
			`} catch (OidcException $exception) {`
			`$this->showErrorNotification($exception->getMessage());`
Applied latest StyleCI changes 2022-02-24 15:04:09 +00:00
Updated OIDC error handling for better error reporting Fixes issue where certain errors would not show to the user due to extra navigation jumps which lost the error message in the process. This simplifies and aligns exceptions with more directly handled exception usage at the controller level. Fixes #3264 2022-02-24 14:16:09 +00:00			`return redirect('/login');`
			`}`

OIDC: Updated state handling to prevent loss from other requests Which was occuring in chrome, where background requests to the PWA manifest, or opensearch, endpoint caused OIDC to fail due to lost state since it was only flashed to the session. This persists it with a manual TTL. Added tests to cover. Manually tested against Azure. For #5929 2025-12-03 13:34:00 +00:00			`session()->put('oidc_state', time() . ':' . $loginDetails['state']);`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00
			`return redirect($loginDetails['url']);`
			`}`

			`/**`
Fleshed out testing for OIDC system 2021-10-13 16:51:27 +01:00			`* Authorization flow redirect callback.`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00			`* Processes authorization response from the OIDC Authorization Server.`
			`*/`
Fleshed out testing for OIDC system 2021-10-13 16:51:27 +01:00			`public function callback(Request $request)`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00			`{`
			`$responseState = $request->query('state');`
OIDC: Updated state handling to prevent loss from other requests Which was occuring in chrome, where background requests to the PWA manifest, or opensearch, endpoint caused OIDC to fail due to lost state since it was only flashed to the session. This persists it with a manual TTL. Added tests to cover. Manually tested against Azure. For #5929 2025-12-03 13:34:00 +00:00			`$splitState = explode(':', session()->pull('oidc_state', ':'), 2);`
			`if (count($splitState) !== 2) {`
			`$splitState = [null, null];`
			`}`

			`[$storedStateTime, $storedState] = $splitState;`
			`$threeMinutesAgo = time() - 3 * 60;`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00
OIDC: Updated state handling to prevent loss from other requests Which was occuring in chrome, where background requests to the PWA manifest, or opensearch, endpoint caused OIDC to fail due to lost state since it was only flashed to the session. This persists it with a manual TTL. Added tests to cover. Manually tested against Azure. For #5929 2025-12-03 13:34:00 +00:00			`if (!$storedState \|\| $storedState !== $responseState \|\| intval($storedStateTime) < $threeMinutesAgo) {`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00			`$this->showErrorNotification(trans('errors.oidc_fail_authed', ['system' => config('oidc.name')]));`
Applied latest styles changes from style CI 2021-10-16 16:01:59 +01:00
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00			`return redirect('/login');`
			`}`

Updated OIDC error handling for better error reporting Fixes issue where certain errors would not show to the user due to extra navigation jumps which lost the error message in the process. This simplifies and aligns exceptions with more directly handled exception usage at the controller level. Fixes #3264 2022-02-24 14:16:09 +00:00			`try {`
			`$this->oidcService->processAuthorizeResponse($request->query('code'));`
			`} catch (OidcException $oidcException) {`
			`$this->showErrorNotification($oidcException->getMessage());`
Applied latest StyleCI changes 2022-02-24 15:04:09 +00:00
Updated OIDC error handling for better error reporting Fixes issue where certain errors would not show to the user due to extra navigation jumps which lost the error message in the process. This simplifies and aligns exceptions with more directly handled exception usage at the controller level. Fixes #3264 2022-02-24 14:16:09 +00:00			`return redirect('/login');`
			`}`
Applied latest styles changes from style CI 2021-10-16 16:01:59 +01:00
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00			`return redirect()->intended();`
			`}`
Fixed OIDC Logout 2023-08-29 13:07:21 +08:00
			`/**`
OIDC: Updated state handling to prevent loss from other requests Which was occuring in chrome, where background requests to the PWA manifest, or opensearch, endpoint caused OIDC to fail due to lost state since it was only flashed to the session. This persists it with a manual TTL. Added tests to cover. Manually tested against Azure. For #5929 2025-12-03 13:34:00 +00:00			`* Log the user out, then start the OIDC RP-initiated logout process.`
Fixed OIDC Logout 2023-08-29 13:07:21 +08:00			`*/`
			`public function logout()`
			`{`
Auth: Refactored OIDC RP-logout PR code, Extracted logout Extracted logout to the login service so the logic can be shared instead of re-implemented at each stage. For this, the SocialAuthService was split so the driver management is in its own class, so it can be used elsewhere without use (or circular dependencies) of the SocialAuthService. During review of #4467 2023-12-06 13:49:53 +00:00			`return redirect($this->oidcService->logout());`
Fixed OIDC Logout 2023-08-29 13:07:21 +08:00			`}`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-06 23:05:26 +01:00			`}`