PHP Azure auth
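<?php
// Azure AD login endpoint: drives the OAuth2 authorization-code flow through
// thenetworg/oauth2-azure, then stores the signed-in user's Graph profile and
// group display names in the PHP session for other pages to check.
session_start();
require('vendor/autoload.php');

// Origin of this site. Used as the fallback post-login destination and to make
// sure the stored redirect target stays on this host.
$homeUrl = 'https://example.com';

$provider = new TheNetworg\OAuth2\Client\Provider\Azure([
    'clientId' => '12345678-1234-1234-1234-12345678abcd',
    // Placeholder values; real client settings belong in configuration kept out of version control.
    'clientSecret' => 'xxx',
    'redirectUri' => 'https://example.com/auth',
    'tenant' => 'example.com',
    'scope' => 'openid email profile User.Read Directory.Read.All',
    'resource' => 'https://graph.microsoft.com/',
    'urlAPI' => 'https://graph.microsoft.com/v1.0/',
]);

/**
 * Remove every login-related value from the session (state, user profile, token).
 */
function clearAuthSession(): void
{
    unset($_SESSION['oauth2state'], $_SESSION['user'], $_SESSION['token']);
}

if (($_GET['logout'] ?? '') === '1') {
    clearAuthSession();
    exit('Logout done');
}

if (!isset($_GET['code'])) {
    // No authorization code yet: start the flow. The state is kept in the session
    // so the callback can verify that the response belongs to this browser session.
    $authUrl = $provider->getAuthorizationUrl(/*['prompt' => 'admin_consent']*/);
    $_SESSION['oauth2state'] = $provider->getState();
    header('Location: ' . $authUrl);
    exit;
}

// Check the returned state against the stored one to mitigate CSRF. Only a
// non-empty string is acceptable, and the comparison is constant-time.
$returnedState = $_GET['state'] ?? '';
$expectedState = $_SESSION['oauth2state'] ?? '';
if (
    !is_string($returnedState)
    || !is_string($expectedState)
    || $expectedState === ''
    || !hash_equals($expectedState, $returnedState)
) {
    clearAuthSession();
    exit('Invalid state');
}
// The state is single-use: drop it so replaying this callback URL is rejected.
unset($_SESSION['oauth2state']);

// Exchange the authorization code for an access token.
$token = $provider->getAccessToken('authorization_code', [
    'code' => $_GET['code'],
    'resource' => 'https://graph.microsoft.com/v1.0/',
]);

// Kept for later Graph calls from other pages.
$_SESSION['token'] = serialize($token);

$user = $provider->get("me", $token);
$memberships = $provider->get("me/memberOf", $token);
$user['groups'] = [];
foreach ($memberships as $grp) {
    //$grp['groupTypes'] include 'unified' => O365 group
    //if (!$grp['securityEnabled']) { continue; }
    $user['groups'][] = $grp['displayName'];
}

// Privilege level of the session changes here: issue a fresh session id so an
// id established before login cannot be reused afterwards.
session_regenerate_id(true);
$_SESSION['user'] = $user;

// Return to the page that triggered the login, but only if it is on this host;
// anything else falls back to the home URL.
$url = $_SESSION['redirect'] ?? '';
unset($_SESSION['redirect']);
if (!is_string($url) || !str_starts_with($url, $homeUrl . '/')) {
    $url = $homeUrl;
}
header('Location: ' . $url);
exit;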
{
"require": {
"thenetworg/oauth2-azure": "^1.4",
"php-amqplib/php-amqplib": "^2.8"
}
}
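<?php
// Access guard for a protected page: requires a signed-in user (as stored by the
// auth endpoint) whose UPN is on the example.com domain and who belongs to the
// required group. Include before any output, since it sends headers.
session_start();

if (empty($_SESSION['user'])) {
    // Remember the requested page so the login callback can send the user back.
    $_SESSION['redirect'] = 'https://example.com' . $_SERVER['REQUEST_URI'];
    header("Location: https://example.com/auth");
    exit();
}

$upn = $_SESSION['user']['userPrincipalName'] ?? '';
$groups = $_SESSION['user']['groups'] ?? [];

// The domain must be a suffix of the UPN. A substring search would also accept a
// UPN whose domain merely contains "@example.com" followed by more text.
$isOurDomain = is_string($upn) && str_ends_with($upn, '@example.com');
// Strict comparison so only the exact group name matches.
$inGroup = is_array($groups) && in_array('secret-things-group', $groups, true);

if (!$isOurDomain || !$inGroup) {
    http_response_code(403);
    die("You don't have permissions for this page");
}
?>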
<html>
...