4 * Authorization Server Member
7 * @link http://www.open-emr.org
8 * @author Jerry Padgett <sjpadgett@gmail.com>
9 * @copyright Copyright (c) 2020 Jerry Padgett <sjpadgett@gmail.com>
10 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
13 // below brings in autoloader
14 require_once(__DIR__
. "/../_rest_config.php");
16 use OpenEMR\Common\Csrf\CsrfUtils
;
17 use OpenEMR\Common\Logging\SystemLogger
;
18 use OpenEMR\Common\Session\SessionUtil
;
19 use OpenEMR\RestControllers\AuthorizationController
;
// RestConfig carries the per-request configuration; $SITE is the site resolved for this
// request and is required before any session or globals are set up.
21 $gbl = RestConfig
::GetInstance();
22 if (empty($gbl::$SITE)) {
// No site could be resolved from the request: answer 401 before touching the session.
23 http_response_code(401);
27 // Will start the oauth OpenEMR session/cookie.
28 SessionUtil
::oauthSessionStart($gbl::$web_root);
// globals.php (required just below) presumably selects the site from $_GET['site'] — TODO confirm;
// pinning it to the RestConfig value keeps the request from choosing a different site.
30 $_GET['site'] = $gbl::$SITE;
31 // No need for sessionAllowWrite since using oauth session
33 require_once __DIR__
. '/../interface/globals.php';
35 $logger = new SystemLogger();
37 // exit if api is not turned on
// All three API switches are off: drop the oauth cookie created above and reply 404.
38 if (empty($GLOBALS['rest_api']) && empty($GLOBALS['rest_fhir_api']) && empty($GLOBALS['rest_portal_api'])) {
39 $logger->debug("api disabled exiting call");
40 SessionUtil
::oauthSessionCookieDestroy();
41 http_response_code(404);
45 // ensure 1) sane site 2) site from gbl and globals are the same and 3) ensure the site exists on filesystem
// NOTE(review): the character class admits '.', so an id made only of dots (e.g. "..") is not
// rejected by the regex; only the session comparison and file_exists() remain as guards. Explicitly
// rejecting ids that contain ".." would be a cheap hardening. Also `!=` is a loose comparison;
// `!==` is preferable here since both sides should be strings.
46 if (empty($gbl::$SITE) ||
empty($_SESSION['site_id']) ||
preg_match('/[^A-Za-z0-9\\-.]/', $gbl::$SITE) ||
($gbl::$SITE != $_SESSION['site_id']) ||
!file_exists($GLOBALS['OE_SITES_BASE'] . '/' . $_SESSION['site_id'])) {
47 // error collecting site
48 $logger->error("OpenEMR error - oauth2 error since unable to properly collect site, so forced exit");
49 SessionUtil
::oauthSessionCookieDestroy();
50 http_response_code(400);
55 // used to prevent csrf in the 2 different types of submissions by oauth2/provider/login.php
// The key is generated once per oauth session and then reused for later submissions.
56 if (empty($_SESSION['csrf_private_key'])) {
57 CsrfUtils
::setupCsrfKey();
// Endpoint path as extracted by RestConfig; drives the dispatch chain below.
60 $end_point = $gbl::getRequestEndPoint();
61 $logger->debug("oauth2 request received", ["endpoint" => $end_point]);
63 // let's quickly be able to enable our CORS at the PHP level.
// NOTE(review): browsers do not honour Allow-Credentials: true together with a wildcard
// Allow-Origin, so credentialed cross-origin calls are blocked regardless; allowing them would
// require echoing a vetted Origin instead of "*". These headers are also emitted for every
// endpoint below, including the browser-facing login/authorize pages — confirm that is intended.
64 header("Access-Control-Allow-Credentials: true");
65 header("Access-Control-Allow-Headers: origin, authorization, accept, content-type, x-requested-with");
66 header("Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS");
67 header("Access-Control-Allow-Origin: *");
69 $authServer = new AuthorizationController();
// Endpoint dispatch. Each branch tests the path with a case-insensitive substring match
// (stripos), not an exact comparison, so the order of the checks matters: the first branch
// whose fragment appears anywhere in the path wins. Whether a branch destroys the oauth
// session is noted on each one.
71 if (false !== stripos($end_point, '/token')) {
72 // session is destroyed within below function
73 $authServer->oauthAuthorizeToken();
77 if (false !== stripos($end_point, '/openid-configuration')) {
// Set for provider/.well-known/discovery.php, which is included on the next line — presumably
// it reads $base_url; verify.
79 $base_url = $authServer->authBaseFullUrl
;
80 require_once("provider/.well-known/discovery.php");
84 if (false !== stripos($end_point, '/authorize')) {
85 // session is destroyed (when throws exception) within below function
86 $authServer->oauthAuthorizationFlow();
90 if (false !== stripos($end_point, '/device/code')) {
91 // session is destroyed within below function
92 $authServer->authorizeUser();
96 if (false !== stripos($end_point, '/jwk')) {
// The JWK endpoint is served by an included script rather than a controller method.
98 require_once(__DIR__
. "/provider/jwk.php");
102 if (false !== stripos($end_point, '/login')) {
103 // session is maintained
104 $authServer->userLogin();
// NOTE(review): isSMARTAuthorizationEndPoint() is consulted only after the '/authorize'
// substring test above; if any SMART path contains '/authorize', that earlier branch takes it — verify.
107 if ($authServer->isSMARTAuthorizationEndPoint($end_point)) {
108 $authServer->dispatchSMARTAuthorizationEndpoint($end_point);
111 if (false !== stripos($end_point, '/scope-authorize-confirm')) {
112 // session is maintained
113 $authServer->scopeAuthorizeConfirm();
117 if (false !== stripos($end_point, '/registration')) {
118 // session is destroyed within below function
119 $authServer->clientRegistration();
123 if (false !== stripos($end_point, '/client')) {
124 // session is destroyed within below function
125 $authServer->clientRegisteredDetails();
129 if (false !== stripos($end_point, '/logout')) {
130 // session is destroyed within below function
131 $authServer->userSessionLogout();
135 if (false !== stripos($end_point, '/introspect')) {
136 // session is destroyed within below function
137 $authServer->tokenIntrospection();