bsiggel/espocrm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
root
2026-01-19 17:44:46 +01:00
commit 823af8b11d
8721 changed files with 1130846 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

107
application/Espo/Core/Authentication/Oidc/BackchannelLogout.php Normal file
View File

@@ -0,0 +1,107 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc;
use Espo\Core\Authentication\AuthToken\AuthToken;
use Espo\Core\Authentication\AuthToken\Manager as AuthTokenManager;
use Espo\Core\Authentication\Jwt\Exceptions\Invalid;
use Espo\Core\Authentication\Jwt\Exceptions\SignatureNotVerified;
use Espo\Core\Authentication\Jwt\Token;
use Espo\Core\Authentication\Jwt\Validator;
use Espo\Core\Authentication\Oidc\UserProvider\UserRepository;
use Espo\Core\Utils\Log;
use Espo\Entities\AuthToken as AuthTokenEntity;
use Espo\ORM\EntityManager;
/**
* Compatible only with default Espo auth tokens.
*
* @todo Use a token-sessionId map to retrieve tokens. Send sid claim in id_token.
*/
class BackchannelLogout
{
public function __construct(
private Log $log,
private Validator $validator,
private TokenValidator $tokenValidator,
private ConfigDataProvider $configDataProvider,
private UserRepository $userRepository,
private EntityManager $entityManager,
private AuthTokenManager $authTokenManger
) {}
/**
* @throws SignatureNotVerified
* @throws Invalid
*/
public function logout(string $rawToken): void
{
$token = Token::create($rawToken);
$this->log->debug("OIDC logout: JWT header: " . $token->getHeaderRaw());
$this->log->debug("OIDC logout: JWT payload: " . $token->getPayloadRaw());
$this->validator->validate($token);
$this->tokenValidator->validateSignature($token);
$this->tokenValidator->validateFields($token);
$usernameClaim = $this->configDataProvider->getUsernameClaim();
if (!$usernameClaim) {
throw new Invalid("No username claim in config.");
}
$username = $token->getPayload()->get($usernameClaim);
if (!$username) {
throw new Invalid("No username claim `$usernameClaim` in token.");
}
$user = $this->userRepository->findByUsername($username);
if (!$user) {
return;
}
$authTokenList = $this->entityManager
->getRDBRepositoryByClass(AuthTokenEntity::class)
->where([
'userId' => $user->getId(),
'isActive' => true,
])
->find();
foreach ($authTokenList as $authToken) {
assert($authToken instanceof AuthToken);
$this->authTokenManger->inactivate($authToken);
}
}
}

234
application/Espo/Core/Authentication/Oidc/ConfigDataProvider.php Normal file
View File

@@ -0,0 +1,234 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc;
use Espo\Core\ApplicationState;
use Espo\Core\ORM\EntityManagerProxy;
use Espo\Core\Utils\Config;
use Espo\Entities\AuthenticationProvider;
use stdClass;
class ConfigDataProvider
{
private const JWKS_CACHE_PERIOD = '10 minutes';
private Config|AuthenticationProvider $object;
public function __construct(
private Config $config,
private ApplicationState $applicationState,
private EntityManagerProxy $entityManager
) {
$this->object = $this->getAuthenticationProvider() ?? $this->config;
}
private function isAuthenticationProvider(): bool
{
return $this->object instanceof AuthenticationProvider;
}
private function getAuthenticationProvider(): ?AuthenticationProvider
{
if (!$this->applicationState->isPortal()) {
return null;
}
$link = $this->applicationState->getPortal()->getAuthenticationProvider();
if (!$link) {
return null;
}
/** @var ?AuthenticationProvider */
return $this->entityManager->getEntityById(AuthenticationProvider::ENTITY_TYPE, $link->getId());
}
public function getSiteUrl(): string
{
$siteUrl = $this->isAuthenticationProvider() ?
$this->applicationState->getPortal()->getUrl() :
$this->config->get('siteUrl');
return rtrim($siteUrl, '/');
}
public function getRedirectUri(): string
{
return $this->getSiteUrl() . '/oauth-callback.php';
}
public function getClientId(): ?string
{
return $this->object->get('oidcClientId');
}
public function getClientSecret(): ?string
{
return $this->object->get('oidcClientSecret');
}
public function getAuthorizationEndpoint(): ?string
{
return $this->object->get('oidcAuthorizationEndpoint');
}
public function getTokenEndpoint(): ?string
{
return $this->object->get('oidcTokenEndpoint');
}
public function getUserInfoEndpoint(): ?string
{
return $this->object->get('oidcUserInfoEndpoint');
}
public function getJwksEndpoint(): ?string
{
return $this->object->get('oidcJwksEndpoint');
}
/**
* @return string[]
*/
public function getJwtSignatureAlgorithmList(): array
{
return $this->object->get('oidcJwtSignatureAlgorithmList') ?? [];
}
/**
* @return string[]
*/
public function getScopes(): array
{
/** @var string[] */
return $this->object->get('oidcScopes') ?? [];
}
public function getLogoutUrl(): ?string
{
return $this->object->get('oidcLogoutUrl');
}
public function getUsernameClaim(): ?string
{
return $this->object->get('oidcUsernameClaim');
}
public function createUser(): bool
{
return (bool) $this->object->get('oidcCreateUser');
}
public function sync(): bool
{
return (bool) $this->object->get('oidcSync');
}
public function syncTeams(): bool
{
if ($this->isAuthenticationProvider()) {
return false;
}
return (bool) $this->config->get('oidcSyncTeams');
}
public function fallback(): bool
{
if ($this->isAuthenticationProvider()) {
return false;
}
return (bool) $this->config->get('oidcFallback');
}
public function allowRegularUserFallback(): bool
{
if ($this->isAuthenticationProvider()) {
return false;
}
return (bool) $this->config->get('oidcAllowRegularUserFallback');
}
public function allowAdminUser(): bool
{
if ($this->isAuthenticationProvider()) {
return false;
}
return (bool) $this->config->get('oidcAllowAdminUser');
}
public function getGroupClaim(): ?string
{
if ($this->isAuthenticationProvider()) {
return null;
}
return $this->config->get('oidcGroupClaim');
}
/**
* @return ?string[]
*/
public function getTeamIds(): ?array
{
if ($this->isAuthenticationProvider()) {
return null;
}
return $this->config->get('oidcTeamsIds') ?? [];
}
public function getTeamColumns(): ?stdClass
{
if ($this->isAuthenticationProvider()) {
return null;
}
return $this->config->get('oidcTeamsColumns') ?? (object) [];
}
public function getAuthorizationPrompt(): string
{
return $this->object->get('oidcAuthorizationPrompt') ?? 'consent';
}
public function getAuthorizationMaxAge(): ?int
{
return $this->config->get('oidcAuthorizationMaxAge');
}
public function getJwksCachePeriod(): string
{
return $this->config->get('oidcJwksCachePeriod') ?? self::JWKS_CACHE_PERIOD;
}
}

88
application/Espo/Core/Authentication/Oidc/DefaultSignatureVerifierFactory.php Normal file
View File

@@ -0,0 +1,88 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc;
use Espo\Core\Authentication\Jwt\SignatureVerifier;
use Espo\Core\Authentication\Jwt\SignatureVerifierFactory;
use Espo\Core\Authentication\Jwt\SignatureVerifiers\Hmac;
use Espo\Core\Authentication\Jwt\SignatureVerifiers\Rsa;
use RuntimeException;
class DefaultSignatureVerifierFactory implements SignatureVerifierFactory
{
private const RS256 = 'RS256';
private const RS384 = 'RS384';
private const RS512 = 'RS512';
private const HS256 = 'HS256';
private const HS384 = 'HS384';
private const HS512 = 'HS512';
private const ALGORITHM_VERIFIER_CLASS_NAME_MAP = [
self::RS256 => Rsa::class,
self::RS384 => Rsa::class,
self::RS512 => Rsa::class,
self::HS256 => Hmac::class,
self::HS384 => Hmac::class,
self::HS512 => Hmac::class,
];
public function __construct(
private KeysProvider $keysProvider,
private ConfigDataProvider $configDataProvider
) {}
public function create(string $algorithm): SignatureVerifier
{
/** @var ?class-string<SignatureVerifier> $className */
$className = self::ALGORITHM_VERIFIER_CLASS_NAME_MAP[$algorithm] ?? null;
if (!$className) {
throw new RuntimeException("Not supported algorithm $algorithm.");
}
if ($className === Rsa::class) {
$keys = $this->keysProvider->get();
return new Rsa($algorithm, $keys);
}
if ($className === Hmac::class) {
$key = $this->configDataProvider->getClientSecret();
if (!$key) {
throw new RuntimeException("No client secret.");
}
return new Hmac($algorithm, $key);
}
throw new RuntimeException();
}
}

203
application/Espo/Core/Authentication/Oidc/KeysProvider.php Normal file
View File

@@ -0,0 +1,203 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc;
use Espo\Core\Authentication\Jwt\Exceptions\UnsupportedKey;
use Espo\Core\Authentication\Jwt\Key;
use Espo\Core\Authentication\Jwt\KeyFactory;
use Espo\Core\Field\DateTime;
use Espo\Core\Utils\Config\SystemConfig;
use Espo\Core\Utils\DataCache;
use Espo\Core\Utils\Json;
use Espo\Core\Utils\Log;
use JsonException;
use RuntimeException;
use stdClass;
class KeysProvider
{
private const CACHE_KEY = 'oidcJwks';
private const REQUEST_TIMEOUT = 10;
public function __construct(
private DataCache $dataCache,
private ConfigDataProvider $configDataProvider,
private KeyFactory $factory,
private Log $log,
private SystemConfig $systemConfig,
) {}
/**
* @return Key[]
*/
public function get(): array
{
$list = [];
$rawKeys = $this->getRaw();
foreach ($rawKeys as $raw) {
try {
$list[] = $this->factory->create($raw);
} catch (UnsupportedKey) {
$this->log->debug("OIDC: Unsupported key " . print_r($raw, true));
}
}
return $list;
}
/**
* @return stdClass[]
*/
private function getRaw(): array
{
$raw = $this->getRawFromCache();
if (!$raw) {
$raw = $this->load();
$this->storeRawToCache($raw);
}
return $raw;
}
/**
* @return stdClass[]
*/
private function load(): array
{
$endpoint = $this->configDataProvider->getJwksEndpoint();
if (!$endpoint) {
throw new RuntimeException("JSON Web Key Set endpoint not specified in settings.");
}
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => $endpoint,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => '',
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => self::REQUEST_TIMEOUT,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'GET',
CURLOPT_PROTOCOLS => CURLPROTO_HTTPS | CURLPROTO_HTTP,
]);
/** @var string|false $response */
$response = curl_exec($curl);
$error = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);
if ($response === false) {
$response = '';
}
if ($error) {
throw new RuntimeException("OIDC: JWKS request error. Status: $status.");
}
$parsedResponse = null;
try {
$parsedResponse = Json::decode($response);
} catch (JsonException) {}
if (!$parsedResponse instanceof stdClass || !isset($parsedResponse->keys)) {
throw new RuntimeException("OIDC: JWKS bad response.");
}
return $parsedResponse->keys;
}
/**
* @return ?stdClass[]
*/
private function getRawFromCache(): ?array
{
if (!$this->systemConfig->useCache()) {
return null;
}
if (!$this->dataCache->has(self::CACHE_KEY)) {
return null;
}
$data = $this->dataCache->get(self::CACHE_KEY);
if (!$data instanceof stdClass) {
return null;
}
/** @var ?int $timestamp */
$timestamp = $data->timestamp;
if (!$timestamp) {
return null;
}
$period = '-' . $this->configDataProvider->getJwksCachePeriod();
if ($timestamp < DateTime::createNow()->modify($period)->toTimestamp()) {
return null;
}
/** @var ?stdClass[] $keys */
$keys = $data->keys ?? null;
if ($keys === null) {
return null;
}
return $keys;
}
/**
* @param stdClass[] $raw
*/
private function storeRawToCache(array $raw): void
{
if (!$this->systemConfig->useCache()) {
return;
}
$data = (object) [
'timestamp' => time(),
'keys' => $raw,
];
$this->dataCache->store(self::CACHE_KEY, $data);
}
}

322
application/Espo/Core/Authentication/Oidc/Login.php Normal file
View File

@@ -0,0 +1,322 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc;
use Espo\Core\Api\Request;
use Espo\Core\ApplicationState;
use Espo\Core\Authentication\Login as LoginInterface;
use Espo\Core\Authentication\Login\Data;
use Espo\Core\Authentication\Jwt\Token;
use Espo\Core\Authentication\Logins\Espo;
use Espo\Core\Authentication\Jwt\Exceptions\Invalid;
use Espo\Core\Authentication\Jwt\Exceptions\SignatureNotVerified;
use Espo\Core\Authentication\Jwt\Validator;
use Espo\Core\Authentication\Oidc\UserProvider\UserInfo;
use Espo\Core\Authentication\Result;
use Espo\Core\Authentication\Result\FailReason;
use Espo\Core\Utils\Json;
use Espo\Core\Utils\Log;
use JsonException;
use LogicException;
use RuntimeException;
use SensitiveParameter;
use stdClass;
class Login implements LoginInterface
{
public const NAME = 'Oidc';
private const OIDC_USERNAME = '**oidc';
private const REQUEST_TIMEOUT = 10;
private const NONCE_HEADER = 'X-Oidc-Authorization-Nonce';
public function __construct(
private Espo $espoLogin,
private Log $log,
private ConfigDataProvider $configDataProvider,
private Validator $validator,
private TokenValidator $tokenValidator,
private UserProvider $userProvider,
private ApplicationState $applicationState,
private UserInfoDataProvider $userInfoDataProvider,
) {}
public function login(Data $data, Request $request): Result
{
if ($data->getUsername() !== self::OIDC_USERNAME) {
return $this->loginFallback($data, $request);
}
$code = $data->getPassword();
if (!$code) {
return Result::fail(FailReason::NO_PASSWORD);
}
return $this->loginWithCode($code, $request);
}
private function loginWithCode(string $code, Request $request): Result
{
$endpoint = $this->configDataProvider->getTokenEndpoint();
$clientId = $this->configDataProvider->getClientId();
$clientSecret = $this->configDataProvider->getClientSecret();
$redirectUri = $this->configDataProvider->getRedirectUri();
if (!$endpoint) {
throw new RuntimeException("No token endpoint.");
}
if (!$clientId) {
throw new RuntimeException("No client ID.");
}
if (!$clientSecret) {
throw new RuntimeException("No client secret.");
}
[$rawToken, $failResult, $accessToken] =
$this->requestToken($endpoint, $clientId, $code, $redirectUri, $clientSecret);
if ($failResult) {
return $failResult;
}
if (!$rawToken) {
throw new LogicException();
}
try {
$token = Token::create($rawToken);
} catch (RuntimeException $e) {
$message = self::composeLogMessage('JWT parsing error.');
if ($e->getMessage()) {
$message .= " " . $e->getMessage();
}
$this->log->error($message);
throw new RuntimeException("JWT parsing error.");
}
$this->log->debug("OIDC: JWT header: " . $token->getHeaderRaw());
$this->log->debug("OIDC: JWT payload: " . $token->getPayloadRaw());
try {
$this->validateToken($token);
} catch (Invalid $e) {
$this->log->error("OIDC: " . $e->getMessage());
return Result::fail(FailReason::DENIED);
}
$tokenPayload = $token->getPayload();
$nonce = $request->getHeader(self::NONCE_HEADER);
if ($nonce && $nonce !== $tokenPayload->getNonce()) {
$this->log->warning(self::composeLogMessage('JWT nonce mismatch.'));
return Result::fail(FailReason::DENIED);
}
$userInfo = $this->getUserInfo($tokenPayload, $accessToken);
$user = $this->userProvider->get($userInfo);
if (!$user) {
return Result::fail(FailReason::USER_NOT_FOUND);
}
return Result::success($user)->withBypassSecondStep();
}
private function loginFallback(Data $data, Request $request): Result
{
if (
!$data->getAuthToken() &&
!$this->configDataProvider->fallback()
) {
return Result::fail(FailReason::METHOD_NOT_ALLOWED);
}
if (
!$data->getAuthToken() &&
$this->applicationState->isPortal()
) {
return Result::fail(FailReason::METHOD_NOT_ALLOWED);
}
$result = $this->espoLogin->login($data, $request);
$user = $result->getUser();
if (!$user) {
return $result;
}
if ($data->getAuthToken()) {
// Allow fallback when logged by auth token.
return $result;
}
if (
$user->isRegular() &&
!$this->configDataProvider->allowRegularUserFallback()
// Portal users are allowed.
) {
return Result::fail(FailReason::METHOD_NOT_ALLOWED);
}
if ($user->isPortal()) {
return Result::fail(FailReason::METHOD_NOT_ALLOWED);
}
return $result;
}
/**
* @return array{?string, ?Result, ?string}
*/
private function requestToken(
string $endpoint,
string $clientId,
string $code,
string $redirectUri,
string $clientSecret
): array {
$params = [
'grant_type' => 'authorization_code',
'client_id' => $clientId,
'client_secret' => $clientSecret,
'code' => $code,
'redirect_uri' => $redirectUri,
];
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => $endpoint,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => '',
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => self::REQUEST_TIMEOUT,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'POST',
CURLOPT_POSTFIELDS => http_build_query($params),
CURLOPT_HTTPHEADER => ['content-type: application/x-www-form-urlencoded'],
CURLOPT_PROTOCOLS => CURLPROTO_HTTPS | CURLPROTO_HTTP,
]);
/** @var string|false $response */
$response = curl_exec($curl);
$error = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);
if ($response === false) {
$response = '';
}
if ($error || is_int($status) && ($status >= 400 && $status < 500)) {
if ($status === 400) {
$this->log->error(self::composeLogMessage('Bad token request.', $status, $response));
throw new RuntimeException();
}
$this->log->warning(self::composeLogMessage('Token request error.', $status, $response));
return [null, Result::fail(FailReason::DENIED), null];
}
$parsedResponse = null;
try {
$parsedResponse = Json::decode($response);
} catch (JsonException) {}
if (!$parsedResponse instanceof stdClass) {
$this->log->error(self::composeLogMessage('Bad token response.', $status, $response));
throw new RuntimeException();
}
$token = $parsedResponse->id_token ?? null;
$accessToken = $parsedResponse->access_token ?? null;
if (!$token || !is_string($token)) {
$this->log->error(self::composeLogMessage('Bad token response.', $status, $response));
throw new RuntimeException();
}
return [$token, null, $accessToken];
}
private static function composeLogMessage(string $text, ?int $status = null, ?string $response = null): string
{
if ($status === null) {
return "OIDC: $text";
}
return "OIDC: $text; Status: $status; Response: $response";
}
/**
* @throws SignatureNotVerified
* @throws Invalid
*/
private function validateToken(Token $token): void
{
$this->validator->validate($token);
$this->tokenValidator->validateFields($token);
$this->tokenValidator->validateSignature($token);
}
private function getUserInfo(Token\Payload $payload, #[SensitiveParameter] ?string $accessToken): UserInfo
{
$endpoint = $this->configDataProvider->getUserInfoEndpoint();
if (!$endpoint) {
return new UserInfo($payload, []);
}
if (!$accessToken) {
throw new RuntimeException("OIDC: No access token received.");
}
$data = $this->userInfoDataProvider->get($accessToken);
return new UserInfo($payload, $data);
}
}

61
application/Espo/Core/Authentication/Oidc/Logout.php Normal file
View File

@@ -0,0 +1,61 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc;
use Espo\Core\Authentication\AuthToken\AuthToken;
use Espo\Core\Authentication\Logout as LogoutInterface;
use Espo\Core\Authentication\Logout\Params;
use Espo\Core\Authentication\Logout\Result;
/**
* @noinspection PhpUnused
*/
class Logout implements LogoutInterface
{
public function __construct(
private ConfigDataProvider $configDataProvider
) {}
public function logout(AuthToken $authToken, Params $params): Result
{
$url = $this->configDataProvider->getLogoutUrl();
$clientId = $this->configDataProvider->getClientId() ?? '';
$siteUrl = $this->configDataProvider->getSiteUrl();
if ($url) {
$url = str_replace('{clientId}', urlencode($clientId), $url);
$url = str_replace('{siteUrl}', urlencode($siteUrl), $url);
}
// @todo Check session is set in auth token to bypass fallback logins.
return Result::create()->withRedirectUrl($url);
}
}

89
application/Espo/Core/Authentication/Oidc/TokenValidator.php Normal file
View File

@@ -0,0 +1,89 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc;
use Espo\Core\Authentication\Jwt\Exceptions\Invalid;
use Espo\Core\Authentication\Jwt\Exceptions\SignatureNotVerified;
use Espo\Core\Authentication\Jwt\SignatureVerifierFactory;
use Espo\Core\Authentication\Jwt\Token;
use RuntimeException;
class TokenValidator
{
public function __construct(
private ConfigDataProvider $configDataProvider,
private SignatureVerifierFactory $signatureVerifierFactory
) {}
/**
* @throws SignatureNotVerified
* @throws Invalid
*/
public function validateSignature(Token $token): void
{
$algorithm = $token->getHeader()->getAlg();
$allowedAlgorithmList = $this->configDataProvider->getJwtSignatureAlgorithmList();
if (!in_array($algorithm, $allowedAlgorithmList)) {
throw new Invalid("JWT signing algorithm `$algorithm` not allowed.");
}
$verifier = $this->signatureVerifierFactory->create($algorithm);
if (!$verifier->verify($token)) {
throw new SignatureNotVerified("JWT signature not verified.");
}
}
/**
* @throws Invalid
*/
public function validateFields(Token $token): void
{
$oidcClientId = $this->configDataProvider->getClientId();
if (!$oidcClientId) {
throw new RuntimeException("OIDC: No client ID.");
}
if (!in_array($oidcClientId, $token->getPayload()->getAud())) {
throw new Invalid("JWT the `aud` field does not contain matching client ID.");
}
if (!$token->getPayload()->getSub()) {
throw new Invalid("JWT does not contain the `sub` value.");
}
if (!$token->getPayload()->getIss()) {
throw new Invalid("JWT does not contain the `iss` value.");
}
}
}

121
application/Espo/Core/Authentication/Oidc/UserInfoDataProvider.php Normal file
View File

@@ -0,0 +1,121 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc;
use Espo\Core\Utils\Json;
use Espo\Core\Utils\Log;
use JsonException;
use RuntimeException;
use SensitiveParameter;
class UserInfoDataProvider
{
private const REQUEST_TIMEOUT = 10;
public function __construct(
private ConfigDataProvider $configDataProvider,
private Log $log,
) {}
/**
* @return array<string, mixed>
*/
public function get(#[SensitiveParameter] string $accessToken): array
{
return $this->load($accessToken);
}
/**
* @return array<string, mixed>
*/
private function load(#[SensitiveParameter] string $accessToken): array
{
$endpoint = $this->configDataProvider->getUserInfoEndpoint();
if (!$endpoint) {
throw new RuntimeException("No userinfo endpoint.");
}
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => $endpoint,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => '',
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => self::REQUEST_TIMEOUT,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'GET',
CURLOPT_PROTOCOLS => CURLPROTO_HTTPS | CURLPROTO_HTTP,
CURLOPT_HTTPHEADER => [
'Authorization: Bearer ' . $accessToken,
'Accept: application/json',
],
]);
/** @var string|false $response */
$response = curl_exec($curl);
$error = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);
if ($response === false) {
$response = '';
}
if ($error || is_int($status) && ($status >= 400 && $status < 500)) {
$this->log->error(self::composeLogMessage('UserInfo response error.', $status, $response));
throw new RuntimeException("OIDC: Userinfo request error.");
}
$parsedResponse = null;
try {
$parsedResponse = Json::decode($response, true);
} catch (JsonException) {}
if (!is_array($parsedResponse)) {
throw new RuntimeException("OIDC: Bad userinfo response.");
}
return $parsedResponse;
}
private static function composeLogMessage(string $text, ?int $status = null, ?string $response = null): string
{
if ($status === null) {
return "OIDC: $text";
}
return "OIDC: $text; Status: $status; Response: $response";
}
}

38
application/Espo/Core/Authentication/Oidc/UserProvider.php Normal file
View File

@@ -0,0 +1,38 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc;
use Espo\Core\Authentication\Oidc\UserProvider\UserInfo;
use Espo\Entities\User;
interface UserProvider
{
public function get(UserInfo $userInfo): ?User;
}

171
application/Espo/Core/Authentication/Oidc/UserProvider/DefaultUserProvider.php Normal file
View File

@@ -0,0 +1,171 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Core\ApplicationState;
use Espo\Core\Authentication\Oidc\ConfigDataProvider;
use Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Core\Utils\Log;
use Espo\Entities\User;
use RuntimeException;
class DefaultUserProvider implements UserProvider
{
public function __construct(
private ConfigDataProvider $configDataProvider,
private Sync $sync,
private UserRepository $userRepository,
private ApplicationState $applicationState,
private Log $log,
) {}
public function get(UserInfo $userInfo): ?User
{
$user = $this->findUser($userInfo);
if ($user === false) {
return null;
}
if ($user) {
$this->syncUser($user, $userInfo);
return $user;
}
return $this->tryToCreateUser($userInfo);
}
/**
* @return User|false|null
*/
private function findUser(UserInfo $userInfo): User|bool|null
{
$usernameClaim = $this->configDataProvider->getUsernameClaim();
if (!$usernameClaim) {
throw new RuntimeException("No username claim in config.");
}
$username = $userInfo->get($usernameClaim);
if (!$username) {
throw new RuntimeException("No username claim `$usernameClaim` in token and userinfo.");
}
$username = $this->sync->normalizeUsername($username);
$user = $this->userRepository->findByUsername($username);
if (!$user) {
return null;
}
$userId = $user->getId();
if (!$user->isActive()) {
$this->log->info("Oidc: User $userId found but it's not active.");
return false;
}
$isPortal = $this->applicationState->isPortal();
if (!$isPortal && !$user->isRegular() && !$user->isAdmin()) {
$this->log->info("Oidc: User $userId found but it's neither regular user nor admin.");
return false;
}
if ($isPortal && !$user->isPortal()) {
$this->log->info("Oidc: User $userId found but it's not portal user.");
return false;
}
if ($isPortal) {
$portalId = $this->applicationState->getPortalId();
if (!$user->getPortals()->hasId($portalId)) {
$this->log->info("Oidc: User $userId found but it's not related to current portal.");
return false;
}
}
if ($user->isSuperAdmin()) {
$this->log->info("Oidc: User $userId found but it's super-admin, not allowed.");
return false;
}
if ($user->isAdmin() && !$this->configDataProvider->allowAdminUser()) {
$this->log->info("Oidc: User $userId found but it's admin, not allowed.");
return false;
}
return $user;
}
private function tryToCreateUser(UserInfo $userInfo): ?User
{
if (!$this->configDataProvider->createUser()) {
return null;
}
$usernameClaim = $this->configDataProvider->getUsernameClaim();
if (!$usernameClaim) {
throw new RuntimeException("Could not create a user. No OIDC username claim in config.");
}
$username = $userInfo->get($usernameClaim);
if (!$username) {
throw new RuntimeException("Could not create a user. No username claim in token and userinfo.");
}
return $this->sync->createUser($userInfo);
}
private function syncUser(User $user, UserInfo $userInfo): void
{
if (
!$this->configDataProvider->sync() &&
!$this->configDataProvider->syncTeams()
) {
return;
}
$this->sync->syncUser($user, $userInfo);
}
}

247
application/Espo/Core/Authentication/Oidc/UserProvider/Sync.php Normal file
View File

@@ -0,0 +1,247 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Core\Acl\Cache\Clearer as AclCacheClearer;
use Espo\Core\ApplicationState;
use Espo\Core\Authentication\Oidc\ConfigDataProvider;
use Espo\Core\Field\LinkMultiple;
use Espo\Core\Name\Field;
use Espo\Core\Utils\Config;
use Espo\Core\Utils\PasswordHash;
use Espo\Core\Utils\Util;
use Espo\Entities\User;
use RuntimeException;
class Sync
{
public function __construct(
private UsernameValidator $usernameValidator,
private Config $config,
private ConfigDataProvider $configDataProvider,
private UserRepository $userRepository,
private PasswordHash $passwordHash,
private AclCacheClearer $aclCacheClearer,
private ApplicationState $applicationState,
) {}
public function createUser(UserInfo $userInfo): User
{
$username = $this->getUsernameFromToken($userInfo);
$this->usernameValidator->validate($username);
$user = $this->userRepository->getNew();
$user->setType(User::TYPE_REGULAR);
$user->setUserName($username);
$user->setMultiple([
'password' => $this->passwordHash->hash(Util::generatePassword(10, 4, 2, true)),
]);
$user->set($this->getUserDataFromToken($userInfo));
$user->set($this->getUserTeamsDataFromToken($userInfo));
if ($this->applicationState->isPortal()) {
$portalId = $this->applicationState->getPortalId();
$user->setType(User::TYPE_PORTAL);
$user->setPortals(LinkMultiple::create()->withAddedId($portalId));
}
$this->userRepository->save($user);
return $user;
}
public function syncUser(User $user, UserInfo $payload): void
{
$username = $this->getUsernameFromToken($payload);
$this->usernameValidator->validate($username);
if ($user->getUserName() !== $username) {
throw new RuntimeException("Could not sync user. Username mismatch.");
}
if ($this->configDataProvider->sync()) {
$user->set($this->getUserDataFromToken($payload));
}
$clearAclCache = false;
if ($this->configDataProvider->syncTeams()) {
$user->loadLinkMultipleField(Field::TEAMS);
$user->set($this->getUserTeamsDataFromToken($payload));
$clearAclCache = $user->isAttributeChanged('teamsIds');
}
$this->userRepository->save($user);
if ($clearAclCache) {
$this->aclCacheClearer->clearForUser($user);
}
}
/**
* @return array<string, mixed>
*/
private function getUserDataFromToken(UserInfo $userInfo): array
{
return [
'emailAddress' => $userInfo->get('email'),
'phoneNumber' => $userInfo->get('phone_number'),
'emailAddressData' => null,
'phoneNumberData' => null,
'firstName' => $userInfo->get('given_name'),
'lastName' => $userInfo->get('family_name'),
'middle_name' => $userInfo->get('middle_name'),
'gender' =>
in_array($userInfo->get('gender'), ['male', 'female']) ?
ucfirst($userInfo->get('gender') ?? '') :
null,
];
}
/**
* @return array<string, mixed>
*/
private function getUserTeamsDataFromToken(UserInfo $userInfo): array
{
return [
'teamsIds' => $this->getTeamIdList($userInfo),
];
}
private function getUsernameFromToken(UserInfo $userInfo): string
{
$usernameClaim = $this->configDataProvider->getUsernameClaim();
if (!$usernameClaim) {
throw new RuntimeException("No OIDC username claim in config.");
}
$username = $userInfo->get($usernameClaim);
if (!$username) {
throw new RuntimeException("No username claim returned in token.");
}
if (!is_string($username)) {
throw new RuntimeException("Bad username claim returned in token.");
}
return $this->normalizeUsername($username);
}
/**
* @return string[]
*/
private function getTeamIdList(UserInfo $userInfo): array
{
$idList = $this->configDataProvider->getTeamIds() ?? [];
$columns = $this->configDataProvider->getTeamColumns() ?? (object) [];
if ($idList === []) {
return [];
}
$groupList = $this->getGroups($userInfo);
$resultIdList = [];
foreach ($idList as $id) {
$group = ($columns->$id ?? (object) [])->group ?? null;
if (!$group || in_array($group, $groupList)) {
$resultIdList[] = $id;
}
}
return $resultIdList;
}
/**
* @return string[]
*/
private function getGroups(UserInfo $userInfo): array
{
$groupClaim = $this->configDataProvider->getGroupClaim();
if (!$groupClaim) {
return [];
}
$value = $userInfo->get($groupClaim);
if (!$value) {
return [];
}
if (is_string($value)) {
return [$value];
}
if (!is_array($value)) {
return [];
}
$list = [];
foreach ($value as $item) {
if (is_string($item)) {
$list[] = $item;
}
}
return $list;
}
public function normalizeUsername(string $username): string
{
/** @var ?string $regExp */
$regExp = $this->config->get('userNameRegularExpression');
if (!$regExp) {
throw new RuntimeException("No `userNameRegularExpression` in config.");
}
$username = strtolower($username);
/** @var string $result */
$result = preg_replace("/$regExp/", '_', $username);
/** @var string */
return str_replace(' ', '_', $result);
}
}

49
application/Espo/Core/Authentication/Oidc/UserProvider/UserInfo.php Normal file
View File

@@ -0,0 +1,49 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Core\Authentication\Jwt\Token\Payload;
class UserInfo
{
/**
* @internal
* @param array<string, mixed> $data
*/
public function __construct(
private Payload $payload,
private array $data,
) {}
public function get(string $name): mixed
{
return $this->payload->get($name) ?? $this->data[$name] ?? null;
}
}

85
application/Espo/Core/Authentication/Oidc/UserProvider/UserRepository.php Normal file
View File

@@ -0,0 +1,85 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Core\FieldProcessing\EmailAddress\Saver as EmailAddressSaver;
use Espo\Core\FieldProcessing\PhoneNumber\Saver as PhoneNumberSaver;
use Espo\Core\FieldProcessing\Relation\LinkMultipleSaver;
use Espo\Core\FieldProcessing\Saver\Params as SaverParams;
use Espo\Core\Name\Field;
use Espo\Core\ORM\Repository\Option\SaveOption;
use Espo\Entities\User;
use Espo\ORM\EntityManager;
class UserRepository
{
public function __construct(
private EntityManager $entityManager,
private LinkMultipleSaver $linkMultipleSaver,
private EmailAddressSaver $emailAddressSaver,
private PhoneNumberSaver $phoneNumberSaver
) {}
public function getNew(): User
{
return $this->entityManager->getRDBRepositoryByClass(User::class)->getNew();
}
public function save(User $user): void
{
$this->entityManager->saveEntity($user, [
// Prevent `user` service being loaded by hooks.
SaveOption::SKIP_HOOKS => true,
SaveOption::KEEP_NEW => true,
SaveOption::KEEP_DIRTY => true,
]);
$saverParams = SaverParams::create()->withRawOptions(['skipLinkMultipleHooks' => true]);
$this->linkMultipleSaver->process($user, Field::TEAMS, $saverParams);
$this->linkMultipleSaver->process($user, 'portals', $saverParams);
$this->linkMultipleSaver->process($user, 'portalRoles', $saverParams);
$this->emailAddressSaver->process($user, $saverParams);
$this->phoneNumberSaver->process($user, $saverParams);
$user->setAsNotNew();
$user->updateFetchedValues();
$this->entityManager->refreshEntity($user);
}
public function findByUsername(string $username): ?User
{
return $this->entityManager
->getRDBRepositoryByClass(User::class)
->where(['userName' => $username])
->findOne();
}
}

53
application/Espo/Core/Authentication/Oidc/UserProvider/UsernameValidator.php Normal file
View File

@@ -0,0 +1,53 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Entities\User;
use Espo\ORM\EntityManager;
use RuntimeException;
class UsernameValidator
{
public function __construct(private EntityManager $entityManager) {}
public function validate(string $username): void
{
$maxLength = $this->entityManager
->getDefs()
->getEntity(User::ENTITY_TYPE)
->getAttribute('userName')
->getLength();
if ($maxLength && $maxLength < strlen($username)) {
throw new RuntimeException("Value in username claim exceeds max length of `$maxLength`. " .
"Increase maxLength parameter for User.userName field (up to 255).");
}
}
}