diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -340,6 +340,7 @@
 'PhutilOpaqueEnvelope' => 'error/PhutilOpaqueEnvelope.php',
 'PhutilOpaqueEnvelopeKey' => 'error/PhutilOpaqueEnvelopeKey.php',
 'PhutilOpaqueEnvelopeTestCase' => 'error/__tests__/PhutilOpaqueEnvelopeTestCase.php',
+ 'PhutilOpenIDConnectAuthAdapter' => 'auth/PhutilOpenIDConnectAuthAdapter.php',
 'PhutilPHPCodeSnippetContextFreeGrammar' => 'grammar/code/PhutilPHPCodeSnippetContextFreeGrammar.php',
 'PhutilPHPFragmentLexer' => 'lexer/PhutilPHPFragmentLexer.php',
 'PhutilPHPFragmentLexerHighlighterTestCase' => 'markup/syntax/highlighter/__tests__/PhutilPHPFragmentLexerHighlighterTestCase.php',
@@ -904,7 +905,7 @@
 'PhutilGitHubResponse' => 'Phobject',
 'PhutilGitURI' => 'Phobject',
 'PhutilGitURITestCase' => 'PhutilTestCase',
- 'PhutilGoogleAuthAdapter' => 'PhutilOAuthAuthAdapter',
+ 'PhutilGoogleAuthAdapter' => 'PhutilOpenIDConnectAuthAdapter',
 'PhutilHTTPEngineExtension' => 'Phobject',
 'PhutilHTTPResponse' => 'Phobject',
 'PhutilHTTPResponseParser' => 'Phobject',
@@ -988,6 +989,7 @@
 'PhutilOpaqueEnvelope' => 'Phobject',
 'PhutilOpaqueEnvelopeKey' => 'Phobject',
 'PhutilOpaqueEnvelopeTestCase' => 'PhutilTestCase',
+ 'PhutilOpenIDConnectAuthAdapter' => 'PhutilOAuthAuthAdapter',
 'PhutilPHPCodeSnippetContextFreeGrammar' => 'PhutilCLikeCodeSnippetContextFreeGrammar',
 'PhutilPHPFragmentLexer' => 'PhutilLexer',
 'PhutilPHPFragmentLexerHighlighterTestCase' => 'PhutilTestCase',
diff --git a/src/auth/PhutilGoogleAuthAdapter.php b/src/auth/PhutilGoogleAuthAdapter.php
--- a/src/auth/PhutilGoogleAuthAdapter.php
+++ b/src/auth/PhutilGoogleAuthAdapter.php
@@ -1,9 +1,9 @@
 getOAuthAccountData('emails', array());
- foreach ($emails as $email) {
- if (idx($email, 'type') == 'account') {
- return idx($email, 'value');
- }
+ $email = $this->getOAuthAccountData('email', null);
+
+ if ($email != null) {
+ return $email;
 }
 throw new Exception(
 pht(
- 'Expected to retrieve an "account" email from Google Plus API call '.
+ 'Expected to retrieve an "account" email from Google API call '.
 'to identify account, but failed.'));
 }
@@ -40,18 +39,17 @@
 }
 public function getAccountImageURI() {
- $image = $this->getOAuthAccountData('image', array());
- $uri = idx($image, 'url');
+ $image_uri = $this->getOAuthAccountData('picture', null);
 // Change the "sz" parameter ("size") from the default to 100 to ask for
 // a 100x100px image.
- if ($uri !== null) {
- $uri = new PhutilURI($uri);
- $uri->setQueryParam('sz', 100);
- $uri = (string)$uri;
+ if ($image_uri !== null) {
+ $image_uri = new PhutilURI($image_uri);
+ $image_uri->setQueryParam('sz', 100);
+ $image_uri = (string)$image_uri;
 }
- return $uri;
+ return $image_uri;
 }
 public function getAccountURI() {
@@ -65,10 +63,8 @@
 // this should work to unbreak logins.
 $parts = array();
- $parts[] = idx($name, 'givenName');
- unset($name['givenName']);
- $parts[] = idx($name, 'familyName');
- unset($name['familyName']);
+ $parts[] = $this->getOAuthAccountData('given_name', array());
+ $parts[] = $this->getOAuthAccountData('family_name', array());
 $parts = array_merge($parts, $name);
 $parts = array_filter($parts);
@@ -105,8 +101,8 @@
 }
 protected function loadOAuthAccountData() {
- $uri = new PhutilURI('https://www.googleapis.com/plus/v1/people/me');
- $uri->setQueryParam('access_token', $this->getAccessToken());
+ $uri = new PhutilURI('https://oauth2.googleapis.com/tokeninfo');
+ $uri->setQueryParam('id_token', $this->getIdToken());
 $future = new HTTPSFuture($uri);
 list($status, $body) = $future->resolve();
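Review bot: The new lookup returns the `email` claim without consulting the `email_verified` claim that the same tokeninfo response carries, so an address Google has not verified would be used to identify the account, whereas the removed Google+ loop only accepted the `account`-typed email. Gate on it, e.g. `$verified = $this->getOAuthAccountData('email_verified', null);` and `if ($email !== null && ($verified === true || $verified === 'true')) {` — the tokeninfo endpoint tends to serialize claims as strings, so confirm the representation before settling on the comparison. `$email != null` is also a loose comparison that treats `''` and `'0'` as null; `$email !== null` (or `strlen($email)`) matches the codebase's usual idiom. The start of this hunk, including the method signature, is garbled in the visible text, so the surrounding method could not be reviewed.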
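Review bot: `array_merge($parts, $name)` still treats `$name` as an array, but in an ID-token/tokeninfo response the `name` claim is a single string; if the assignment above this hunk still reads the `name` field with an array default, the merge will fail (TypeError on PHP 8, warning and `null` on PHP 7) and break every login that reaches this method — worth confirming since that line is outside the hunk. The `array()` defaults on the two added lines are also odd for string claims; `null` is the natural absent value and is dropped by the following `array_filter()` just the same: `$parts[] = $this->getOAuthAccountData('given_name', null);` and `$parts[] = $this->getOAuthAccountData('family_name', null);`. The enclosing method starts and ends outside the hunk.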
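Review bot: Switching to the `tokeninfo` endpoint with `id_token` delegates signature and expiry validation to Google, but the response's `aud` claim still has to be compared with this install's Application ID by the body parsing below the hunk; the endpoint does not perform that check for the caller, so if it is absent there the parsed claims should not be trusted yet. If the check exists, a comment on the `setQueryParam('id_token', ...)` line such as `// tokeninfo verifies signature/expiry only; 'aud' is matched against the client ID when the body is parsed.` would record the contract; if not, add it where the body is decoded. `getIdToken()` presumably yields `null` when the token response carries no `id_token` (for instance when the requested scopes omit `openid`), in which case the request goes out with an empty parameter and only fails on the HTTP status; failing early with a descriptive exception would make that misconfiguration easier to diagnose. `loadOAuthAccountData()` continues outside the hunk.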
@@ -150,20 +146,9 @@
 if ($domain == 'usageLimits' && $reason == 'accessNotConfigured') {
 throw new PhutilAuthConfigurationException(
 pht(
- 'Google returned an "%s" error. This usually means you need to '.
- 'enable the "Google+ API" in your Google Cloud Console, under '.
- '"APIs".'.
- "\n\n".
- 'Around March 2014, Google made some API changes which require this '.
- 'configuration adjustment.'.
- "\n\n".
- 'Normally, you can resolve this issue by going to %s, then '.
- 'clicking "API Project", then "APIs & auth", then turning the '.
- '"Google+ API" on. The names you see on the console may be '.
- 'different depending on how your integration is set up. If you '.
- 'are not sure, you can hunt through the projects until you find '.
- 'the one associated with the right Application ID under '.
- '"Credentials". The Application ID this install is using is "%s".'.
+ 'Google returned an "%s" error.'.
+ 'You can try checking the configuration on %s.'.
+ 'The Application ID this install is using is "%s".'.
 "\n\n".
 '(If you are unable to log into Phabricator, you can use '.
 '"%s" to recover access to an administrator account.)'.
diff --git a/src/auth/PhutilOpenIDConnectAuthAdapter.php b/src/auth/PhutilOpenIDConnectAuthAdapter.php
new file mode 100644
--- /dev/null
+++ b/src/auth/PhutilOpenIDConnectAuthAdapter.php
@@ -0,0 +1,17 @@
+getAccessTokenData('id_token');
+ }
+}
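Review bot: The three added string fragments are concatenated without separating spaces, so the rendered message reads `...error.You can try checking the configuration on ....The Application ID...`. Add a trailing space inside the first two literals: `'Google returned an "%s" error. '.` and `'You can try checking the configuration on %s. '.` — the third literal is followed by the existing `"\n\n"` and needs no change. The `pht()` call and its argument list continue outside the hunk; the placeholder count (three `%s` before the blank line, one after) matches the removed text, so the arguments should still line up.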