使用 Oauth2 通过 POST 进行 SSO Azure AD 身份验证 - PHP

Question

我已经编写了使用 Azure AD 登录的代码，它工作正常，但是当我将其重定向到下一页时，会话变量的值变空，我已粘贴代码以供参考。

$appid = "xxxxxxxxxxxx"; //(MASKING DATA FOR OBVIOUS REASONS)

$tennantid = "xxxxxxxxxxxx"; //(MASKING DATA FOR OBVIOUS REASONS)

$secret = "xxxxxxxxxxxx"; //(MASKING DATA FOR OBVIOUS REASONS)

$login_url = "https://login.microsoftonline.com/" . $tennantid . "/oauth2/v2.0/authorize";

session_start();
$_SESSION['state'] = session_id();
echo "MS OAuth2.0 Demo ";
if (isset($_SESSION['msatg'])) {
    echo "Authenticated " . $_SESSION["uname"] . "  ";
    echo 'Log Out';
} else {
    echo 'You can Log In with Microsoft';
}

if (isset($_GET['action']) && $_GET['action'] == 'login') {
    $params = array('client_id' => $appid, 'redirect_uri' => 'https://abc.xyz.com/sso/', 'response_type' => 'token', 'response_mode' => 'form_post', 'scope' => 'https://graph.microsoft.com/User.Read', 'state' => $_SESSION['state']);
    header('Location: ' . $login_url . '?' . http_build_query($params));
}
if (array_key_exists('access_token', $_POST)) {
    $_SESSION['t'] = $_POST['access_token'];
    $t = $_SESSION['t'];
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Authorization: Bearer ' . $t,
        'Content-type: application/json'
    ));
    curl_setopt($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/me/");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $rez = json_decode(curl_exec($ch), 1);


    if (array_key_exists('error', $rez)) {
        var_dump($rez);
        die();
    } else {
        $_SESSION['msatg'] = 1;  //auth and verified
        $_SESSION['uname'] = $rez["displayName"];
        $_SESSION['id'] = $rez["id"];
    }
    curl_close($ch);
    header('Location: https://abc.xyz.com/sso/welcome.php');
}

if (isset($_GET['action']) && $_GET['action'] == 'logout') {
    unset($_SESSION['msatg']);
    header('Location: https://abc.xyz.com/sso/');
}

当它被重定向到welcome.php页面时，当我var_dump $_SESSION时，它会给我一个空的会话数组；

我希望我的会话数据能够反映在welcome.php页面上

有人可以解释一下我做错了什么吗？

Answer 1

在这里，我使用了

ob_start()

和

ob_end_flush()

输出缓冲有时会干扰会话数据。

代码：

<?php
ob_start(); 

session_start();

$appid = "<client_id>"; 
$tennantid = "<tenant_id>"; 
$secret = "<client_secret>"; 
$login_url = "https://login.microsoftonline.com/" . $tennantid . "/oauth2/v2.0/authorize";

$_SESSION['state'] = session_id();

if (isset($_SESSION['msatg'])) {
    echo "Authenticated " . $_SESSION["uname"] . "  ";
    echo '<a href="?action=logout">Log Out</a>';
} else {
    echo "MS OAuth2.0 Demo ";
    echo '<a href="?action=login">Log In with Microsoft</a>';
}

if (isset($_GET['action']) && $_GET['action'] == 'login') {
    $params = array(
        'client_id' => $appid,
        'redirect_uri' => 'https://abc.xyz.com/sso/',
        'response_type' => 'token',
        'response_mode' => 'form_post',
        'scope' => 'https://graph.microsoft.com/User.Read',
        'state' => $_SESSION['state']
    );
    header('Location: ' . $login_url . '?' . http_build_query($params));
    exit();
}

if (isset($_POST['access_token'])) {
    $_SESSION['t'] = $_POST['access_token'];
    $t = $_SESSION['t'];

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Authorization: Bearer ' . $t,
        'Content-type: application/json'
    ));
    curl_setopt($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/me/");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $rez = json_decode(curl_exec($ch), true);

    if (isset($rez['error'])) {
        var_dump($rez);
        die();
    } else {
        $_SESSION['msatg'] = 1; 
        $_SESSION['uname'] = $rez["displayName"];
        $_SESSION['id'] = $rez["id"];
    }

    curl_close($ch);
    header('Location: https://abc.xyz.com/sso/welcome.php');
    exit();
}

if (isset($_GET['action']) && $_GET['action'] == 'logout') {
    unset($_SESSION['msatg']);
    header('Location: https://abc.xyz.com/sso/');
    exit();
}

ob_end_flush(); 
?>

我将以下 URL 添加到应用程序重定向 URL，如下所示，

enter image description here