Merge branch 'master' into feat/events

Author: mariovalney

README.md

@@ -3,7 +3,7 @@
     <img src="https://img.shields.io/packagist/dt/vizir/laravel-keycloak-web-guard.svg" />
 </p>
 
-# Keycloak Web Guard for Laravel
+# [NEEDS A MAINTAINER] Keycloak Web Guard for Laravel
 
 This packages allow you authenticate users with [Keycloak Server](https://www.keycloak.org).
 
@@ -18,7 +18,7 @@ It works on front. For APIs we recommend [laravel-keycloak-guard](https://github
 
 This package was tested with:
 
-* Laravel: 5.8 / 7 / 8 / 9
+* Laravel: 5.8 / 7 / 8 / 9 / 10
 * Keycloak: 18.0.0
 
 Any other version is not guaranteed to work.
@@ -64,6 +64,18 @@ After publishing `config/keycloak-web.php` file, you can change the routes:
 ]
 ```
 
+The scope `openid` is always included, but if you need extra scopes you can add them as strings to the array:
+
+```php
+'scopes' => [],
+```
+
+Example:
+
+```php
+'scopes' => ['example_scope_1', 'example_scope_2'],
+```
+
 Change any value to change the URL.
 
 Other configurations can be changed to have a new default value, but we recommend to use `.env` file:

config/keycloak-web.php

@@ -73,4 +73,11 @@
     * @link http://docs.guzzlephp.org/en/stable/request-options.html
     */
    'guzzle_options' => [],
+
+    /**
+     * Keycloak optional scopes
+     *
+     * array of strings
+     */
+    'scopes' => [],
 ];

src/Auth/Guard/KeycloakWebGuard.php

@@ -22,10 +22,15 @@ class KeycloakWebGuard implements Guard
     protected $user;
 
     /**
-     * Constructor.
-     *
-     * @param Request $request
+     * @var UserProvider
+     */
+    protected $provider;
+
+    /**
+     * @var Request
      */
+    protected $request;
+
     public function __construct(UserProvider $provider, Request $request)
     {
         $this->provider = $provider;
@@ -41,7 +46,10 @@ public function check()
     {
         return (bool) $this->user();
     }
-    
+
+    /**
+     * @return bool
+     */
     public function hasUser()
     {
         return (bool) $this->user();
@@ -74,7 +82,7 @@ public function user()
     /**
      * Set the current user.
      *
-     * @param  \Illuminate\Contracts\Auth\Authenticatable  $user
+     * @param \Illuminate\Contracts\Auth\Authenticatable $user
      * @return void
      */
     public function setUser(?Authenticatable $user)
@@ -131,7 +139,7 @@ public function validate(array $credentials = [])
      * Try to authenticate the user
      *
      * @throws KeycloakCallbackException
-     * @return boolean
+     * @return bool
      */
     public function authenticate()
     {
@@ -166,7 +174,7 @@ public function authenticate()
      *
      * @param string $resource Default is empty: point to client_id
      *
-     * @return array
+     * @return bool|array
     */
     public function roles($resource = '')
     {
@@ -200,7 +208,7 @@ public function roles($resource = '')
      * @param array|string $roles
      * @param string $resource Default is empty: point to client_id
      *
-     * @return boolean
+     * @return bool
      */
     public function hasRole($roles, $resource = '')
     {

src/Auth/KeycloakAccessToken.php

@@ -85,7 +85,7 @@ public function getIdToken()
     /**
      * Check access token has expired
      *
-     * @return boolean
+     * @return bool
      */
     public function hasExpired()
     {
@@ -145,7 +145,7 @@ public function validateIdToken($claims)
     /**
      * Validate sub from ID token
      *
-     * @return boolean
+     * @return bool
      */
     public function validateSub($userSub)
     {

src/Auth/KeycloakWebUserProvider.php

@@ -84,4 +84,17 @@ public function validateCredentials(Authenticatable $user, array $credentials)
     {
         throw new \BadMethodCallException('Unexpected method [validateCredentials] call');
     }
+
+    /**
+     * Rehash the user's password if required and supported.
+     *
+     * @param  \Illuminate\Contracts\Auth\Authenticatable  $user
+     * @param  array  $credentials
+     * @param  bool  $force
+     * @return void
+     */
+    public function rehashPasswordIfRequired(UserContract $user, array $credentials, bool $force = false)
+    {
+        throw new \BadMethodCallException('Unexpected method [rehashPasswordIfRequired] call');
+    }
 }

src/Controllers/AuthController.php

@@ -3,6 +3,7 @@
 namespace Vizir\KeycloakWebGuard\Controllers;
 
 use Illuminate\Auth\Events\Logout;
+use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Routing\Controller;
 use Illuminate\Support\Facades\Auth;
@@ -14,7 +15,7 @@ class AuthController extends Controller
     /**
      * Redirect to login
      *
-     * @return view
+     * @return RedirectResponse
      */
     public function login()
     {
@@ -27,20 +28,22 @@ public function login()
     /**
      * Redirect to logout
      *
-     * @return view
+     * @return RedirectResponse
      */
     public function logout()
     {
         $url = KeycloakWeb::getLogoutUrl();
         KeycloakWeb::forgetToken();
+      
         event(new Logout(Auth::getDefaultDriver(), Auth()->user()));
+      
         return redirect($url);
     }
 
     /**
      * Redirect to register
      *
-     * @return view
+     * @return RedirectResponse
      */
     public function register()
     {
@@ -53,7 +56,7 @@ public function register()
      *
      * @throws KeycloakCallbackException
      *
-     * @return view
+     * @return RedirectResponse
      */
     public function callback(Request $request)
     {

src/KeycloakWebGuardServiceProvider.php

@@ -14,7 +14,6 @@
 use Vizir\KeycloakWebGuard\Middleware\KeycloakAuthenticated;
 use Vizir\KeycloakWebGuard\Middleware\KeycloakCan;
 use Vizir\KeycloakWebGuard\Middleware\KeycloakCanOne;
-use Vizir\KeycloakWebGuard\Models\KeycloakUser;
 use Vizir\KeycloakWebGuard\Services\KeycloakService;
 
 class KeycloakWebGuardServiceProvider extends ServiceProvider

src/Middleware/KeycloakCan.php

@@ -5,7 +5,6 @@
 use Closure;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Support\Facades\Auth;
-use Vizir\KeycloakWebGuard\Exceptions\KeycloakCanException;
 
 class KeycloakCan extends KeycloakAuthenticated
 {

src/Middleware/KeycloakCanOne.php

@@ -5,7 +5,6 @@
 use Closure;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Support\Facades\Auth;
-use Vizir\KeycloakWebGuard\Exceptions\KeycloakCanException;
 
 class KeycloakCanOne extends KeycloakAuthenticated
 {

src/Services/KeycloakService.php

@@ -11,19 +11,18 @@
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Route;
 use Vizir\KeycloakWebGuard\Auth\KeycloakAccessToken;
-use Vizir\KeycloakWebGuard\Auth\Guard\KeycloakWebGuard;
 
 class KeycloakService
 {
     /**
      * The Session key for token
      */
-    const KEYCLOAK_SESSION = '_keycloak_token';
+    public const KEYCLOAK_SESSION = '_keycloak_token';
 
     /**
      * The Session key for state
      */
-    const KEYCLOAK_SESSION_STATE = '_keycloak_state';
+    public const KEYCLOAK_SESSION_STATE = '_keycloak_state';
 
     /**
      * Keycloak URL
@@ -95,6 +94,11 @@ class KeycloakService
      */
     protected $httpClient;
 
+    /**
+     * @var array of strings
+     */
+    protected $scopes = ['openid'];
+
     /**
      * The Constructor
      * You can extend this service setting protected variables before call
@@ -133,6 +137,8 @@ public function __construct(ClientInterface $client)
             $this->redirectLogout = Config::get('keycloak-web.redirect_logout');
         }
 
+        $this->scopes = array_merge($this->scopes, Config::get('keycloak-web.scopes'));
+
         $this->state = $this->generateRandomState();
         $this->httpClient = $client;
     }
@@ -148,7 +154,7 @@ public function getLoginUrl()
     {
         $url = $this->getOpenIdValue('authorization_endpoint');
         $params = [
-            'scope' => 'openid',
+            'scope' => implode(' ', $this->scopes),
             'response_type' => 'code',
             'client_id' => $this->getClientId(),
             'redirect_uri' => $this->callbackUrl,
@@ -275,7 +281,7 @@ public function refreshAccessToken($credentials)
      * Invalidate Refresh
      *
      * @param  string $refreshToken
-     * @return array
+     * @return bool
      */
     public function invalidateRefreshToken($refreshToken)
     {
@@ -302,6 +308,7 @@ public function invalidateRefreshToken($refreshToken)
     /**
      * Get access token from Code
      * @param  array $credentials
+     * @throws Exception
      * @return array
      */
     public function getUserProfile($credentials)