I am integrating Google Sign in with Open ID. The documentation says that I need to create an anti-forgery state token. I have read several references about CSRF (Sitepoint, StackOverflow, Shiflett) and a couple more. I can't finish understanding how I am supposed to implement this solution.
I am pretty sure that I haven't understood properly the concept but I am trying hard. This is the process that I have coded so far:
<?php session_start();
//INCLUDE PHP CLIENT LIBRARY
require_once 'vendor/autoload.php';
$scopes = array('email', 'profile');
// Create client object
$client = new Google_Client();
$client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/index.php');
$client->setAuthConfig("client.json");
$client->addScope($scopes);
$client->setAccessType("offline");
if( isset($_SESSION["access_token"]) && $_SESSION["access_token"]) {
if(isset($_SESSION['tokencsrf']) && $_SESSION['tokencsrf'] !== "") {
$client->setAccessToken($_SESSION["access_token"]);
if ($client->isAccessTokenExpired()) {
$refreshTokenTxt = "refreshToken.txt";
$tokenHandle = fopen($refreshTokenTxt, "r");
$refreshToken = fread($tokenHandle, filesize($refreshTokenTxt));
$client->refreshToken($refreshToken);
$_SESSION['access_token'] = $client->getAccessToken();
$client->setAccessToken($_SESSION["access_token"]);
}
$objOAuthService = new Google_Service_Oauth2($client);
$userData = $objOAuthService->userinfo->get();
var_dump($userData);
} else {
die(" --- INVALID CSRF! ---");
}
} else {
$_SESSION['tokencsrf'] = bin2hex(openssl_random_pseudo_bytes(16));
if( !isset($_GET["code"]) ){
$authUrl = $client->createAuthUrl();
header('Location: ' . filter_var($authUrl, FILTER_SANITIZE_URL));
} else {
$client->authenticate($_GET['code']);
$_SESSION['access_token'] = $client->getAccessToken();
$refreshTokenTxt = "refreshToken.txt";
if (!file_exists($refreshTokenTxt)) {
$tokenHandle = fopen($refreshTokenTxt, "w");
fwrite($tokenHandle, $_SESSION['access_token']["refresh_token"]);
}
$redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php';
header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL));
}
}
?>
Of course, this is a test script to see if this is the proper way of doing it. So far it works good but I am not sure if this is the correct way. I am kindly requesting support from someone that can confirm if this is ok to use or what changes can be suggested. For your valuable input, I am very thankful!
I feel so ashamed of myself right now. The documentation was very clear but my mind was not. The CSRF is implemented by passing the "state" parameter to the client object.
$state = bin2hex(openssl_random_pseudo_bytes(16));
$_SESSION["state"] = $state;
// Create client object
$client = new Google_Client();
$client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/index.php');
$client->setAuthConfig("client.json");
$client->addScope($scopes);
$client->setAccessType("offline");
$client->setState($state);
Then, after the authentication is done, just confirm the returned token is the same as in the session.
if( $_GET["state"] == $_SESSION["state"]) {
//do stuff here...
}