From 19dba0bb7f3291dc6583908f545391d74f098b8f Mon Sep 17 00:00:00 2001
From: Tim van Dijen <>
Date: Fri, 8 Mar 2019 16:26:44 +0100
Subject: [PATCH] Externalize authwindowslive (#1061)

 bin/                          |   1 +
 composer.json                                 |   1 +
 modules/authwindowslive/default-disable       |   3 -
 modules/authwindowslive/docs/ |  22 ---
 .../lib/Auth/Source/LiveID.php                | 167 ------------------
 modules/authwindowslive/www/linkback.php      |  50 ------
 6 files changed, 2 insertions(+), 242 deletions(-)
 delete mode 100644 modules/authwindowslive/default-disable
 delete mode 100644 modules/authwindowslive/docs/
 delete mode 100644 modules/authwindowslive/lib/Auth/Source/LiveID.php
 delete mode 100644 modules/authwindowslive/www/linkback.php

diff --git a/bin/ b/bin/
index 6820c7a53..c1f0314e8 100755
--- a/bin/
+++ b/bin/
@@ -47,6 +47,7 @@ php "$TARGET/composer.phar" config version "$VERSION" -d "$TARGET"
 php "$TARGET/composer.phar" install --no-dev --prefer-dist -o -d "$TARGET"
 # Install external modules
+php "$TARGET/composer.phar" require --update-no-dev simplesamlphp/simplesamlphp-module-authwindowslive
 php "$TARGET/composer.phar" require --update-no-dev simplesamlphp/simplesamlphp-module-cdc
 php "$TARGET/composer.phar" require --update-no-dev simplesamlphp/simplesamlphp-module-memcookie
 php "$TARGET/composer.phar" require --update-no-dev simplesamlphp/simplesamlphp-module-oauth
diff --git a/composer.json b/composer.json
index ed30be3b5..47037914d 100644
--- a/composer.json
+++ b/composer.json
@@ -41,6 +41,7 @@
         "phpmailer/phpmailer": "^6.0",
         "robrichards/xmlseclibs": "^3.0",
         "simplesamlphp/saml2": "^3.3",
+        "simplesamlphp/simplesamlphp-module-authwindowslive": "^1.0",
         "simplesamlphp/simplesamlphp-module-cdc": "^1.0",
         "simplesamlphp/simplesamlphp-module-memcookie": "^1.2",
         "simplesamlphp/simplesamlphp-module-oauth": "^1.0",
diff --git a/modules/authwindowslive/default-disable b/modules/authwindowslive/default-disable
deleted file mode 100644
index fa0bd82e2..000000000
--- a/modules/authwindowslive/default-disable
+++ /dev/null
@@ -1,3 +0,0 @@
-This file indicates that the default state of this module
-is disabled. To enable, create a file named enable in the
-same directory as this file.
diff --git a/modules/authwindowslive/docs/ b/modules/authwindowslive/docs/
deleted file mode 100644
index b80116cf3..000000000
--- a/modules/authwindowslive/docs/
+++ /dev/null
@@ -1,22 +0,0 @@
-Using the Windows Live ID authentication source with SimpleSAMLphp
-This module works around the limitation in Microsoft Online/Azure OIDC implementation of not supplying the OIDC userinfo endpoint.
-Microsoft explains the omission by suggesting that the Graph API can produce anything userinfo would have brought, in place.
-Remember to configure `authsources.php`, with both your Client ID and Secret key.
-To get an API key and a secret, register the application at:
- * <>
- * <>
-## Testing authentication
-On the SimpleSAMLphp frontpage, go to the *Authentication* tab, and use the link:
-  * *Test configured authentication sources*
-Then choose the *windowsliveid* authentication source.
-Expected behaviour would then be that you are sent to Windows Live ID and asked to login.
diff --git a/modules/authwindowslive/lib/Auth/Source/LiveID.php b/modules/authwindowslive/lib/Auth/Source/LiveID.php
deleted file mode 100644
index 1b64be62f..000000000
--- a/modules/authwindowslive/lib/Auth/Source/LiveID.php
+++ /dev/null
@@ -1,167 +0,0 @@
-namespace SimpleSAML\Module\authwindowslive\Auth\Source;
- * Authenticate using LiveID.
- *
- * @author Brook Schofield, TERENA.
- * @author Guy Halse, TENET.
- * @package SimpleSAMLphp
- */
-class LiveID extends \SimpleSAML\Auth\Source
-    /**
-     * The string used to identify our states.
-     */
-    const STAGE_INIT = 'authwindowslive:init';
-    /**
-     * The key of the AuthId field in the state.
-     */
-    const AUTHID = 'authwindowslive:AuthId';
-    /** @var string */
-    private $key;
-    /** @var string */
-    private $secret;
-    /**
-     * Constructor for this authentication source.
-     *
-     * @param array $info  Information about this authentication source.
-     * @param array $config  Configuration.
-     *
-     * @throws \Exception In case of misconfiguration.
-     */
-    public function __construct($info, $config)
-    {
-        assert(is_array($info));
-        assert(is_array($config));
-        // Call the parent constructor first, as required by the interface
-        parent::__construct($info, $config);
-        if (!array_key_exists('key', $config)) {
-            throw new \Exception('LiveID authentication source is not properly configured: missing [key]');
-        }
-        $this->key = $config['key'];
-        if (!array_key_exists('secret', $config)) {
-            throw new \Exception('LiveID authentication source is not properly configured: missing [secret]');
-        }
-        $this->secret = $config['secret'];
-    }
-    /**
-     * Log-in using LiveID platform
-     *
-     * @param array &$state  Information about the current authentication.
-     * @return void
-     */
-    public function authenticate(&$state)
-    {
-        assert(is_array($state));
-        // we are going to need the authId in order to retrieve this authentication source later
-        $state[self::AUTHID] = $this->authId;
-        $stateID = \SimpleSAML\Auth\State::saveState($state, self::STAGE_INIT);
-        \SimpleSAML\Logger::debug('authwindowslive auth state id = '.$stateID);
-        // authenticate the user
-        // documentation at:
-        //
-        $authorizeURL = ''.
-            '?client_id='.$this->key.
-            '&response_type=code'.
-            '&response_mode=query'.
-            '&redirect_uri='.urlencode(\SimpleSAML\Module::getModuleURL('authwindowslive').'/linkback.php').
-            '&state='.urlencode($stateID).
-            '&scope='.urlencode('openid')
-        ;
-        \SimpleSAML\Utils\HTTP::redirectTrustedURL($authorizeURL);
-    }
-    /**
-     * @param array &$state
-     * @return void
-     * @throws \Exception
-     */
-    public function finalStep(&$state)
-    {
-        \SimpleSAML\Logger::debug(
-            "authwindowslive oauth: Using this verification code [".$state['authwindowslive:verification_code']."]"
-        );
-        // retrieve Access Token
-        // documentation at:
-        //
-        $postData = 'client_id='.urlencode($this->key).
-            '&client_secret='.urlencode($this->secret).
-            '&scope='.urlencode('').
-            '&grant_type=authorization_code'.
-            '&redirect_uri='.urlencode(\SimpleSAML\Module::getModuleURL('authwindowslive').'/linkback.php').
-            '&code='.urlencode($state['authwindowslive:verification_code']);
-        $context = [
-            'http' => [
-                'method' => 'POST',
-                'header' => 'Content-type: application/x-www-form-urlencoded',
-                'content' => $postData,
-            ],
-        ];
-        $result = \SimpleSAML\Utils\HTTP::fetch('', $context);
-        $response = json_decode($result, true);
-        // error checking of $response to make sure we can proceed
-        if (!array_key_exists('access_token', $response)) {
-            throw new \Exception(
-                '['.$response['error'].'] '.$response['error_description'].
-                "\r\nNo access_token returned - cannot proceed\r\n".implode(', ', $response['error_codes'])
-            );
-        }
-        \SimpleSAML\Logger::debug(
-            "authwindowslive: Got an access token from the OAuth service provider [".$response['access_token']."]"
-        );
-        // documentation at:
-        $opts = [
-            'http' => ['header' => "Accept: application/json\r\nAuthorization: Bearer ".
-                $response['access_token']."\r\n"]
-        ];
-        $data = \SimpleSAML\Utils\HTTP::fetch('', $opts);
-        $userdata = json_decode($data, true);
-        // this is the simplest case
-        if (!array_key_exists('@odata.context', $userdata) || array_key_exists('error', $userdata)) {
-            throw new \Exception(
-                'Unable to retrieve userdata from Microsoft Graph ['.$userdata['error']['code'].'] '.
-                $userdata['error']['message']
-            );
-        }
-        $attributes = [];
-        $attributes['windowslive_targetedID'] = [
-            '!'.(!empty($userdata['id']) ? $userdata['id'] : 'unknown')
-        ];
-        foreach ($userdata as $key => $value) {
-            if (is_string($value)) {
-                $attributes['windowslive.'.$key] = [(string) $value];
-            }
-        }
-        \SimpleSAML\Logger::debug('LiveID Returned Attributes: '.implode(", ", array_keys($attributes)));
-        $state['Attributes'] = $attributes;
-    }
diff --git a/modules/authwindowslive/www/linkback.php b/modules/authwindowslive/www/linkback.php
deleted file mode 100644
index 3800cd180..000000000
--- a/modules/authwindowslive/www/linkback.php
+++ /dev/null
@@ -1,50 +0,0 @@
- * Handle linkback() response from Windows Live ID.
- */
-if (!array_key_exists('state', $_REQUEST)) {
-    throw new \Exception('Lost OAuth Client State');
-$state = \SimpleSAML\Auth\State::loadState(
-    $_REQUEST['state'],
-    \SimpleSAML\Module\authwindowslive\Auth\Source\LiveID::STAGE_INIT
-if (array_key_exists('code', $_REQUEST)) {
-    // good
-    $state['authwindowslive:verification_code'] = $_REQUEST['code'];
-    if (array_key_exists('exp', $_REQUEST)) {
-        $state['authwindowslive:exp'] = $_REQUEST['exp'];
-    }
-} else {
-    // In the OAuth WRAP service, error_reason = 'user_denied' means user chose
-    // not to login with LiveID. It isn't clear that this is still true in the
-    // newer API, but the parameter name has changed to error. It doesn't hurt
-    // to preserve support for this, so this is left in as a placeholder.
-    // redirect them to their original page so they can choose another auth mechanism
-    if ($_REQUEST['error'] === 'user_denied') {
-        $e = new \SimpleSAML\Error\UserAborted();
-        \SimpleSAML\Auth\State::throwException($state, $e);
-    }
-    // error
-    throw new \Exception('Authentication failed: ['.$_REQUEST['error'].'] '.$_REQUEST['error_description']);
-// find authentication source
-assert(array_key_exists(\SimpleSAML\Module\authwindowslive\Auth\Source\LiveID::AUTHID, $state));
-$sourceId = $state[\SimpleSAML\Module\authwindowslive\Auth\Source\LiveID::AUTHID];
-/** @var \SimpleSAML\Module\authwindowslive\Auth\Source\LiveID|null $source */
-$source = \SimpleSAML\Auth\Source::getById($sourceId);
-if ($source === null) {
-    throw new \Exception('Could not find authentication source with id '.$sourceId);