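isLoggedIn()) {
            // NOTE(review): the start of this condition (and the enclosing function/class
            // header) lies outside the visible part of the file; it is reproduced as found.
            header('Location: ' . BASEURL . '/');
            exit;
        }

        // OIDC login endpoint: runs the authorization-code flow against the configured
        // provider, maps the returned email address to a local Member, logs that member
        // in and redirects to the page originally requested.

        // Decides whether a post-login redirect target stays inside this application.
        // Accepted: absolute URLs under BASEURL, or site-relative paths with exactly one
        // leading slash. Everything else (other hosts, scheme-relative "//host", values
        // containing control characters or backslashes) is refused, so the login endpoint
        // cannot be used to bounce a freshly authenticated user to an arbitrary site.
        $isSafeRedirect = static function ($url) {
            if (!is_string($url) || $url === '') {
                return false;
            }
            // Control characters would corrupt the Location header; browsers normalise "\" to "/".
            if (preg_match('/[\x00-\x1F\x7F\\\\]/', $url)) {
                return false;
            }
            // Scheme-relative URLs ("//other.host/...") leave the site.
            if (strncmp($url, '//', 2) === 0) {
                return false;
            }
            // The trailing slash matters: it stops "BASEURL.other.host" from matching.
            if (strncmp($url, BASEURL . '/', strlen(BASEURL) + 1) === 0) {
                return true;
            }
            return $url[0] === '/';
        };

        // Store redirect URL in session before OIDC flow.
        // The parameter is request-controlled, so it is validated before it is kept;
        // is_string() also guards against "redirect[]=" array input.
        if (isset($_GET['redirect']) && is_string($_GET['redirect'])) {
            $requestedRedirect = base64_decode($_GET['redirect']);
            if ($isSafeRedirect($requestedRedirect)) {
                $_SESSION['oidc_redirect_url'] = $requestedRedirect;
            }
        }

        $oidc = new OpenIDConnectClient(OIDC_PROVIDER_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET);
        $oidc->setRedirectURL(BASEURL . '/oidclogin/');
        $oidc->addScope(['openid', 'email']);

        try {
            $oidc->authenticate();
        } catch (\Exception $e) {
            // Keep the detail in the server log only: the exception text may carry
            // provider-supplied content and should not be echoed to an unauthenticated
            // visitor through the login flash message.
            error_log('OIDC authentication failed: ' . $e->getMessage());
            $_SESSION['login_msg'] = ['', 'OIDC authentication failed.', 'danger'];
            header('Location: ' . BASEURL . '/login/');
            exit;
        }

        // NOTE(review): the email claim alone selects the local account. If the provider
        // allows unverified or user-editable addresses, also require the "email_verified"
        // claim (or match on the stable "sub" claim) before trusting it — confirm against
        // the provider's configuration.
        $email = $oidc->requestUserInfo('email');
        if (empty($email)) {
            $_SESSION['login_msg'] = ['', 'No email address received from OIDC provider.', 'danger'];
            header('Location: ' . BASEURL . '/login/');
            exit;
        }

        $user = Member::fromEmailAddress($email);
        if ($user === null || $user === false) {
            $_SESSION['login_msg'] = ['', 'No account found for this email address. Please contact an administrator.', 'danger'];
            header('Location: ' . BASEURL . '/login/');
            exit;
        }

        // Issue a fresh session id at the privilege change so that an id known before
        // authentication cannot be reused afterwards (session fixation).
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['user_id'] = $user->getUserId();

        if (!empty($_SESSION['oidc_redirect_url'])) {
            $redirect = $_SESSION['oidc_redirect_url'];
            unset($_SESSION['oidc_redirect_url']);
            // Re-check at the point of use in case the session value was written elsewhere.
            if (!$isSafeRedirect($redirect)) {
                $redirect = BASEURL . '/';
            }
            header('Location: ' . $redirect);
        } elseif (!empty($_SESSION['login_url'])) {
            // NOTE(review): login_url is set outside this block; confirm it is never
            // derived from unvalidated request input, or validate it the same way.
            $redirect = $_SESSION['login_url'];
            unset($_SESSION['login_url']);
            header('Location: ' . $redirect);
        } else {
            header('Location: ' . BASEURL . '/');
        }
        exit;
    }
}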