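getLogoutUrl()); exit(); }

// Handle Keycloak Callback: exchange the authorization code for tokens, fetch the
// user's identity from Keycloak and check it against the local authorized list.
// Only a scalar `code` is accepted; an array (e.g. `?code[]=x`) falls through to
// the login page instead of being handed to the token exchange.
if (isset($_GET['code']) && is_string($_GET['code'])) {
    // NOTE(review): nothing here compares an OAuth2 `state` value from the callback
    // with one stored in the session, so a forged callback URL cannot be detected
    // (login CSRF). Confirm whether getLoginUrl()/getToken() cover this; if not,
    // add the check before calling getToken().
    $tokenData = $keycloak->getToken($_GET['code']);
    if ($tokenData && isset($tokenData['access_token'])) {
        $userInfo = $keycloak->getUserInfo($tokenData['access_token']);
        if ($userInfo && isset($userInfo['email'])) {
            $email = $userInfo['email'];

            // Verify user in MariaDB
            try {
                $pdo = new PDO(
                    "mysql:host=" . DB_HOST . ";dbname=" . DB_NAME . ";charset=utf8mb4",
                    DB_USER,
                    DB_PASS,
                    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
                );
            } catch (PDOException $e) {
                // Keep the driver message server-side: it can include the DSN, host
                // and DB user name, which must not be echoed to the browser.
                error_log('DB Connection failed: ' . $e->getMessage());
                die('Login is temporarily unavailable. Please try again later.');
            }

            $user = $keycloak->verifyUser($email, $pdo);
            if ($user) {
                $company = $user['company'] ?? '';
                $role = $user['role'] ?? 'user';

                // Issue a fresh session id on authentication so an id obtained
                // before login cannot be reused afterwards (session fixation).
                session_regenerate_id(true);

                $_SESSION['user_email'] = $email;
                $_SESSION['company'] = $company;
                $_SESSION['role'] = $role;
                header('Location: main.php');
                exit();
            } else {
                $message = 'Access Denied: User not found in authorized list.';
            }
        } else {
            $message = 'Failed to retrieve user information from Keycloak.';
        }
    } else {
        $message = 'Failed to authenticate with Keycloak.';
    }
}

// If already logged in, redirect to main
if (isset($_SESSION['user_email'])) {
    header('Location: main.php');
    exit();
}

// If no code and not logged in, show login page or redirect
// For better UX, we can show a "Login with SSO" button or auto-redirect.
// Let's show a simple page with a button to avoid infinite loops if configuration is wrong.
$loginUrl = $keycloak->getLoginUrl();
?>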