Index: openacs-4/packages/xooauth/www/azure-login-handler.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xooauth/www/Attic/azure-login-handler.tcl,v
diff -u -N -r1.1.2.2 -r1.1.2.3
--- openacs-4/packages/xooauth/www/azure-login-handler.tcl 4 May 2023 17:09:03 -0000 1.1.2.2
+++ openacs-4/packages/xooauth/www/azure-login-handler.tcl 8 May 2023 17:37:52 -0000 1.1.2.3
@@ -1,27 +1,47 @@ -set title "Azure Interface" +ad_page_contract { + Azure landing page for OAuth authorization + + @author Gustaf Neumann +} + +set auth_obj ::ms::azure + +if {![nsf::is object $auth_obj]} { + set error "Authorization object '$auth_obj' was not configured" + set name Azure + set title "$name Authorization" + return +} + set swa_p [acs_user::site_wide_admin_p] +set name [$auth_obj name] +set title "$name Authorization" -set login_url [ms::azure login_url] -set logout_url [ms::azure logout_url] +set login_url [$auth_obj login_url] +set logout_url [$auth_obj logout_url] +set data "" if {[ns_queryget id_token] ne ""} { - set data [ms::azure perform_login] + set data [$auth_obj perform_login -token [ns_queryget id_token]] +} - if {[dict exists $data user_id] && [dict get $data user_id] > 0} { - # - # Login was performed, just redirect to the right place. - # - set redirect_url [ns_queryget state \ - [ms::azure cget -after_successful_login_url]] - if {[string range $redirect_url 0 0] eq "/"} { - ad_returnredirect $redirect_url - } else { - ns_log warning "Azure redirect URL looks suspicious: '$redirect_url'" - } - ad_script_abort +if {![$auth_obj cget -debug] + && [dict exists $data user_id] + && [dict get $data user_id] > 0 +} { + # + # Login was performed, just redirect to the right place. + # + # We can use "state" on Azure as redirect URL (since it has a + # nonce) + set redirect_url [ns_queryget state \ + [$auth_obj cget -after_successful_login_url]] + if {[string range $redirect_url 0 0] eq "/"} { + ad_returnredirect $redirect_url + } else { + ns_log warning "Azure redirect URL looks suspicious: '$redirect_url'" } -} else { - set data "" + ad_script_abort } if {1 || $swa_p} { 
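Review bot: The redirect guard `[string range $redirect_url 0 0] eq "/"` also passes values such as `//host/path` or `/\host`, which browsers resolve to another origin, and `redirect_url` is taken straight from the `state` request parameter. Unless `ad_returnredirect` rejects such targets itself (not visible here), tighten the test to `if {[regexp {^/([^/\\]|$)} $redirect_url]} {`. The added comment says `state` is usable as a redirect URL because it carries a nonce, but nothing in this hunk compares `state` with a stored value, so the comment should point to where that check happens. In the rejected case the script logs and then reaches `ad_script_abort` without sending a response; falling back to the configured `-after_successful_login_url` would avoid an empty page after a successful login.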
@@ -35,10 +55,11 @@ if {[dict exists $data claims]} { set claims [dict get $data claims] + dict unset data claims } - set form_data [ns_set array [ns_conn form]] - set cooked_data [join [lmap {k v} $form_data { set _ "$k: $v" }] "\n"] + set data [dict merge $data [ns_set array [ns_conn form]]] + set cooked_data [join [lmap {k v} $data { set _ "$k: $v" }] "\n"] } if {[dict exists $data error]} { @@ -47,7 +68,7 @@ # error cases. # #ad_returnredirect -allow_complete_url [:logout_url] - ns_http run [ms::azure logout_url] + $auth_obj logout set error [dict get $data error] }
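Review bot: `dict merge $data [ns_set array [ns_conn form]]` gives the request parameters precedence over the fields returned by `perform_login`, so a request can overwrite or inject keys such as `error` in `data`; `set data [dict merge [ns_set array [ns_conn form]] $data]` keeps the login result authoritative. Because the `error` test in the third hunk reads the same dict, a request carrying only an `error` parameter appears to reach `$auth_obj logout`. `cooked_data` now also renders the login result next to the posted form fields (which include `id_token`), and the guard that seems to enclose this block, `if {1 || $swa_p} {` at the end of the first hunk, is always true; `if {$swa_p} {` would limit the dump to site-wide admins. The enclosing block starts outside this hunk, so the nesting should be confirmed against the full file.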