This package uses the PHP League's OAuth2 Client and this JWT Token Library to provide an OAuth2 OpenID Connect client.
The following versions of PHP are supported.
- PHP 7.4
- PHP 8.0 (coming soon, needs use
lcobucci\jwt:v4.1
)
You may test your OpenID Connect Client against bshaffer's demo oauth2 server.
<?php
$signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
$provider = new \OpenIDConnectClient\OpenIDConnectProvider([
'clientId' => 'demoapp',
'clientSecret' => 'demopass',
// the issuer of the identity token (id_token) this will be compared with what is returned in the token.
'idTokenIssuer' => 'brentertainment.com',
// Your server
'redirectUri' => 'http://example.com/your-redirect-url/',
'urlAuthorize' => 'http://brentertainment.com/oauth2/lockdin/authorize',
'urlAccessToken' => 'http://brentertainment.com/oauth2/lockdin/token',
'urlResourceOwnerDetails' => 'http://brentertainment.com/oauth2/lockdin/resource',
// Find the public key here: https://github.com/bshaffer/oauth2-demo-php/blob/master/data/pubkey.pem
// to test against brentertainment.com
'publicKey' => 'file:///myproj/data/public.key',
],
[
'signer' => $signer
]
);
// send the authorization request
if (empty($_GET['code'])) {
$redirectUrl = $provider->getAuthorizationUrl();
header(sprintf('Location: %s', $redirectUrl), true, 302);
return;
}
// receive authorization response
try {
$token = $provider->getAccessToken('authorization_code', [
'code' => $_GET['code']
]);
} catch (\OpenIDConnectClient\Exception\InvalidTokenException $e) {
$errors = $provider->getValidatorChain()->getMessages();
return;
}
$accessToken = $token->getToken();
$refreshToken = $token->getRefreshToken();
$expires = $token->getExpires();
$hasExpired = $token->hasExpired();
$idToken = $token->getIdToken();
$email = $idToken->claims()->get('email', false);
$allClaims = $idToken->claims();
An example client has been provided and can be found in the /example directory of this repository. To run the example you can utilize PHPs built-in web server.
$ php -S localhost:8081 client.php
Then open this link: http://localhost:8081/
This should send you to bshaffer's OAuth2 Live OpenID Connect Demo site.
The id_token is verified using the lcobucci/jwt library. You will need to pass the appropriate signer and publicKey to the OpenIdConnectProvider.
Via Composer
$ composer require steverhoades/oauth2-openid-connect-client
Some clock difference can be tolerated between the IdP and the SP by using the nbfToleranceSeconds
option in the
getAccessToken
method call.
<?php
...
// receive authorization response
try {
$token = $provider->getAccessToken('authorization_code', [
'code' => $_GET['code'],
//adds 60 seconds to currentTime to tolerate 1 minute difference in clocks between IdP and SP
'nbfToleranceSeconds' => 60
]);
} catch (\OpenIDConnectClient\Exception\InvalidTokenException $e) {
$errors = $provider->getValidatorChain()->getMessages();
return;
}
The MIT License (MIT). Please see License File for more information.
- add support for OpenID Connect Authentication Request Parameters
- add tests
- check implicit and hybrid flow support
- example endpoints showing usage