/OpenID-Connect-PHP

Minimalist OpenID Connect client

Primary LanguagePHPApache License 2.0Apache-2.0

PHP OpenID Connect Basic Client

Latest Stable Version Latest Unstable Version PHP Version Require

A simple library that allows an application to authenticate a user through the basic OpenID Connect flow. This library hopes to encourage OpenID Connect use by making it simple enough for a developer with little knowledge of the OpenID Connect protocol to setup authentication.

This is a fork of jumbojett/OpenID-Connect-PHP

Jumbojett`s library is great, but lacks of some features, proper testing, and it is not ready for new PHP versions. So I created this fork. This fork requires PHP 7.0 or greater, if you need to use older PHP version, please use original version.

Most important changes:

  • Added support for elliptic curve (EC) JWT token signature algorithms, that are faster than RSA signatures
  • Added support for client_secret_jwt and private_key_jwt authentication methods to token endpoint, that are more secure that traditional method
  • JWT ID Token Validation compliant to OpenID Connect standard
  • Much higher code coverage by unit tests
  • A lot of small optimisations and fixes

A special thanks goes to Michael Jett, original author of this library and Justin Richer and Amanda Anganes for their help and support of the protocol.

Requirements

  1. PHP 7.0 or greater
  2. CURL extension
  3. JSON extension
  4. APCu for caching (optional)

Install

  1. Install library using composer
composer require jakub-onderka/openid-connect-php
  1. Include composer autoloader
require __DIR__ . '/vendor/autoload.php';

Example 1: Basic Client

use JakubOnderka\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');

See openid spec for available user attributes

Example 2: Dynamic Registration

use JakubOnderka\OpenIDConnectClient;

$oidc = new OpenIDConnectClient("https://id.provider.com");

$response = $oidc->register("Client Name");
$clientID = $response->client_id;
$clientSecret = $response->client_secret;

// Be sure to add logic to store the client id and client secret

Example 3: Network and Security

// Configure a proxy
$oidc->setHttpProxy("http://my.proxy.com:80/");

// Configure a cert
$oidc->setCertPath("/path/to/my.cert");

Example 4: Request Client Credentials Token

use JakubOnderka\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->providerConfigParam(['token_endpoint' => 'https://id.provider.com/connect/token']);
$oidc->addScope('my_scope');

// This assumes success (to validate check if the access_token property is there and a valid JWT):
$clientCredentialsToken = $oidc->requestClientCredentialsToken()->access_token;

Example 5: Request Resource Owners Token (with client auth)

use JakubOnderka\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com', 'ClientIDHere','ClientSecretHere');
$oidc->providerConfigParam(['token_endpoint' => 'https://id.provider.com/connect/token']);
$oidc->addScope('my_scope');

// Add username and password
$oidc->addAuthParam([
  'username' => '<Username>',
  'password' => '<Password>',
]);

// Perform the auth and return the token (to validate check if the access_token property is there and a valid JWT):
$token = $oidc->requestResourceOwnerToken(true)->access_token;

Example 6: Basic client for implicit flow e.g. with Azure AD B2C

See https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth

use JakubOnderka\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->setResponseTypes(['id_token']);
$oidc->addScope(['openid']);
$oidc->setAllowImplicitFlow(true);
$oidc->addAuthParam(['response_mode' => 'form_post']);
$oidc->setCertPath('/path/to/my.cert');
$oidc->authenticate();
$sub = $oidc->getVerifiedClaims('sub');

Example 7: Introspection of access token

See https://tools.ietf.org/html/rfc7662

use JakubOnderka\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com', 'ClientIDHere', 'ClientSecretHere');
$data = $oidc->introspectToken('an.access-token.as.given');
if (!$data->active) {
    // the token is no longer usable
}

Example 8: PKCE Client

use JakubOnderka\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com', 'ClientIDHere');
$oidc->setCodeChallengeMethod('S256');
$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');

Development Environments

In some cases you may need to disable SSL security on your development systems. Note: This is not recommended on production systems.

$oidc->setVerifyHost(false);
$oidc->setVerifyPeer(false);

Also, your local system might not support HTTPS, so you might disable upgrading to it:

$oidc->httpUpgradeInsecureRequests(false);

Todo

  • Dynamic registration does not support registration auth tokens and endpoints

Contributing

  • All pull requests, once merged, should be added to the CHANGELOG.md file.