Download the PHP package cirrusidentity/simplesamlphp-module-authoauth2 without Composer

On this page you can find all versions of the php package cirrusidentity/simplesamlphp-module-authoauth2. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package simplesamlphp-module-authoauth2


SimpleSAMLphp OAuth2 Authentication Source Module

This is a generic module for authentication against an OAuth2 or OIDC server. It performs the authorization_code flow and then uses the resulting access token to query an endpoint to get the user's attributes. It is a wrapper around the excellent PHP League OAuth2 Client.

SSP 2

Compatibility work for SSP2 will happen in the ssp2 branch.

SSP as an OIDC server

If you are interested in using SSP as an OIDC OP see the OIDC module.


Installation

The module can be installed with composer.

composer require cirrusidentity/simplesamlphp-module-authoauth2

If you are on SSP 2 use version 4. If you are on SSP 1.X use version 3.

Or you can install the latest from master

composer require cirrusidentity/simplesamlphp-module-authoauth2:dev-master

If you install into a tarball distribution of SSP then composer, by default, will also install all dev dependencies for SSP and this module. This can be a long list. If you prefer not to have dev dependencies installed, you can use:

composer require --no-update cirrusidentity/simplesamlphp-module-authoauth2 && composer update --no-dev cirrusidentity/simplesamlphp-module-authoauth2

Changelog

View the change log

Usage

The generic OAuth2 client is configured with

Redirect URI

Almost all OAuth2/OIDC providers will require you to register a redirect URI. Use a URL of the form below, and set hostname, SSP_PATH and optionally port to the correct values.

https://hostname/SSP_PATH/module.php/authoauth2/linkback.php

Provider specific Tips

scope or scopes: What parameters can be passed?

The majority of configuration items are passed through to the provider implementation so it will depend on the provider you choose. If you use the authsource authoauth2:OAuth2 without overriding the providerClass then the options from "Generic Usage" will work. If you use authoauth2:OpenIDConnect then a different set of configuration options are available.

scope vs scopes: The default provider used by authoauth2:OAuth2 supports setting 'scopes' => ['email'] or by setting scope in urlAuthorizeOptions. Other providers may only support the latter (setting in urlAuthorizeOptions).

Generic Usage

Generic usage provides enough configuration parameters to use with any OAuth2 or OIDC server.

OpenID Connect Usage

For providers that support the OpenID Connect discovery protocol, the configuration can be simplified a bit. Only the issuer URL, client ID and client secret are required.

Not all configuration options from authoauth2:OAuth2 are supported in OpenIDConnect

If your OP supports front channel single logout, you can configure https://hostname/SSP_PATH/module.php/authoauth2/logout.php?authSource=AUTHSOURCE where AUTHSOURCE is the id of your authsource in the authsources configuration (openidconnect in the example above)

Provider Specific Usage

There are numerous Official and Third-Party providers that you can use instead of the generic OAuth2 provider. Using one of those providers can simplify the configurations.

To use a provider you must first install it (composer require league/oauth2-some-provider) and then configure it.

Template Specific Usage

For some OAuth2 providers the generic endpoint configurations are already defined in ConfigTemplate. You can reference this to reduce the amount of typing needed in your authsource

or by using the template option

Samples

Several of these samples show how to configure the generic endpoint to authenticate against Facebook, Amazon, Google, etc. In a lot of cases you can use a template from ConfigTemplate to make the configuration cleaner, or you can use a provider-specific implementation of the base OAuth2 client.

Generic Facebook

You can use the Facebook template 'template' => 'Facebook', and then provide just the clientId and clientSecret to have a cleaner looking config

Generic Amazon

Generic Google

View full Google instructions.

Provider Specific Google

View full Google instructions.

Debugging

HTTP Logging

You can enable http logging with the logHttpTraffic flag and optionally customize the format with logMessageFormat. See Guzzle's MessageFormatter class for how to define a format string.

Security note: enabling HTTP logging will cause your client secret and any returned access or ID tokens to appear in your logs.
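One way to check logs written while logHttpTraffic was on, and to scrub them before sharing (an added example, not part of the module). The log lines are constructed; the real layout depends on your logMessageFormat, and the function names are hypothetical.

```shell
# Added example. SAMPLE_LOG is constructed; adapt the patterns to your log format.
SAMPLE_LOG='2024-01-01T10:00:00 DEBUG >> POST /openid/token grant_type=authorization_code&client_secret=s3cr3t-constructed&client_id=my_client
2024-01-01T10:00:01 DEBUG << 200 {"access_token":"at-constructed-123","id_token":"aaa.bbb.ccc","token_type":"Bearer"}
2024-01-01T10:00:02 DEBUG >> GET /userInfo Authorization: Bearer at-constructed-123'

# The values the security note names: client secret, access token, ID token
# (form-encoded body, JSON response, and bearer header forms).
LEAK_RE='client_secret=[^&[:space:]"]+|"(access_token|id_token)"[[:space:]]*:[[:space:]]*"[^"]+"|Authorization: Bearer [A-Za-z0-9._~+/=-]+'

# Count credential occurrences on stdin that have not already been redacted.
count_leaks() {
  grep -Eo "$LEAK_RE" | grep -vF '[REDACTED]' | wc -l | tr -d ' '
}

# Replace each credential value with a marker, keeping the rest of the line
# so the log stays usable for debugging.
redact_oauth_secrets() {
  sed -E \
    -e 's/client_secret=[^&[:space:]"]+/client_secret=[REDACTED]/g' \
    -e 's/"(access_token|id_token)"([[:space:]]*:[[:space:]]*)"[^"]+"/"\1"\2"[REDACTED]"/g' \
    -e 's#(Authorization: Bearer) [A-Za-z0-9._~+/=-]+#\1 [REDACTED]#g'
}

printf 'credentials found: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_leaks)"
printf '%s\n' "$SAMPLE_LOG" | redact_oauth_secrets
```

A non-zero count on a production log means the client secret should be rotated and the logged tokens treated as exposed.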

Using Curl

You can use curl on the command line to interact with the OAuth2/OIDC server.

Get Code

The first step is to get a valid code AND ensure the module doesn't try to use it. This can be done by constructing an authorize URL with an invalid state value but with all other params correct:

https://as.example.com/openid/authorize?state=invalid-state&scope=openid&response_type=code&redirect_uri=https%3A%2F%2Fmyapp.example.com%2Fsimplesaml%2Fmodule.php%2Fauthoauth2%2Flinkback.php&client_id=my_client

If you log in with the above it will redirect you back to your SSP instance with an authorization_code (which you should capture) and then your SSP instance will report an error about an invalid state parameter. The state check happens prior to consuming the authorization_code so you know SSP hasn't used it.

Get Access Token

Now you can use the code and try to get an access token

Get User Info

Take the access token from above and call the user info endpoint

curl -H "Authorization: Bearer $ACCESS_TOKEN" https://as.example.com/userInfo
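The three steps above as one script, added here as an example and not taken from the module. The hosts and my_client are the page's placeholder values; the token endpoint path, the CLIENT_SECRET environment variable and all function names are assumptions.

```shell
# Added example. Hosts and my_client are the page's placeholders; TOKEN_URL,
# CLIENT_SECRET (read from the environment) and the function names are assumptions.
AUTHORIZE_URL="https://as.example.com/openid/authorize"
TOKEN_URL="https://as.example.com/openid/token"   # assumed token endpoint
USERINFO_URL="https://as.example.com/userInfo"
CLIENT_ID="my_client"
REDIRECT_URI="https://myapp.example.com/simplesaml/module.php/authoauth2/linkback.php"

urlencode() {   # percent-encode all but RFC 3986 unreserved characters (ASCII input)
  ue_in=$1; ue_out=
  while [ -n "$ue_in" ]; do
    ue_rest=${ue_in#?}; ue_c=${ue_in%"$ue_rest"}; ue_in=$ue_rest
    case $ue_c in
      [a-zA-Z0-9.~_-]) ue_out=$ue_out$ue_c ;;
      *) ue_out=$ue_out$(printf '%%%02X' "'$ue_c") ;;
    esac
  done
  printf '%s' "$ue_out"
}

# Step 1: authorize URL whose state SSP will reject, leaving the code unused.
build_authorize_url() {
  printf '%s?state=invalid-state&scope=openid&response_type=code&redirect_uri=%s&client_id=%s' \
    "$AUTHORIZE_URL" "$(urlencode "$REDIRECT_URI")" "$(urlencode "$CLIENT_ID")"
}

# Pull the code parameter out of the callback URL shown with the state error.
code_from_callback() {
  printf '%s\n' "$1" | sed -n 's/^[^?]*?\(.*&\)\{0,1\}code=\([^&#]*\).*$/\2/p'
}

# Step 2: redeem the code. It is sent as copied, since it is already percent-encoded.
get_token() {
  curl -sS -d grant_type=authorization_code -d "code=$1" \
    --data-urlencode "redirect_uri=$REDIRECT_URI" --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=${CLIENT_SECRET:?export CLIENT_SECRET first}" "$TOKEN_URL"
}
access_token_from_json() { sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'; }

# Step 3: call the user info endpoint with the token.
get_userinfo() { curl -sS -H "Authorization: Bearer $1" "$USERINFO_URL"; }

if [ "$#" -eq 1 ]; then   # argument: the callback URL copied from the browser
  code=$(code_from_callback "$1"); [ -n "$code" ] && token=$(get_token "$code" | access_token_from_json)
  [ -n "${token:-}" ] || { echo "no code in URL or no access_token in response" >&2; exit 1; }
  get_userinfo "$token"
else
  printf 'Log in via this URL, then rerun with the callback URL:\n%s\n' "$(build_authorize_url)"
fi
```

Passing the secret as a curl argument makes it visible in the process list and shell history, so run this only on a workstation you control.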

Migrating from an existing auth module

If you are migrating away from an existing auth module, such as authfacebook, you will need to do one of the following:

Some social providers support multiple login protocols and older SSP modules may use the non-OAuth2 version for login. To migrate to this module you may need to make some application changes. For example

Calling OAuth2ResponseHandler

To migrate from an existing module you can adjust that module's linkback/redirect handler to conditionally use the OAuth2ResponseHandler. In the below example the code will use authoauth2 if that is what initiated the process, else use the existing handler.

Development

Docker

The preprodwarning module is included for testing authproc filters. Note: the 1.0.2 version of preprodwarning has a bug in the redirect URL. If using it you need to change showwarning.php to warning in your browser URL.

and visit (which resolves to localhost, and the docker container) the test authsource page to test some pre-configured social integrations (yes, you can see the app passwords, these apps are only used for this demo).

Facebook test user

The pre-configured Facebook apps can only be accessed with a test account. You must be signed out of Facebook, otherwise you will get an error saying the application is not active.

Code style

Run phpcs to check code style

php vendor/bin/phpcs

All versions of simplesamlphp-module-authoauth2 with dependencies

Requires (package: version):
php: >=7.4 || ^8.0
simplesamlphp/composer-module-installer: ^1.1
league/oauth2-client: ^2.7
simplesamlphp/simplesamlphp: ^v2.0.0
firebase/php-jwt: ^5.5|^6
kevinrob/guzzle-cache-middleware: ^4.1.1
psr/cache: ^1.0|^2.0|^3.0
symfony/cache: ^6.0|^5.0|^4.3|^3.4
ext-json: *