Download the PHP package cloudcogsio/oauth2-keycloak without Composer
On this page you can find all versions of the php package cloudcogsio/oauth2-keycloak. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Information about the package oauth2-keycloak
Keycloak Provider for OAuth 2.0 Client
This package provides Keycloak OAuth 2.0 support for the PHP League's OAuth 2.0 Client.
The client uses Keycloak's services endpoint to query the OpenID Provider Metadata for autodiscovery of relevant endpoints for authorization, tokens and public keys for token introspection.
Installation
To install, use composer:
Usage
Usage is the same as The League's OAuth client, using \Cloudcogs\OAuth2\Client\Provider\Keycloak as the provider.
Configuration via Keycloak OIDC JSON file
The client can be configured by passing the Keycloak OIDC JSON file that can be downloaded from your Keycloak server.
- Go to your Keycloak Admin
- Select the "Clients" option
- Select the Client ID of the required client
- Select the "Installation" tab
- In the "Format Option" dropdown, choose "Keycloak OIDC JSON"
- Download. (Default filename is "keycloak.json")
When using the Keycloak OIDC JSON file, only the file and a redirectUri are required to set up the client.
Provider Configuration with Keycloak OIDC JSON (keycloak.json)
Configuration via Options
The client can also be configured without a Keycloak OIDC JSON file by passing (at minimum) the and options required for endpoint autodiscovery.
You will still need to reference the OIDC JSON configuration in Keycloak to retrieve the values for and . These would be the and .
Provider Configuration with and options
Authorization Code Flow
Assuming was configured as outlined via one of the methods above.
Refreshing a Token
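An added example (not from the package's README) of the Authorization Code Flow and Refreshing a Token steps above, written against the League client API that this provider follows. The constructor option used to pass keycloak.json (`keycloak_json`) and the redirect URI are assumed placeholders; use the option names from your own configuration.

```php
<?php
// Added example: authorization code flow with state check, then token refresh.
// Assumption: the 'keycloak_json' option key is a placeholder for whatever option
// the provider uses to accept the downloaded keycloak.json file.
require 'vendor/autoload.php';

use Cloudcogs\OAuth2\Client\Provider\Keycloak;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;

session_start();

$provider = new Keycloak([
    'keycloak_json' => __DIR__ . '/keycloak.json',            // placeholder option name
    'redirectUri'   => 'https://app.example.test/callback.php', // must be a Valid Redirect URI in Keycloak
]);

if (!isset($_GET['code'])) {
    // Step 1: send the user to Keycloak. Keep the state value in the session so the
    // callback can be tied to the request that started it (CSRF protection).
    $authUrl = $provider->getAuthorizationUrl();
    $_SESSION['oauth2state'] = $provider->getState();
    header('Location: ' . $authUrl);
    exit;
}

// Step 2: callback. Reject any response whose state does not match the stored one.
if (empty($_GET['state']) || !hash_equals($_SESSION['oauth2state'] ?? '', $_GET['state'])) {
    unset($_SESSION['oauth2state']);
    http_response_code(400);
    exit('Invalid OAuth state');
}
unset($_SESSION['oauth2state']);

try {
    // Exchange the one-time code for tokens at the autodiscovered token endpoint.
    $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);

    // Step 3: use the refresh token instead of re-running the login flow once expired.
    if ($token->hasExpired() && $token->getRefreshToken() !== null) {
        $token = $provider->getAccessToken('refresh_token', [
            'refresh_token' => $token->getRefreshToken(),
        ]);
    }
    // Keep tokens server-side; the refresh token must never reach the browser.
    $_SESSION['keycloak_token'] = $token->jsonSerialize();
} catch (IdentityProviderException $e) {
    http_response_code(502);
    exit('Token request failed: ' . htmlspecialchars($e->getMessage()));
}
```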
Client Logout
The client provides a method to conveniently process a logout action.
A redirect URI can be passed to the method or the option of the client will be used for redirection. The URI must be configured in the "Valid Redirect URIs" field of the client definition in Keycloak.
Resource Owner Password Credentials Grant
🛑 DANGER! We advise against using this grant type if the service provider supports the authorization code grant type (see above), as this reinforces the password anti-pattern, allowing users to think it’s okay to trust third-party applications with their usernames and passwords.
That said, there are use-cases where the resource owner password credentials grant is acceptable and useful.
Client Credentials Grant
When your application acts on its own behalf to access resources it controls or owns in a service provider, it may use the client credentials grant type.
The client credentials grant type is best when storing the credentials for your application privately and never exposing them (e.g., through the web browser, etc.) to end-users. This grant type functions like the resource owner password credentials grant type, but it does not request a user’s username or password. It uses only the client ID and client secret issued to your client by the service provider.
Additional Notes
OpenID Connect Discovery endpoint
By default, this client uses the endpoint to discover all other endpoints for the Keycloak server once the and options are supplied to create the client.
This is handled by the library. See https://github.com/cloudcogsio/oauth2-openid-connect-discovery
Keycloak Public Key(s)
During endpoint discovery, the Keycloak realm public key(s) are retrieved and cached locally. This is needed to decode the access token which is then added to the object as additional values.
Caching of Public Keys
Caching of JWKs is handled by an instance of which is installed with .
You can provide your own instance of a to handle storage of the Keycloak realm's public key.
Token Introspection
By default, the accessToken is decoded locally using the cached public keys. Decoded data is populated and made available in the object.
This is performed automatically by the client and requires no additional configuration.
Token Introspection via Keycloak Server
All tokens issued by the Keycloak server (accessToken, refreshToken etc.) can be introspected using the Keycloak token introspection endpoint.
The client provides an method to carry out this operation.
Custom Access Token Class
The branch of this repository implements a custom class that extends the base class.
Keycloak provides a property. This custom class adds methods that check and detect the validity of the . The theory of operation is the same as that provided by the base class for checking and detecting the validity of the .
NOTE: At this time a custom AccessToken class is not supported by the base AbstractProvider class of .
Method signature changes are required before custom Access Token classes (such as the one provided above) can be used. See https://github.com/thephpleague/oauth2-client/issues/897
License
The MIT License (MIT). Please see License File for more information.
All versions of oauth2-keycloak with dependencies
laminas/laminas-http Version ~2.14.3
laminas/laminas-diactoros Version ^2.6.0
fig/http-message-util Version ~1.1.5
ext-json Version *
ext-curl Version *