Download the PHP package italia/spid-laravel without Composer

On this page you can find all versions of the php package italia/spid-laravel. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package spid-laravel


SPID authentication package for Laravel


This is a package to provide a simple SPID authentication system to web applications based on Laravel.

See Changelog for more information about versions and breaking changes.

Installation

  1. Before installing this package, patching must be enabled in composer.json. This is necessary because a patch has to be applied to onelogin/php-saml for SPID compatibility.

    Edit your composer.json like this:

    or simply run:

    composer config extra.enable-patching true

    Since this package is still in beta, minimum-stability option must be set to beta and the prefer-stable option must be set to true in composer.json.

    These options can be set by running:

    For Windows only

    Composer needs the patch command to be installed (it is not part of Windows). To enable it install Git then add the C:\Program Files\Git\usr\bin folder to the system path.

    This installation step will be removed before the first stable release of this package.

  2. Require this package with composer.

    composer require italia/spid-laravel

  3. Exclude the URIs used by this package from CSRF protection, because the Identity Providers can't know which CSRF token to include in the POST requests they send to your routes.

    In your app/Http/Middleware/VerifyCsrfToken.php set '/spid/*' as an element of the $except array.

Configuration

Publish the configuration with:

This will create a spid-auth.php file in your config directory where you can set these options:

Service Provider options

These options must be set according to the official SPID technical rules.

The values entered in the config file will be used to generate the SAML Service Provider metadata at runtime. The generated metadata will be available in XML format at /spid/metadata.

Bindings

Due to limitations of onelogin/php-saml, only the HTTP-POST binding is supported for the AssertionConsumerService endpoint and only the HTTP-Redirect binding for the SingleLogoutService endpoint.

Application options

Please note that the php artisan vendor:publish --provider="Italia\SPIDAuth\ServiceProvider" command will copy some static assets to your public directory. You can publish configuration and assets separately by adding the --tag=spid-config and --tag=spid-assets options on the command line.

Cookies

Because of how the SameSite cookie attribute works, this package can only work with the lax or none policy, so the config option session.same_site MUST be set accordingly.

Usage

The SPID authentication process is completely agnostic about the authentication system of your application. If you plan to integrate your authentication system with SPID, you can listen to the LoginEvent and LogoutEvent (see Example).

SPIDAuth Service Provider

If you need more customization in the authentication logic of your application, you can use the methods available in the SPIDAuth Service Provider.

First you need an instance of the Service Provider from the Service Container:

The following public methods can be used in your application.

  • login: Show the configured login_view with a SPID button, if authenticated redirect to after_login_url.
  • doLogin: Attempt login with the SPID Identity Provider in the current request and redirect to the intended or configured after_login_url if authenticated.
  • acs: Process the POST response from Identity Providers, set session variables and redirect to the intended or configured after_login_url.
  • logout: Attempt logout with the SPID Identity Provider stored in the current session.
  • isAuthenticated: Check if the current session is authenticated with SPID.
  • metadata: Show metadata for this SPID Service Provider.
  • providers: Identity Providers list in JSON format used by the SPID smart button.
  • getSPIDUser: Return the current authenticated SPIDUser or null if not authenticated.

Button

You can display a simple SPID access button by including the spid-auth::spid-button view in your template:

Optionally you can specify the button size (s, m, l or xl):

To display the button dropdown right aligned you can set the rightAlign parameter to true.

Your templates must include a @stack('styles') directive inside the head tag and a @stack('scripts') directive inside the body tag (after the SPID access button markup code).

The button is the official spid-sp-access-button and requires jQuery.

Scenario

  1. The user clicks on the button and a list of Identity Providers is displayed;
  2. The user chooses an Identity Provider and is redirected to the corresponding login page;
  3. After a successful login the user is redirected to the URL specified in the after_login_url option and a LoginEvent is triggered.

Middleware

You can assign the spid.auth middleware to specific routes like so:

Or you can assign the spid.auth middleware to application controllers:

Scenario

  1. The user requests a resource to which the spid.auth middleware is assigned;
  2. The user is redirected to /spid/login and the view specified in the login_view option is displayed;
  3. The user chooses an Identity Provider and is redirected to the corresponding login page;
  4. After a successful login the user is redirected to the URL of the original resource and a LoginEvent is triggered.

Events

You can listen to LoginEvent and LogoutEvent to get some useful information about the authenticated user. Both events share these methods:

To listen to both events using the same object, you can use an Event Subscriber class that can be defined as follows:

The SPIDEventSubscriber class must be added to the $subscribe array in app/Providers/EventServiceProvider.php:

The SPIDUser class provides <attribute> properties for the attributes specified in the sp_requested_attributes option (e.g. for the name attribute you find a SPIDUser->name property). If the attribute is not available null is returned.

Logout

Simply provide your users a link pointing to /spid/logout.

Scenario

  1. The user clicks on a link pointing to /spid/logout;
  2. After a successful logout the user is redirected to the URL specified in the after_logout_url option and a LogoutEvent is triggered.

Example

This package comes with a simple set of controllers, views and routes that can be run as an example in a freshly installed Laravel application.

To publish the needed files run the command:

This will create the following files:

Next add the SPIDEventSubscriber class in app/Providers/EventServiceProvider.php as described above.

You can open storage/logs/laravel.log to read some example information logged by the SPIDEventSubscriber.

Notes

Security

Make sure to set your timezone in app/config/app.php because the id of every assertion consumed is cached to prevent replay attacks. This feature relies on a correct timezone configuration of your app.

HTTPS

As required in the SPID technical specifications, the Service Provider MUST accept messages in HTTPS only. In line with this requirement, some cookies in this package are created with the Secure policy, so the authentication does not work in an insecure context.

Test Identity Provider

The official SPID Identity Providers are defined in the spid-idps.php file.

For testing purposes, this file also includes a test Identity Provider. Refer to the SPID Test Environment to get more information about SPID authentication testing.

The test Identity Provider can be enabled/disabled using the test_idp entry in your config/spid-auth.php file.

Set to disable.
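
The deployment constraints from the CSRF, Cookies, Security, HTTPS and Test Identity Provider notes can be checked together before going live. The following is an added example, not code from the spid-laravel package: the function name spidDeploymentFindings is hypothetical, the check on app.url is an assumed proxy for "served over HTTPS", and test_idp is assumed to be disabled only when it is exactly false.

```php
<?php
// Added example: not part of spid-laravel. $config maps Laravel config keys to
// values; $csrfExcept is the $except array of VerifyCsrfToken.
function spidDeploymentFindings(array $config, array $csrfExcept): array
{
    $findings = [];
    // Cookies: the package only works with the lax or none SameSite policy.
    $sameSite = strtolower((string) ($config['session.same_site'] ?? ''));
    if (!in_array($sameSite, ['lax', 'none'], true)) {
        $findings[] = 'session.same_site must be "lax" or "none"';
    }
    // Browsers reject SameSite=None cookies that lack the Secure attribute.
    if ($sameSite === 'none' && ($config['session.secure'] ?? false) !== true) {
        $findings[] = 'same_site "none" requires session.secure = true';
    }
    // HTTPS: assumption that app.url reflects the public scheme of the site.
    if (stripos((string) ($config['app.url'] ?? ''), 'https://') !== 0) {
        $findings[] = 'app.url is not an https:// URL';
    }
    // Security: the assertion replay cache relies on a correct timezone.
    $tz = (string) ($config['app.timezone'] ?? '');
    if (!in_array($tz, timezone_identifiers_list(), true)) {
        $findings[] = 'app.timezone is not a valid timezone identifier';
    }
    // Test IdP: assumed to be disabled only when the entry is exactly false.
    if (($config['spid-auth.test_idp'] ?? false) !== false) {
        $findings[] = 'spid-auth.test_idp is enabled';
    }
    // CSRF: the package routes must be exempt, and nothing broader than that.
    if (!in_array('/spid/*', $csrfExcept, true)) {
        $findings[] = '$except does not contain /spid/*';
    }
    if (array_intersect(['*', '/*'], $csrfExcept) !== []) {
        $findings[] = '$except disables CSRF protection for every route';
    }
    return $findings;
}

// Constructed sample values: a staging-like setup with three problems.
$sample = [
    'session.same_site' => 'strict',
    'session.secure' => true,
    'app.url' => 'http://sp.example.test',
    'app.timezone' => 'Europe/Rome',
    'spid-auth.test_idp' => true,
];
print_r(spidDeploymentFindings($sample, ['/spid/*']));
```

With the constructed sample the function reports the same_site, app.url and test_idp findings. Inside a Laravel application the same array can be filled from the config() helper.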

Service Provider certificate and private key

The X.509 certificate and the private key of the Service Provider are defined in the spid-auth.php file. Please note that the values provided are only for testing purposes and can't be used in production.

You can set your own X.509 certificate and private key in the config/spid-auth.php file of your application (which overrides the one in the package).

The X.509 certificate and the private key can be configured as strings or as paths to files. If both are specified in your config/spid-auth.php then the ones specified as strings will take precedence.

Change the values and keep the private key secret.

Licenses

BSD-3-Clause License is generally applied to all the code in this repository if not otherwise specified.

MIT License is applied to some portions of code as reported in this README.

SIL Open Font License 1.1 is applied to the Titillium font included from CSS files.



All versions of spid-laravel with dependencies

Requires:

  • php ^8.2
  • illuminate/config >=9.52.4
  • illuminate/support >=9.52.4
  • onelogin/php-saml >=4.1.0
  • cweagans/composer-patches ^1.7
  • nesbot/carbon ^2.66