Download the PHP package jmluang/sso-consumer without Composer

On this page you can find all versions of the php package jmluang/sso-consumer. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package sso-consumer

jmluang/sso-consumer

Latest Version on Packagist Tests

A Laravel consumer package for an upstream SSO portal. Verifies portal-signed JWT tickets and bridges upstream identity to the consuming app's local admin auth.

The companion portal application signs the tickets; integrators receive the architecture and contract specs separately. The key pieces (JWT claims v1/v2, error codes) are mirrored below for consumers.

Requirements

Installation

Publish the config:

Optionally publish views & translations:

Configuration

Fill in .env:

The SSO_PORTAL_PUBLIC_KEY value must be wrapped in double quotes so phpdotenv interprets the \n escapes as real newlines. Single-quoted or unquoted values will be passed to OpenSSL with literal \n, and signature verification will silently fail.

Then point the resolver to your implementation in config/sso-consumer.php:

A full integration guide is distributed with the portal application; ask your portal admin for it if you need the end-to-end setup.

How it works

JWT Claims

Ticket is RS256-signed by the portal; consumer must verify using the portal's public key.

Claim Type Required Notes
iss string Must be sso-portal
aud string Must equal config('sso-consumer.system_code')
sub string v2: phone. v1 legacy: email
phone string v2 only Primary lookup key for v2 tickets
email string v1 required, v2 optional Secondary legacy lookup key
name string optional Display name from portal/upstream identity
tenant_domain string Must match SSO_EXPECTED_HOST or one of SSO_EXPECTED_HOSTS; outside production, falls back to the request host with port when neither is configured
tenant_id int
tenant_system string Same as aud
jti string 32 hex chars, one-time-use
v int 2 for phone-primary tickets, 1 for legacy email tickets
iat / exp int 120s TTL recommended
nbf int optional

Error Codes

Rendered on the error page and emitted via SsoLoginFailed events.

ticket_missing, ticket_invalid, ticket_expired, ticket_replayed, ticket_version_unsupported, audience_mismatch, tenant_mismatch, user_not_found, identity_conflict, resolver_failed

The SsoUserResolver contract

The package does not touch Auth or session directly — that's your job inside login(). The package does orchestrate the phone/email lookups and detects conflicts, so a careless implementation can no longer silently log an attacker into the wrong account.

You implement three primitives:

The library will:

  1. Call findByPhone() if (and only if) the verified ticket carries a non-empty phone claim.
  2. Call findByEmail() if (and only if) the verified ticket carries a non-empty email claim.
  3. Throw IdentityConflictException (error code identity_conflict) if both lookups succeed but return users with different identifiers — login() is not called.
  4. Throw UserNotFoundException if both lookups return null.
  5. Otherwise call login($user, $claims, $request) exactly once.

Phone format

The portal issues phone claims in one of two canonical shapes:

Use Jmluang\SsoConsumer\Support\PhoneNormalizer::normalize($phone) on both the inbound claim and the locally stored column before comparing — operators typing 159-1234-0001, (415) 555-0123, or +852-9123-4567 all collapse to the canonical form, so lookups don't miss because of formatting drift. The helper returns null for empty input and throws InvalidArgumentException for inputs that can't be parsed (letters, too few digits, missing separator between country code and local number, etc.).

If your local column already stores normalized values, you only need to normalize the inbound claim. If you're migrating an existing column, run the helper during the backfill described below.

Upgrading To Phone-Primary Tickets

Before enabling portal-issued v2 tickets:

  1. Add a normalized phone column to the consuming app's admin user table.
  2. Backfill existing admin users from the trusted upstream SSO phone value.
  3. Implement findByPhone() using the normalized column, and findByEmail() for legacy rows.
  4. Deploy the resolver before switching the portal kill-switch from v1 to v2.
  5. Monitor user_not_found, identity_conflict, and resolver failures during the rollout window.

Production Hardening

The defaults are safe to use in development, but a production deployment must review the following:

  1. At least one expected host is required. In production, set SSO_EXPECTED_HOST for a single callback domain or SSO_EXPECTED_HOSTS for comma-separated multi-tenant callback domains. Consume requests fail when the expected host list is empty; php artisan sso:check also reports the misconfiguration. Outside production, the consumer can fall back to the request host with port for local testing.
  2. replay_cache_store must be a shared, atomic cache (Redis, Memcached, or Database). The array driver gives each PHP worker its own memory, which silently disables replay protection. The file driver is not atomic. php artisan sso:check enforces this in production.
  3. The consume route is rate-limited by default (throttle:sso-consume). Each request triggers an RSA signature verification, which is CPU-expensive — without throttling the endpoint is a DoS amplifier. The package registers a default sso-consume limiter at 60 requests/minute per IP; override it in App\Providers\AppServiceProvider::boot() when your app needs tenant-aware or user-aware limits:

    Override consume_middleware if your app already has a tenant-aware throttle.

  4. HTTPS enforcement depends on trusted proxy configuration. Production consume requests must be HTTPS. If TLS terminates at a load balancer or reverse proxy, configure Laravel trusted proxies so $request->isSecure() honors X-Forwarded-Proto: https; otherwise the package will correctly reject the internal plaintext hop as ticket_invalid.
  5. SsoLoginFailed events carry the full claim array, including phone, email, and name. Listeners that ship to log aggregators or alerting systems should redact or hash PII before forwarding.
  6. Octane / Swoole / RoadRunner caveat. The verifier mutates the static Firebase\JWT\JWT::$leeway while decoding. Concurrent requests sharing a worker process can race on this state. Pin a single value via config and avoid hot-reloading it, or run under traditional php-fpm if this is a concern.

Events

Write your own listeners for audit logging / alerting.

Commands

Testing

The RSA key pair under tests/Fixtures/keys/ is only for automated tests. Never use it to sign or verify production SSO tickets.

Versioning

License

MIT — see LICENSE.md.


All versions of sso-consumer with dependencies

PHP Build Version
Package Version
Requires php Version ^8.3
illuminate/support Version ^11.0 || ^12.0 || ^13.0
illuminate/http Version ^11.0 || ^12.0 || ^13.0
illuminate/contracts Version ^11.0 || ^12.0 || ^13.0
firebase/php-jwt Version ^6.10
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package jmluang/sso-consumer contains the following files

Loading the files please wait ...