Download the PHP package maicol07/oidc-client without Composer
On this page you can find all versions of the php package maicol07/oidc-client. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Informations about the package oidc-client
PHP OpenID Connect Basic Client
A simple library that allows an application to authenticate a user through the basic OpenID Connect flow. This library hopes to encourage OpenID Connect use by making it simple enough for a developer with little knowledge of the OpenID Connect protocol to setup authentication.
Supported Specifications
- OpenID Connect Core 1.0
- OpenID Connect Discovery 1.0 (finding the issuer is missing)
- OpenID Connect RP-Initiated Logout 1.0 - draft 01
- OpenID Connect Dynamic Client Registration 1.0
- RFC 6749: The OAuth 2.0 Authorization Framework
- RFC 7009: OAuth 2.0 Token Revocation
- RFC 7636: Proof Key for Code Exchange by OAuth Public Clients
- RFC 7662: OAuth 2.0 Token Introspection
- Draft: OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
Tested providers
Note: This list is not exhaustive. Other generic OIDC providers should work as well. If you have tested this library with a provider not listed here, please open a PR to add it to the list and add a test configuration (.run directory).
Provider | Is tested? | Notes |
---|---|---|
Keycloak | ✅ | Client authenticator must be set to "Client id and secret" |
Casdoor | ✅ | Code challenge must be set to S256 or PKCE should be disabled |
Requirements
- PHP 8.1+
- JSON extension
- MBString extension
- (Optional) One between GMP or BCMath extension to allow faster cipher key operations (for JWT; see here for more information)
Install
Install using composer:
Examples
Example 1: Basic Client
This example uses the Authorization Code flow and will also use PKCE if the OpenID Provider announces it in his Discovery document. If you are not sure, which flow you should choose: This one is the way to go. It is the most secure and versatile.
See OpenID Connect spec for available user attributes
Example 2: Dynamic Registration
Example 3: Network and Security
You should always use HTTPS for your application. If you are using a self-signed certificate, you can disable the SSL
verification by setting the verify_ssl
property on the client and, if you have it, set a custom certificate in the cert_path
property
(this works only if verifySsl is set to false).
You can also setup a proxy via the http_proxy
.
Example 4: Implicit flow
Reference: https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
The implicit flow should be considered a legacy flow and not used if authorization code grant can be used. Due to its disadvantages and poor security, the implicit flow will be obsoleted with the upcoming OAuth 2.1 standard. See Example 1 for alternatives.
Example 5: Introspection of an access token
Reference: https://tools.ietf.org/html/rfc7662
Example 6: PKCE Client
PKCE is already configured and used in most scenarios in Example 1. This example shows you how to explicitly set the Code Challenge Method in the initial config. This enables PKCE in case your OpenID Provider doesn’t announce support for it in the discovery document, but supports it anyway.
Example 7: Token endpoint authentication method
By default, only client_secret_basic
is enabled on client side which was the only supported for a long time.
Recently client_secret_jwt
and private_key_jwt
have been added, but they remain disabled until explicitly enabled.
Note: A JWT generator is not included in this library yet.
Development Environments
Sometimes you may need to disable SSL security on your development systems. You can do it by calling the verify
method
with the false
parameter. Note: This is not recommended on production systems.
Testing
To run the tests, you need to have a running OpenID Connect provider
Keycloak
-
Run a Keycloak docker container
- Create a realm named
test
- Create a client named
test-client
withconfidential
access type - Set the
Valid Redirect URIs
tohttp://localhost:8080/callback
- Set the
Web Origins
tohttp://localhost:8080
- Set the
Access Type
toBearer-only
- Set the
Client Authenticator
toClient id and secret
- Set the
Client ID
totest-client
- Set the
Client Secret
totest-client-secret
- Set the
Root URL
tohttp://localhost:8080
Todo
- Dynamic registration does not support registration auth tokens and endpoints
Contributing
- Issues and pull requests are welcome.
All versions of oidc-client with dependencies
ext-json Version *
ext-mbstring Version *
cse/helpers-session Version ^1
guzzlehttp/guzzle Version >=7
illuminate/collections Version >=8
illuminate/http Version >=8
illuminate/support Version >=8
web-token/jwt-library Version ^4.0.1