Download the PHP package sk-id-solutions/smart-id-php-client without Composer

On this page you can find all versions of the php package sk-id-solutions/smart-id-php-client. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Example code of sk-id-solutions/smart-id-php-client

Informations about the package smart-id-php-client

Smart-ID PHP client

This library supports Smart-ID API v3.

Table of contents

Introduction

The Smart-ID PHP client can be used for easy integration of the Smart-ID solution to information systems or e-services.

Features

Requirements

Getting the library

Install via Composer:

Changelog

Changes introduced with new library versions are described in CHANGELOG.md.

How to use it with RP API v3

Import the relevant classes from the Sk\SmartId namespace:

Test accounts for testing

Test accounts for testing

Note: Smart-ID Basic level accounts (certificate level ADVANCED) are not supported in the demo environment.

Uploading certificates to demo OCSP

Smart-ID demo certificates are not automatically available in the demo AIA OCSP responder (aia.demo.sk.ee). To make them available for OCSP revocation checking, upload them via SK's certificate upload interface:

Setting up SmartIdClient

SmartIdClient is the main entry point for using Smart-ID services. It wires together the connector, session status poller, and request builders.

You can also use the connector directly for lower-level control (see Setting up the connector).

Setting up the connector

Configure to use with Smart-ID Demo environment

Setting up HTTPS public key pinning

HTTPS public key pinning is used to prevent man-in-the-middle attacks against the Smart-ID API connection.

Live SSL certificates: https://sk-eid.github.io/smart-id-documentation/https_pinning.html#_rp_api_smart_id_com_certificates

Demo SSL certificates: https://sk-eid.github.io/smart-id-documentation/https_pinning.html#_sid_demo_sk_ee_certificates

Demo / testing

For development against sid.demo.sk.ee, the SDK bundles demo keys:

Providing SSL public key hashes manually

For production, you must configure your own SPKI hashes. Download the current certificates from SK's HTTPS pinning documentation and extract each certificate's SPKI hash:

Then provide the hashes:

Loading hashes from a directory

You can load hashes from a directory of .key files (each containing one sha256//... hash):

Loading hashes from an environment variable

When hashes are stored in a single environment variable (e.g. from .env or container config):

A custom separator can be provided as the second argument:

Loading hashes from an array (secret managers, config files)

When your secret manager or configuration returns an array of hash strings:

All methods that accept hashes (addPublicKeyHash(), fromString(), fromArray()) validate every hash immediately and throw \InvalidArgumentException if the format is invalid or the input is empty.

Device link flows

Device link flows are the more secure way to ensure the user who started the authentication is in control of the device. More info: https://sk-eid.github.io/smart-id-documentation/rp-api/device_link_flows.html

Device link authentication session

Request parameters

Response parameters

Using the request builder

The builder automatically generates the RP challenge and calculates the verification code. If needed, you can provide your own RP challenge:

Using request objects directly

For lower-level control, construct request objects directly:

Generating QR code or device link

Documentation: https://sk-eid.github.io/smart-id-documentation/rp-api/device_link_flows.html

To use the Smart-ID demo environment, you must specify SchemeName::DEMO as the scheme name (use ->withDemoEnvironment() or ->withSchemeName(SchemeName::DEMO)). See: https://sk-eid.github.io/smart-id-documentation/environments.html#_demo

Device link parameters

Generating QR code URL

QR code URLs must be refreshed every second because the authCode changes based on elapsed time to prevent replay attacks.

Using the DeviceLinkBuilder for more control:

Generating Web2App URL

For mobile web browsers where the user can open the Smart-ID app directly:

Overriding default values

Examples of allowed device link interactions

An app can support different interaction types, and a Relying Party can specify preferred interactions with or without fallback options. For device link flows, the available interaction types are limited to displayTextAndPIN and confirmationMessage. displayTextAndPIN is used for short text with PIN-code input, while confirmationMessage is used for longer text with Confirm and Cancel buttons and a second screen to enter the PIN-code.

Example 1: confirmationMessage with fallback to displayTextAndPIN

The RP's first choice is confirmationMessage; if not available, then fall back to displayTextAndPIN.

Example 2: confirmationMessage only (no fallback)

If the interaction is not supported by the app, the process will fail if no fallback is provided.

Notification-based flows

Differences between notification-based and device link flows

Notification-based authentication session

Request parameters

Response parameters

Initiating with semantics identifier

More info about Semantics Identifiers: ETSI EN 319 412-1

Jump to Querying session status for an example of session status polling.

Initiating with document number

Examples of allowed notification-based interactions

Notification-based flows support additional interaction types compared to device link flows. Available types are displayTextAndPIN, confirmationMessage, and confirmationMessageAndVerificationCodeChoice.

Example 1: confirmationMessageAndVerificationCodeChoice with fallback to confirmationMessage and displayTextAndPIN

The RP's first choice is confirmationMessageAndVerificationCodeChoice; the second choice is confirmationMessage; the third choice is displayTextAndPIN.

Example 2: confirmationMessageAndVerificationCodeChoice only (no fallback)

Process will fail if interaction is not supported and there is no fallback.

Querying session status

Session status response

The session status response includes various fields depending on whether the session has completed or is still running:

End result values

The result.endResult field may contain the following values:

End result to exception mapping

When using SessionStatusPoller, non-OK end results are automatically converted to typed exceptions:

End result Exception
USER_REFUSED_INTERACTION UserRefusedInteractionException
USER_REFUSED, USER_REFUSED_CERT_CHOICE, USER_REFUSED_DISPLAYTEXTANDPIN, USER_REFUSED_VC_CHOICE, USER_REFUSED_CONFIRMATIONMESSAGE, USER_REFUSED_CONFIRMATIONMESSAGE_WITH_VC_CHOICE UserRefusedException
TIMEOUT SessionTimeoutException
DOCUMENT_UNUSABLE DocumentUnusableException
WRONG_VC WrongVerificationCodeException
REQUIRED_INTERACTION_NOT_SUPPORTED_BY_APP RequiredInteractionNotSupportedException
PROTOCOL_FAILURE ProtocolFailureException
SERVER_ERROR ServerErrorException
ACCOUNT_UNUSABLE, EXPECTED_LINKED_SESSION, other SmartIdException

Note: UserRefusedInteractionException extends UserRefusedException. The poller checks for USER_REFUSED_INTERACTION first, so catching UserRefusedException after UserRefusedInteractionException handles all other user refusal variants.

Polling for final session status

Using SessionStatusPoller to poll until the session completes:

The poller automatically throws typed exceptions for error results (see Exception handling).

You can configure polling parameters:

Single status query

For device link flows where you need to generate a fresh QR code every second, use single status queries:

Or query the connector directly:

Validating authentication response

It is critical to validate the authentication response to ensure the signature and certificate are trustworthy.

Setting up trusted CA certificates

OCSP certificate revocation checking

OCSP revocation checking is enabled automatically when creating a validator via SmartIdClient::createAuthenticationResponseValidator(). The checker verifies that the end-entity certificate has not been revoked by reading the OCSP responder URL from the certificate's Authority Information Access (AIA) extension.

Note: For the demo environment, you must first upload your test certificates to the demo OCSP responder — see Uploading certificates to demo OCSP.

Validating device link authentication

The validator performs the following checks:

  1. Session state is COMPLETE and result is OK
  2. Signature protocol is ACSP_V2
  3. Certificate level meets the requested level (if specified)
  4. Certificate is signed by a trusted CA and within its validity period
  5. Certificate basic constraints (not a CA certificate)
  6. Certificate policies contain Smart-ID scheme OIDs
  7. Certificate key usage includes digitalSignature
  8. Certificate Extended Key Usage includes Smart-ID authentication or clientAuth
  9. signatureAlgorithmParameters validation (hashAlgorithm, saltLength, maskGenAlgorithm, trailerField)
  10. RSA-PSS signature verification against the ACSP_V2 payload

Validating notification-based authentication

Validation is the same as device link. The only difference is how the session was initiated — the validation step uses the same AuthenticationResponseValidator::validate() method.

Web2App flow validation

When using Web2App or App2App flows, the Smart-ID app redirects the user back to the Relying Party via the callback URL. The received callback URL will contain additional query parameters that must be validated.

Example callback URL for authentication:

Validation steps:

  1. Verify that the value query parameter matches the random value you included when creating the callback URL.
  2. Verify sessionSecretDigest matches Base64URL(SHA-256(Base64Decode(sessionSecret))) where sessionSecret is from the session init response.
  3. For authentication flows, verify userChallengeVerifier — its SHA-256 hash (Base64URL-encoded) must match signature.userChallenge from the session status response.

Validating callback URL with CallbackUrlUtil

The CallbackUrlUtil helper simplifies creating and validating callback URLs for Web2App/App2App flows.

Creating a callback URL with a random token

Validating session secret digest from callback

When the Smart-ID app redirects back to your callback URL, validate the sessionSecretDigest query parameter:

Extracting user identity

After successful validation, the AuthenticationIdentity object provides:

The document number can be retrieved from the session result for future requests:

Additional request properties

Requesting IP address of user's device

For the IP address to be returned, the service provider (SK) must enable this option for your account. More info: https://sk-eid.github.io/smart-id-documentation/rp-api/3.0.3/request_properties.html

The same withShareMdClientIpAddress() method is available on both DeviceLinkAuthenticationRequestBuilder and NotificationAuthenticationRequestBuilder.

Exception handling

The library provides specific exceptions for different error scenarios. All exceptions extend SmartIdException.

Permanent exceptions

These indicate client-side configuration or input errors.

User action exceptions

These cover scenarios where user actions or inactions lead to session termination.

User account exceptions

Protocol and server exceptions

Validation exceptions

Technical exceptions

Server-side exceptions

Example of handling exceptions

Logging

The SDK supports optional PSR-3 logging. Pass any LoggerInterface implementation (e.g. Monolog) to SmartIdClient and AuthenticationResponseValidator. If no logger is provided, a NullLogger is used and no output is produced.

What is logged

Component Level What
SmartIdRestConnector debug Outgoing HTTP request method and URL
SmartIdRestConnector debug Successful response status code
SmartIdRestConnector warning Error response status code
SessionStatusPoller debug Each poll attempt (session ID)
SessionStatusPoller info Session completed (session ID, end result)
SessionStatusPoller warning Authentication failed (end result: TIMEOUT, USER_REFUSED, etc.)
SessionStatusPoller warning Polling timed out (session ID, attempts)
Request builders info Session initiation
Request builders debug Session initiated (session ID)
AuthenticationResponseValidator info Validation start and success
AuthenticationResponseValidator error Validation failed (error message)
AuthenticationResponseValidator debug Each validation step (trust chain, constraints, policies, signature)
OcspCertificateRevocationChecker debug OCSP request/response and success
OcspCertificateRevocationChecker warning OCSP check failure

Note: The SDK never logs request/response bodies, personal data, or secrets. Only metadata such as URLs, status codes, and session IDs are logged.

Using with SmartIdClient

The logger is passed as the last constructor parameter and automatically propagated to the connector, session status poller, and request builders.

All versions of smart-id-php-client with dependencies

PHP Build Version
Package Version
Requires php Version >=8.4
ext-json Version *
ext-curl Version *
ext-openssl Version *
phpseclib/phpseclib Version ~3.0
guzzlehttp/guzzle Version ^7.0
guzzlehttp/psr7 Version ^2.0
psr/log Version ^3.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package sk-id-solutions/smart-id-php-client contains the following files

Loading the files please wait ...