Download the PHP package thenetworg/oauth2-azure without Composer
On this page you can find all versions of the php package thenetworg/oauth2-azure. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package: oauth2-azure
Short description: Azure Active Directory OAuth 2.0 Client Provider for The PHP League OAuth2-Client
License: MIT
Information about the package oauth2-azure
Azure Active Directory Provider for OAuth 2.0 Client
This package provides Azure Active Directory OAuth 2.0 support for the PHP League's OAuth 2.0 Client.
Table of Contents
- Installation
- Usage
  - Authorization Code Flow
    - Advanced flow
    - Using custom parameters
    - NEW - Call on behalf of a token provided by another app
    - NEW - Logging out
- Making API Requests
  - Variables
- Resource Owner
- UPDATED - Microsoft Graph
- NEW - Protecting your API - experimental
- Azure Active Directory B2C - experimental
- Multipurpose refresh tokens - experimental
- Known users
- Contributing
- Credits
- Support
- License
Installation
To install, use composer:
Usage
Usage is the same as The League's OAuth client, using \TheNetworg\OAuth2\Client\Provider\Azure as the provider.
Authorization Code Flow
Advanced flow
The Authorization Code Grant Flow is a little bit different for Azure Active Directory. Instead of scopes, you specify the resource which you would like to access. When `$provider->authWithResource` is set, the provider automatically populates the `resource` parameter of the request with the value of either `$provider->resource` or `$provider->urlAPI`. The `resource` parameter belongs to the v1.0 endpoint of Azure AD; the v2.0 endpoint uses scopes instead and does not accept it.
Using custom parameters
With oauth2-client version 1.3.0 and higher, it is possible to specify custom parameters for the authorization URL, so you can make use of options like `prompt`, `login_hint` and similar by passing them to `getAuthorizationUrl()`. Passing `prompt=login`, for example, forces the user to reauthenticate even if they already have a session with Azure AD. The full list of parameters is documented in Microsoft's reference for the Azure AD authorization request.
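The following is an added example (not code from the project's README) that ties the flow together: it requests a token for Microsoft Graph via `authWithResource`, passes `prompt` and `login_hint` as custom parameters, and verifies the `state` value on the callback before exchanging the code. Client ID, secret, redirect URI and the `login_hint` address are placeholders; Composer autoloading and PHP sessions are assumed.

```php
<?php
// Added example: authorization code flow with Azure AD, including the CSRF state check.
// Assumptions: vendor/autoload.php from Composer, PHP sessions, placeholder credentials.
require __DIR__ . '/vendor/autoload.php';

use TheNetworg\OAuth2\Client\Provider\Azure;

session_start();

$provider = new Azure([
    'clientId'     => 'YOUR_CLIENT_ID',          // placeholder
    'clientSecret' => 'YOUR_CLIENT_SECRET',      // placeholder
    'redirectUri'  => 'https://example.com/callback.php',
]);

// Ask for a token usable against Microsoft Graph: authWithResource copies
// $provider->resource into the "resource" parameter of the requests.
$provider->authWithResource = true;
$provider->resource = 'https://graph.microsoft.com/';

if (!isset($_GET['code'])) {
    // Step 1: send the user to Azure AD. prompt=login forces reauthentication,
    // login_hint pre-fills the account; both are passed through as custom parameters.
    $authUrl = $provider->getAuthorizationUrl([
        'prompt'     => 'login',
        'login_hint' => 'user@example.com',      // placeholder
    ]);

    // Remember the state the provider generated so the callback can verify it.
    $_SESSION['oauth2state'] = $provider->getState();
    header('Location: ' . $authUrl);
    exit;
}

// Step 2: callback. Reject a response whose state does not match the one we issued;
// otherwise an attacker could bind a code of their choosing to the victim's session.
$state = $_GET['state'] ?? null;
if (!is_string($state) || empty($_SESSION['oauth2state'])
    || !hash_equals($_SESSION['oauth2state'], $state)) {
    unset($_SESSION['oauth2state']);
    http_response_code(400);
    exit('Invalid OAuth state');
}
unset($_SESSION['oauth2state']);

// Step 3: exchange the authorization code for tokens.
$token = $provider->getAccessToken('authorization_code', [
    'code' => $_GET['code'],
]);

// Do not log or echo the raw token in production; only the expiry is shown here.
echo 'Access token expires at ', date(DATE_ATOM, $token->getExpires()), PHP_EOL;
```

The state value must be compared with `hash_equals` against a copy stored server-side; comparing against a value supplied by the client, or skipping the check when `state` is absent, defeats its purpose.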
Using a certificate key pair instead of the shared secret
- Generate a key pair and a self-signed certificate, e.g. with OpenSSL.
- Upload the `publickey.cer` to your app in the Azure portal.
- Note the displayed thumbprint for the certificate (it looks like `B4A94A83092455AC4D3AC827F02B61646EAAC43D`).
- Put that thumbprint into the `clientCertificateThumbprint` constructor option.
- Put the contents of `private.key` into the `clientCertificatePrivateKey` constructor option.
- You can omit the `clientSecret` constructor option.
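As an added example (not from the project), the steps above carried out with PHP's own `openssl` extension, which the package already depends on: generate the key pair, write `publickey.cer` for upload and `private.key` for the application, compute the SHA-1 thumbprint in the uppercase, separator-free form the portal displays, and construct the provider without a `clientSecret`. The client ID, redirect URI and certificate subject are placeholders.

```php
<?php
// Added example: certificate credentials for Azure AD with ext-openssl.
// Assumptions: Composer autoloading, writable working directory, placeholder IDs.
require __DIR__ . '/vendor/autoload.php';

use TheNetworg\OAuth2\Client\Provider\Azure;

/**
 * Create an RSA key pair and a self-signed certificate, write both to disk and
 * return the certificate thumbprint as shown in the Azure portal.
 */
function generateClientCertificate(string $certPath, string $keyPath, int $days = 365): string
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('Key generation failed: ' . openssl_error_string());
    }

    // The subject is cosmetic: Azure AD matches the certificate by its thumbprint.
    $csr  = openssl_csr_new(['commonName' => 'oauth2-azure-client'], $key, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, null, $key, $days, ['digest_alg' => 'sha256']);
    if ($cert === false) {
        throw new RuntimeException('Certificate signing failed: ' . openssl_error_string());
    }

    openssl_x509_export_to_file($cert, $certPath);   // public part: upload to the portal
    openssl_pkey_export_to_file($key, $keyPath);     // private part: keep out of the repository
    chmod($keyPath, 0600);

    // The portal shows the SHA-1 fingerprint as uppercase hex without colons.
    return strtoupper(openssl_x509_fingerprint($cert, 'sha1'));
}

$thumbprint = generateClientCertificate(__DIR__ . '/publickey.cer', __DIR__ . '/private.key');
echo "Compare this thumbprint with the one displayed in the portal: {$thumbprint}\n";

// No clientSecret: the provider authenticates with the private key instead.
$provider = new Azure([
    'clientId'                    => 'YOUR_CLIENT_ID',                          // placeholder
    'clientCertificateThumbprint' => $thumbprint,
    'clientCertificatePrivateKey' => file_get_contents(__DIR__ . '/private.key'),
    'redirectUri'                 => 'https://example.com/callback.php',
]);
```

Treat `private.key` like any other credential: load it from a secret store or a file with restrictive permissions, and rotate it by uploading a new certificate and switching the thumbprint rather than by reusing the old key.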
Logging out
If you need to quickly generate a logout URL for the user, you can do the following:
Call on behalf of a token provided by another app
Making API Requests
This library also provides a convenience interface for interacting with the Azure AD Graph API and Microsoft Graph. The following methods are available on the provider object (they also handle the automatic token refresh flow should it be needed while making the request):
get($ref, $accessToken, $headers = [])
post($ref, $body, $accessToken, $headers = [])
put($ref, $body, $accessToken, $headers = [])
delete($ref, $body, $accessToken, $headers = [])
patch($ref, $body, $accessToken, $headers = [])
getObjects($tenant, $ref, $accessToken, $headers = [])
This is used for listing large amounts of data, for example all users: it automatically follows `odata.nextLink` until the end. `$tenant` has to be provided since `odata.nextLink` does not contain it.
request($method, $ref, $accessToken, $options = [])
See #36 for use case.
Please note that if you need to create a custom request, the methods `getAuthenticatedRequest` and `getResponse` can still be used.
Variables
- `$ref` - The URL reference without the leading `/`, for example `myOrganization/groups`
- `$body` - The contents of the request; it has to be either a string (so make sure to use `json_encode` to encode the request) or a stream (see Guzzle HTTP)
- `$accessToken` - The access token object obtained by using the `getAccessToken` method
- `$headers` - Ability to set custom headers for the request (see Guzzle HTTP)
Resource Owner
With version 1.1.0 and onward, the Resource Owner information is parsed from the JWT passed in `access_token` by Azure Active Directory. It exposes a few attributes and one function.
Example:
The exposed attributes and function are:
- `getId()` - Gets the user's object id, which is unique for each user
- `getFirstName()` - Gets the user's first name
- `getLastName()` - Gets the user's family name/surname
- `getTenantId()` - Gets the id of the tenant the user is a member of
- `getUpn()` - Gets the user's User Principal Name, which can also be used as the user's e-mail address (note that a UPN is not guaranteed to be a verified or deliverable mailbox)
- `claim($name)` - Gets any other claim (specified as `$name`) from the JWT; the full list of claims is documented in Microsoft's Azure AD token reference
Microsoft Graph
Calling Microsoft Graph is very simple with this library. After provider initialization, simply change the API URL (`$provider->urlAPI`) to the Microsoft Graph endpoint, replacing `v1.0` with your desired version. After that, when requesting an access token, refresh token or so, provide the `resource` with value `https://graph.microsoft.com/` in order to be able to make calls to the Graph (see the Advanced flow section above for how `resource` is populated).
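The following added example (not from the project) serves both the Making API Requests and Microsoft Graph sections: it points `urlAPI` at Graph v1.0 and `resource` at `https://graph.microsoft.com/`, creates and renames a security group with `post()` and `patch()` (note the `json_encode` string body and the `$ref` without a leading slash), and pages through a collection by following `@odata.nextLink` with `getAuthenticatedRequest()`/`getParsedResponse()`, which accept the absolute URL Graph returns. It assumes a configured provider and a `$token` issued for the Graph resource, and that the helpers return the decoded JSON body as an array; group names are placeholders.

```php
<?php
// Added example: Microsoft Graph calls through the provider helpers.
// Assumptions: $provider configured, $token issued for https://graph.microsoft.com/,
// helper methods return decoded JSON; names are placeholders.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Token\AccessToken;
use TheNetworg\OAuth2\Client\Provider\Azure;

function configureForGraph(Azure $provider, string $version = 'v1.0'): void
{
    // $ref is appended to urlAPI: keep the trailing slash here, no leading slash in $ref.
    $provider->urlAPI   = "https://graph.microsoft.com/{$version}/";
    // Tokens, including those obtained by the helpers' automatic refresh, must target Graph.
    $provider->resource = 'https://graph.microsoft.com/';
}

/** Create a security group. The body must already be a JSON string, not a PHP array. */
function createSecurityGroup(Azure $provider, AccessToken $token, string $name, string $nickname)
{
    $body = json_encode([
        'displayName'     => $name,
        'mailEnabled'     => false,
        'mailNickname'    => $nickname,
        'securityEnabled' => true,
    ], JSON_THROW_ON_ERROR);

    return $provider->post('groups', $body, $token, ['Content-Type' => 'application/json']);
}

/** Rename a group with PATCH; the id comes from the createSecurityGroup() response. */
function renameGroup(Azure $provider, AccessToken $token, string $groupId, string $newName)
{
    $body = json_encode(['displayName' => $newName], JSON_THROW_ON_ERROR);

    return $provider->patch('groups/' . rawurlencode($groupId), $body, $token,
        ['Content-Type' => 'application/json']);
}

/**
 * Collect every item of a Graph collection by following @odata.nextLink.
 * The generic League methods take a full URL, so the absolute next link can be reused as is.
 */
function listAll(Azure $provider, AccessToken $token, string $ref): array
{
    $items = [];
    $url   = $provider->urlAPI . $ref;
    while ($url !== null) {
        $request = $provider->getAuthenticatedRequest('GET', $url, $token);
        $page    = $provider->getParsedResponse($request);
        foreach ($page['value'] ?? [] as $item) {
            $items[] = $item;
        }
        $url = $page['@odata.nextLink'] ?? null;
    }
    return $items;
}

configureForGraph($provider);
$group = createSecurityGroup($provider, $token, 'Security Readers', 'security-readers');
renameGroup($provider, $token, $group['id'], 'Security Readers (EU)');
$upns = array_column(
    listAll($provider, $token, 'users?$select=userPrincipalName&$top=999'),
    'userPrincipalName'
);
```

Passing a PHP array as `$body` is a common mistake: the helpers expect a string or stream, so encode with `json_encode` and set the `Content-Type` header yourself.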
Protecting your API - experimental
With version 1.2.0 you can use this library to protect your API with Azure Active Directory authentication very easily. The provider exposes `validateAccessToken(string $token)`, which lets you pass in an access token, for example one you received in the `Authorization` header of a request to your API. You can use the function as follows (in vanilla PHP):
You may also need to access some other resource from the API, like the Microsoft Graph, to get additional information. For that, the `urn:ietf:params:oauth:grant-type:jwt-bearer` grant (RFC 7523) is available. An example follows (assuming you have the code above working and the required permissions configured correctly in the Azure AD application). To save you from remembering the entire `grant_type` name (`urn:ietf:params:oauth:grant-type:jwt-bearer`), you can use the short alias `jwt_bearer` instead.
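Added example (not from the project) covering both halves of this section: the API extracts the bearer token from the `Authorization` header, validates it with `validateAccessToken()`, checks that the `aud` claim names this API, and then uses the `jwt_bearer` grant to obtain a Microsoft Graph token on behalf of the caller. It assumes `validateAccessToken()` returns the decoded claims as an array; `requested_token_use=on_behalf_of` is the Azure AD parameter for this exchange, not part of the library's API; client ID and secret are placeholders.

```php
<?php
// Added example: protect an API with validateAccessToken() and call Graph on behalf of the caller.
// Assumptions: validateAccessToken() returns the claims array; placeholder credentials.
require __DIR__ . '/vendor/autoload.php';

use TheNetworg\OAuth2\Client\Provider\Azure;

$provider = new Azure([
    'clientId'     => 'YOUR_API_CLIENT_ID',       // placeholder
    'clientSecret' => 'YOUR_API_CLIENT_SECRET',   // placeholder
]);

/** Extract the bearer token, or null when the header is missing or malformed. */
function bearerTokenFromHeader(?string $header): ?string
{
    if ($header === null || !preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/', $header, $m)) {
        return null;
    }
    return $m[1];
}

/**
 * Validate the token and confirm it was issued for this API.
 * Depending on how the caller requested it, the audience is the API's client ID or its App ID URI.
 */
function authenticateRequest(Azure $provider, ?string $authorizationHeader, array $acceptedAudiences): array
{
    $token = bearerTokenFromHeader($authorizationHeader);
    if ($token === null) {
        throw new RuntimeException('missing bearer token', 401);
    }

    try {
        $claims = $provider->validateAccessToken($token);   // signature and lifetime checks
    } catch (Exception $e) {
        throw new RuntimeException('invalid token: ' . $e->getMessage(), 401);
    }

    // Defence in depth: a token minted for another app in the same tenant must not be accepted.
    if (!isset($claims['aud']) || !in_array($claims['aud'], $acceptedAudiences, true)) {
        throw new RuntimeException('token was not issued for this API', 403);
    }

    return ['claims' => $claims, 'raw' => $token];
}

$auth = authenticateRequest(
    $provider,
    $_SERVER['HTTP_AUTHORIZATION'] ?? null,
    ['YOUR_API_CLIENT_ID', 'api://YOUR_API_CLIENT_ID']   // placeholders
);

// On-behalf-of exchange: the caller's token is the assertion, Graph is the requested resource.
// "jwt_bearer" is the library's alias for urn:ietf:params:oauth:grant-type:jwt-bearer.
$graphToken = $provider->getAccessToken('jwt_bearer', [
    'assertion'           => $auth['raw'],
    'resource'            => 'https://graph.microsoft.com/',
    'requested_token_use' => 'on_behalf_of',
]);

$provider->urlAPI = 'https://graph.microsoft.com/v1.0/';
$me = $provider->get('me', $graphToken);   // acts as the calling user, not as the API
```

Some web servers do not populate `$_SERVER['HTTP_AUTHORIZATION']`; in that case read the header via `getallheaders()` instead. Return 401 for missing or invalid tokens and 403 for a valid token with the wrong audience, so clients can tell the two failures apart.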
Azure Active Directory B2C - experimental
You can also very simply make use of Azure Active Directory B2C. Before authentication, change the endpoints using `pathAuthorize`, `pathToken` and `scope`, and additionally specify your login policy. Please note that B2C support is still experimental and has not been fully tested.
Multipurpose refresh tokens - experimental
In case you need to access multiple resources (like your API and Microsoft Graph), you can use multipurpose refresh tokens. After obtaining a token for the first resource, you can request another token for a different resource by passing the first token's refresh token together with the new `resource` to the `refresh_token` grant.
At the moment, there is one issue: when you make a call to your API and the token has expired, the automatic refresh requests a token for the value of `$provider->urlAPI`, which is obviously wrong for `$accessToken2`. The solution is simple: set `$provider->urlAPI` to the resource which you want to call before making the request. This issue will be addressed in a future release. Please note that this is experimental and has not been fully tested.
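Added example (not from the project) of the multipurpose refresh token pattern together with the workaround described above: `$accessToken1` is assumed to have been obtained through the authorization code flow with your API as the resource, a second token for Microsoft Graph is requested with the `refresh_token` grant, and a small wrapper sets `urlAPI` (and `resource`, since the Advanced flow section says either may feed the refresh) before each call so an expired token is refreshed for the right resource. The API URL is a placeholder.

```php
<?php
// Added example: one refresh token, two resources, and the urlAPI workaround.
// Assumptions: $provider configured, $accessToken1 issued for your own API; URLs are placeholders.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Token\AccessToken;
use TheNetworg\OAuth2\Client\Provider\Azure;

/** Exchange the refresh token of $source for an access token scoped to $resource. */
function tokenForResource(Azure $provider, AccessToken $source, string $resource)
{
    if ($source->getRefreshToken() === null) {
        throw new RuntimeException('source token carries no refresh token');
    }

    return $provider->getAccessToken('refresh_token', [
        'refresh_token' => $source->getRefreshToken(),
        'resource'      => $resource,
    ]);
}

/**
 * Call $ref on the API at $apiUrl with $token. Pointing urlAPI and resource at the target
 * first matters: if $token has expired, the helper refreshes it for the configured resource,
 * which must be the one this token belongs to, not the one used by the previous call.
 */
function callResource(Azure $provider, AccessToken $token, string $apiUrl, string $resource, string $ref)
{
    $provider->urlAPI   = $apiUrl;
    $provider->resource = $resource;

    return $provider->get($ref, $token);
}

$apiUrl        = 'https://api.example.com/';            // your own API (placeholder)
$apiResource   = 'https://api.example.com/';            // its App ID URI (placeholder)
$graphUrl      = 'https://graph.microsoft.com/v1.0/';
$graphResource = 'https://graph.microsoft.com/';

// Second token for Graph, derived from the refresh token of the API token.
$accessToken2 = tokenForResource($provider, $accessToken1, $graphResource);

$orders = callResource($provider, $accessToken1, $apiUrl,   $apiResource,   'orders');
$me     = callResource($provider, $accessToken2, $graphUrl, $graphResource, 'me');
```

Keep the two tokens in separate variables and never hand `$accessToken2` to a call against your own API: a Graph-audience token presented to your API should be rejected by its audience check.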
Known users
If you are using this library and would like to be listed here, please let us know!
Contributing
We accept contributions via Pull Requests on Github.
Credits
- Jan Hajek (TheNetw.org)
- Vittorio Bertocci (Microsoft)
- Thanks for the splendid support while implementing #16
- Martin Cetkovský (cetkovsky.eu)
- All Contributors
Support
If you find a bug or encounter any issue or have a problem/question with this library please create a new issue.
License
The MIT License (MIT). Please see License File for more information.
All versions of oauth2-azure with dependencies
- ext-openssl: *
- php: ^7.1|^8.0
- league/oauth2-client: ~2.0
- firebase/php-jwt: ~3.0||~4.0||~5.0||~6.0