Download the PHP package vizir/laravel-keycloak-web-guard without Composer

On this page you can find all versions of the php package vizir/laravel-keycloak-web-guard. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package laravel-keycloak-web-guard

[NEEDS A MAINTAINER] Keycloak Web Guard for Laravel

This packages allow you authenticate users with Keycloak Server.

It works on front. For APIs we recommend laravel-keycloak-guard.

Requirements

Support

This package was tested with:

Any other version is not guaranteed to work.

This is project is open source and maintained on my free time. So, if you have any problem you can open a Issue with all details (laravel version, keycloak version, the description of problem...) and I'll be happy to try to help.

The flow

  1. User access a guarded route and is redirected to Keycloak login.
  2. User signin and obtains a code.
  3. He's redirected to callback page and we change the code for a access token.
  4. We store it on session and validate user.
  5. User is logged.
  6. We redirect the user to "redirect_url" route (see config) or the intended one.

Install

Require the package

If you want to change routes or the default values for Keycloak, publish the config file:

Configuration

After publishing config/keycloak-web.php file, you can change the routes:

The scope openid is always included, but if you need extra scopes you can add them as strings to the array:

Example:

Change any value to change the URL.

Other configurations can be changed to have a new default value, but we recommend to use .env file:

The Keycloak Server url. Generally is something like: https://your-domain.com/auth.

The Keycloak realm. The default is master.

The Keycloak Server realm public key (string).

In dashboard go to: Keycloak >> Realm Settings >> Keys >> RS256 >> Public Key.

Keycloak Client ID.

In dashboard go to: Keycloak >> Clients >> Installation.

Keycloak Client Secret. If empty we'll not send it to Token Endpoint.

In dashboard go to: Keycloak >> Clients >> Installation.

We can cache the OpenId Configuration: it's a list of endpoints we require to Keycloak.

If you activate it, remember to flush the cache when change the realm or url.

Just add the options you would like as an array to the" to "Just add the options you would like to guzzle_options array on keycloak-web.php config file. For example:

Laravel Auth

You should add Keycloak Web guard to your config/auth.php.

Just add keycloak-web to "driver" option on configurations you want.

As my default is web, I add to it:

And change your provider config too:

Note: if you want use another User Model, check the FAQ How to implement my Model?.

API

We implement the Illuminate\Contracts\Auth\Guard. So, all Laravel default methods will be available.

Ex: Auth::user() returns the authenticated user.

Roles

You can check user has a role simply by Auth::hasRole('role');

This method accept two parameters: the first is the role (string or array of strings) and the second is the resource.

If not provided, resource will be the client_id, which is the regular check if you authenticating into this client to your front.

Keycloak Web Gate

You can use Laravel Authorization Gate to check user against one or more roles (and resources).

For example, in your Controller you can check one role:

Or multiple roles:

And roles for a resource:

This last use is not trivial, but you can extend the Guard to request authentication/authorization to multiple resources. By default, we request only the current client.

Keycloak Can Middleware

If you do not want to use the Gate or already implemented middlewares, you can check user against one or more roles using the keycloak-web-can Middleware.

Add this to your Controller's __construct method:

This middleware works searching for all roles on default resource (client_id).

You can extend it and register your own middleware on Kernel.php or just use Auth::hasRole($roles, $resource) on your Controller.

FAQ

How to implement my Model?

We registered a new user provider that you configured on config/auth.php called "keycloak-users".

In this same configuration you setted the model. So you can register your own model extending Vizir\KeycloakWebGuard\Models\KeycloakUser class and changing this configuration.

You can implement your own User Provider: just remember to implement the retrieveByCredentials method receiving the Keycloak Profile information to retrieve a instance of model.

Eloquent/Database User Provider should work well as they will parse the Keycloak Profile and make a "where" to your database. So your user data must match with Keycloak Profile.

I cannot find my login form.

We register a login route to redirect to Keycloak Server. After login we'll receive and proccess the token to authenticate your user.

There's no login/registration form.

How can I protect a route?

Just add the keycloak-web middleware:

Where the access/refresh tokens and state are persisted?

On session. We recommend implement the database driver if you have load balance.

What's a state?

State is a unique and non-guessable string used to mitigate CSRF attacks.

We associate each authentication request about to be initiated with one random state and check on callback. You should do it if you are extending/implementing your own Auth controller.

Use KeycloakWeb::saveState() method to save the already generated state to session and KeycloakWeb::validateState() to check the current state against the saved one.

I'm having problems with session (stuck on login loop)

For some reason Laravel can present a problem with EncryptCookies middleware changing the session ID.

In this case, we will always try to login, as tokens cannot be retrieved.

You can remove session_id cookie from encryption:

My client is not public.

If your client is not public, you should provide a KEYCLOAK_CLIENT_SECRET on your .env.

How can I override the default Guzzle options?

In some use cases you may need to override the default Guzzle options - likely either to disable SSL verification or to set a Proxy to route all requests through.

Every Guzzle Request Option is supported and is passed directly to the Guzzle Client instance.

Just add the options you would like to guzzle_options array on keycloak-web.php config file. For example:

Developers

With contributors on GitHub :heart:


All versions of laravel-keycloak-web-guard with dependencies

PHP Build Version
Package Version
Requires guzzlehttp/guzzle Version ^6.5|^7.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package vizir/laravel-keycloak-web-guard contains the following files

Loading the files please wait ....