A simple OpenID Connect (OIDC) client for browser-based applications in PHP
rciam/simple-oidc-client-php
simple-oidc-client-php

A simple OpenID Connect (OIDC) client in PHP that uses the Authorization Code flow, optionally with PKCE (RFC 7636).

Simple OIDC Client - setup

You can either clone the repository from GitHub or download the project from the releases page. (The instructions have been tested on Debian 10 with PHP 7.)

Clone repo

First, install Apache, PHP and Composer. Note that php-cli alone does not make Apache execute PHP files; on Debian you also need the Apache PHP module (libapache2-mod-php, pulled in by the php package) or php-fpm.

sudo apt-get update
sudo apt-get install apache2 curl php-cli php-json php-xml git
php -r "copy('https://getcomposer.org/installer', '/tmp/composer-setup.php');"
sudo php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer

See the Composer documentation for more information about installing Composer.

Then clone the repository into the Apache document root:

cd /var/www/html
git clone https://github.com/rciam/simple-oidc-client-php.git

Install the requirements with composer:

cd simple-oidc-client-php
composer install

Download from releases

Install Apache (the command below installs apache2 only; PHP and the Apache PHP module, e.g. the php package on Debian, are also required to run the client)

sudo apt-get update
sudo apt-get install apache2

Download the release tarball and extract it in the Apache document root (replace X.Y.Z with the release version):

cd /var/www/html
wget https://github.com/rciam/simple-oidc-client-php/releases/download/vX.Y.Z/simple-oidc-client-php-X.Y.Z.tar.gz
tar -zxvf simple-oidc-client-php-X.Y.Z.tar.gz

Simple OIDC Client - authentication

Now that you have everything you need, you can configure the client in config.php. First, copy the example configuration file:

cp example-config.php config.php

Then open the file and configure the portal (config.php holds the client secret, so keep it out of version control):

<?php

// index.php interface configuration
$title = "Generate Tokens";
$img = "https://www.pngkey.com/png/detail/233-2332677_image-500580-placeholder-transparent.png";
$scopeInfo = "This service requires the following permissions for your account:";

// Client configuration
$issuer = "https://example.com/auth/realms/rciam";
$clientId = "some-client-id";
$clientSecret = "some-client-secret";  // comment out if you are using PKCE as a public client
// $pkceCodeChallengeMethod = "S256";   // uncomment to use PKCE ("S256" or "plain"; prefer "S256")
$redirectPage = "refreshtoken.php";  // select between "refreshtoken.php" and "auth.php"
// Must match a redirect URI registered at the OP exactly; use https outside local testing
$redirectUrl = "http://localhost/simple-oidc-client-php/" . $redirectPage;
// add scopes as keys and a friendly message of the scope as value
$scopesDefine = array(
    'openid' => 'log in using your identity',
    'email' => 'read your email address',
    'profile' => 'read your basic profile info',
);
// refreshtoken.php interface configuration
$refreshTokenNote = "NOTE: New refresh tokens expire in 12 months.";
$accessTokenNote = "NOTE: New access tokens expire in 1 hour.";
$manageTokenNote = "You can manage your refresh tokens in the following link: ";
$manageTokens = $issuer . "/account/#/applications";
$sessionName = "simple-oidc-client-php";  // This value must be the same as the name of the parent directory
$sessionLifetime = 60 * 60;  // must be equal to the access token validity time in seconds
$bannerText = "";
$bannerType = "info";  // Select one of "info", "warning", "error" or "success"
$allowIntrospection = false;
$enableActiveTokensTable = false;  // This option works only for MITREid Connect based OPs
$showIdToken = false;

Let’s go quickly through the settings:

  • title required, the title shown on the navigation bar
  • img required, the source URL of the logo
  • scopeInfo optional, a message that informs the user about the permissions the application requires
  • issuer required, the base URL of your OpenID Provider. The client fetches the provider metadata from the discovery document at issuer/.well-known/openid-configuration to locate the endpoints and to validate the tokens
  • clientId required, the id of the client to use when hitting the authorization endpoint
  • clientSecret optional, authenticates the client at the token endpoint. Set it when the client is registered as a confidential client; comment it out when you use PKCE as a public client. Keep it out of version control.
  • pkceCodeChallengeMethod optional, the code challenge method for PKCE (RFC 7636). Choose between plain and S256. Use S256 unless the OP does not support it: with plain, the code challenge is the verifier itself and is exposed in the front-channel authorization request.
  • redirectPage required, the page the user is redirected to after login. Currently, two pages are available for that purpose:
    • refreshtoken.php: The user can request Refresh Tokens and see all the issued active Refresh Tokens for this client.
    • auth.php: The user can obtain their user information with the obtained Access (and Refresh) Token.
  • redirectUrl required, the redirect URI to which the OP sends the authorization code via the browser. It must exactly match a redirect URI registered for this client at the OP, and should use https outside local testing.
  • scopesDefine required, the scopes the client requests, each with a user-friendly description shown on index.php
  • refreshTokenNote optional, info shown about the refresh token
  • accessTokenNote optional, info shown about the access token
  • manageTokenNote optional, a message that tells the user where they can manage their tokens
  • manageTokens optional, URL of the token management service
  • sessionName required, the name of the session cookie. The value must be the same as the name of the parent directory
  • sessionLifetime required, the duration of the session in seconds. This must be equal to the validity time of the access token, otherwise the session either outlives the token or expires while the token is still valid.
  • bannerText optional, the text the banner will contain.
  • bannerType required if bannerText is omitted, optional otherwise; the type (colour) of the banner. Options:
    • info
    • error
    • success
    • warning
  • allowIntrospection required, shows or hides the introspection command
  • enableActiveTokensTable required, shows or hides the Active Refresh Token table in refreshtoken.php. Important note: This option works only for MITREid Connect based OPs!
  • showIdToken required, shows or hides the ID Token on the dashboard
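To make the settings above concrete, here is an added worked example (editor's code, not part of simple-oidc-client-php) of what the client does with them: it builds an Authorization Code request with PKCE and a session-bound state, validates the callback that arrives at redirectUrl, and assembles the token request, using either the PKCE verifier or the client secret. The variable names mirror config.php; the authorization endpoint path, the constructed callback query and the function names are assumptions for the sake of an offline run (in practice the endpoint is read from the discovery document).

```php
<?php
// Added example, not code from simple-oidc-client-php. Demonstrates the
// Authorization Code flow with PKCE and state using the config.php names.
declare(strict_types=1);

// --- settings, same names as config.php (placeholder values) ---
$issuer = "https://example.com/auth/realms/rciam";
$clientId = "some-client-id";
$clientSecret = null;                 // confidential client: set this instead of / in addition to PKCE
$pkceCodeChallengeMethod = "S256";    // public client: PKCE; prefer S256 over plain
$redirectUrl = "https://localhost/simple-oidc-client-php/auth.php";
$scopesDefine = ['openid' => 'log in', 'email' => 'read your email', 'profile' => 'read your profile'];
// Assumed here so the script runs offline; normally taken from
// $issuer/.well-known/openid-configuration ("authorization_endpoint").
$authzEndpoint = $issuer . "/protocol/openid-connect/auth";

// base64url without padding, as RFC 7636 requires for the challenge.
function base64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes give 43.
function pkceVerifier(): string {
    return base64url(random_bytes(32));
}

function pkceChallenge(string $verifier, string $method): string {
    if ($method === 'S256') {
        return base64url(hash('sha256', $verifier, true));
    }
    if ($method === 'plain') {        // only when the OP cannot do S256: exposes the verifier
        return $verifier;
    }
    throw new InvalidArgumentException("unsupported code_challenge_method: $method");
}

// Returns [url, state, nonce, verifier]; the caller stores state, nonce and
// verifier in the session before redirecting the browser to url.
function buildAuthorizationRequest(string $authzEndpoint, string $clientId, string $redirectUrl,
                                   array $scopesDefine, ?string $pkceMethod): array {
    $state = base64url(random_bytes(16));   // binds the callback to this session (CSRF)
    $nonce = base64url(random_bytes(16));   // must reappear in the ID token
    $params = [
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUrl,
        'scope'         => implode(' ', array_keys($scopesDefine)),
        'state'         => $state,
        'nonce'         => $nonce,
    ];
    $verifier = null;
    if ($pkceMethod !== null) {
        $verifier = pkceVerifier();
        $params['code_challenge'] = pkceChallenge($verifier, $pkceMethod);
        $params['code_challenge_method'] = $pkceMethod;
    }
    $url = $authzEndpoint . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return [$url, $state, $nonce, $verifier];
}

// Validates the query string the OP sends to redirectUrl and returns the code.
function validateCallback(array $query, string $expectedState): string {
    if (isset($query['error'])) {
        throw new RuntimeException('OP returned error: ' . $query['error']);
    }
    if (!isset($query['state'], $query['code']) || !hash_equals($expectedState, (string) $query['state'])) {
        throw new RuntimeException('state mismatch: possible CSRF or replayed callback');
    }
    return (string) $query['code'];
}

// Token endpoint body: code_verifier for PKCE, client_secret for a confidential client.
function buildTokenRequest(string $code, string $clientId, string $redirectUrl,
                           ?string $verifier, ?string $clientSecret): array {
    if ($verifier === null && $clientSecret === null) {
        throw new LogicException('configure PKCE or a client secret');
    }
    $body = ['grant_type' => 'authorization_code', 'code' => $code,
             'client_id' => $clientId, 'redirect_uri' => $redirectUrl];
    if ($verifier !== null)     { $body['code_verifier'] = $verifier; }
    if ($clientSecret !== null) { $body['client_secret'] = $clientSecret; }
    return $body;
}

// --- walk-through ---
[$url, $state, $nonce, $verifier] = buildAuthorizationRequest(
    $authzEndpoint, $clientId, $redirectUrl, $scopesDefine, $pkceCodeChallengeMethod);
// In the real app: $_SESSION['oidc'] = compact('state', 'nonce', 'verifier'); header("Location: $url");
echo "redirect to: $url\n";

// Constructed callback query, as the browser would deliver it to auth.php.
$code = validateCallback(['code' => 'constructed-code', 'state' => $state], $state);
print_r(buildTokenRequest($code, $clientId, $redirectUrl, $verifier, $clientSecret));

// A callback whose state was not issued to this session is rejected.
try {
    validateCallback(['code' => 'x', 'state' => 'forged'], $state);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The token request is then POSTed to the token endpoint from the discovery document; after that the ID token's signature, issuer, audience, expiry and nonce still have to be checked, which is what the issuer setting enables. Note that with PKCE the verifier never leaves the server until the back-channel token request, so an attacker who sees the authorization request or the code alone cannot redeem it.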