A simple OpenID Connect (OIDC) client in PHP that uses authorization code flow and/or PKCE
You can either clone repo from github or download the project from releases. (Instructions have been tested on Debian 10 and PHP 7).
First you need to install apache and composer
sudo apt-get update
sudo apt-get install apache2 curl php-cli php-json php-xml git
php -r "copy('https://getcomposer.org/installer', '/tmp/composer-setup.php');"
sudo php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer
Click here for more info about composer installation
Then clone the repo to this directory:
cd /var/www/html
git clone https://github.com/rciam/simple-oidc-client-php.git
Install the requirements with composer:
cd simple-oidc-client-php
composer install
Install Apache
sudo apt-get update
sudo apt-get install apache2
Download the file from releases and extract it in apache home directory
cd /var/www/html
wget https://github.com/rciam/simple-oidc-client-php/releases/download/vX.Y.Z/simple-oidc-client-php-X.Y.Z.tar.gz
tar -zxvf simple-oidc-client-php-X.Y.Z.tar.gz
Now that you have everything you need, you can configure your login settings in
config.php
.
First, copy the configuration file, using the command:
cp example-config.php config.php
Then open the file and configure the portal.
<?php
// index.php interface configuration
$title = "Generate Tokens";
$img = "https://www.pngkey.com/png/detail/233-2332677_image-500580-placeholder-transparent.png";
$scopeInfo = "This service requires the following permissions for your account:";
// Client configuration
$issuer = "https://example.com/auth/realms/rciam";
$clientId = "some-client-id";
$clientSecret = "some-client-secret"; // comment if you are using PKCE
// $pkceCodeChallengeMethod = "S256"; // uncomment to use PKCE
$redirectPage = "refreshtoken.php"; // select between "refreshtoken.php" and "auth.php"
$redirectUrl = "http://localhost/simple-oidc-client-php/" . $redirectPage;
// add scopes as keys and a friendly message of the scope as value
$scopesDefine = array(
'openid' => 'log in using your identity',
'email' => 'read your email address',
'profile' => 'read your basic profile info',
);
// refreshtoken.php interface configuration
$refreshTokenNote = "NOTE: New refresh tokens expire in 12 months.";
$accessTokenNote = "NOTE: New access tokens expire in 1 hour.";
$manageTokenNote = "You can manage your refresh tokens in the following link: ";
$manageTokens = $issuer . "/account/#/applications";
$sessionName = "simple-oidc-client-php"; // This value must be the same with the name of the parent directory
$sessionLifetime = 60 * 60; // must be equal to access token validation time in seconds
$bannerText = "";
$bannerType = "info"; // Select one of "info", "warning", "error" or "success"
$allowIntrospection = false;
$enableActiveTokensTable = false; // This option works only for MITREid Connect based OPs
$showIdToken = false;
Let’s go quickly through the settings:
title
required, is the title on the navigation barimg
required, is the source of the logoscopeInfo
optional, is a message that informs the user for the application requirementsissuer
required, is the base URL of your OpenID Provider instance. This will allow oidc-client to query the metadata endpoint so it can validate the tokensclientId
required, is the id of the client you want to use when hitting the authorization endpointclientSecret
optional, a value the offers better security to the message flowpkceCodeChallengeMethod
optional, a string that defines the code challenge method for PKCE. Choose betweenplain
orS256
.redirectPage
required, the page to redirect the user. Currently, there are available 2 pages for that purpose:refreshtoken.php
: The users can request Refresh Tokens. Also, they can see all the issued active Refresh Tokens for this client.auth.php
: The users can obtain their user information from the obtained Access (and Refresh) Token.
redirectUrl
required, is the redirect URL where the client and the browser agree to send and receive correspondingly the code.scopesDefine
required, defines the scopes the client supportsrefreshTokenNote
optional, info for the refresh tokenaccessTokenNote
optional, info for the access tokenmanageTokenNote
optional, message the informs the user where can manage his tokensmanageTokens
optional, URL of the manage tokens servicesessionName
required, define the name of the cookie session. The value must be the same with the name of the parent directorysessionLifetime
required, define the duration of the session. This must be equal to the validity time of the access token.bannerText
optional, the text that the banner will contain.bannerType
required ifbannerText
is omitted, otherwise is optional, define the type (color) of the banner. Options:info
error
success
warning
allowIntrospection
required, define to show/hide the introspection commandenableActiveTokensTable
required, define to show/hide the Active Refresh Token table inrefreshtoken.php
. Important note: This option works only for MITREid Connect based OPs!showIdToken
required, define to show/hide the ID Token from the dashboard