Token endpoint

Introduction

The library tries to pick the best authentication method for the token endpoint from the options the OP advertises, but you can force one. The allowed methods are:

  • pkce: if PKCE was used for the authorization request (no client_secret needed)

  • client_secret_basic (client_secret needed)

  • client_secret_post (client_secret needed)

  • client_secret_jwt (client_secret needed)

  • private_key_jwt (no client_secret needed)

To force a method, call set_auth_method on the token request.

Example: forcing client_secret_basic

$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);

$tokenRes = $client->token();
$tokenRes->set_auth_method('client_secret_basic'); // optional, to force the authentication method

...

Using the client_secret_jwt method

The client authenticates to the token_endpoint by sending a JWT signed (HMAC) with the client_secret. The library's default algorithm is HS256.

RFC 7518 sets the minimum length the client_secret must have for each algorithm.

The JWT can be signed with:

  • HS256: client_secret of at least 256 bits

  • HS384: client_secret of at least 384 bits

  • HS512: client_secret of at least 512 bits

// Example
  $tokenRes->setSigAlg('HS512');

Using the private_key_jwt method

The client authenticates to the token_endpoint by sending a JWT signed with an RSA or elliptic-curve private key. The OP must already know the matching public key or certificate.

The private key can be supplied in several formats:


//From PEM
  $privateKey = <<<EOD
  -----BEGIN EC PRIVATE KEY-----
  MHcCAQEEINrfGx+a3flbw/2bjiiDkF8+VMpqjE751+ILDkzxM8FvoAoGCCqGSM49
  AwEHoUQDQgAED2XFGdEmpygLSqqn5SMXeR740smRBfULJet3hzkUZ+YySKzjCHkS
  LVxw3dimCk14de2ANcVxosOU5hOCP6SDBw==
  -----END EC PRIVATE KEY-----
  EOD;

  $client->keysManager()
    ->set_private_key_pem($privateKey, $password) // $password is OPTIONAL; set it if the key is password-protected
    ->use_for_signVerify()
    ->set_kid('my key id') // optional
    ->build();

//From a file containing the PEM
  $client->keysManager()
    ->set_private_key_pem_file($pathOfFile, $password) // $password is OPTIONAL; set it if the key is password-protected
    ->use_for_signVerify()
    ->set_kid('my key id') // optional
    ->build();

//From a p12 file
  $client->keysManager()
    ->set_p12_file($pathOfFile, $password) // $password is OPTIONAL; set it if the p12 is password-protected
    ->use_for_signVerify()
    ->set_kid('my key id') // optional
    ->build();

//From an X509 certificate
  $cert = <<<EOD
  -----BEGIN CERTIFICATE-----
  // certificate contents in PEM format
  -----END CERTIFICATE-----
  EOD;

  $client->keysManager()
    ->set_private_key_pem($privateKey, $password) // $password is OPTIONAL; set it if the key is password-protected
    ->set_x509($cert)
    ->use_for_signVerify()
    ->set_kid('my key id') // optional
    ->build();

//From an X509 certificate file
  $client->keysManager()
    ->set_private_key_pem_file($pathToPrivateKey, $password) // $password is OPTIONAL; set it if the key is password-protected
    ->set_x509($pathToCert)
    ->use_for_signVerify()
    ->set_kid('my key id') // optional
    ->build();

//Use the certificate info in the signed JWT header of the token requests
// -- used to authenticate to Microsoft Azure with a certificate
  $tokenRes = $client->token();
  $tokenRes->jwt_headers_options('kid'); // add the kid derived from the certificate
  $tokenRes->jwt_headers_options('x5t'); // add the x5t (certificate thumbprint) from the certificate

For an RSA key, the library's default algorithm is RS256. These algorithms can be used:

  • RS256

  • RS384

  • RS512

  • PS256

  • PS384

  • PS512

// Example
  $tokenRes->setSigAlg('PS512');

For an elliptic-curve key, the algorithm is set automatically from the curve present in the key:

  • P-256 : ES256

  • P-384 : ES384

  • P-521 : ES512
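What the two JWT-based methods above actually put on the wire, as an added example in plain PHP (not code from the Svgta\OidcClient library): buildClientSecretJwt builds the client_secret_jwt assertion and refuses a client_secret shorter than RFC 7518 allows for HS256/HS384/HS512, buildPrivateKeyJwt builds the private_key_jwt assertion with RS256 and the kid/x5t headers, and verifyClientAssertion shows the checks an OP performs when it receives one (signature, audience, expiry, jti replay). The function names, the token endpoint URL and the throwaway RSA key and self-signed certificate are assumptions constructed for this demo; only PHP's hash, json and openssl functions are used, and PHP 7.4 or newer is assumed for the arrow functions. Elliptic-curve signing is left out because ES* signatures require converting the DER signature from openssl_sign into the raw r||s form.

```php
<?php
// Added example, not code from the Svgta\OidcClient library. Function names, the token
// endpoint URL and the throwaway key/certificate below are assumptions for this demo.
declare(strict_types=1);

function b64url(string $bin): string { return rtrim(strtr(base64_encode($bin), '+/', '-_'), '='); }
function b64urlDecode(string $s): string {
    $padded = strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode($padded, true) ?: '';
}

// Claims every client assertion carries (OpenID Connect Core 1.0 section 9 / RFC 7523).
function clientAssertionClaims(string $clientId, string $tokenEndpoint, int $ttl = 60): array {
    $now = time();
    return ['iss' => $clientId, 'sub' => $clientId, 'aud' => $tokenEndpoint,
            'jti' => bin2hex(random_bytes(16)),  // unique per request so the OP can reject replays
            'iat' => $now, 'exp' => $now + $ttl];
}

function encodeJwt(array $header, array $claims, callable $sign): string {
    $input = b64url(json_encode($header)) . '.' . b64url(json_encode($claims));
    return $input . '.' . b64url($sign($input));
}

// client_secret_jwt: HMAC over the JWT with the client_secret. RFC 7518 section 3.2 requires the
// key to be at least as long as the hash output, so a too-short secret is refused up front.
function buildClientSecretJwt(string $clientId, string $secret, string $tokenEndpoint, string $alg = 'HS256'): string {
    $hash = ['HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512'][$alg] ?? null;
    if ($hash === null) { throw new InvalidArgumentException("unsupported alg $alg"); }
    $minBits = (int) substr($alg, 2);
    $bits = strlen($secret) * 8;
    if ($bits < $minBits) { throw new LengthException("$alg needs a client_secret of at least $minBits bits, got $bits"); }
    return encodeJwt(['alg' => $alg, 'typ' => 'JWT'], clientAssertionClaims($clientId, $tokenEndpoint),
        fn(string $input): string => hash_hmac($hash, $input, $secret, true));
}

// private_key_jwt: RSA PKCS#1 v1.5 signature (RS256/RS384/RS512 via openssl_sign). The OP must
// already hold the public key; optional "kid"/"x5t" headers tell it which one to use.
function buildPrivateKeyJwt(string $clientId, $privateKey, string $tokenEndpoint, array $extraHeaders = [], string $alg = 'RS256'): string {
    $digest = ['RS256' => OPENSSL_ALGO_SHA256, 'RS384' => OPENSSL_ALGO_SHA384, 'RS512' => OPENSSL_ALGO_SHA512][$alg] ?? null;
    if ($digest === null) { throw new InvalidArgumentException("unsupported alg $alg"); }
    return encodeJwt(['alg' => $alg, 'typ' => 'JWT'] + $extraHeaders, clientAssertionClaims($clientId, $tokenEndpoint),
        function (string $input) use ($privateKey, $digest): string {
            if (!openssl_sign($input, $sig, $privateKey, $digest)) { throw new RuntimeException('openssl_sign failed'); }
            return $sig;
        });
}

// The OP side, simplified: signature first, then audience, expiry and jti replay check.
function verifyClientAssertion(string $jwt, callable $verifySig, string $expectedAud, array &$seenJti): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { throw new UnexpectedValueException('malformed JWT'); }
    [$h, $c, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    $claims = json_decode(b64urlDecode($c), true);
    if (!$verifySig($header['alg'] ?? '', "$h.$c", b64urlDecode($s))) { throw new RuntimeException('bad signature'); }
    if (($claims['aud'] ?? null) !== $expectedAud) { throw new RuntimeException('aud mismatch'); }
    if (($claims['exp'] ?? 0) < time()) { throw new RuntimeException('assertion expired'); }
    if (!isset($claims['jti']) || isset($seenJti[$claims['jti']])) { throw new RuntimeException('missing or replayed jti'); }
    $seenJti[$claims['jti']] = true;
    return $claims;
}

// --- demo with constructed values ---
$tokenEndpoint = 'https://id.provider.com/token';  // assumed token endpoint of the OP
$clientId = 'Your_client_id';
$seen = [];

// client_secret_jwt: a 32-byte secret satisfies HS256 (256 bits) but not HS512 (512 bits).
$secret = bin2hex(random_bytes(16));
$jwt = buildClientSecretJwt($clientId, $secret, $tokenEndpoint, 'HS256');
verifyClientAssertion($jwt, fn($alg, $input, $sig) => hash_equals(hash_hmac('sha256', $input, $secret, true), $sig), $tokenEndpoint, $seen);
try { buildClientSecretJwt($clientId, $secret, $tokenEndpoint, 'HS512'); }
catch (LengthException $e) { echo $e->getMessage(), PHP_EOL; }

// private_key_jwt: throwaway RSA key and self-signed certificate so kid and x5t can be derived,
// the way the page's jwt_headers_options('kid') / ('x5t') add them from a real certificate.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => $clientId], $key);
$cert = openssl_csr_sign($csr, null, $key, 365);
$x5t = b64url(openssl_x509_fingerprint($cert, 'sha1', true));  // x5t = base64url(SHA-1 of the DER certificate)
$jwt2 = buildPrivateKeyJwt($clientId, $key, $tokenEndpoint, ['kid' => 'my key id', 'x5t' => $x5t]);
$pub = openssl_pkey_get_public($cert);
$claims = verifyClientAssertion($jwt2, fn($alg, $input, $sig) => openssl_verify($input, $sig, $pub, OPENSSL_ALGO_SHA256) === 1, $tokenEndpoint, $seen);
echo 'private_key_jwt accepted for ', $claims['sub'], ' with x5t ', $x5t, PHP_EOL;
```

Run it with `php example.php`. The second buildClientSecretJwt call is expected to throw, which is the RFC 7518 length rule the HS256/HS384/HS512 list above describes; the replay check in verifyClientAssertion is why each assertion carries a fresh jti.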
