Tokens managment

Information

All tokens get by the differents methods are set in session.

The id_token must be a JWS (JWT signed by the OP with a key known in it's jwks_uri endpoint or signed with the client_secret).

Flow code, implicit, hybrid

Generaly used by the callback url after the authorization on the OP for code or hybrid.

Basic usage :

$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);

$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$tokens = $tokenRes->get_tokens();

Password grant

The Password grant flow should not be used. See explanation on : https://www.oauth.com/oauth2-servers/access-tokens/password-grant/

If your OP don't accept it, you can not used it.

Basic usage :

Client credentials

This flow is used when applications request an access_token to access their own resources.

Basic usage :

Refresh token

To get new access_token and id_token. The refresh_token must be send with the others tokens. Generaly, in the authorization flow, the scope offline_access must be used.

Basic usage :

Introspect token

The OP must have introspection_endpoint set.

The instrospection endpoint is not defined in OpenId Connect Provider Metadata (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). You can add it with (it's an example) :

Based on rfc7662, the token must be an access_token or a refresh_token.

Usage :

Revoke token

Only access_token and refresh_token can be used.

The OP must have revocation_endpoint set.

The revocation endpoint is not defined in OpenId Connect Provider Metadata (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). You can add it with (it's an example) :

Usage :

PreviousToken endpointNextUserInfo

Last updated