All tokens obtained by the different methods are stored in the session.
The id_token must be a JWS (a JWT signed by the OP with a key published at its jwks_uri endpoint, or signed with the client_secret).
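As an added example (not the library's own code), the check below shows what accepting an id_token signed with the client_secret (HS256) involves: pin the algorithm, compare the HMAC in constant time, then validate iss, aud and exp. The helper names, the secret and the sample token are constructed for illustration.

```php
<?php
// Added example, not library code: validate an id_token signed with the client_secret (HS256).
function b64url_decode(string $s) {
    $pad = (4 - strlen($s) % 4) % 4;
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', $pad), true);
}
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function verify_hs256_id_token(string $jwt, string $secret, string $iss, string $clientId, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('not a compact JWS');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    // Pin the algorithm: an unsigned ("none") or unexpected alg is refused outright.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('unexpected alg');
    }
    $sig = b64url_decode($s);
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if ($sig === false || !hash_equals($expected, $sig)) { // constant-time comparison
        throw new RuntimeException('bad signature');
    }
    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims) || ($claims['iss'] ?? null) !== $iss) {
        throw new RuntimeException('bad issuer');
    }
    if (!in_array($clientId, (array) ($claims['aud'] ?? []), true)) {
        throw new RuntimeException('client_id not in aud');
    }
    if ((int) ($claims['exp'] ?? 0) <= $now) {
        throw new RuntimeException('expired');
    }
    return $claims;
}
// Constructed sample token, secret and clock value, minted locally so the example runs offline.
$secret = 'constructed-client-secret';
$h = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$p = b64url_encode(json_encode(['iss' => 'https://id.provider.com', 'aud' => 'Your_client_id', 'sub' => 'user-1', 'exp' => 2000000000]));
$jwt = "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
$claims = verify_hs256_id_token($jwt, $secret, 'https://id.provider.com', 'Your_client_id', 1700000000);
echo 'valid for sub=', $claims['sub'], "\n";
try { // same payload with alg "none" and an empty signature
    verify_hs256_id_token(b64url_encode('{"alg":"none"}') . ".$p.", $secret, 'https://id.provider.com', 'Your_client_id', 1700000000);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```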
Flow code, implicit, hybrid
Generally used by the callback URL after authorization on the OP, for the code or hybrid flow.
Basic usage:
$client = new Svgta\OidcClient\init(
'https://id.provider.com/.well-known/openid-configuration',
'Your_client_id',
'Your_client_secret'
);
$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$tokens = $tokenRes->get_tokens();
Password grant
The password grant flow should not be used. See the explanation at https://www.oauth.com/oauth2-servers/access-tokens/password-grant/
If your OP does not accept it, you cannot use it.
Basic usage:
$client = new Svgta\OidcClient\init(
'https://id.provider.com/.well-known/openid-configuration',
'Your_client_id',
'Your_client_secret'
);
$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$tokens = $tokenRes->password_grant($username, $password);
Client credentials
This flow is used when applications request an access_token to access their own resources.
Basic usage:
$client = new Svgta\OidcClient\init(
'https://id.provider.com/.well-known/openid-configuration',
'Your_client_id',
'Your_client_secret'
);
$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$scopes = 'write read';
$tokens = $tokenRes->client_credentials($scopes); // $scopes is optional
Refresh token
Used to get a new access_token and id_token. The refresh_token must be sent with the other tokens. Generally, the offline_access scope must be used in the authorization flow.
Basic usage:
$client = new Svgta\OidcClient\init(
'https://id.provider.com/.well-known/openid-configuration',
'Your_client_id',
'Your_client_secret'
);
$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$tokens = $tokenRes->refresh_token($refresh_token);
// $refresh_token is optional. If not set, the library tries to find it in its session.