Tokens managment

Information

All tokens get by the differents methods are set in session.

The id_token must be a JWS (JWT signed by the OP with a key known in it's jwks_uri endpoint or signed with the client_secret).


Flow code, implicit, hybrid

Generaly used by the callback url after the authorization on the OP for code or hybrid.

Basic usage :

$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);

$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$tokens = $tokenRes->get_tokens(); 

Password grant

The Password grant flow should not be used. See explanation on : https://www.oauth.com/oauth2-servers/access-tokens/password-grant/

If your OP don't accept it, you can not used it.

Basic usage :

$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);

$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$tokens = $tokenRes->password_grant($username, $password); 

Client credentials

This flow is used when applications request an access_token to access their own resources.

Basic usage :

$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);

$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$scopes = 'write read';
$tokens = $tokenRes->client_credentials($scopes); //$scopes is optionnal

Refresh token

To get new access_token and id_token. The refresh_token must be send with the others tokens. Generaly, in the authorization flow, the scope offline_access must be used.

Basic usage :

$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);

$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$tokens = $tokenRes->refresh_token($refresh_token); 
// the var refresh_token is optionnal. If not set, the library try to find it in its session.

Introspect token

The OP must have introspection_endpoint set.

The instrospection endpoint is not defined in OpenId Connect Provider Metadata (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). You can add it with (it's an example) :

 $client->add_OP_info('introspection_endpoint', 'https://id.provider.com/intro');

Based on rfc7662, the token must be an access_token or a refresh_token.

Usage :

$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);
// ...

$tokenRes = $client->token();
// ...

$token = '...AccessTokenValue';
$type = 'access_token';
// OR
$token = '...refreshTokenValue';
$type = 'refresh_token';
// $type is optional. If set, it must have 'refresh_token' or 'access_token' value
//..
$revokeResponse = $tokens->introspect_token($token, $type); 

Revoke token

Only access_token and refresh_token can be used.

The OP must have revocation_endpoint set.

The revocation endpoint is not defined in OpenId Connect Provider Metadata (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). You can add it with (it's an example) :

 $client->add_OP_info('revocation_endpoint', 'https://id.provider.com/revoke');

Usage :

$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);
// ...

$tokenRes = $client->token();
// ...

$token = '...AccessTokenValue';
$type = 'access_token';
// OR
$token = '...refreshTokenValue';
$type = 'refresh_token';
// $type is optionnal. If set, it must have 'refresh_token' or 'access_token' value
//..
$revokeResponse = $tokens->revoke_token($token, $type); 

Last updated