Generic use of the library
Introduction
In theses examples, your provider must accept common openId Connect protocol.
The project organization is set like that for the example :
- /src : directory with your scripts
| - authorization.php
| - callback.php
| - logout.php
- /vendor : externals library
- composer.json
- composer.lock
You must known :
the discovery url of your provider
the cllient_id
the client_secret
Authorization
Create a script authorization.php in src. This script need to load the vendor autoload.php script.
For authorization, you don't need to authentificate your app
<?php
require dirname(__FILE__, 2) . '/vendor/autoload.php';
$disco_url = 'https://Provider.tld/.well-known/openid-configuration';
$client_id = 'yourClient_id';
$session_key = 'YWQ4Q1Hpb_zQliS5wGYDDPZm2xC7PzyfjgLKBNodkazkN_pEPlm7yVBw5r9_pDzSwHJRsFVZShQyb_LFUSMBGQ';
$callback_url = 'https://yourAPPurl/callback.php';
$client = new Svgta\OidcClient\init($disco_url, $client_id);
$client->setSessionKey($session_key);
$auth = $client->authorization($callback_url);
$auth->addScope('email profile');
$auth->addScope('offline_access'); // To get a refresh_token if needed and accepted by your provider
$auth->set_state(); //RECOMMENDED
$auth->set_nonce(); //RECOMMENDED
$auth->exec();
The user is redirect to the provider login page.
Callback
callback.php is the script in /src directory you have created to deal with the callback after user authentication on the provider. It will be used to get user informations.
<?php
require dirname(__FILE__, 2) . '/vendor/autoload.php';
$disco_url = 'https://Provider.tld/.well-known/openid-configuration';
$client_id = 'yourClient_id';
$client_secret = 'yourClient_secret';
$session_key = 'YWQ4Q1Hpb_zQliS5wGYDDPZm2xC7PzyfjgLKBNodkazkN_pEPlm7yVBw5r9_pDzSwHJRsFVZShQyb_LFUSMBGQ';
$client = new Svgta\OidcClient\init($disco_url, $client_id, $client_secret);
$client->setSessionKey($session_key);
$tokenRes = $client->token();
$tokens = $tokenRes->get_tokens();
$userInfo = $client->userInfo();
At this point, you can authorize the user to your application with the userinfo you get.
You can leave the tokens in the session. But, if you get the refresh_token, it's recommended to save it a database to use it for your personnal reasons.
Refresh token
You need the refresh_token get in your callback script.
In the example, the refresh_token is get from the session.
<?php
require dirname(__FILE__, 2) . '/vendor/autoload.php';
$disco_url = 'https://Provider.tld/.well-known/openid-configuration';
$client_id = 'yourClient_id';
$client_secret = 'yourClient_secret';
$session_key = 'YWQ4Q1Hpb_zQliS5wGYDDPZm2xC7PzyfjgLKBNodkazkN_pEPlm7yVBw5r9_pDzSwHJRsFVZShQyb_LFUSMBGQ';
$client = new Svgta\OidcClient\init($disco_url, $client_id, $client_secret);
$client->setSessionKey($session_key);
$tokenRes = $client->token();
$tokens = $tokenRes->getTokensFromSession();
$refresh_token = $tokens['refresh_token'];
$newTokens = $tokenRes->refresh_token($refresh_token);
You must received new access_token and new id_token. If a new refresh_token is given, you have to save it.
Revoke token or logout
In theses examples, the tokens are get from the session.
You can revoke :
access_token
refresh_token
It's recommended to do the logout process with the id_token.
Revoke tokens
<?php
require dirname(__FILE__, 2) . '/vendor/autoload.php';
$disco_url = 'https://Provider.tld/.well-known/openid-configuration';
$client_id = 'yourClient_id';
$client_secret = 'yourClient_secret';
$session_key = 'YWQ4Q1Hpb_zQliS5wGYDDPZm2xC7PzyfjgLKBNodkazkN_pEPlm7yVBw5r9_pDzSwHJRsFVZShQyb_LFUSMBGQ';
$client = new Svgta\OidcClient\init($disco_url, $client_id, $client_secret);
$client->setSessionKey($session_key);
$tokenRes = $client->token();
$tokens = $tokenRes->getTokensFromSession();
//access_token
$tokenRes->revoke_token($tokens['access_token'], 'access_token');
//refresh_token
$tokenRes->revoke_token($tokens['refresh_token'], 'refresh_token');
Logout
Logout use the session to find the id_token. You can give it manually in first argument.
You can specify a logout url for callback. It must been known by the provider.
<?php
require dirname(__FILE__, 2) . '/vendor/autoload.php';
$disco_url = 'https://Provider.tld/.well-known/openid-configuration';
$logout_url_callback = 'https://yourAPPurl/callback.php';
$session_key = 'YWQ4Q1Hpb_zQliS5wGYDDPZm2xC7PzyfjgLKBNodkazkN_pEPlm7yVBw5r9_pDzSwHJRsFVZShQyb_LFUSMBGQ';
$client = new Svgta\OidcClient\init($disco_url);
$client->setSessionKey($session_key);
$client->logout(null, $logout_url_callback);
Last updated