A simple OpenID Connect (OIDC) client in PHP that uses authorization code flow and/or PKCE
You can either clone repo from github or download the project from releases. (Instructions have been tested on Debian 10 and PHP 7).
First you need to install apache and composer
sudo apt-get update
sudo apt-get install apache2 curl php-cli git
php -r "copy('https://getcomposer.org/installer', '/tmp/composer-setup.php');"
sudo php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composerClick here for more info about composer installation
Then clone the repo to this directory:
cd /var/www/html
git clone https://github.com/rciam/simple-oidc-client-php.gitInstall the requirements with composer:
cd simple-oidc-client-php
composer installInstall Apache
sudo apt-get update
sudo apt-get install apache2Download the file from releases and extract it in apache home directory
cd /var/www/html
wget https://github.com/rciam/simple-oidc-client-php/releases/download/vX.Y.Z/simple-oidc-client-php-X.Y.Z.tar.gz
tar -zxvf simple-oidc-client-php-X.Y.Z.tar.gzNow that we have everything we need, we can configure our login settings in
config.php.
<?php
// index.php interface configuration
$title = "Generate Tokens";
$img = "https://clickhelp.co/images/feeds/blog/2016.05/keys.jpg";
$scopeInfo = "This service requires the following permissions for your account:";
// Client configuration
$issuer = "https://example.com/oidc/";
$clientId = "some-client-id";
$clientSecret = "some-client-secret"; // comment if you are using PKCE
// $pkceCodeChallengeMethod = "S256"; // uncomment to use PKCE
$redirectUrl = "http://localhost/simple-oidc-client-php/refreshtoken.php";
// add scopes as keys and a friendly message of the scope as value
$scopesDefine = array(
'openid' => 'log in using your identity',
'email' => 'read your email address',
'profile' => 'read your basic profile info',
);
// refreshtoken.php interface configuration
$refreshTokenNote = "NOTE: New refresh tokens expire in 12 months.";
$accessTokenNote = "NOTE: New access tokens expire in 1 hour.";
$manageTokenNote = "You can manage your refresh tokens in the following link: ";
$manageTokens = $issuer . "manage/user/services";
$sessionName = "oidc-client";
$sessionLifetime = 60 * 60; // must be equal to access token validation time in seconds
$allowIntrospection = false;
$enableActiveTokensTable = false;Let’s go quickly through the settings:
titlerequired, is the title on the navigation barimgrequired, is the source of the logoscopeInfooptional, is a message that informs the user for the application requirementsissuerrequired, is the base URL of our IdentityServer instance. This will allow oidc-client to query the metadata endpoint so it can validate the tokensclientIdrequired, is the id of the client we want to use when hitting the authorization endpointclientSecretoptional, a value the offers better security to the message flowpkceCodeChallengeMethodoptional, a string that defines the code challenge method for PKCE. Choose betweenplainorS256.redirectUrlrequired, is the redirect URL where the client and the browser agree to send and receive correspondingly the code. Currently, there are available 2 pages for that purpose:refreshtoken.php: The users can request Refresh Tokens. Also, they can see all the issued active Refresh Tokens for this client.auth.php: The users can obtain their user information from the obtained Access (and Refresh) Token.
scopesDefinerequired, defines the scopes the client supportsrefreshTokenNoteoptional, info for the refresh tokenaccessTokenNoteoptional, info for the access tokenmanageTokenNoteoptional, message the informs the user where can manage his tokensmanageTokensoptional, URL of the manage tokens servicesessionNamerequired, define the name of the cookie sessionsessionLifetimerequired, define the duration of the session. This must be equal to the validity time of the access token.allowIntrospectionrequired, define to show/hide the introspection commandenableActiveTokensTablerequired, define to show/hide the Active Refresh Token table inrefreshtoken.php