alancting / oauth2-microsoft-openid
Microsoft Azure Active Directory (Azure AD)、Microsoft Active Directory Federation Services (ADFS) OpenId 集成于 Symfony
1.0.2
2020-11-10 12:54 UTC
Requires
- alancting/php-microsoft-jwt: ^1.0
- knpuniversity/oauth2-client-bundle: ^2.3
- league/oauth2-client: ^2.0
- symfony/dependency-injection: ^4.4|^5.0
- symfony/framework-bundle: ^4.3|^5.0
Requires (Dev)
- mockery/mockery: ^1.3.3
- php-coveralls/php-coveralls: ^2.3
- phpunit/phpunit: ^7
- symfony/security-guard: ^5.1
README
Microsoft Adfs / AzureAD OpenId 集成于 Symfony
Microsoft Azure Active Directory (Azure AD)、Microsoft Active Directory Federation Services (Adfs) OpenId 集成于 Symfony
- 使用 Adfs / AzureAd 登录
- 所有令牌处理都封装在 guard authenticator 中
- 轻松从已注册服务中获取存储的令牌
此包与 knpuniversity/oauth2-client-bundle 集成
此包为 PHP League 的 OAuth 2.0 客户端提供了 Microsoft OAuth 2.0 支持。
从 stevenmaguire/oauth2-microsoft 分支而来
安装
要安装,请使用 composer
composer require alancting/oauth2-microsoft-openid
开始使用
步骤 1 - 在 bundles 中注册
# config/bundles.php
return [
    Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
    ...
    // Enabled in every environment so the bundle's services referenced in
    // security.yaml (user provider, authenticators) can be resolved.
    Alancting\OAuth2\OpenId\Client\MicrosoftBundle::class => ['all' => true],
];
步骤 2 - 配置提供商
我们使用 knpuniversity/oauth2-client-bundle 的配置
Adfs
# config/packages/knpu_oauth2_client.yaml
knpu_oauth2_client:
    clients:
        microsoft_openid:
            type: generic
            provider_class: Alancting\OAuth2\OpenId\Client\Provider\AdfsProvider
            client_class: Alancting\OAuth2\OpenId\Client\Client\AdfsClient
            # Client credentials are read from the environment; do not commit literal values here.
            client_id: "%env(ADFS_CLIENT_ID)%"
            client_secret: "%env(ADFS_CLIENT_SECRET)%"
            # Must match the route name registered in step 4; the provider redirects back to it after login.
            redirect_route: microsoft_openid_connect
            provider_options:
                hostname: "%env(ADFS_HOSTNAME)%"
                # NOTE(review): presumably the ID-token claim used as the username — confirm against AdfsProvider.
                user_key: unique_name
                microsoft_resource_scopes:
                    - profile
                    - offline_access
                # Extra resources for which separate credentials are obtained;
                # see getOtherResourceCredentials() under "用法".
                other_resource_scopes:
                    - "%env(ADFS_API_RESOURCE_1)%"
                    - "%env(ADFS_API_RESOURCE_2)%"
Azure Ad
# config/packages/knpu_oauth2_client.yaml
knpu_oauth2_client:
    clients:
        microsoft_openid:
            type: generic
            provider_class: Alancting\OAuth2\OpenId\Client\Provider\AzureAdProvider
            client_class: Alancting\OAuth2\OpenId\Client\Client\AzureAdClient
            # Client credentials are read from the environment; do not commit literal values here.
            client_id: "%env(AZURE_AD_CLIENT_ID)%"
            client_secret: "%env(AZURE_AD_CLIENT_SECRET)%"
            # Must match the route name registered in step 4; the provider redirects back to it after login.
            redirect_route: microsoft_openid_connect
            provider_options:
                tenant: "%env(AZURE_AD_TENANT)%"
                tenant_id: "%env(AZURE_AD_TENANT_ID)%"
                # NOTE(review): presumably the ID-token claim used as the username — confirm against AzureAdProvider.
                user_key: upn
                microsoft_resource_scopes:
                    - profile
                    - offline_access
                # Extra resources for which separate credentials are obtained;
                # see getOtherResourceCredentials() under "用法".
                other_resource_scopes:
                    - "%env(AZURE_AD_API_RESOURCE_1)%"
                    - "%env(AZURE_AD_API_RESOURCE_2)%"
步骤 3 - 配置使用 authenticator
Adfs
# config/packages/security.yaml
security:
    providers:
        microsoft_openid_oauth:
            # User provider service shipped by the bundle.
            id: alancting.microsoft.user_provider
    firewalls:
        secure_firewall:
            # Covers every path whose first segment starts with a lowercase letter; other paths are outside this firewall.
            pattern: ^/([a-z])
            # NOTE(review): no access_control is shown here; with anonymous enabled, nothing under
            # this firewall requires login until access_control rules are added — confirm.
            anonymous: ~
            logout:
                # Route name registered in step 4.
                path: microsoft_openid_logout
                # Application handler; see "注销处理" for redirecting to the provider logout URL.
                success_handler: App\Utility\LogoutHandler
            guard:
                provider: microsoft_openid_oauth
                # All token handling happens in this authenticator, not in the controllers.
                authenticators:
                    - alancting.microsoft.adfs.authenticator
Azure Ad
# config/packages/security.yaml
security:
    providers:
        microsoft_openid_oauth:
            # User provider service shipped by the bundle.
            id: alancting.microsoft.user_provider
    firewalls:
        secure_firewall:
            # Covers every path whose first segment starts with a lowercase letter; other paths are outside this firewall.
            pattern: ^/([a-z])
            # NOTE(review): no access_control is shown here; with anonymous enabled, nothing under
            # this firewall requires login until access_control rules are added — confirm.
            anonymous: ~
            logout:
                # Route name registered in step 4.
                path: microsoft_openid_logout
                # Application handler; see "注销处理" for redirecting to the provider logout URL.
                success_handler: App\Utility\LogoutHandler
            guard:
                provider: microsoft_openid_oauth
                # All token handling happens in this authenticator, not in the controllers.
                authenticators:
                    - alancting.microsoft.azure_ad.authenticator
步骤 4 - 注册路由
我们需要注册两个路径以与 OAuth2 服务器通信
- connect
- logout
Adfs
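namespace App\Controller;

use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

/**
 * Routes the bundle needs for the ADFS login / logout round-trip.
 *
 * Both actions return an empty Response on purpose: token handling is done
 * by the guard authenticator configured in security.yaml, which is expected
 * to act on these requests before the action bodies matter.
 */
class AdfsController extends AbstractController
{
    /**
     * After going to microsoft, you're redirected back here
     * because this is the "redirect_route" you configured
     * in config/packages/knpu_oauth2_client.yaml
     *
     * @Route("/adfs/connect", name="microsoft_openid_connect")
     */
    public function connectCheckAction(Request $request, ClientRegistry $clientRegistry): Response
    {
        return new Response();
    }

    /**
     * Logout endpoint: this is the "logout.path" route you configured
     * in config/packages/security.yaml. The firewall's logout handling
     * (and your success_handler) runs for this route, not this body.
     *
     * @Route("/adfs/logout", name="microsoft_openid_logout")
     */
    public function logoutAction(Request $request, ClientRegistry $clientRegistry): Response
    {
        return new Response();
    }
}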
Azure Ad
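namespace App\Controller;

use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

/**
 * Routes the bundle needs for the Azure AD login / logout round-trip.
 *
 * Both actions return an empty Response on purpose: token handling is done
 * by the guard authenticator configured in security.yaml, which is expected
 * to act on these requests before the action bodies matter.
 */
class AzureAdController extends AbstractController
{
    /**
     * After going to microsoft, you're redirected back here
     * because this is the "redirect_route" you configured
     * in config/packages/knpu_oauth2_client.yaml
     *
     * @Route("/azure_ad/connect", name="microsoft_openid_connect")
     */
    public function connectCheckAction(Request $request, ClientRegistry $clientRegistry): Response
    {
        return new Response();
    }

    /**
     * Logout endpoint: this is the "logout.path" route you configured
     * in config/packages/security.yaml. The firewall's logout handling
     * (and your success_handler) runs for this route, not this body.
     *
     * @Route("/azure_ad/logout", name="microsoft_openid_logout")
     */
    public function logoutAction(Request $request, ClientRegistry $clientRegistry): Response
    {
        return new Response();
    }
}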
用法
用户登录后,
- 您可以获取登录凭据
- 用户已使用以下角色登录:ROLE_USER 和 ROLE_OAUTH_USER
Adfs
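use Alancting\OAuth2\OpenId\Client\Client\AdfsClient;

/**
 * Example controller action reading the stored ADFS credentials after login.
 * (The enclosing class is omitted from this snippet.)
 */
public function index(AdfsClient $adfsClient)
{
    // Credential for the main scope (access token + ID token).
    $mainScopeCredential = $adfsClient->getOAuthCredential();

    // Get access token — a bearer secret; keep it out of logs and responses.
    $accessToken = $mainScopeCredential->getAccessToken();

    // Get id token
    $idTokenJWT = $mainScopeCredential->getIdTokenJWT();

    // Get id token payload
    $idTokenPayload = $idTokenJWT->getPayload();

    // Get value for a specific attr from id token payload
    $idTokenPayloadAttr1 = $idTokenJWT->get('attr1');

    // If you configured other_resource_scopes, each one has its own credential,
    // keyed by scope name.
    $otherScopeCredentials = [];
    foreach ($mainScopeCredential->getOtherResourceCredentials() as $scope => $credential) {
        $otherScopeCredentials[$scope] = $credential;
    }

    // A single other-scope credential can also be fetched by scope name.
    $otherScopeCredential = $mainScopeCredential->getOtherResourceCredential('other_scope_name');
}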
Azure Ad
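use Alancting\OAuth2\OpenId\Client\Client\AzureAdClient;

/**
 * Example controller action reading the stored Azure AD credentials after login.
 * (The enclosing class is omitted from this snippet.)
 */
public function index(AzureAdClient $azureAdClient)
{
    // Credential for the main scope (access token + ID token).
    $mainScopeCredential = $azureAdClient->getOAuthCredential();

    // Get access token — a bearer secret; keep it out of logs and responses.
    $accessToken = $mainScopeCredential->getAccessToken();

    // Get id token
    $idTokenJWT = $mainScopeCredential->getIdTokenJWT();

    // Get id token payload
    $idTokenPayload = $idTokenJWT->getPayload();

    // Get value for a specific attr from id token payload
    $idTokenPayloadAttr1 = $idTokenJWT->get('attr1');

    // If you configured other_resource_scopes, each one has its own credential,
    // keyed by scope name.
    $otherScopeCredentials = [];
    foreach ($mainScopeCredential->getOtherResourceCredentials() as $scope => $credential) {
        $otherScopeCredentials[$scope] = $credential;
    }

    // A single other-scope credential can also be fetched by scope name.
    $otherScopeCredential = $mainScopeCredential->getOtherResourceCredential('other_scope_name');
}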
注销处理
在 symfony 中,要注销用户,您应使用
- 4.4: 注销成功处理器
- 5.x+: 注销事件
在您的应用转到注销处理器 / 事件后,您应将用户重定向到 Adfs / Azure AD 注销 URL,您可以通过以下方式获取 URL:
// ADFS: provider-side logout URL to redirect the user to from your logout handler / event.
$logoutUrl = $adfsClient->getLogoutUrl();

// Azure AD: same, via the Azure AD client.
$logoutUrl = $azureAdClient->getLogoutUrl();
测试
使用 phpunit 运行测试
$ composer install
$ composer run test
贡献
有关详细信息,请参阅 CONTRIBUTING
致谢
许可
MIT 许可证 (MIT)。有关更多信息,请参阅 许可文件