通过
进行搜索
进行搜索marcing / php-openid-client
OpenID (OIDC) 客户端
0.3.0
2022-06-24 10:09 UTC
Requires
- php: ^7.4 || ^8.0
- ext-json: *
- facile-it/php-jose-verifier: ^0.3 || ^0.4
- php-http/discovery: ^1.6
- psr/http-client: ^1.0
- psr/http-client-implementation: ^1.0
- psr/http-factory: ^1.0
- psr/http-factory-implementation: ^1.0
- psr/http-message: ^1.0
- psr/http-message-implementation: ^1.0
- psr/http-server-middleware: ^1.0
- web-token/jwt-checker: ^2.0 || ^3.0
- web-token/jwt-core: ^2.0 || ^3.0
- web-token/jwt-encryption: ^2.0 || ^3.0
- web-token/jwt-key-mgmt: ^2.0.7 || ^3.0
- web-token/jwt-signature: ^2.0 || ^3.0
- web-token/jwt-signature-algorithm-rsa: ^2.0 || ^3.0
Requires (Dev)
- dflydev/fig-cookies: ^2.0 || ^3.0
- facile-it/facile-coding-standard: ^0.5.2
- friendsofphp/php-cs-fixer: ^3.0
- laminas/laminas-component-installer: ^2.1
- laminas/laminas-config-aggregator: ^1.1
- laminas/laminas-di: ^3.1
- laminas/laminas-diactoros: ^2.1
- laminas/laminas-servicemanager: ^3.4
- php-http/cache-plugin: ^1.6
- php-http/curl-client: ^2.0
- php-http/guzzle7-adapter: ^0.1.0 || ^1.0
- phpspec/prophecy: ^1.10.3
- phpspec/prophecy-phpunit: ^1.1 || ^2.0
- phpunit/phpunit: ^8.5.14 || ^9.3
- symfony/console: ^4.3 || ^5.0 || ^6.0
- vimeo/psalm: ^4.7.2
- web-token/jwt-encryption-algorithm-aescbc: ^2.0 || ^3.0
- web-token/jwt-encryption-algorithm-aesgcm: ^2.0 || ^3.0
- web-token/jwt-encryption-algorithm-aesgcmkw: ^2.0 || ^3.0
- web-token/jwt-encryption-algorithm-aeskw: ^2.0 || ^3.0
- web-token/jwt-encryption-algorithm-dir: ^2.0 || ^3.0
- web-token/jwt-encryption-algorithm-ecdh-es: ^2.0 || ^3.0
- web-token/jwt-encryption-algorithm-experimental: ^2.0 || ^3.0
- web-token/jwt-encryption-algorithm-pbes2: ^2.0 || ^3.0
- web-token/jwt-encryption-algorithm-rsa: ^2.0 || ^3.0
- web-token/jwt-signature-algorithm-ecdsa: ^2.0 || ^3.0
- web-token/jwt-signature-algorithm-eddsa: ^2.0 || ^3.0
- web-token/jwt-signature-algorithm-experimental: ^2.0 || ^3.0
- web-token/jwt-signature-algorithm-hmac: ^2.0 || ^3.0
- web-token/jwt-signature-algorithm-none: ^2.0 || ^3.0
Suggests
- dflydev/fig-cookies: To use the SessionCookieMiddleware
- facile-it/php-oauth2-http-client: To use a PSR HTTP client to interact with OAuth2/OpenID protected APIs
- web-token/jwt-signature-algorithm-hmac: To use the client_secret_jwt auth method and symmetric key signature
This package is auto-updated.
Last update: 2024-09-19 22:44:38 UTC
README
完整的OpenID客户端实现。
大部分库代码基于优秀的node-openid-client。
可能需要PHP扩展gmp。
实现的规范和功能
- OAuth 2.0 RFC 6749 & OpenID Connect Core 1.0
- 授权(授权码流、隐式流、混合流)
- 用户信息端点和ID令牌,包括签名和加密(使用JWT框架库)
- 通过值或引用传递请求对象,包括签名和加密
- 离线访问/刷新令牌授权
- 客户端凭据授权
- 客户端身份验证,包括
client_secret_jwt和private_key_jwt方法
- OpenID Connect发现1.0
- OpenID Connect动态客户端注册1.0和RFC7591 OAuth 2.0动态客户端注册协议
- OAuth 2.0表单提交响应模式
- RFC7009 - OAuth 2.0令牌撤销
- RFC7662 - OAuth 2.0令牌洞察
- RFC7592 - OAuth 2.0动态客户端注册管理协议
支持以下草案规范
- OAuth令牌洞察的JWT响应 - 草案03
- OAuth 2.0 JWT安全授权响应模式(JARM)- 草案02
- OAuth 2.0 JWT安全授权请求(JAR)
- OAuth 2.0相互TLS客户端身份验证和证书绑定访问令牌(MTLS)- 草案15
安装
要求
psr/http-client-implementation实现psr/http-factory-implementation实现psr/http-message-implementation实现
composer require facile-it/php-openid-client
RSA签名算法已从JWT框架包中包含。如果需要其他算法,您应该手动安装。
基本用法
对于基本用法,您不需要其他任何依赖包。
每个构建器都有方法来使用其他依赖项自定义实例。
use Facile\OpenIDClient\Client\ClientBuilder; use Facile\OpenIDClient\Issuer\IssuerBuilder; use Facile\OpenIDClient\Client\Metadata\ClientMetadata; use Facile\OpenIDClient\Service\Builder\AuthorizationServiceBuilder; use Facile\OpenIDClient\Service\Builder\UserInfoServiceBuilder; use Psr\Http\Message\ServerRequestInterface; $issuer = (new IssuerBuilder()) ->build('https://example.com/.well-known/openid-configuration'); $clientMetadata = ClientMetadata::fromArray([ 'client_id' => 'client-id', 'client_secret' => 'my-client-secret', 'token_endpoint_auth_method' => 'client_secret_basic', // the auth method tor the token endpoint 'redirect_uris' => [ 'https://my-rp.com/callback', ], ]); $client = (new ClientBuilder()) ->setIssuer($issuer) ->setClientMetadata($clientMetadata) ->build(); // Authorization $authorizationService = (new AuthorizationServiceBuilder())->build(); $redirectAuthorizationUri = $authorizationService->getAuthorizationUri( $client, ['login_hint' => 'user_username'] // custom params ); // you can use this uri to redirect the user // Get access token /** @var ServerRequestInterface::class $serverRequest */ $serverRequest = null; // get your server request $callbackParams = $authorizationService->getCallbackParams($serverRequest, $client); $tokenSet = $authorizationService->callback($client, $callbackParams); $idToken = $tokenSet->getIdToken(); // Unencrypted id_token $accessToken = $tokenSet->getAccessToken(); // Access token $refreshToken = $tokenSet->getRefreshToken(); // Refresh token $claims = $tokenSet->claims(); // IdToken claims (if id_token is available) // Refresh token $tokenSet = $authorizationService->refresh($client, $tokenSet->getRefreshToken()); // Get user info $userInfoService = (new UserInfoServiceBuilder())->build(); $userInfo = $userInfoService->getUserInfo($client, $tokenSet);
客户端注册
请参阅OpenID Connect动态客户端注册1.0和RFC7591 OAuth 2.0动态客户端注册协议。
use Facile\OpenIDClient\Service\Builder\RegistrationServiceBuilder; $registration = (new RegistrationServiceBuilder())->build(); // registration $metadata = $registration->register( $issuer, [ 'client_name' => 'My client name', 'redirect_uris' => ['https://my-rp.com/callback'], ], 'my-initial-token' ); // read $metadata = $registration->read($metadata['registration_client_uri'], $metadata['registration_access_token']); // update $metadata = $registration->update( $metadata['registration_client_uri'], $metadata['registration_access_token'], array_merge($metadata, [ // new metadata ]) ); // delete $registration->delete($metadata['registration_client_uri'], $metadata['registration_access_token']);
令牌洞察
use Facile\OpenIDClient\Service\Builder\IntrospectionServiceBuilder; $service = (new IntrospectionServiceBuilder())->build(); $params = $service->introspect($client, $token);
令牌撤销
use Facile\OpenIDClient\Service\Builder\RevocationServiceBuilder; $service = (new RevocationServiceBuilder())->build(); $params = $service->revoke($client, $token);
请求对象
您可以使用Facile\OpenIDClient\RequestObject\RequestObjectFactory类创建请求对象授权请求。
这将根据您的客户端元数据创建一个签名(可选加密)的JWT令牌。
use Facile\OpenIDClient\RequestObject\RequestObjectFactory; $factory = new RequestObjectFactory(); $requestObject = $factory->create($client, [/* custom claims to include in the JWT*/]);
然后您可以使用它来创建AuthRequest
use Facile\OpenIDClient\Authorization\AuthRequest; $authRequest = AuthRequest::fromParams([ 'client_id' => $client->getMetadata()->getClientId(), 'redirect_uri' => $client->getMetadata()->getRedirectUris()[0], 'request' => $requestObject, ]);
聚合和分布式声明
该库可以处理聚合和分布式声明
use Facile\OpenIDClient\Claims\AggregateParser; use Facile\OpenIDClient\Claims\DistributedParser; $aggregatedParser = new AggregateParser(); $claims = $aggregatedParser->unpack($client, $userInfo); $distributedParser = new DistributedParser(); $claims = $distributedParser->fetch($client, $userInfo);
使用中间件
有一些中间件和处理程序可用
SessionCookieMiddleware
此中间件应始终位于中间件链的顶部,以提供用于 state 和 nonce 参数的会话。
要使用它,您应该安装 dflydev/fig-cookies 包
$ composer require "dflydev/fig-cookies:^2.0"
use Facile\OpenIDClient\Middleware\SessionCookieMiddleware; use Psr\SimpleCache\CacheInterface; // Use your PSR-16 simple-cache implementation to persist sessions /** @var CacheInterface $cache */ $middleware = new SessionCookieMiddleware($cache/* , $cookieName = "openid", $ttl = 300 */);
中间件提供了一个 Facile\OpenIDClient\Session\AuthSessionInterface 属性,该属性包含用于持久化会话数据的 Facile\OpenIDClient\Session\AuthSessionInterface 状态实例。
使用另一个会话存储
如果您有另一个会话存储,您可以在 Facile\OpenIDClient\Session\AuthSessionInterface 属性中处理它并提供一个 Facile\OpenIDClient\Session\AuthSessionInterface 实例。
ClientProviderMiddleware
此中间件应始终位于中间件链的顶部,以向其他中间件提供客户端。
use Facile\OpenIDClient\Middleware\ClientProviderMiddleware; $client = $container->get('openid.clients.default'); $middleware = new ClientProviderMiddleware($client);
AuthRequestProviderMiddleware
此中间件提供用于与 AuthRedirectHandler 一起使用的认证请求。
use Facile\OpenIDClient\Middleware\AuthRequestProviderMiddleware; use Facile\OpenIDClient\Authorization\AuthRequest; $authRequest = AuthRequest::fromParams([ 'scope' => 'openid', // other params... ]); $middleware = new AuthRequestProviderMiddleware($authRequest);
AuthRedirectHandler
此处理程序将用户重定向到 OpenID 认证页面。
use Facile\OpenIDClient\Middleware\AuthRedirectHandler; use Facile\OpenIDClient\Service\AuthorizationService; /** @var AuthorizationService $authorizationService */ $authorizationService = $container->get(AuthorizationService::class); $middleware = new AuthRedirectHandler($authorizationService);
CallbackMiddleware
此中间件将处理来自 OpenID 提供者的回调。
它将提供 Facile\OpenIDClient\Token\TokenSetInterface 属性,其中包含最终的 TokenSet 对象。
use Facile\OpenIDClient\Middleware\CallbackMiddleware; use Facile\OpenIDClient\Service\AuthorizationService; /** @var AuthorizationService $authorizationService */ $authorizationService = $container->get(AuthorizationService::class); $middleware = new CallbackMiddleware($authorizationService);
UserInfoMiddleware
此中间件将从 userinfo 端点获取用户数据,并将提供 Facile\OpenIDClient\Middleware\UserInfoMiddleware 属性,其中包含用户信息数组。
use Facile\OpenIDClient\Middleware\UserInfoMiddleware; use Facile\OpenIDClient\Service\UserInfoService; /** @var UserInfoService $userInfoService */ $userInfoService = $container->get(UserInfoService::class); $middleware = new UserInfoMiddleware($userInfoService);
生产环境中的性能改进
使用缓存以避免在每次请求时获取发行者配置和密钥是非常重要的。
use Psr\SimpleCache\CacheInterface; use Facile\OpenIDClient\Issuer\IssuerBuilder; use Facile\OpenIDClient\Issuer\Metadata\Provider\MetadataProviderBuilder; use Facile\JoseVerifier\JWK\JwksProviderBuilder; /** @var CacheInterface $cache */ $cache = $container->get(CacheInterface::class); // get your simple-cache implementation $metadataProviderBuilder = (new MetadataProviderBuilder()) ->setCache($cache) ->setCacheTtl(86400*30); // Cache metadata for 30 days $jwksProviderBuilder = (new JwksProviderBuilder()) ->setCache($cache) ->setCacheTtl(86400); // Cache JWKS for 1 day $issuerBuilder = (new IssuerBuilder()) ->setMetadataProviderBuilder($metadataProviderBuilder) ->setJwksProviderBuilder($jwksProviderBuilder); $issuer = $issuerBuilder->build('https://example.com/.well-known/openid-configuration');
使用 Psalm
如果您需要使用 Psalm,您可以在 psalm.xml 中包含插件。
<plugins>
<pluginClass class="Facile\JoseVerifier\Psalm\Plugin" />
</plugins>