myits / openid-connect-client

A package for connecting to myITS SSO

1.4.2 2020-11-24 05:31 UTC

This package is auto-updated.

Last update: 2024-08-30 01:39:34 UTC


README

This is a simple library that lets an application authenticate users through the basic OpenID Connect flow. It aims to be simple enough that even developers with little knowledge of the OpenID Connect protocol can set up authentication easily.

It was developed specifically for applications that want to connect to myITS SSO.

Prerequisites

Your application must be registered in the system. You can register it by visiting DPTSI-ITS and requesting registration of your application.

Requirements

  1. PHP 5.4 or higher
  2. phpseclib/phpseclib 2.0 or higher
  3. CURL extension
  4. JSON extension

Installation

  1. Install the library using composer
     composer require myits/openid-connect-client:*
  2. Include the composer autoloader and use the class OpenIDConnectClient
     require __DIR__ . '/vendor/autoload.php';

     use Its\Sso\OpenIDConnectClient;
     use Its\Sso\OpenIDConnectClientException;

Login example

<?php
require './vendor/autoload.php';

use Its\Sso\OpenIDConnectClient;
use Its\Sso\OpenIDConnectClientException;

session_start(); // required before $_SESSION is written below

try {
    $oidc = new OpenIDConnectClient(
        'https://dev-my.its.ac.id',        // authorization_endpoint
        'XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX', // Client ID
        '***********************'          // Client Secret
    );

    $oidc->setRedirectURL('https://myweb.site/auth.php'); // must be the same as you registered
    $oidc->addScope('openid code phone profile');          // must be the same as you registered

    // disables TLS certificate and hostname checks; remove this if in production mode
    $oidc->setVerifyHost(false);
    $oidc->setVerifyPeer(false);

    $oidc->authenticate(); // call the main function of myITS SSO login

    $_SESSION['id_token'] = $oidc->getIdToken(); // must be saved for the session check and the logout process
    $user = $oidc->requestUserInfo();             // returns the user's information from the myITS SSO database
} catch (OpenIDConnectClientException $e) {
    echo $e->getMessage();
}

Logout example

<?php
require './vendor/autoload.php';

use Its\Sso\OpenIDConnectClient;
use Its\Sso\OpenIDConnectClientException;

try {
    session_start();
    $redirect = 'https://myweb.site/index.php'; // set https://dev-my.its.ac.id or https://my.its.ac.id if you don't register a post-logout URI

    if (isset($_SESSION['id_token'])) {
        $idToken = $_SESSION['id_token']; // the id_token saved at login

        session_destroy();

        $oidc = new OpenIDConnectClient(
            'https://dev-my.its.ac.id',        // authorization_endpoint
            'XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX', // Client ID
            '***********************'          // Client Secret
        );

        // disables TLS certificate and hostname checks; remove this if in production mode
        $oidc->setVerifyHost(false);
        $oidc->setVerifyPeer(false);

        $oidc->signOut($idToken, $redirect);
    }

    header("Location: " . $redirect);
} catch (OpenIDConnectClientException $e) {
    echo $e->getMessage();
}

Client Initiated Backchannel Authentication (CIBA) request

This feature is intended for the Institut Teknologi Sepuluh Nopember (ITS) authorization server, which supports CIBA.

a. Unsigned request

    $oidc = new OpenIDConnectClient(
        'https://dev-my.its.ac.id',        // authorization_endpoint
        'XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX', // Client ID
        '***********************'          // Client Secret
    );

    // Note that only ping and push modes require this token,
    // but for the sake of the library's function, pass this value even if you are not using ping or push.
    $clientNotificationToken = 'some random unguessable token used by the OP as the Authorization Bearer token';

    // Hint currently supports only login_hint, which is the user's identifier
    $userId = 'user identifier as login hint';

    // how long the authentication request id should be valid for, in seconds
    $requestedExpiry = '60';

    try {
        $response = (array)$oidc->authenticationRequestCiba($clientNotificationToken, $userId, $requestedExpiry);
    } catch (OpenIDConnectClientException $e) {
        echo $e->getMessage();
        return false;
    }

    // the authentication request id is in here
    var_dump($response);

b. Signed request

    $oidc = new OpenIDConnectClient(
        'https://dev-my.its.ac.id',        // authorization_endpoint
        'XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX', // Client ID
        '***********************'          // Client Secret
    );

    // Note that only ping and push modes require this token,
    // but for the sake of the library's function, pass this value even if you are not using ping or push.
    $clientNotificationToken = 'some random unguessable token used by the OP as the Authorization Bearer token';

    // Hint currently supports only login_hint, which is the user's identifier
    $userId = 'user identifier as login hint';

    // how long the authentication request id should be valid for, in seconds
    $requestedExpiry = '60';

    // these are used to sign the request parameters
    $privateKey = 'private key for your client app.';
    $kid = 'key id for the private key';
    $alg = 'RS256'; // the default for signedAuthenticationRequestCiba is RS256. See the CIBA specs for the supported algorithms.

    try {
        $response = (array)$oidc->signedAuthenticationRequestCiba($clientNotificationToken, $userId, $privateKey, $kid, $alg, $requestedExpiry);
    } catch (OpenIDConnectClientException $e) {
        echo $e->getMessage();
        return false;
    }

    // the authentication request id is in here
    var_dump($response);

d. Token request

Only for poll and ping modes.

    $authReqId = 'authentication request id from the CIBA request.';
    $response = (array)$oidc->cibaTokenRequest($authReqId);

    // the token is in here
    var_dump($response);
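The poll-mode flow that sections a and d describe, as an added example that is not part of this package's README: it generates an unguessable client notification token instead of hard-coding one, then polls cibaTokenRequest() at the interval the OP asked for and stops on a terminal error instead of looping until the deadline. It assumes the library returns the decoded JSON of the CIBA responses (auth_req_id, expires_in, interval and error fields as named in the CIBA specification), that the openssl extension is available, and that the client id, secret and user id are placeholders.

```php
<?php
require './vendor/autoload.php';

use Its\Sso\OpenIDConnectClient;

// Poll the token endpoint until the user approves, the OP reports a terminal error,
// or the request expires. ASSUMPTION: cibaTokenRequest() returns the token endpoint's
// decoded JSON, so a pending request appears as an 'error' field (CIBA spec), not an exception.
function cibaPollForToken(OpenIDConnectClient $oidc, array $authResponse)
{
    $authReqId = $authResponse['auth_req_id'];
    // Honour the lifetime and minimum polling interval the OP returned (spec defaults otherwise)
    $deadline = time() + (isset($authResponse['expires_in']) ? (int)$authResponse['expires_in'] : 120);
    $interval = isset($authResponse['interval']) ? (int)$authResponse['interval'] : 5;
    while (time() < $deadline) {
        sleep($interval);
        $token = (array)$oidc->cibaTokenRequest($authReqId);
        if (isset($token['access_token'])) {
            return $token; // the user approved on their authentication device
        }
        $error = isset($token['error']) ? $token['error'] : 'unknown';
        if ($error === 'authorization_pending') {
            continue; // user has not acted yet; keep polling at the same interval
        }
        if ($error === 'slow_down') {
            $interval += 5; // the OP asks the client to back off
            continue;
        }
        // expired_token, access_denied or anything else is terminal: stop instead of hammering the OP
        throw new RuntimeException('CIBA request failed: ' . $error);
    }
    throw new RuntimeException('CIBA request expired before the user responded');
}

$oidc = new OpenIDConnectClient(
    'https://dev-my.its.ac.id',
    'CLIENT_ID_PLACEHOLDER',    // placeholder, not a real client id
    'CLIENT_SECRET_PLACEHOLDER' // placeholder, not a real secret
);
// Generate the client notification token rather than hard-coding it: the OP presents it
// to your callback as a bearer token, so it must be unguessable (PHP 5.4-compatible source).
$clientNotificationToken = bin2hex(openssl_random_pseudo_bytes(32));

try {
    $auth  = (array)$oidc->authenticationRequestCiba($clientNotificationToken, 'USER_ID_PLACEHOLDER', '60');
    $token = cibaPollForToken($oidc, $auth);
    var_dump($token); // access token (and id_token) for the approved request
} catch (Exception $e) { // covers OpenIDConnectClientException and the RuntimeException above
    echo 'CIBA error: ' . $e->getMessage() . PHP_EOL;
}
```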

More information

For more information and examples for this package, see our wiki.