shihjay2 / openid-connect-uma-php
Basic OpenID Connect and UMA client
dev-master
2019-12-24 06:49 UTC
Requires
- php: >=5.4
- ext-curl: *
- ext-json: *
- phpseclib/phpseclib: 2.0.1
Requires (Dev)
- phpunit/phpunit: ^4.8
- roave/security-advisories: dev-master
This package is auto-updated.
Last update: 2024-09-24 17:19:40 UTC
README
This is a simple library that allows an application to authenticate a user through the basic OpenID Connect flow as well as User-Managed Access (UMA) 2.0. By keeping the setup simple, the library aims to encourage developers to use the OpenID Connect and UMA 2.0 protocols for authentication and resource protection.
First of all, thanks to Michael Jett, who created the original PHP OpenID Connect library on which this library is based.
Requirements
- PHP 5.4 or greater
- CURL extension
- JSON extension
Installation
- Install the library with composer
composer require shihjay2/openid-connect-uma-php
- Unless you are using Laravel, include the composer autoloader
require __DIR__ . '/vendor/autoload.php';
Example 1: Dynamic registration
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient("https://id.provider.com");
$oidc->register();
$client_id = $oidc->getClientID();
$client_secret = $oidc->getClientSecret();
// Be sure to add logic to store the client id and client secret
Example 2: Dynamic registration with a UMA server
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient("https://uma.provider.com");
// Set your own session name in case your resource shares a domain with your UMA or OIDC server
$oidc->setSessionName('create_your_own_session_name');
$oidc->addRedirectURLs('https://client.url1.com');
$oidc->addRedirectURLs('https://client.url2.com');
$oidc->addRedirectURLs('https://client.url3.com');
$oidc->addRedirectURLs('https://client.url4.com');
$oidc->addScope('openid');
$oidc->addScope('email');
$oidc->addScope('profile');
$oidc->addScope('address');
$oidc->addScope('phone');
$oidc->addScope('offline_access');
$oidc->addScope('uma_authorization');
// If you plan to register your client as a UMA resource, set uma_protection as a scope
$oidc->addScope('uma_protection');
$oidc->setUMA(true);
$oidc->register();
$client_id = $oidc->getClientID();
$client_secret = $oidc->getClientSecret();
// Be sure to add logic to store the client id and client secret
Example 3: Basic OpenID Connect client
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient('https://id.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->setCertPath('/path/to/my.cert');
$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');
Example 4: Connecting a resource server to a UMA server and registering resources
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient('https://uma.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->setCertPath('/path/to/my.cert');
$oidc->setRedirectURL('https://resource.url.com');
$oidc->setSessionName('create_your_own_session_name');
$oidc->setUMA(true);
$oidc->setUMAType('resource_server');
$oidc->authenticate();
// This is the Protection API Access Token (PAT); it is saved for the next call, which registers the resources
$pat = $oidc->getAccessToken();
// Save your refresh token in your database
$refresh_token = $oidc->getRefreshToken();
// Register resource sets
$resource_set_array = array();
$resource_set_array[] = [
    'name' => 'Resource 1',
    'icon' => 'https://icon1.png',
    'scopes' => ['https://resource.url.com/resource1', 'view', 'edit']
];
$resource_set_array[] = [
    'name' => 'Resource 2',
    'icon' => 'https://icon2.png',
    'scopes' => ['https://resource.url.com/resource2', 'view', 'edit']
];
$resource_set_array[] = [
    'name' => 'Resource 3',
    'icon' => 'https://icon3.png',
    'scopes' => ['https://resource.url.com/resource3', 'view', 'edit']
];
foreach ($resource_set_array as $resource_set_item) {
    $response = $oidc->resource_set($resource_set_item['name'], $resource_set_item['icon'], $resource_set_item['scopes']);
    if (isset($response['resource_set_id'])) {
        // Success!
        $resource_set_id = $response['resource_set_id'];
        $user_access_policy_uri = $response['user_access_policy_uri'];
        // Save the resource set ID and user access policy URI in your database
        // It is also a good idea to save the scopes of each resource
    }
}
Example 5: Connecting a client to a UMA server
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient('https://uma.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->setSessionName('create_your_own_session_name');
$oidc->setUMA(true);
$oidc->setUMAType('client');
$oidc->authenticate();
$access_token = $oidc->getAccessToken();
// Save this access token in the session for future calls such as Example 7
Example 6: Requesting party token request in the UMA 2.0 flow, step 1
use Shihjay2\OpenIDConnectUMAClient;
// Permission ticket received when initially calling the resource without a Requesting Party Token (RPT)
$permission_ticket = 'permission_ticket';
$oidc = new OpenIDConnectUMAClient('https://uma.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->setRedirectURL('https://client.url.com');
$oidc->rqp_claims($permission_ticket);
// You will then be redirected to the UMA server for claims gathering...
Example 7: Requesting party token request in the UMA 2.0 flow, step 2
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient('https://uma.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->setSessionName('create_your_own_session_name');
// Access token from Example 5
$oidc->setAccessToken($access_token);
// $url is your client's redirect URL, as set in Example 6
$oidc->setRedirectURL($url);
// Permission ticket from Example 6
$result = $oidc->rpt_request($permission_ticket);
// If claims gathering was successful, an RPT will be granted by the UMA server
$rpt = $result['access_token'];
Example 9: Resource server requesting permission from the UMA server on behalf of the client
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient('https://uma.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->setUMA(true);
// Resource set ID taken from Example 4
$resource_set_id = 'resource_set_id';
// Scopes as an array, taken from Example 4
$scopes = array('scope1', 'scope2');
$permission_ticket = $oidc->permission_request($resource_set_id, $scopes);
// Send the permission ticket back to the client in a WWW-Authenticate header
Example 10: Resource server determining RPT status
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient('https://uma.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->setUMA(true);
// The RPT comes from the Authorization: Bearer request header; in Laravel, get it like this:
$payload = $request->header('Authorization');
if (!$payload) {
    // No RPT presented: go back to Example 9 to get a permission ticket
} else {
    // RPT present: perform token introspection
    $rpt = str_replace('Bearer ', '', $payload);
    $result = $oidc->introspect($rpt);
    if (empty($result['active'])) {
        // respond back to the client with why the RPT status check failed
    } else {
        // redirect to the resource
    }
}
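The resource-server decision that Examples 9 and 10 describe, written out as one gate with a strict bearer-token check and a scope comparison against the introspection result; this is an added example, not code from this library or its README. It assumes $oidc is configured as in Example 10, that introspect() returns the decoded introspection response as an array, that permission_request() returns the ticket string as in Example 9, and that the permission keys are the UMA 2.0 names ('permissions', 'resource_id', 'resource_scopes'), with this library's 'resource_set_id' from Example 4 as a fallback.

```php
<?php
// Added example, not the library's code: a resource-server gate combining
// Examples 9 and 10. Assumes $oidc is configured as in Example 10, that
// introspect() returns the decoded response as an array, and that
// permission_request() returns the ticket string (Example 9). 'resource_id' /
// 'resource_scopes' are UMA 2.0 names; 'resource_set_id' (Example 4) is a fallback.
use Shihjay2\OpenIDConnectUMAClient;

// Strict bearer-token extraction: reject other schemes and trailing junk.
function extractBearerToken($header)
{
    if (is_string($header) && preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/', $header, $m)) {
        return $m[1];
    }
    return null;
}

// True only if an active, unexpired RPT grants every requested scope on this resource.
function rptGrantsScopes(array $introspection, $resource_set_id, array $scopes)
{
    if (!isset($introspection['active']) || $introspection['active'] !== true) {
        return false;
    }
    $permissions = isset($introspection['permissions']) ? (array) $introspection['permissions'] : array();
    foreach ($permissions as $perm) {
        $id = isset($perm['resource_id']) ? $perm['resource_id']
            : (isset($perm['resource_set_id']) ? $perm['resource_set_id'] : null);
        if ($id !== $resource_set_id || (isset($perm['exp']) && $perm['exp'] < time())) {
            continue;
        }
        $granted = isset($perm['resource_scopes']) ? (array) $perm['resource_scopes'] : array();
        if (count(array_diff($scopes, $granted)) === 0) {
            return true;
        }
    }
    return false;
}

// Decide one request: serve it, or answer 401 with a fresh permission ticket.
function gateUmaRequest(OpenIDConnectUMAClient $oidc, $authHeader, $as_uri, $resource_set_id, array $scopes)
{
    $rpt = extractBearerToken($authHeader);
    if ($rpt !== null && rptGrantsScopes($oidc->introspect($rpt), $resource_set_id, $scopes)) {
        return array('status' => 200, 'headers' => array());
    }
    // Missing or insufficient RPT: get a ticket (Example 9) and challenge the client.
    $ticket = $oidc->permission_request($resource_set_id, $scopes);
    $challenge = sprintf('UMA realm="resource", as_uri="%s", ticket="%s"', $as_uri, $ticket);
    return array('status' => 401, 'headers' => array('WWW-Authenticate' => $challenge));
}
```

Call gateUmaRequest() with the raw Authorization header value, your UMA server URL, and the resource set ID and scopes saved in Example 4, then emit the returned status and headers.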
Example 11: Network and security
// Configure a proxy
$oidc->setHttpProxy("http://my.proxy.com:80/");
// Configure a cert
$oidc->setCertPath("/path/to/my.cert");
Example 12: Requesting a client credentials token
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient('https://id.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->providerConfigParam(array('token_endpoint' => 'https://id.provider.com/connect/token'));
$oidc->addScope('my_scope');
// This assumes success (to validate, check that the access_token property is present and a valid JWT):
$clientCredentialsToken = $oidc->requestClientCredentialsToken()->access_token;
Example 13: Requesting a resource owner token (with client authentication)
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient('https://id.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->providerConfigParam(array('token_endpoint' => 'https://id.provider.com/connect/token'));
$oidc->addScope('my_scope');
// Add username and password
$oidc->addAuthParam(array('username' => '<Username>'));
$oidc->addAuthParam(array('password' => '<Password>'));
// Perform the auth and return the token (to validate, check that the access_token property is present and a valid JWT):
$token = $oidc->requestResourceOwnerToken(TRUE)->access_token;
Example 14: Basic client for the implicit flow, e.g. Azure AD B2C (see http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth)
use Shihjay2\OpenIDConnectUMAClient;
$oidc = new OpenIDConnectUMAClient('https://id.provider.com', 'ClientIDHere', 'ClientSecretHere');
$oidc->setResponseTypes(array('id_token'));
$oidc->addScope(array('openid'));
$oidc->setAllowImplicitFlow(true);
$oidc->addAuthParam(array('response_mode' => 'form_post'));
$oidc->setCertPath('/path/to/my.cert');
$oidc->authenticate();
$sub = $oidc->getVerifiedClaims('sub');
Development environments
In some cases you may need to disable SSL security on your development systems. Note: this is not recommended on production systems.
$oidc->setVerifyHost(false);
$oidc->setVerifyPeer(false);
Contributing
- All pull requests are welcome!