Require the CURL and JSON PHP extensions to be installed. More...

Collaboration diagram for Jumbojett\OpenIDConnectClient:

Public Member Functions
	__construct ($provider_url=null, $client_id=null, $client_secret=null, $issuer=null)

	setProviderURL ($provider_url)

	setIssuer ($issuer)

	setResponseTypes ($response_types)

	authenticate ()

	signOut ($accessToken, $redirect)
	It calls the end-session endpoint of the OpenID Connect provider to notify the OpenID Connect provider that the end-user has logged out of the relying party site (the client application). More...

	addScope ($scope)

	addAuthParam ($param)

	addRegistrationParam ($param)

	setWellKnownConfigParameters (array $params=[])
	Set optionnal parameters for .well-known/openid-configuration. More...

	setRedirectURL ($url)

	getRedirectURL ()
	Gets the URL of the current page we are on, encodes, and returns it. More...

	requestClientCredentialsToken ()
	Requests a client credentials token. More...

	requestResourceOwnerToken ($bClientAuth=FALSE)
	Requests a resource owner token (Defined in https://tools.ietf.org/html/rfc6749#section-4.3) More...

	refreshToken ($refresh_token)
	Requests Access token with refresh token. More...

	verifyJWTsignature ($jwt)

	requestUserInfo ($attribute=null)

	getVerifiedClaims ($attribute=null)

	getWellKnownIssuer ($appendSlash=false)

	getIssuer ()

	getProviderURL ()

	redirect ($url)

	setHttpProxy ($httpProxy)

	setCertPath ($certPath)

	getCertPath ()

	setVerifyPeer ($verifyPeer)

	setVerifyHost ($verifyHost)

	getVerifyHost ()

	getVerifyPeer ()

	setIssuerValidator ($issuerValidator)
	Use this for custom issuer validation The given function should accept the issuer string from the JWT claim as the only argument and return true if the issuer is valid, otherwise return false. More...

	setAllowImplicitFlow ($allowImplicitFlow)

	getAllowImplicitFlow ()

	providerConfigParam ($array)
	Use this to alter a provider's endpoints and other attributes. More...

	setClientSecret ($clientSecret)

	setClientID ($clientID)

	register ()
	Dynamic registration. More...

	introspectToken ($token, $token_type_hint='', $clientId=null, $clientSecret=null)
	Introspect a given token - either access token or refresh token. More...

	revokeToken ($token, $token_type_hint='', $clientId=null, $clientSecret=null)
	Revoke a given token - either access token or refresh token. More...

	getClientName ()

	setClientName ($clientName)

	getClientID ()

	getClientSecret ()

	canVerifySignatures ()

	setAccessToken ($accessToken)
	Set the access token. More...

	getAccessToken ()

	getRefreshToken ()

	getIdToken ()

	getAccessTokenHeader ()

	getAccessTokenPayload ()

	getIdTokenHeader ()

	getIdTokenPayload ()

	getTokenResponse ()

	getResponseCode ()
	Get the response code from last action/curl request. More...

	setTimeout ($timeout)
	Set timeout (seconds) More...

	getTimeout ()

	setUrlEncoding ($curEncoding)

	getScopes ()

	getResponseTypes ()

	getAuthParams ()

	getIssuerValidator ()

	getLeeway ()

	getCodeChallengeMethod ()

	setCodeChallengeMethod ($codeChallengeMethod)

Protected Member Functions
	addAdditionalJwk ($jwk)

	getProviderConfigValue ($param, $default=null)
	Get's anything that we need configuration wise including endpoints, and other values. More...

	generateRandString ()
	Used for arbitrary value generation for nonces and state. More...

	requestTokens ($code)
	Requests ID and Access tokens. More...

	verifyJWTclaims ($claims, $accessToken=null)

	urlEncode ($str)

	decodeJWT ($jwt, $section=0)

	fetchURL ($url, $post_body=null, $headers=array())

	setNonce ($nonce)
	Stores nonce. More...

	getNonce ()
	Get stored nonce. More...

	unsetNonce ()
	Cleanup nonce. More...

	setState ($state)
	Stores $state. More...

	getState ()
	Get stored state. More...

	unsetState ()
	Cleanup state. More...

	setCodeVerifier ($codeVerifier)
	Stores $codeVerifier. More...

	getCodeVerifier ()
	Get stored codeVerifier. More...

	unsetCodeVerifier ()
	Cleanup state. More...

	startSession ()
	Use session to manage a nonce. More...

	commitSession ()

	getSessionKey ($key)

	setSessionKey ($key, $value)

	unsetSessionKey ($key)

Protected Attributes
	$accessToken

	$idToken

	$timeOut = 60

	$verifiedClaims = array()

	$enc_type = PHP_QUERY_RFC1738

Private Member Functions
	getWellKnownConfigValue ($param, $default=null)
	Get's anything that we need configuration wise including endpoints, and other values. More...

	requestAuthorization ()
	Start Here. More...

	get_key_for_header ($keys, $header)

	verifyRSAJWTsignature ($hashtype, $key, $payload, $signature, $signatureType)

	verifyHMACJWTsignature ($hashtype, $key, $payload, $signature)

Static Private Member Functions
static	safeLength ($str)
	Safely calculate length of binary string. More...

static	hashEquals ($str1, $str2)
	Where has_equals is not available, this provides a timing-attack safe string comparison. More...

Private Attributes
	$clientID

	$clientName

	$clientSecret

	$providerConfig = array()

	$httpProxy

	$certPath

	$verifyPeer = true

	$verifyHost = true

	$refreshToken

	$tokenResponse

	$scopes = array()

	$responseCode

	$responseTypes = array()

	$userInfo = array()

	$authParams = array()

	$registrationParams = array()

	$wellKnown = false

	$wellKnownConfigParameters = array()

	$leeway = 300

	$additionalJwks = array()

	$issuerValidator

	$allowImplicitFlow = false

	$redirectURL

	$codeChallengeMethod = false

	$pkceAlgs = array('S256' => 'sha256', 'plain' => false)

Detailed Description

Require the CURL and JSON PHP extensions to be installed.

Please note this class stores nonces by default in $_SESSION['openid_connect_nonce']

Definition at line 89 of file OpenIDConnectClient.php.

Constructor & Destructor Documentation

◆ __construct()

Jumbojett\OpenIDConnectClient::__construct	(	$provider_url = `null`,
		$client_id = `null`,
		$client_secret = `null`,
		$issuer = `null`
	)

Parameters

	$provider_url	string optional
	$client_id	string optional
	$client_secret	string optional
null	$issuer

Definition at line 247 of file OpenIDConnectClient.php.

References $client_id, and $issuer.

                                                                                                                 {
         $this->setProviderURL($provider_url);
         if ($issuer === null) {
             $this->setIssuer($provider_url);
         } else {
             $this->setIssuer($issuer);
         }
 
         $this->clientID = $client_id;
         $this->clientSecret = $client_secret;
 
         $this->issuerValidator = function($iss){
                 return ($iss === $this->getIssuer() || $iss === $this->getWellKnownIssuer() || $iss === $this->getWellKnownIssuer(true));
         };
     }

Member Function Documentation

◆ addAdditionalJwk()

Jumbojett\OpenIDConnectClient::addAdditionalJwk ( $jwk )

protected

Parameters

$jwk	object - example: (object) array('kid' => ..., 'nbf' => ..., 'use' => 'sig', 'kty' => "RSA", 'e' => "", 'n' => "")

Definition at line 481 of file OpenIDConnectClient.php.

                                               {
         $this->additionalJwks[] = $jwk;
     }

◆ addAuthParam()

Jumbojett\OpenIDConnectClient::addAuthParam ( $param )

Parameters

array $param - example: prompt=login

Definition at line 467 of file OpenIDConnectClient.php.

                                          {
         $this->authParams = array_merge($this->authParams, (array)$param);
     }

◆ addRegistrationParam()

Jumbojett\OpenIDConnectClient::addRegistrationParam ( $param )

Parameters

array $param - example: post_logout_redirect_uris=[http://example.com/successful-logout]

Definition at line 474 of file OpenIDConnectClient.php.

                                                  {
         $this->registrationParams = array_merge($this->registrationParams, (array)$param);
     }

◆ addScope()

Jumbojett\OpenIDConnectClient::addScope ( $scope )

Parameters

array $scope - example: openid, given_name, etc...

Definition at line 460 of file OpenIDConnectClient.php.

                                      {
         $this->scopes = array_merge($this->scopes, (array)$scope);
     }

◆ authenticate()

Jumbojett\OpenIDConnectClient::authenticate ( )

Returns: bool

Exceptions

OpenIDConnectClientException

Definition at line 288 of file OpenIDConnectClient.php.

References $code.

                                    {
 
         // Do a preemptive check to see if the provider has thrown an error from a previous redirect
         if (isset($_REQUEST['error'])) {
             $desc = isset($_REQUEST['error_description']) ? ' Description: ' . $_REQUEST['error_description'] : '';
             throw new OpenIDConnectClientException('Error: ' . $_REQUEST['error'] .$desc);
         }
 
         // If we have an authorization code then proceed to request a token
         if (isset($_REQUEST['code'])) {
 
             $code = $_REQUEST['code'];
             $token_json = $this->requestTokens($code);
 
             // Throw an error if the server returns one
             if (isset($token_json->error)) {
                 if (isset($token_json->error_description)) {
                     throw new OpenIDConnectClientException($token_json->error_description);
                 }
                 throw new OpenIDConnectClientException('Got response: ' . $token_json->error);
             }
 
             // Do an OpenID Connect session check
             if ($_REQUEST['state'] !== $this->getState()) {
                 throw new OpenIDConnectClientException('Unable to determine state');
             }
 
             // Cleanup state
             $this->unsetState();
 
             if (!property_exists($token_json, 'id_token')) {
                 throw new OpenIDConnectClientException('User did not authorize openid scope.');
             }
 
             $claims = $this->decodeJWT($token_json->id_token, 1);
 
             // Verify the signature
             if ($this->canVerifySignatures()) {
                 if (!$this->getProviderConfigValue('jwks_uri')) {
                     throw new OpenIDConnectClientException ('Unable to verify signature due to no jwks_uri being defined');
                 }
                 if (!$this->verifyJWTsignature($token_json->id_token)) {
                     throw new OpenIDConnectClientException ('Unable to verify signature');
                 }
             } else {
                 user_error('Warning: JWT signature verification unavailable.');
             }
 
             // Save the id token
             $this->idToken = $token_json->id_token;
 
             // Save the access token
             $this->accessToken = $token_json->access_token;
 
             // If this is a valid claim
             if ($this->verifyJWTclaims($claims, $token_json->access_token)) {
 
                 // Clean up the session a little
                 $this->unsetNonce();
 
                 // Save the full response
                 $this->tokenResponse = $token_json;
 
                 // Save the verified claims
                 $this->verifiedClaims = $claims;
 
                 // Save the refresh token, if we got one
                 if (isset($token_json->refresh_token)) {
                     $this->refreshToken = $token_json->refresh_token;
                 }
 
                 // Success!
                 return true;
 
             }
 
             throw new OpenIDConnectClientException ('Unable to verify JWT claims');
         }
 
         if ($this->allowImplicitFlow && isset($_REQUEST['id_token'])) {
             // if we have no code but an id_token use that
             $id_token = $_REQUEST['id_token'];
 
             $accessToken = null;
             if (isset($_REQUEST['access_token'])) {
                 $accessToken = $_REQUEST['access_token'];
             }
 
             // Do an OpenID Connect session check
             if ($_REQUEST['state'] !== $this->getState()) {
                 throw new OpenIDConnectClientException('Unable to determine state');
             }
 
             // Cleanup state
             $this->unsetState();
 
             $claims = $this->decodeJWT($id_token, 1);
 
             // Verify the signature
             if ($this->canVerifySignatures()) {
                 if (!$this->getProviderConfigValue('jwks_uri')) {
                     throw new OpenIDConnectClientException ('Unable to verify signature due to no jwks_uri being defined');
                 }
                 if (!$this->verifyJWTsignature($id_token)) {
                     throw new OpenIDConnectClientException ('Unable to verify signature');
                 }
             } else {
                 user_error('Warning: JWT signature verification unavailable.');
             }
 
             // Save the id token
             $this->idToken = $id_token;
 
             // If this is a valid claim
             if ($this->verifyJWTclaims($claims, $accessToken)) {
 
                 // Clean up the session a little
                 $this->unsetNonce();
 
                 // Save the verified claims
                 $this->verifiedClaims = $claims;
 
                 // Save the access token
                 if ($accessToken) {
                     $this->accessToken = $accessToken;
                 }
 
                 // Success!
                 return true;
 
             }
 
             throw new OpenIDConnectClientException ('Unable to verify JWT claims');
         }
 
         $this->requestAuthorization();
         return false;
 
     }

◆ canVerifySignatures()

Jumbojett\OpenIDConnectClient::canVerifySignatures ( )

Returns: bool

Definition at line 1496 of file OpenIDConnectClient.php.

                                           {
         return class_exists('\phpseclib\Crypt\RSA') || class_exists('Crypt_RSA');
     }

◆ commitSession()

Jumbojett\OpenIDConnectClient::commitSession ( )

protected

Definition at line 1727 of file OpenIDConnectClient.php.

                                        {
         $this->startSession();
 
         session_write_close();
     }

◆ decodeJWT()

Jumbojett\OpenIDConnectClient::decodeJWT	(	$jwt,
		$section = `0`
	)

protected

Parameters

string	$jwt	encoded JWT
int	$section	the section we would like to decode

Returns: object

Definition at line 1027 of file OpenIDConnectClient.php.

References $section, and Jumbojett\base64url_decode().

                                                      {
 
         $parts = explode('.', $jwt);
         return json_decode(base64url_decode($parts[$section]));
     }

Here is the call graph for this function:

◆ fetchURL()

Jumbojett\OpenIDConnectClient::fetchURL	(	$url,
		$post_body = `null`,
		$headers = `array()`
	)

protected

Parameters

string	$url
string \| null	$post_body	string If this is set the post type will be POST
array	$headers	Extra headers to be send with the request. Format as 'NameHeader: ValueHeader'

Exceptions

OpenIDConnectClientException

Returns: mixed

Set cert Otherwise ignore SSL peer verification

Definition at line 1129 of file OpenIDConnectClient.php.

References $info, Sabre\VObject\$output, and $url.

                                                                              {
 
 
         // OK cool - then let's create a new cURL resource handle
         $ch = curl_init();
 
         // Determine whether this is a GET or POST
         if ($post_body !== null) {
             // curl_setopt($ch, CURLOPT_POST, 1);
             // Alows to keep the POST method even after redirect
             curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
             curl_setopt($ch, CURLOPT_POSTFIELDS, $post_body);
 
             // Default content type is form encoded
             $content_type = 'application/x-www-form-urlencoded';
 
             // Determine if this is a JSON payload and add the appropriate content type
             if (is_object(json_decode($post_body))) {
                 $content_type = 'application/json';
             }
 
             // Add POST-specific headers
             $headers[] = "Content-Type: {$content_type}";
 
         }
 
         // If we set some headers include them
         if(count($headers) > 0) {
             curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
         }
 
         // Set URL to download
         curl_setopt($ch, CURLOPT_URL, $url);
 
         if (isset($this->httpProxy)) {
             curl_setopt($ch, CURLOPT_PROXY, $this->httpProxy);
         }
 
         // Include header in result? (0 = yes, 1 = no)
         curl_setopt($ch, CURLOPT_HEADER, 0);
 
         // Allows to follow redirect
         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
 
         if (isset($this->certPath)) {
             curl_setopt($ch, CURLOPT_CAINFO, $this->certPath);
         }
 
         if($this->verifyHost) {
             curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
         } else {
             curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
         }
 
         if($this->verifyPeer) {
             curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
         } else {
             curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
         }
 
         // Should cURL return or print out the data? (true = return, false = print)
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 
         // Timeout in seconds
         curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeOut);
 
         // Download the given URL, and return output
         $output = curl_exec($ch);
 
         // HTTP Response code from server may be required from subclass
         $info = curl_getinfo($ch);
         $this->responseCode = $info['http_code'];
 
         if ($output === false) {
             throw new OpenIDConnectClientException('Curl error: (' . curl_errno($ch) . ') ' . curl_error($ch));
         }
 
         // Close the cURL resource, and free system resources
         curl_close($ch);
 
         return $output;
     }

◆ generateRandString()

Jumbojett\OpenIDConnectClient::generateRandString ( )

protected

Used for arbitrary value generation for nonces and state.

Returns: string

Exceptions

OpenIDConnectClientException

Definition at line 615 of file OpenIDConnectClient.php.

                                             {
         // Error and Exception need to be catched in this order, see https://github.com/paragonie/random_compat/blob/master/README.md
         // random_compat polyfill library should be removed if support for PHP versions < 7 is dropped
         try {
             return \bin2hex(\random_bytes(16));
         } catch (Error $e) {
             throw new OpenIDConnectClientException('Random token generation failed.');
         } catch (Exception $e) {
             throw new OpenIDConnectClientException('Random token generation failed.');
         };
     }

◆ get_key_for_header()

Jumbojett\OpenIDConnectClient::get_key_for_header	(	$keys,
		$header
	)

private

Parameters

array	$keys
array	$header

Exceptions

OpenIDConnectClientException

Returns: object

Definition at line 833 of file OpenIDConnectClient.php.

References $header, $key, and $keys.

                                                         {
         foreach ($keys as $key) {
             if ($key->kty === 'RSA') {
                 if (!isset($header->kid) || $key->kid === $header->kid) {
                     return $key;
                 }
             } else {
                 if (isset($key->alg) && $key->alg === $header->alg && $key->kid === $header->kid) {
                     return $key;
                 }
             }
         }
         if ($this->additionalJwks) {
             foreach ($this->additionalJwks as $key) {
                 if ($key->kty === 'RSA') {
                     if (!isset($header->kid) || $key->kid === $header->kid) {
                         return $key;
                     }
                 } else {
                     if (isset($key->alg) && $key->alg === $header->alg && $key->kid === $header->kid) {
                         return $key;
                     }
                 }
             }
         }
         if (isset($header->kid)) {
             throw new OpenIDConnectClientException('Unable to find a key for (algorithm, kid):' . $header->alg . ', ' . $header->kid . ')');
         }
 
         throw new OpenIDConnectClientException('Unable to find a key for RSA');
     }

◆ getAccessToken()

Jumbojett\OpenIDConnectClient::getAccessToken ( )

Returns: string

Definition at line 1515 of file OpenIDConnectClient.php.

                                      {
         return $this->accessToken;
     }

◆ getAccessTokenHeader()

Jumbojett\OpenIDConnectClient::getAccessTokenHeader ( )

Returns: object

Definition at line 1536 of file OpenIDConnectClient.php.

                                            {
         return $this->decodeJWT($this->accessToken);
     }

◆ getAccessTokenPayload()

Jumbojett\OpenIDConnectClient::getAccessTokenPayload ( )

Returns: object

Definition at line 1543 of file OpenIDConnectClient.php.

                                             {
         return $this->decodeJWT($this->accessToken, 1);
     }

◆ getAllowImplicitFlow()

Jumbojett\OpenIDConnectClient::getAllowImplicitFlow ( )

Returns: bool

Definition at line 1332 of file OpenIDConnectClient.php.

     {
         return $this->allowImplicitFlow;
     }

◆ getAuthParams()

Jumbojett\OpenIDConnectClient::getAuthParams ( )

Returns: array

Definition at line 1788 of file OpenIDConnectClient.php.

     {
         return $this->authParams;
     }

◆ getCertPath()

Jumbojett\OpenIDConnectClient::getCertPath ( )

Returns: string|null

Definition at line 1276 of file OpenIDConnectClient.php.

     {
         return $this->certPath;
     }

◆ getClientID()

Jumbojett\OpenIDConnectClient::getClientID ( )

Returns: string

Definition at line 1482 of file OpenIDConnectClient.php.

                                   {
         return $this->clientID;
     }

◆ getClientName()

Jumbojett\OpenIDConnectClient::getClientName ( )

Returns: string

Definition at line 1468 of file OpenIDConnectClient.php.

                                     {
         return $this->clientName;
     }

◆ getClientSecret()

Jumbojett\OpenIDConnectClient::getClientSecret ( )

Returns: string

Definition at line 1489 of file OpenIDConnectClient.php.

References PHPMailer\PHPMailer\$clientSecret.

                                       {
         return $this->clientSecret;
     }

◆ getCodeChallengeMethod()

Jumbojett\OpenIDConnectClient::getCodeChallengeMethod ( )

Returns: string

Definition at line 1812 of file OpenIDConnectClient.php.

                                              {
         return $this->codeChallengeMethod;
     }

◆ getCodeVerifier()

Jumbojett\OpenIDConnectClient::getCodeVerifier ( )

protected

Get stored codeVerifier.

Returns: string

Definition at line 1642 of file OpenIDConnectClient.php.

                                          {
         return $this->getSessionKey('openid_connect_code_verifier');
     }

◆ getIdToken()

Jumbojett\OpenIDConnectClient::getIdToken ( )

Returns: string

Definition at line 1529 of file OpenIDConnectClient.php.

                                  {
         return $this->idToken;
     }

◆ getIdTokenHeader()

Jumbojett\OpenIDConnectClient::getIdTokenHeader ( )

Returns: object

Definition at line 1550 of file OpenIDConnectClient.php.

                                        {
         return $this->decodeJWT($this->idToken);
     }

◆ getIdTokenPayload()

Jumbojett\OpenIDConnectClient::getIdTokenPayload ( )

Returns: object

Definition at line 1557 of file OpenIDConnectClient.php.

                                         {
         return $this->decodeJWT($this->idToken, 1);
     }

◆ getIssuer()

Jumbojett\OpenIDConnectClient::getIssuer ( )

Returns: string

Exceptions

OpenIDConnectClientException

Definition at line 1230 of file OpenIDConnectClient.php.

                                 {
 
         if (!isset($this->providerConfig['issuer'])) {
             throw new OpenIDConnectClientException('The issuer has not been set');
         }
 
         return $this->providerConfig['issuer'];
     }

◆ getIssuerValidator()

Jumbojett\OpenIDConnectClient::getIssuerValidator ( )

Returns: callable

Definition at line 1796 of file OpenIDConnectClient.php.

     {
         return $this->issuerValidator;
     }

◆ getLeeway()

Jumbojett\OpenIDConnectClient::getLeeway ( )

Returns: int

Definition at line 1804 of file OpenIDConnectClient.php.

     {
         return $this->leeway;
     }

◆ getNonce()

Jumbojett\OpenIDConnectClient::getNonce ( )

protected

Get stored nonce.

Returns: string

Definition at line 1584 of file OpenIDConnectClient.php.

                                   {
         return $this->getSessionKey('openid_connect_nonce');
     }

◆ getProviderConfigValue()

Jumbojett\OpenIDConnectClient::getProviderConfigValue	(	$param,
		$default = `null`
	)

protected

Get's anything that we need configuration wise including endpoints, and other values.

Parameters

string	$param
string	$default	optional

Exceptions

OpenIDConnectClientException

Returns: string

Definition at line 494 of file OpenIDConnectClient.php.

References $default.

                                                                        {
 
         // If the configuration value is not available, attempt to fetch it from a well known config endpoint
         // This is also known as auto "discovery"
         if (!isset($this->providerConfig[$param])) {
             $this->providerConfig[$param] = $this->getWellKnownConfigValue($param, $default);
         }
 
         return $this->providerConfig[$param];
     }

◆ getProviderURL()

Jumbojett\OpenIDConnectClient::getProviderURL ( )

Returns: mixed

Exceptions

OpenIDConnectClientException

Definition at line 1243 of file OpenIDConnectClient.php.

                                      {
         if (!isset($this->providerConfig['providerUrl'])) {
             throw new OpenIDConnectClientException('The provider URL has not been set');
         }
 
         return $this->providerConfig['providerUrl'];
     }

◆ getRedirectURL()

Jumbojett\OpenIDConnectClient::getRedirectURL ( )

Gets the URL of the current page we are on, encodes, and returns it.

Returns: string

Thank you http://stackoverflow.com/questions/189113/how-do-i-get-current-page-full-url-in-php-on-a-windows-iis-server

Definition at line 568 of file OpenIDConnectClient.php.

References $_SERVER, and GuzzleHttp\Psr7\$protocol.

                                      {
 
         // If the redirect URL has been set then return it.
         if (property_exists($this, 'redirectURL') && $this->redirectURL) {
             return $this->redirectURL;
         }
 
         // Other-wise return the URL of the current page
 
         /*
          * Compatibility with multiple host headers.
          * The problem with SSL over port 80 is resolved and non-SSL over port 443.
          * Support of 'ProxyReverse' configurations.
          */
 
         if (isset($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']) && ($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS'] === '1')) {
             $protocol = 'https';
         } else {
             $protocol = @$_SERVER['HTTP_X_FORWARDED_PROTO']
                 ?: @$_SERVER['REQUEST_SCHEME']
                     ?: ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https' : 'http');
         }
 
         $port = @intval($_SERVER['HTTP_X_FORWARDED_PORT'])
             ?: @intval($_SERVER['SERVER_PORT'])
                 ?: (($protocol === 'https') ? 443 : 80);
 
         $host = @explode(':', $_SERVER['HTTP_HOST'])[0]
             ?: @$_SERVER['SERVER_NAME']
                 ?: @$_SERVER['SERVER_ADDR'];
 
         $port = (443 === $port) || (80 === $port) ? '' : ':' . $port;
 
         return sprintf('%s://%s%s/%s', $protocol, $host, $port, @trim(reset(explode('?', $_SERVER['REQUEST_URI'])), '/'));
     }

◆ getRefreshToken()

Jumbojett\OpenIDConnectClient::getRefreshToken ( )

Returns: string

Definition at line 1522 of file OpenIDConnectClient.php.

                                       {
         return $this->refreshToken;
     }

◆ getResponseCode()

Jumbojett\OpenIDConnectClient::getResponseCode ( )

Get the response code from last action/curl request.

Returns: int

Definition at line 1660 of file OpenIDConnectClient.php.

     {
         return $this->responseCode;
     }

◆ getResponseTypes()

Jumbojett\OpenIDConnectClient::getResponseTypes ( )

Returns: array

Definition at line 1780 of file OpenIDConnectClient.php.

     {
         return $this->responseTypes;
     }

◆ getScopes()

Jumbojett\OpenIDConnectClient::getScopes ( )

Returns: array

Definition at line 1772 of file OpenIDConnectClient.php.

     {
         return $this->scopes;
     }

◆ getSessionKey()

Jumbojett\OpenIDConnectClient::getSessionKey ( $key )

protected

Definition at line 1733 of file OpenIDConnectClient.php.

References $_SESSION, and $key.

                                            {
         $this->startSession();
 
         return $_SESSION[$key];
     }

◆ getState()

Jumbojett\OpenIDConnectClient::getState ( )

protected

Get stored state.

Returns: string

Definition at line 1613 of file OpenIDConnectClient.php.

                                   {
         return $this->getSessionKey('openid_connect_state');
     }

◆ getTimeout()

Jumbojett\OpenIDConnectClient::getTimeout ( )

Returns: int

Definition at line 1678 of file OpenIDConnectClient.php.

     {
         return $this->timeOut;
     }

◆ getTokenResponse()

Jumbojett\OpenIDConnectClient::getTokenResponse ( )

Returns: string

Definition at line 1564 of file OpenIDConnectClient.php.

                                        {
         return $this->tokenResponse;
     }

◆ getVerifiedClaims()

Jumbojett\OpenIDConnectClient::getVerifiedClaims ( $attribute = null )

Parameters

string | null $attribute optional

Attribute Type Description exp int Expires at nbf int Not before ver string Version iss string Issuer sub string Subject aud string Audience nonce string nonce iat int Issued At auth_time int Authenatication time oid string Object id

Returns: mixed

Definition at line 1109 of file OpenIDConnectClient.php.

                                                          {
 
         if($attribute === null) {
             return $this->verifiedClaims;
         }
 
         if (property_exists($this->verifiedClaims, $attribute)) {
             return $this->verifiedClaims->$attribute;
         }
 
         return null;
     }

◆ getVerifyHost()

Jumbojett\OpenIDConnectClient::getVerifyHost ( )

Returns: bool

Definition at line 1298 of file OpenIDConnectClient.php.

     {
         return $this->verifyHost;
     }

◆ getVerifyPeer()

Jumbojett\OpenIDConnectClient::getVerifyPeer ( )

Returns: bool

Definition at line 1306 of file OpenIDConnectClient.php.

     {
         return $this->verifyPeer;
     }

◆ getWellKnownConfigValue()

Jumbojett\OpenIDConnectClient::getWellKnownConfigValue	(	$param,
		$default = `null`
	)

private

Get's anything that we need configuration wise including endpoints, and other values.

Parameters

string	$param
string	$default	optional

Exceptions

OpenIDConnectClientException

Returns: string

Definition at line 514 of file OpenIDConnectClient.php.

References $default.

                                                                       {
 
         // If the configuration value is not available, attempt to fetch it from a well known config endpoint
         // This is also known as auto "discovery"
         if(!$this->wellKnown) {
             $well_known_config_url = rtrim($this->getProviderURL(), '/') . '/.well-known/openid-configuration';
             if (count($this->wellKnownConfigParameters) > 0){
                 $well_known_config_url .= '?' .  http_build_query($this->wellKnownConfigParameters) ;
             }
             $this->wellKnown = json_decode($this->fetchURL($well_known_config_url));
         }
 
         $value = false;
         if(isset($this->wellKnown->{$param})){
             $value = $this->wellKnown->{$param};
         }
 
         if ($value) {
             return $value;
         }
 
         if (isset($default)) {
             // Uses default value if provided
             return $default;
         }
 
         throw new OpenIDConnectClientException("The provider {$param} could not be fetched. Make sure your provider has a well known configuration available.");
     }

◆ getWellKnownIssuer()

Jumbojett\OpenIDConnectClient::getWellKnownIssuer ( $appendSlash = false )

Parameters

bool $appendSlash

Returns: string

Exceptions

OpenIDConnectClientException

Definition at line 1221 of file OpenIDConnectClient.php.

                                                              {
 
         return $this->getWellKnownConfigValue('issuer') . ($appendSlash ? '/' : '');
     }

◆ hashEquals()

static Jumbojett\OpenIDConnectClient::hashEquals	(	$str1,
		$str2
	)

staticprivate

Where has_equals is not available, this provides a timing-attack safe string comparison.

Parameters

string	$str1
string	$str2

Returns: bool

Definition at line 1702 of file OpenIDConnectClient.php.

References $i.

     {
         $len1=static::safeLength($str1);
         $len2=static::safeLength($str2);
 
         //compare strings without any early abort...
         $len = min($len1, $len2);
         $status = 0;
         for ($i = 0; $i < $len; $i++) {
             $status |= (ord($str1[$i]) ^ ord($str2[$i]));
         }
         //if strings were different lengths, we fail
         $status |= ($len1 ^ $len2);
         return ($status === 0);
     }

◆ introspectToken()

Jumbojett\OpenIDConnectClient::introspectToken	(	$token,
		$token_type_hint = `''`,
		$clientId = `null`,
		$clientSecret = `null`
	)

Introspect a given token - either access token or refresh token.

See also: https://tools.ietf.org/html/rfc7662

Parameters

string	$token
string	$token_type_hint
string \| null	$clientId
string \| null	$clientSecret

Returns: mixed

Exceptions

OpenIDConnectClientException

Definition at line 1414 of file OpenIDConnectClient.php.

References PHPMailer\PHPMailer\$clientId, PHPMailer\PHPMailer\$clientSecret, and PHPMailer\PHPMailer\$token.

                                                                                                            {
         $introspection_endpoint = $this->getProviderConfigValue('introspection_endpoint');
 
         $post_data = array(
             'token'    => $token,
         );
         if ($token_type_hint) {
             $post_data['token_type_hint'] = $token_type_hint;
         }
         $clientId = $clientId !== null ? $clientId : $this->clientID;
         $clientSecret = $clientSecret !== null ? $clientSecret : $this->clientSecret;
 
         // Convert token params to string format
         $post_params = http_build_query($post_data, null, '&');
         $headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)),
             'Accept: application/json'];
 
         return json_decode($this->fetchURL($introspection_endpoint, $post_params, $headers));
     }

◆ providerConfigParam()

Jumbojett\OpenIDConnectClient::providerConfigParam ( $array )

Use this to alter a provider's endpoints and other attributes.

Parameters

array $array simple key => value

Definition at line 1344 of file OpenIDConnectClient.php.

                                                 {
         $this->providerConfig = array_merge($this->providerConfig, $array);
     }

◆ redirect()

Jumbojett\OpenIDConnectClient::redirect ( $url )

Parameters

string $url

Definition at line 1254 of file OpenIDConnectClient.php.

References $url, and exit.

                                    {
         header('Location: ' . $url);
         exit;
     }

◆ refreshToken()

Jumbojett\OpenIDConnectClient::refreshToken ( $refresh_token )

Requests Access token with refresh token.

Parameters

string $refresh_token

Returns: mixed

Exceptions

OpenIDConnectClientException

Definition at line 799 of file OpenIDConnectClient.php.

                                                  {
         $token_endpoint = $this->getProviderConfigValue('token_endpoint');
 
         $grant_type = 'refresh_token';
 
         $token_params = array(
             'grant_type' => $grant_type,
             'refresh_token' => $refresh_token,
             'client_id' => $this->clientID,
             'client_secret' => $this->clientSecret,
         );
 
         // Convert token params to string format
         $token_params = http_build_query($token_params, null, '&', $this->enc_type);
 
         $json = json_decode($this->fetchURL($token_endpoint, $token_params));
 
         if (isset($json->access_token)) {
             $this->accessToken = $json->access_token;
         }
 
         if (isset($json->refresh_token)) {
             $this->refreshToken = $json->refresh_token;
         }
 
         return $json;
     }

◆ register()

Jumbojett\OpenIDConnectClient::register ( )

Dynamic registration.

Exceptions

OpenIDConnectClientException

Definition at line 1368 of file OpenIDConnectClient.php.

References $response.

                                {
 
         $registration_endpoint = $this->getProviderConfigValue('registration_endpoint');
 
         $send_object = (object ) array_merge($this->registrationParams, array(
             'redirect_uris' => array($this->getRedirectURL()),
             'client_name' => $this->getClientName()
         ));
 
         $response = $this->fetchURL($registration_endpoint, json_encode($send_object));
 
         $json_response = json_decode($response);
 
         // Throw some errors if we encounter them
         if ($json_response === false) {
             throw new OpenIDConnectClientException('Error registering: JSON response received from the server was invalid.');
         }
 
         if (isset($json_response->{'error_description'})) {
             throw new OpenIDConnectClientException($json_response->{'error_description'});
         }
 
         $this->setClientID($json_response->{'client_id'});
 
         // The OpenID Connect Dynamic registration protocol makes the client secret optional
         // and provides a registration access token and URI endpoint if it is not present
         if (isset($json_response->{'client_secret'})) {
             $this->setClientSecret($json_response->{'client_secret'});
         } else {
             throw new OpenIDConnectClientException('Error registering:
                                                     Please contact the OpenID Connect provider and obtain a Client ID and Secret directly from them');
         }
 
     }

◆ requestAuthorization()

Jumbojett\OpenIDConnectClient::requestAuthorization ( )

private

Start Here.

Returns: void

Exceptions

OpenIDConnectClientException

Definition at line 632 of file OpenIDConnectClient.php.

References $state, and GuzzleHttp\Psr7\hash().

                                             {
 
         $auth_endpoint = $this->getProviderConfigValue('authorization_endpoint');
         $response_type = 'code';
 
         // Generate and store a nonce in the session
         // The nonce is an arbitrary value
         $nonce = $this->setNonce($this->generateRandString());
 
         // State essentially acts as a session key for OIDC
         $state = $this->setState($this->generateRandString());
 
         $auth_params = array_merge($this->authParams, array(
             'response_type' => $response_type,
             'redirect_uri' => $this->getRedirectURL(),
             'client_id' => $this->clientID,
             'nonce' => $nonce,
             'state' => $state,
             'scope' => 'openid'
         ));
 
         // If the client has been registered with additional scopes
         if (count($this->scopes) > 0) {
             $auth_params = array_merge($auth_params, array('scope' => implode(' ', array_merge($this->scopes, array('openid')))));
         }
 
         // If the client has been registered with additional response types
         if (count($this->responseTypes) > 0) {
             $auth_params = array_merge($auth_params, array('response_type' => implode(' ', $this->responseTypes)));
         }
 
         // If the client supports Proof Key for Code Exchange (PKCE)
         if (!empty($this->getCodeChallengeMethod()) && in_array($this->getCodeChallengeMethod(), $this->getProviderConfigValue('code_challenge_methods_supported'))) {
             $codeVerifier = bin2hex(random_bytes(64));
             $this->setCodeVerifier($codeVerifier);
             if (!empty($this->pkceAlgs[$this->getCodeChallengeMethod()])) {
                 $codeChallenge = rtrim(strtr(base64_encode(hash($this->pkceAlgs[$this->getCodeChallengeMethod()], $codeVerifier, true)), '+/', '-_'), '=');
             } else {
                 $codeChallenge = $codeVerifier;
             }
             $auth_params = array_merge($auth_params, array(
                 'code_challenge' => $codeChallenge,
                 'code_challenge_method' => $this->getCodeChallengeMethod()
             ));
         }
 
         $auth_endpoint .= (strpos($auth_endpoint, '?') === false ? '?' : '&') . http_build_query($auth_params, null, '&', $this->enc_type);
 
         $this->commitSession();
         $this->redirect($auth_endpoint);
     }

Here is the call graph for this function:

◆ requestClientCredentialsToken()

Jumbojett\OpenIDConnectClient::requestClientCredentialsToken ( )

Requests a client credentials token.

Exceptions

OpenIDConnectClientException

Definition at line 689 of file OpenIDConnectClient.php.

                                                     {
         $token_endpoint = $this->getProviderConfigValue('token_endpoint');
 
         $headers = [];
 
         $grant_type = 'client_credentials';
 
         $post_data = array(
             'grant_type'    => $grant_type,
             'client_id'     => $this->clientID,
             'client_secret' => $this->clientSecret,
             'scope'         => implode(' ', $this->scopes)
         );
 
         // Convert token params to string format
         $post_params = http_build_query($post_data, null, '&', $this->enc_type);
 
         return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
     }

◆ requestResourceOwnerToken()

Jumbojett\OpenIDConnectClient::requestResourceOwnerToken ( $bClientAuth = FALSE )

Requests a resource owner token (Defined in https://tools.ietf.org/html/rfc6749#section-4.3)

Parameters

boolean $bClientAuth Indicates that the Client ID and Secret be used for client authentication

Returns: mixed

Exceptions

OpenIDConnectClientException

Definition at line 718 of file OpenIDConnectClient.php.

References PHPMailer\PHPMailer\$clientSecret.

                                                                      {
         $token_endpoint = $this->getProviderConfigValue('token_endpoint');
 
         $headers = [];
 
         $grant_type = 'password';
 
         $post_data = array(
             'grant_type'    => $grant_type,
             'username'      => $this->authParams['username'],
             'password'      => $this->authParams['password'],
             'scope'         => implode(' ', $this->scopes)
         );
 
         //For client authentication include the client values
         if($bClientAuth) {
             $post_data['client_id']     = $this->clientID;
             $post_data['client_secret'] = $this->clientSecret;
         }
 
         // Convert token params to string format
         $post_params = http_build_query($post_data, null, '&', $this->enc_type);
 
         return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
     }

◆ requestTokens()

Jumbojett\OpenIDConnectClient::requestTokens ( $code )

protected

Requests ID and Access tokens.

Parameters

string $code

Returns: mixed

Exceptions

OpenIDConnectClientException

Definition at line 752 of file OpenIDConnectClient.php.

References $code.

                                             {
         $token_endpoint = $this->getProviderConfigValue('token_endpoint');
         $token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
 
         $headers = [];
 
         $grant_type = 'authorization_code';
 
         $token_params = array(
             'grant_type' => $grant_type,
             'code' => $code,
             'redirect_uri' => $this->getRedirectURL(),
             'client_id' => $this->clientID,
             'client_secret' => $this->clientSecret
         );
 
         # Consider Basic authentication if provider config is set this way
         if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported, true)) {
             $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
             unset($token_params['client_secret']);
                 unset($token_params['client_id']);
         }
 
         if (!empty($this->getCodeChallengeMethod()) && !empty($this->getCodeVerifier())) {
             $headers = [];
             unset($token_params['client_secret']);
             $token_params = array_merge($token_params, array(
                 'client_id' => $this->clientID,
                 'code_verifier' => $this->getCodeVerifier()
             ));
         }
 
         // Convert token params to string format
         $token_params = http_build_query($token_params, null, '&', $this->enc_type);
 
         $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers));
 
         return $this->tokenResponse;
     }

◆ requestUserInfo()

Jumbojett\OpenIDConnectClient::requestUserInfo ( $attribute = null )

Parameters

string | null $attribute optional

Attribute Type Description user_id string REQUIRED Identifier for the End-User at the Issuer. name string End-User's full name in displayable form including all name parts, ordered according to End-User's locale and preferences. given_name string Given name or first name of the End-User. family_name string Surname or last name of the End-User. middle_name string Middle name of the End-User. nickname string Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael. profile string URL of End-User's profile page. picture string URL of the End-User's profile picture. website string URL of End-User's web page or blog. email string The End-User's preferred e-mail address. verified boolean True if the End-User's e-mail address has been verified; otherwise false. gender string The End-User's gender: Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable. birthday string The End-User's birthday, represented as a date string in MM/DD/YYYY format. The year MAY be 0000, indicating that it is omitted. zoneinfo string String from zoneinfo [zoneinfo] time zone database. For example, Europe/Paris or America/Los_Angeles. locale string The End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Implementations MAY choose to accept this locale syntax as well. phone_number string The End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim. For example, +1 (425) 555-1212 or +56 (2) 687 2400. address JSON object The End-User's preferred address. The value of the address member is a JSON [RFC4627] structure containing some or all of the members defined in Section 2.4.2.1. updated_time string Time the End-User's information was last updated, represented as a RFC 3339 [RFC3339] datetime. For example, 2011-01-03T23:58:42+0000.

Returns: mixed

Exceptions

OpenIDConnectClientException

Definition at line 1061 of file OpenIDConnectClient.php.

                                                        {
 
         $user_info_endpoint = $this->getProviderConfigValue('userinfo_endpoint');
         $schema = 'openid';
 
         $user_info_endpoint .= '?schema=' . $schema;
 
         //The accessToken has to be sent in the Authorization header.
         // Accept json to indicate response type
         $headers = ["Authorization: Bearer {$this->accessToken}",
             'Accept: application/json'];
 
         $user_json = json_decode($this->fetchURL($user_info_endpoint,null,$headers));
         if ($this->getResponseCode() <> 200) {
             throw new OpenIDConnectClientException('The communication to retrieve user data has failed with status code '.$this->getResponseCode());
         }
         $this->userInfo = $user_json;
 
         if($attribute === null) {
             return $this->userInfo;
         }
 
         if (property_exists($this->userInfo, $attribute)) {
             return $this->userInfo->$attribute;
         }
 
         return null;
     }

◆ revokeToken()

Jumbojett\OpenIDConnectClient::revokeToken	(	$token,
		$token_type_hint = `''`,
		$clientId = `null`,
		$clientSecret = `null`
	)

Revoke a given token - either access token or refresh token.

See also: https://tools.ietf.org/html/rfc7009

Parameters

string	$token
string	$token_type_hint
string \| null	$clientId
string \| null	$clientSecret

Returns: mixed

Exceptions

OpenIDConnectClientException

Definition at line 1445 of file OpenIDConnectClient.php.

References PHPMailer\PHPMailer\$clientId, PHPMailer\PHPMailer\$clientSecret, and PHPMailer\PHPMailer\$token.

                                                                                                        {
         $revocation_endpoint = $this->getProviderConfigValue('revocation_endpoint');
 
         $post_data = array(
             'token'    => $token,
         );
         if ($token_type_hint) {
             $post_data['token_type_hint'] = $token_type_hint;
         }
         $clientId = $clientId !== null ? $clientId : $this->clientID;
         $clientSecret = $clientSecret !== null ? $clientSecret : $this->clientSecret;
 
         // Convert token params to string format
         $post_params = http_build_query($post_data, null, '&');
         $headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)),
             'Accept: application/json'];
 
         return json_decode($this->fetchURL($revocation_endpoint, $post_params, $headers));
     }

◆ safeLength()

static Jumbojett\OpenIDConnectClient::safeLength ( $str )

staticprivate

Safely calculate length of binary string.

Parameters

string $str

Returns: int

Definition at line 1688 of file OpenIDConnectClient.php.

     {
         if (function_exists('mb_strlen')) {
             return mb_strlen($str, '8bit');
         }
         return strlen($str);
     }

◆ setAccessToken()

Jumbojett\OpenIDConnectClient::setAccessToken ( $accessToken )

Set the access token.

May be required for subclasses of this Client.

Parameters

string $accessToken

Returns: void

Definition at line 1508 of file OpenIDConnectClient.php.

                                                  {
         $this->accessToken = $accessToken;
     }

◆ setAllowImplicitFlow()

Jumbojett\OpenIDConnectClient::setAllowImplicitFlow ( $allowImplicitFlow )

Parameters

bool $allowImplicitFlow

Definition at line 1325 of file OpenIDConnectClient.php.

                                                              {
         $this->allowImplicitFlow = $allowImplicitFlow;
     }

◆ setCertPath()

Jumbojett\OpenIDConnectClient::setCertPath ( $certPath )

Parameters

string $certPath

Definition at line 1269 of file OpenIDConnectClient.php.

                                            {
         $this->certPath = $certPath;
     }

◆ setClientID()

Jumbojett\OpenIDConnectClient::setClientID ( $clientID )

Parameters

string $clientID

Definition at line 1358 of file OpenIDConnectClient.php.

                                            {
         $this->clientID = $clientID;
     }

◆ setClientName()

Jumbojett\OpenIDConnectClient::setClientName ( $clientName )

Parameters

string $clientName

Definition at line 1475 of file OpenIDConnectClient.php.

                                                {
         $this->clientName = $clientName;
     }

◆ setClientSecret()

Jumbojett\OpenIDConnectClient::setClientSecret ( $clientSecret )

Parameters

string $clientSecret

Definition at line 1351 of file OpenIDConnectClient.php.

References PHPMailer\PHPMailer\$clientSecret.

                                                    {
         $this->clientSecret = $clientSecret;
     }

◆ setCodeChallengeMethod()

Jumbojett\OpenIDConnectClient::setCodeChallengeMethod ( $codeChallengeMethod )

Parameters

string $codeChallengeMethod

Definition at line 1819 of file OpenIDConnectClient.php.

                                                                  {
         $this->codeChallengeMethod = $codeChallengeMethod;
     }

◆ setCodeVerifier()

Jumbojett\OpenIDConnectClient::setCodeVerifier ( $codeVerifier )

protected

Stores $codeVerifier.

Parameters

string $codeVerifier

Returns: string

Definition at line 1632 of file OpenIDConnectClient.php.

                                                       {
         $this->setSessionKey('openid_connect_code_verifier', $codeVerifier);
         return $codeVerifier;
     }

◆ setHttpProxy()

Jumbojett\OpenIDConnectClient::setHttpProxy ( $httpProxy )

Parameters

string $httpProxy

Definition at line 1262 of file OpenIDConnectClient.php.

                                              {
         $this->httpProxy = $httpProxy;
     }

◆ setIssuer()

Jumbojett\OpenIDConnectClient::setIssuer ( $issuer )

Parameters

$issuer

Definition at line 273 of file OpenIDConnectClient.php.

References $issuer.

                                        {
         $this->providerConfig['issuer'] = $issuer;
     }

◆ setIssuerValidator()

Jumbojett\OpenIDConnectClient::setIssuerValidator ( $issuerValidator )

Use this for custom issuer validation The given function should accept the issuer string from the JWT claim as the only argument and return true if the issuer is valid, otherwise return false.

Parameters

callable $issuerValidator

Definition at line 1318 of file OpenIDConnectClient.php.

                                                         {
         $this->issuerValidator = $issuerValidator;
     }

◆ setNonce()

Jumbojett\OpenIDConnectClient::setNonce ( $nonce )

protected

Stores nonce.

Parameters

string $nonce

Returns: string

Definition at line 1574 of file OpenIDConnectClient.php.

                                         {
         $this->setSessionKey('openid_connect_nonce', $nonce);
         return $nonce;
     }

◆ setProviderURL()

Jumbojett\OpenIDConnectClient::setProviderURL ( $provider_url )

Parameters

$provider_url

Definition at line 266 of file OpenIDConnectClient.php.

                                                   {
         $this->providerConfig['providerUrl'] = $provider_url;
     }

◆ setRedirectURL()

Jumbojett\OpenIDConnectClient::setRedirectURL ( $url )

Parameters

string $url Sets redirect URL for auth flow

Definition at line 557 of file OpenIDConnectClient.php.

References $url.

                                           {
         if (parse_url($url,PHP_URL_HOST) !== false) {
             $this->redirectURL = $url;
         }
     }

◆ setResponseTypes()

Jumbojett\OpenIDConnectClient::setResponseTypes ( $response_types )

Parameters

$response_types

Definition at line 280 of file OpenIDConnectClient.php.

                                                       {
         $this->responseTypes = array_merge($this->responseTypes, (array)$response_types);
     }

◆ setSessionKey()

Jumbojett\OpenIDConnectClient::setSessionKey	(	$key,
		$value
	)

protected

Definition at line 1739 of file OpenIDConnectClient.php.

References $_SESSION, and $key.

                                                    {
         $this->startSession();
 
         $_SESSION[$key] = $value;
     }

◆ setState()

Jumbojett\OpenIDConnectClient::setState ( $state )

protected

Stores $state.

Parameters

string $state

Returns: string

Definition at line 1603 of file OpenIDConnectClient.php.

References $state.

                                         {
         $this->setSessionKey('openid_connect_state', $state);
         return $state;
     }

◆ setTimeout()

Jumbojett\OpenIDConnectClient::setTimeout ( $timeout )

Set timeout (seconds)

Parameters

int $timeout

Definition at line 1670 of file OpenIDConnectClient.php.

     {
         $this->timeOut = $timeout;
     }

◆ setUrlEncoding()

Jumbojett\OpenIDConnectClient::setUrlEncoding ( $curEncoding )

Definition at line 1751 of file OpenIDConnectClient.php.

     {
         switch ($curEncoding)
         {
             case PHP_QUERY_RFC1738:
                 $this->enc_type = PHP_QUERY_RFC1738;
                 break;
 
             case PHP_QUERY_RFC3986:
                 $this->enc_type = PHP_QUERY_RFC3986;
                 break;
 
                 default:
                 break;
         }
 
     }

◆ setVerifyHost()

Jumbojett\OpenIDConnectClient::setVerifyHost ( $verifyHost )

Parameters

bool $verifyHost

Definition at line 1291 of file OpenIDConnectClient.php.

                                                {
         $this->verifyHost = $verifyHost;
     }

◆ setVerifyPeer()

Jumbojett\OpenIDConnectClient::setVerifyPeer ( $verifyPeer )

Parameters

bool $verifyPeer

Definition at line 1284 of file OpenIDConnectClient.php.

                                                {
         $this->verifyPeer = $verifyPeer;
     }

◆ setWellKnownConfigParameters()

Jumbojett\OpenIDConnectClient::setWellKnownConfigParameters ( array $params = [] )

Set optionnal parameters for .well-known/openid-configuration.

Parameters

string $param

Definition at line 549 of file OpenIDConnectClient.php.

References PHPMailer\PHPMailer\$params.

                                                                     {
         $this->wellKnownConfigParameters=$params;
     }

◆ signOut()

Jumbojett\OpenIDConnectClient::signOut	(	$accessToken,
		$redirect
	)

It calls the end-session endpoint of the OpenID Connect provider to notify the OpenID Connect provider that the end-user has logged out of the relying party site (the client application).

Parameters

string	$accessToken	ID token (obtained at login)
string \| null	$redirect	URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. The value MUST have been previously registered with the OP. Value can be null.

Exceptions

OpenIDConnectClientException

Definition at line 440 of file OpenIDConnectClient.php.

                                                      {
         $signout_endpoint = $this->getProviderConfigValue('end_session_endpoint');
 
         $signout_params = null;
         if($redirect === null){
             $signout_params = array('id_token_hint' => $accessToken);
         }
         else {
             $signout_params = array(
                 'id_token_hint' => $accessToken,
                 'post_logout_redirect_uri' => $redirect);
         }
 
         $signout_endpoint  .= (strpos($signout_endpoint, '?') === false ? '?' : '&') . http_build_query( $signout_params, null, '&', $this->enc_type);
         $this->redirect($signout_endpoint);
     }

◆ startSession()

Jumbojett\OpenIDConnectClient::startSession ( )

protected

Use session to manage a nonce.

Definition at line 1721 of file OpenIDConnectClient.php.

References $_SESSION.

                                       {
         if (!isset($_SESSION)) {
             @session_start();
         }
     }

◆ unsetCodeVerifier()

Jumbojett\OpenIDConnectClient::unsetCodeVerifier ( )

protected

Cleanup state.

Returns: void

Definition at line 1651 of file OpenIDConnectClient.php.

                                            {
         $this->unsetSessionKey('openid_connect_code_verifier');
     }

◆ unsetNonce()

Jumbojett\OpenIDConnectClient::unsetNonce ( )

protected

Cleanup nonce.

Returns: void

Definition at line 1593 of file OpenIDConnectClient.php.

                                     {
         $this->unsetSessionKey('openid_connect_nonce');
     }

◆ unsetSessionKey()

Jumbojett\OpenIDConnectClient::unsetSessionKey ( $key )

protected

Definition at line 1745 of file OpenIDConnectClient.php.

References $_SESSION, and $key.

                                              {
         $this->startSession();
 
         unset($_SESSION[$key]);
     }

◆ unsetState()

Jumbojett\OpenIDConnectClient::unsetState ( )

protected

Cleanup state.

Returns: void

Definition at line 1622 of file OpenIDConnectClient.php.

                                     {
         $this->unsetSessionKey('openid_connect_state');
     }

◆ urlEncode()

Jumbojett\OpenIDConnectClient::urlEncode ( $str )

protected

Parameters

string $str

Returns: string

Definition at line 1015 of file OpenIDConnectClient.php.

                                        {
         $enc = base64_encode($str);
         $enc = rtrim($enc, '=');
         $enc = strtr($enc, '+/', '-_');
         return $enc;
     }

◆ verifyHMACJWTsignature()

Jumbojett\OpenIDConnectClient::verifyHMACJWTsignature	(	$hashtype,
		$key,
		$payload,
		$signature
	)

private

Parameters

string	$hashtype
object	$key
	$payload
	$signature

Returns: bool

Exceptions

OpenIDConnectClientException

Definition at line 918 of file OpenIDConnectClient.php.

References $key.

     {
         if (!function_exists('hash_hmac')) {
             throw new OpenIDConnectClientException('hash_hmac support unavailable.');
         }
 
         $expected=hash_hmac($hashtype, $payload, $key, true);
 
         if (function_exists('hash_equals')) {
             return hash_equals($signature, $expected);
         }
 
         return self::hashEquals($signature, $expected);
     }

◆ verifyJWTclaims()

Jumbojett\OpenIDConnectClient::verifyJWTclaims	(	$claims,
		$accessToken = `null`
	)

protected

Parameters

object	$claims
string \| null	$accessToken

Returns: bool

Definition at line 991 of file OpenIDConnectClient.php.

References GuzzleHttp\Psr7\hash().

                                                                      {
         if(isset($claims->at_hash) && isset($accessToken)){
             if(isset($this->getIdTokenHeader()->alg) && $this->getIdTokenHeader()->alg !== 'none'){
                 $bit = substr($this->getIdTokenHeader()->alg, 2, 3);
             }else{
                 // TODO: Error case. throw exception???
                 $bit = '256';
             }
             $len = ((int)$bit)/16;
             $expected_at_hash = $this->urlEncode(substr(hash('sha'.$bit, $accessToken, true), 0, $len));
         }
         return (($this->issuerValidator->__invoke($claims->iss))
             && (($claims->aud === $this->clientID) || in_array($this->clientID, $claims->aud, true))
             && ($claims->nonce === $this->getNonce())
             && ( !isset($claims->exp) || ((gettype($claims->exp) === 'integer') && ($claims->exp >= time() - $this->leeway)))
             && ( !isset($claims->nbf) || ((gettype($claims->nbf) === 'integer') && ($claims->nbf <= time() + $this->leeway)))
             && ( !isset($claims->at_hash) || $claims->at_hash === $expected_at_hash )
         );
     }

Here is the call graph for this function:

◆ verifyJWTsignature()

Jumbojett\OpenIDConnectClient::verifyJWTsignature ( $jwt )

Parameters

string $jwt encoded JWT

Exceptions

OpenIDConnectClientException

Returns: bool

Definition at line 938 of file OpenIDConnectClient.php.

References $header, and Jumbojett\base64url_decode().

                                              {
         if (!\is_string($jwt)) {
             throw new OpenIDConnectClientException('Error token is not a string');
         }
         $parts = explode('.', $jwt);
         if (!isset($parts[0])) {
             throw new OpenIDConnectClientException('Error missing part 0 in token');
         }
         $signature = base64url_decode(array_pop($parts));
         if (false === $signature || '' === $signature) {
             throw new OpenIDConnectClientException('Error decoding signature from token');
         }
         $header = json_decode(base64url_decode($parts[0]));
         if (null === $header || !\is_object($header)) {
             throw new OpenIDConnectClientException('Error decoding JSON from token header');
         }
         $payload = implode('.', $parts);
         $jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')));
         if ($jwks === NULL) {
             throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
         }
         if (!isset($header->alg)) {
             throw new OpenIDConnectClientException('Error missing signature type in token header');
         }
         switch ($header->alg) {
             case 'RS256':
             case 'PS256':
             case 'RS384':
             case 'RS512':
                 $hashtype = 'sha' . substr($header->alg, 2);
                 $signatureType = $header->alg === 'PS256' ? 'PSS' : '';
 
                 $verified = $this->verifyRSAJWTsignature($hashtype,
                     $this->get_key_for_header($jwks->keys, $header),
                     $payload, $signature, $signatureType);
                 break;
             case 'HS256':
             case 'HS512':
             case 'HS384':
                 $hashtype = 'SHA' . substr($header->alg, 2);
                 $verified = $this->verifyHMACJWTsignature($hashtype, $this->getClientSecret(), $payload, $signature);
                 break;
             default:
                 throw new OpenIDConnectClientException('No support for signature type: ' . $header->alg);
         }
         return $verified;
     }

Here is the call graph for this function:

◆ verifyRSAJWTsignature()

Jumbojett\OpenIDConnectClient::verifyRSAJWTsignature	(	$hashtype,
		$key,
		$payload,
		$signature,
		$signatureType
	)

private

Parameters

string	$hashtype
object	$key
	$payload
	$signature
	$signatureType

Returns: bool

Exceptions

OpenIDConnectClientException

Definition at line 875 of file OpenIDConnectClient.php.

References $key, Jumbojett\b64url2b64(), phpseclib\Crypt\RSA\SIGNATURE_PKCS1, and phpseclib\Crypt\RSA\SIGNATURE_PSS.

                                                                                                   {
         if (!class_exists('\phpseclib\Crypt\RSA') && !class_exists('Crypt_RSA')) {
             throw new OpenIDConnectClientException('Crypt_RSA support unavailable.');
         }
         if (!(property_exists($key, 'n') && property_exists($key, 'e'))) {
             throw new OpenIDConnectClientException('Malformed key object');
         }
 
         /* We already have base64url-encoded data, so re-encode it as
            regular base64 and use the XML key format for simplicity.
         */
         $public_key_xml = "<RSAKeyValue>\r\n".
             '  <Modulus>' . b64url2b64($key->n) . "</Modulus>\r\n" .
             '  <Exponent>' . b64url2b64($key->e) . "</Exponent>\r\n" .
             '</RSAKeyValue>';
         if(class_exists('Crypt_RSA', false)) {
             $rsa = new Crypt_RSA();
             $rsa->setHash($hashtype);
             if ($signatureType === 'PSS') {
                 $rsa->setMGFHash($hashtype);
             }
             $rsa->loadKey($public_key_xml, Crypt_RSA::PUBLIC_FORMAT_XML);
             $rsa->signatureMode = $signatureType === 'PSS' ? Crypt_RSA::SIGNATURE_PSS : Crypt_RSA::SIGNATURE_PKCS1;
         } else {
             $rsa = new \phpseclib\Crypt\RSA();
             $rsa->setHash($hashtype);
             if ($signatureType === 'PSS') {
                 $rsa->setMGFHash($hashtype);
             }
             $rsa->loadKey($public_key_xml, \phpseclib\Crypt\RSA::PUBLIC_FORMAT_XML);
             $rsa->signatureMode = $signatureType === 'PSS' ? \phpseclib\Crypt\RSA::SIGNATURE_PSS : \phpseclib\Crypt\RSA::SIGNATURE_PKCS1;
         }
         return $rsa->verify($payload, $signature);
     }

Here is the call graph for this function:

Field Documentation

◆ $accessToken

Jumbojett\OpenIDConnectClient::$accessToken

protected

Definition at line 135 of file OpenIDConnectClient.php.

◆ $additionalJwks

Jumbojett\OpenIDConnectClient::$additionalJwks = array()

private

Definition at line 206 of file OpenIDConnectClient.php.

◆ $allowImplicitFlow

Jumbojett\OpenIDConnectClient::$allowImplicitFlow = false

private

Definition at line 221 of file OpenIDConnectClient.php.

◆ $authParams

Jumbojett\OpenIDConnectClient::$authParams = array()

private

Definition at line 175 of file OpenIDConnectClient.php.

◆ $certPath

Jumbojett\OpenIDConnectClient::$certPath

private

Definition at line 120 of file OpenIDConnectClient.php.

◆ $clientID

Jumbojett\OpenIDConnectClient::$clientID

private

Definition at line 95 of file OpenIDConnectClient.php.

◆ $clientName

Jumbojett\OpenIDConnectClient::$clientName

private

Definition at line 100 of file OpenIDConnectClient.php.

◆ $clientSecret

Jumbojett\OpenIDConnectClient::$clientSecret

private

Definition at line 105 of file OpenIDConnectClient.php.

◆ $codeChallengeMethod

Jumbojett\OpenIDConnectClient::$codeChallengeMethod = false

private

Definition at line 233 of file OpenIDConnectClient.php.

◆ $enc_type

Jumbojett\OpenIDConnectClient::$enc_type = PHP_QUERY_RFC1738

protected

Definition at line 227 of file OpenIDConnectClient.php.

◆ $httpProxy

Jumbojett\OpenIDConnectClient::$httpProxy

private

Definition at line 115 of file OpenIDConnectClient.php.

◆ $idToken

Jumbojett\OpenIDConnectClient::$idToken

protected

Definition at line 145 of file OpenIDConnectClient.php.

◆ $issuerValidator

Jumbojett\OpenIDConnectClient::$issuerValidator

private

Definition at line 216 of file OpenIDConnectClient.php.

◆ $leeway

Jumbojett\OpenIDConnectClient::$leeway = 300

private

Definition at line 201 of file OpenIDConnectClient.php.

◆ $pkceAlgs

Jumbojett\OpenIDConnectClient::$pkceAlgs = array('S256' => 'sha256', 'plain' => false)

private

Definition at line 238 of file OpenIDConnectClient.php.

◆ $providerConfig

Jumbojett\OpenIDConnectClient::$providerConfig = array()

private

Definition at line 110 of file OpenIDConnectClient.php.

◆ $redirectURL

Jumbojett\OpenIDConnectClient::$redirectURL

private

Definition at line 225 of file OpenIDConnectClient.php.

◆ $refreshToken

Jumbojett\OpenIDConnectClient::$refreshToken

private

Definition at line 140 of file OpenIDConnectClient.php.

◆ $registrationParams

Jumbojett\OpenIDConnectClient::$registrationParams = array()

private

Definition at line 180 of file OpenIDConnectClient.php.

◆ $responseCode

Jumbojett\OpenIDConnectClient::$responseCode

private

Definition at line 160 of file OpenIDConnectClient.php.

◆ $responseTypes

Jumbojett\OpenIDConnectClient::$responseTypes = array()

private

Definition at line 165 of file OpenIDConnectClient.php.

◆ $scopes

Jumbojett\OpenIDConnectClient::$scopes = array()

private

Definition at line 155 of file OpenIDConnectClient.php.

◆ $timeOut

Jumbojett\OpenIDConnectClient::$timeOut = 60

protected

Definition at line 196 of file OpenIDConnectClient.php.

◆ $tokenResponse

Jumbojett\OpenIDConnectClient::$tokenResponse

private

Definition at line 150 of file OpenIDConnectClient.php.

◆ $userInfo

Jumbojett\OpenIDConnectClient::$userInfo = array()

private

Definition at line 170 of file OpenIDConnectClient.php.

◆ $verifiedClaims

Jumbojett\OpenIDConnectClient::$verifiedClaims = array()

protected

Definition at line 211 of file OpenIDConnectClient.php.

◆ $verifyHost

Jumbojett\OpenIDConnectClient::$verifyHost = true

private

Definition at line 130 of file OpenIDConnectClient.php.

◆ $verifyPeer

Jumbojett\OpenIDConnectClient::$verifyPeer = true

private

Definition at line 125 of file OpenIDConnectClient.php.

◆ $wellKnown

Jumbojett\OpenIDConnectClient::$wellKnown = false

private

Definition at line 185 of file OpenIDConnectClient.php.

◆ $wellKnownConfigParameters

Jumbojett\OpenIDConnectClient::$wellKnownConfigParameters = array()

private

Definition at line 191 of file OpenIDConnectClient.php.

The documentation for this class was generated from the following file:

libs/composer/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php

Public Member Functions

Protected Member Functions

Protected Attributes

Private Member Functions

Static Private Member Functions

Private Attributes

Detailed Description

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ addAdditionalJwk()

◆ addAuthParam()

◆ addRegistrationParam()

◆ addScope()

◆ authenticate()

◆ canVerifySignatures()

◆ commitSession()

◆ decodeJWT()

◆ fetchURL()

◆ generateRandString()

◆ get_key_for_header()

◆ getAccessToken()

◆ getAccessTokenHeader()

◆ getAccessTokenPayload()

◆ getAllowImplicitFlow()

◆ getAuthParams()

◆ getCertPath()

◆ getClientID()

◆ getClientName()

◆ getClientSecret()

◆ getCodeChallengeMethod()

◆ getCodeVerifier()

◆ getIdToken()

◆ getIdTokenHeader()

◆ getIdTokenPayload()

◆ getIssuer()

◆ getIssuerValidator()

◆ getLeeway()

◆ getNonce()

◆ getProviderConfigValue()

◆ getProviderURL()

◆ getRedirectURL()

◆ getRefreshToken()

◆ getResponseCode()

◆ getResponseTypes()

◆ getScopes()

◆ getSessionKey()

◆ getState()

◆ getTimeout()

◆ getTokenResponse()

◆ getVerifiedClaims()

◆ getVerifyHost()

◆ getVerifyPeer()

◆ getWellKnownConfigValue()

◆ getWellKnownIssuer()

◆ hashEquals()

◆ introspectToken()

◆ providerConfigParam()

◆ redirect()

◆ refreshToken()

◆ register()

◆ requestAuthorization()

◆ requestClientCredentialsToken()

◆ requestResourceOwnerToken()

◆ requestTokens()

◆ requestUserInfo()

◆ revokeToken()

◆ safeLength()

◆ setAccessToken()

◆ setAllowImplicitFlow()

◆ setCertPath()

◆ setClientID()

◆ setClientName()

◆ setClientSecret()

◆ setCodeChallengeMethod()

◆ setCodeVerifier()

◆ setHttpProxy()

◆ setIssuer()

◆ setIssuerValidator()

◆ setNonce()