ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
Jumbojett\OpenIDConnectClient Class Reference

Require the CURL and JSON PHP extensions to be installed. More...


Public Member Functions

 __construct ($provider_url=null, $client_id=null, $client_secret=null, $issuer=null)
 
 setProviderURL ($provider_url)
 
 setIssuer ($issuer)
 
 setResponseTypes ($response_types)
 
 authenticate ()
 
 signOut ($accessToken, $redirect)
 It calls the end-session endpoint of the OpenID Connect provider to notify the OpenID Connect provider that the end-user has logged out of the relying party site (the client application). More...
 
 addScope ($scope)
 
 addAuthParam ($param)
 
 addRegistrationParam ($param)
 
 setWellKnownConfigParameters (array $params=[])
 Set optional parameters for .well-known/openid-configuration. More...
 
 setRedirectURL ($url)
 
 getRedirectURL ()
 Gets the URL of the current page we are on, encodes, and returns it. More...
 
 requestClientCredentialsToken ()
 Requests a client credentials token. More...
 
 requestResourceOwnerToken ($bClientAuth=FALSE)
 Requests a resource owner token (Defined in https://tools.ietf.org/html/rfc6749#section-4.3) More...
 
 refreshToken ($refresh_token)
 Requests Access token with refresh token. More...
 
 verifyJWTsignature ($jwt)
 
 requestUserInfo ($attribute=null)
 
 getVerifiedClaims ($attribute=null)
 
 getWellKnownIssuer ($appendSlash=false)
 
 getIssuer ()
 
 getProviderURL ()
 
 redirect ($url)
 
 setHttpProxy ($httpProxy)
 
 setCertPath ($certPath)
 
 getCertPath ()
 
 setVerifyPeer ($verifyPeer)
 
 setVerifyHost ($verifyHost)
 
 getVerifyHost ()
 
 getVerifyPeer ()
 
 setIssuerValidator ($issuerValidator)
 Use this for custom issuer validation. The given function should accept the issuer string from the JWT claim as the only argument and return true if the issuer is valid, otherwise return false. More...
 
 setAllowImplicitFlow ($allowImplicitFlow)
 
 getAllowImplicitFlow ()
 
 providerConfigParam ($array)
 Use this to alter a provider's endpoints and other attributes. More...
 
 setClientSecret ($clientSecret)
 
 setClientID ($clientID)
 
 register ()
 Dynamic registration. More...
 
 introspectToken ($token, $token_type_hint='', $clientId=null, $clientSecret=null)
 Introspect a given token - either access token or refresh token. More...
 
 revokeToken ($token, $token_type_hint='', $clientId=null, $clientSecret=null)
 Revoke a given token - either access token or refresh token. More...
 
 getClientName ()
 
 setClientName ($clientName)
 
 getClientID ()
 
 getClientSecret ()
 
 canVerifySignatures ()
 
 setAccessToken ($accessToken)
 Set the access token. More...
 
 getAccessToken ()
 
 getRefreshToken ()
 
 getIdToken ()
 
 getAccessTokenHeader ()
 
 getAccessTokenPayload ()
 
 getIdTokenHeader ()
 
 getIdTokenPayload ()
 
 getTokenResponse ()
 
 getResponseCode ()
 Get the response code from last action/curl request. More...
 
 setTimeout ($timeout)
 Set timeout (seconds) More...
 
 getTimeout ()
 
 setUrlEncoding ($curEncoding)
 
 getScopes ()
 
 getResponseTypes ()
 
 getAuthParams ()
 
 getIssuerValidator ()
 
 getLeeway ()
 
 getCodeChallengeMethod ()
 
 setCodeChallengeMethod ($codeChallengeMethod)
 

Protected Member Functions

 addAdditionalJwk ($jwk)
 
 getProviderConfigValue ($param, $default=null)
 Gets anything we need configuration-wise, including endpoints and other values. More...
 
 generateRandString ()
 Used for arbitrary value generation for nonces and state. More...
 
 requestTokens ($code)
 Requests ID and Access tokens. More...
 
 verifyJWTclaims ($claims, $accessToken=null)
 
 urlEncode ($str)
 
 decodeJWT ($jwt, $section=0)
 
 fetchURL ($url, $post_body=null, $headers=array())
 
 setNonce ($nonce)
 Stores nonce. More...
 
 getNonce ()
 Get stored nonce. More...
 
 unsetNonce ()
 Cleanup nonce. More...
 
 setState ($state)
 Stores $state. More...
 
 getState ()
 Get stored state. More...
 
 unsetState ()
 Cleanup state. More...
 
 setCodeVerifier ($codeVerifier)
 Stores $codeVerifier. More...
 
 getCodeVerifier ()
 Get stored codeVerifier. More...
 
 unsetCodeVerifier ()
 Cleanup codeVerifier. More...
 
 startSession ()
 Use session to manage a nonce. More...
 
 commitSession ()
 
 getSessionKey ($key)
 
 setSessionKey ($key, $value)
 
 unsetSessionKey ($key)
 

Protected Attributes

 $accessToken
 
 $idToken
 
 $timeOut = 60
 
 $verifiedClaims = array()
 
 $enc_type = PHP_QUERY_RFC1738
 

Private Member Functions

 getWellKnownConfigValue ($param, $default=null)
 Gets anything we need configuration-wise, including endpoints and other values. More...
 
 requestAuthorization ()
 Start Here. More...
 
 get_key_for_header ($keys, $header)
 
 verifyRSAJWTsignature ($hashtype, $key, $payload, $signature, $signatureType)
 
 verifyHMACJWTsignature ($hashtype, $key, $payload, $signature)
 

Static Private Member Functions

static safeLength ($str)
 Safely calculate length of binary string. More...
 
static hashEquals ($str1, $str2)
 Where hash_equals is not available, this provides a timing-attack safe string comparison. More...
 

Private Attributes

 $clientID
 
 $clientName
 
 $clientSecret
 
 $providerConfig = array()
 
 $httpProxy
 
 $certPath
 
 $verifyPeer = true
 
 $verifyHost = true
 
 $refreshToken
 
 $tokenResponse
 
 $scopes = array()
 
 $responseCode
 
 $responseTypes = array()
 
 $userInfo = array()
 
 $authParams = array()
 
 $registrationParams = array()
 
 $wellKnown = false
 
 $wellKnownConfigParameters = array()
 
 $leeway = 300
 
 $additionalJwks = array()
 
 $issuerValidator
 
 $allowImplicitFlow = false
 
 $redirectURL
 
 $codeChallengeMethod = false
 
 $pkceAlgs = array('S256' => 'sha256', 'plain' => false)
 

Detailed Description

Require the CURL and JSON PHP extensions to be installed.

Please note this class stores nonces by default in $_SESSION['openid_connect_nonce'].

Definition at line 89 of file OpenIDConnectClient.php.

Constructor & Destructor Documentation

◆ __construct()

Jumbojett\OpenIDConnectClient::__construct ($provider_url = null, $client_id = null, $client_secret = null, $issuer = null)
Parameters
string $provider_url optional
string $client_id optional
string $client_secret optional
string|null $issuer optional (defaults to $provider_url)

Definition at line 247 of file OpenIDConnectClient.php.

247 {
248 $this->setProviderURL($provider_url);
249 if ($issuer === null) {
250 $this->setIssuer($provider_url);
251 } else {
252 $this->setIssuer($issuer);
253 }
254
255 $this->clientID = $client_id;
256 $this->clientSecret = $client_secret;
257
258 $this->issuerValidator = function($iss){
259 return ($iss === $this->getIssuer() || $iss === $this->getWellKnownIssuer() || $iss === $this->getWellKnownIssuer(true));
260 };
261 }

Member Function Documentation

◆ addAdditionalJwk()

Jumbojett\OpenIDConnectClient::addAdditionalJwk ($jwk)
protected
Parameters
object $jwk - example: (object) array('kid' => ..., 'nbf' => ..., 'use' => 'sig', 'kty' => "RSA", 'e' => "", 'n' => "")

Definition at line 481 of file OpenIDConnectClient.php.

481 {
482 $this->additionalJwks[] = $jwk;
483 }

◆ addAuthParam()

Jumbojett\OpenIDConnectClient::addAuthParam ($param)
Parameters
array $param - example: prompt=login

Definition at line 467 of file OpenIDConnectClient.php.

467 {
468 $this->authParams = array_merge($this->authParams, (array)$param);
469 }

◆ addRegistrationParam()

Jumbojett\OpenIDConnectClient::addRegistrationParam ($param)
Parameters
array $param - example: post_logout_redirect_uris=[http://example.com/successful-logout]

Definition at line 474 of file OpenIDConnectClient.php.

474 {
475 $this->registrationParams = array_merge($this->registrationParams, (array)$param);
476 }

◆ addScope()

Jumbojett\OpenIDConnectClient::addScope ($scope)
Parameters
array $scope - example: openid, given_name, etc...

Definition at line 460 of file OpenIDConnectClient.php.

460 {
461 $this->scopes = array_merge($this->scopes, (array)$scope);
462 }

◆ authenticate()

Jumbojett\OpenIDConnectClient::authenticate ( )
Returns
bool
Exceptions
OpenIDConnectClientException

Definition at line 288 of file OpenIDConnectClient.php.

288 {
289
290 // Do a preemptive check to see if the provider has thrown an error from a previous redirect
291 if (isset($_REQUEST['error'])) {
292 $desc = isset($_REQUEST['error_description']) ? ' Description: ' . $_REQUEST['error_description'] : '';
293 throw new OpenIDConnectClientException('Error: ' . $_REQUEST['error'] .$desc);
294 }
295
296 // If we have an authorization code then proceed to request a token
297 if (isset($_REQUEST['code'])) {
298
299 $code = $_REQUEST['code'];
300 $token_json = $this->requestTokens($code);
301
302 // Throw an error if the server returns one
303 if (isset($token_json->error)) {
304 if (isset($token_json->error_description)) {
305 throw new OpenIDConnectClientException($token_json->error_description);
306 }
307 throw new OpenIDConnectClientException('Got response: ' . $token_json->error);
308 }
309
310 // Do an OpenID Connect session check
311 if ($_REQUEST['state'] !== $this->getState()) {
312 throw new OpenIDConnectClientException('Unable to determine state');
313 }
314
315 // Cleanup state
316 $this->unsetState();
317
318 if (!property_exists($token_json, 'id_token')) {
319 throw new OpenIDConnectClientException('User did not authorize openid scope.');
320 }
321
322 $claims = $this->decodeJWT($token_json->id_token, 1);
323
324 // Verify the signature
325 if ($this->canVerifySignatures()) {
326 if (!$this->getProviderConfigValue('jwks_uri')) {
327 throw new OpenIDConnectClientException ('Unable to verify signature due to no jwks_uri being defined');
328 }
329 if (!$this->verifyJWTsignature($token_json->id_token)) {
330 throw new OpenIDConnectClientException ('Unable to verify signature');
331 }
332 } else {
333 user_error('Warning: JWT signature verification unavailable.');
334 }
335
336 // Save the id token
337 $this->idToken = $token_json->id_token;
338
339 // Save the access token
340 $this->accessToken = $token_json->access_token;
341
342 // If this is a valid claim
343 if ($this->verifyJWTclaims($claims, $token_json->access_token)) {
344
345 // Clean up the session a little
346 $this->unsetNonce();
347
348 // Save the full response
349 $this->tokenResponse = $token_json;
350
351 // Save the verified claims
352 $this->verifiedClaims = $claims;
353
354 // Save the refresh token, if we got one
355 if (isset($token_json->refresh_token)) {
356 $this->refreshToken = $token_json->refresh_token;
357 }
358
359 // Success!
360 return true;
361
362 }
363
364 throw new OpenIDConnectClientException ('Unable to verify JWT claims');
365 }
366
367 if ($this->allowImplicitFlow && isset($_REQUEST['id_token'])) {
368 // if we have no code but an id_token use that
369 $id_token = $_REQUEST['id_token'];
370
371 $accessToken = null;
372 if (isset($_REQUEST['access_token'])) {
373 $accessToken = $_REQUEST['access_token'];
374 }
375
376 // Do an OpenID Connect session check
377 if ($_REQUEST['state'] !== $this->getState()) {
378 throw new OpenIDConnectClientException('Unable to determine state');
379 }
380
381 // Cleanup state
382 $this->unsetState();
383
384 $claims = $this->decodeJWT($id_token, 1);
385
386 // Verify the signature
387 if ($this->canVerifySignatures()) {
388 if (!$this->getProviderConfigValue('jwks_uri')) {
389 throw new OpenIDConnectClientException ('Unable to verify signature due to no jwks_uri being defined');
390 }
391 if (!$this->verifyJWTsignature($id_token)) {
392 throw new OpenIDConnectClientException ('Unable to verify signature');
393 }
394 } else {
395 user_error('Warning: JWT signature verification unavailable.');
396 }
397
398 // Save the id token
399 $this->idToken = $id_token;
400
401 // If this is a valid claim
402 if ($this->verifyJWTclaims($claims, $accessToken)) {
403
404 // Clean up the session a little
405 $this->unsetNonce();
406
407 // Save the verified claims
408 $this->verifiedClaims = $claims;
409
410 // Save the access token
411 if ($accessToken) {
412 $this->accessToken = $accessToken;
413 }
414
415 // Success!
416 return true;
417
418 }
419
420 throw new OpenIDConnectClientException ('Unable to verify JWT claims');
421 }
422
423 $this->requestAuthorization();
424 return false;
425
426 }
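
A relying-party page that drives the authorization-code path of authenticate() shown above, as an added example that is not part of the library or of this reference page. The provider URL, client credentials, redirect URL and CA bundle path are placeholders, and a Composer autoloader is assumed.

```php
<?php
// Added example, not the library's own code. Placeholders: provider URL, client
// id/secret, redirect URL, CA bundle path. Assumes vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;
use Jumbojett\OpenIDConnectClientException;

$oidc = new OpenIDConnectClient(
    'https://op.example.invalid',   // placeholder provider URL (discovery base)
    'CLIENT_ID_PLACEHOLDER',
    'CLIENT_SECRET_PLACEHOLDER',
    'https://op.example.invalid'    // explicit issuer: pins the accepted iss claim
);

// Pin redirect_uri instead of letting getRedirectURL() derive it from the
// Host / X-Forwarded-* headers of the incoming request.
$oidc->setRedirectURL('https://rp.example.invalid/callback');

// TLS settings consumed by fetchURL(): keep peer and host verification on and
// point CURLOPT_CAINFO at a known bundle (path is a placeholder).
$oidc->setVerifyPeer(true);
$oidc->setVerifyHost(true);
$oidc->setCertPath('/etc/ssl/certs/ca-certificates.crt');

// Authorization-code flow with PKCE (S256); implicit flow stays disabled (default).
$oidc->setResponseTypes(['code']);
$oidc->setCodeChallengeMethod('S256');
$oidc->addScope(['openid', 'profile', 'email']);
$oidc->addAuthParam(['prompt' => 'login']);

// authenticate() only raises user_error() when no RSA implementation is loaded and
// then accepts the id_token without a signature check; fail closed instead.
if (!$oidc->canVerifySignatures()) {
    http_response_code(500);
    exit('JWT signature verification unavailable: install phpseclib.');
}

try {
    // First request: redirects to the provider and exits (requestAuthorization()).
    // Callback request (?code=...&state=...): exchanges the code, checks state,
    // verifies the id_token signature and claims, then returns true.
    $oidc->authenticate();
} catch (OpenIDConnectClientException $e) {
    http_response_code(401);
    exit('Login failed: ' . htmlspecialchars($e->getMessage()));
}

// Only claims that passed verifyJWTsignature()/verifyJWTclaims() are exposed here.
$subject = $oidc->getVerifiedClaims('sub');
$issuer  = $oidc->getVerifiedClaims('iss');
$email   = $oidc->requestUserInfo('email');   // userinfo endpoint, bearer access token

// Key the local session on the (iss, sub) pair, never on the email address alone.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
session_regenerate_id(true);
$_SESSION['user'] = ['iss' => $issuer, 'sub' => $subject, 'email' => $email];
```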

◆ canVerifySignatures()

Jumbojett\OpenIDConnectClient::canVerifySignatures ( )
Returns
bool

Definition at line 1496 of file OpenIDConnectClient.php.

1496 {
1497 return class_exists('\phpseclib\Crypt\RSA') || class_exists('Crypt_RSA');
1498 }

◆ commitSession()

Jumbojett\OpenIDConnectClient::commitSession ( )
protected

Definition at line 1727 of file OpenIDConnectClient.php.

1727 {
1728 $this->startSession();
1729
1730 session_write_close();
1731 }

◆ decodeJWT()

Jumbojett\OpenIDConnectClient::decodeJWT ($jwt, $section = 0)
protected
Parameters
string $jwt encoded JWT
int $section the section we would like to decode
Returns
object

Definition at line 1027 of file OpenIDConnectClient.php.

1027 {
1028
1029 $parts = explode('.', $jwt);
1030 return json_decode(base64url_decode($parts[$section]));
1031 }
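
decodeJWT() above splits on '.' and decodes whatever sits at $parts[$section]; a token with the wrong number of parts or non-base64url content produces a notice and null rather than an error. The following added example (not the library's code; function names are hypothetical, PHP 7.1+) is a strict counterpart that rejects malformed compact serializations. Decoding is not verification: nothing here checks the signature.

```php
<?php
// Added example, not the library's decodeJWT(). Strict parsing of a JWS compact
// serialization; the signature is still unverified after this (see verifyJWTsignature()).

/** Strict base64url decoding (RFC 7515 §2): no padding, no '+' or '/', no whitespace. */
function strict_base64url_decode(string $data): ?string
{
    if ($data === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $data)) {
        return null;
    }
    $padded  = strtr($data, '-_', '+/') . str_repeat('=', (4 - strlen($data) % 4) % 4);
    $decoded = base64_decode($padded, true);
    return $decoded === false ? null : $decoded;
}

/**
 * Split a JWS compact serialization into exactly three parts and decode one of them.
 * $section 0 = header, 1 = payload (claims), both returned as JSON objects;
 * section 2 is the raw signature and is returned as a binary string.
 */
function decode_jwt_section_strict(string $jwt, int $section = 0)
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3 || $section < 0 || $section > 2) {
        throw new InvalidArgumentException('Not a three-part JWS compact serialization');
    }
    $raw = strict_base64url_decode($parts[$section]);
    if ($raw === null) {
        throw new InvalidArgumentException("JWT section {$section} is not valid base64url");
    }
    if ($section === 2) {
        return $raw;
    }
    $obj = json_decode($raw, false, 32, JSON_BIGINT_AS_STRING);
    if (json_last_error() !== JSON_ERROR_NONE || !is_object($obj)) {
        throw new InvalidArgumentException("JWT section {$section} is not a JSON object");
    }
    return $obj;
}

// Constructed sample token: header {"alg":"RS256","kid":"k1"}, a payload with
// iss/sub/exp, and a dummy signature. Syntactically a JWS, not a signed one.
$b64url  = function (string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); };
$header  = $b64url('{"alg":"RS256","kid":"k1"}');
$payload = $b64url('{"iss":"https://op.example.invalid","sub":"alice","exp":4102444800}');
$sample  = $header . '.' . $payload . '.c2lnbmF0dXJl';

$hdr    = decode_jwt_section_strict($sample, 0);
$claims = decode_jwt_section_strict($sample, 1);
printf("alg=%s kid=%s sub=%s exp=%d\n", $hdr->alg, $hdr->kid, $claims->sub, $claims->exp);

// Malformed inputs that the page's decodeJWT() would turn into null plus a notice:
foreach (['only.two', 'a.b.c.d', $header . '.not+base64url.sig'] as $bad) {
    try {
        decode_jwt_section_strict($bad, 1);
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```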

◆ fetchURL()

Jumbojett\OpenIDConnectClient::fetchURL ($url, $post_body = null, $headers = array())
protected
Parameters
string $url
string|null $post_body If this is set the request method will be POST
array $headers Extra headers to be sent with the request. Format as 'NameHeader: ValueHeader'
Exceptions
OpenIDConnectClientException
Returns
mixed

Sets the CA certificate bundle when certPath is configured; SSL peer and host verification follow the verifyPeer and verifyHost settings.

Definition at line 1129 of file OpenIDConnectClient.php.

1129 {
1130
1131
1132 // OK cool - then let's create a new cURL resource handle
1133 $ch = curl_init();
1134
1135 // Determine whether this is a GET or POST
1136 if ($post_body !== null) {
1137 // curl_setopt($ch, CURLOPT_POST, 1);
1138 // Alows to keep the POST method even after redirect
1139 curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
1140 curl_setopt($ch, CURLOPT_POSTFIELDS, $post_body);
1141
1142 // Default content type is form encoded
1143 $content_type = 'application/x-www-form-urlencoded';
1144
1145 // Determine if this is a JSON payload and add the appropriate content type
1146 if (is_object(json_decode($post_body))) {
1147 $content_type = 'application/json';
1148 }
1149
1150 // Add POST-specific headers
1151 $headers[] = "Content-Type: {$content_type}";
1152
1153 }
1154
1155 // If we set some headers include them
1156 if(count($headers) > 0) {
1157 curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
1158 }
1159
1160 // Set URL to download
1161 curl_setopt($ch, CURLOPT_URL, $url);
1162
1163 if (isset($this->httpProxy)) {
1164 curl_setopt($ch, CURLOPT_PROXY, $this->httpProxy);
1165 }
1166
1167 // Include header in result? (0 = yes, 1 = no)
1168 curl_setopt($ch, CURLOPT_HEADER, 0);
1169
1170 // Allows to follow redirect
1171 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
1172
1177 if (isset($this->certPath)) {
1178 curl_setopt($ch, CURLOPT_CAINFO, $this->certPath);
1179 }
1180
1181 if($this->verifyHost) {
1182 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
1183 } else {
1184 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
1185 }
1186
1187 if($this->verifyPeer) {
1188 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
1189 } else {
1190 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
1191 }
1192
1193 // Should cURL return or print out the data? (true = return, false = print)
1194 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
1195
1196 // Timeout in seconds
1197 curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeOut);
1198
1199 // Download the given URL, and return output
1200 $output = curl_exec($ch);
1201
1202 // HTTP Response code from server may be required from subclass
1203 $info = curl_getinfo($ch);
1204 $this->responseCode = $info['http_code'];
1205
1206 if ($output === false) {
1207 throw new OpenIDConnectClientException('Curl error: (' . curl_errno($ch) . ') ' . curl_error($ch));
1208 }
1209
1210 // Close the cURL resource, and free system resources
1211 curl_close($ch);
1212
1213 return $output;
1214 }

◆ generateRandString()

Jumbojett\OpenIDConnectClient::generateRandString ( )
protected

Used for arbitrary value generation for nonces and state.

Returns
string
Exceptions
OpenIDConnectClientException

Definition at line 615 of file OpenIDConnectClient.php.

615 {
616 // Error and Exception need to be caught in this order, see https://github.com/paragonie/random_compat/blob/master/README.md
617 // random_compat polyfill library should be removed if support for PHP versions < 7 is dropped
618 try {
619 return \bin2hex(\random_bytes(16));
620 } catch (Error $e) {
621 throw new OpenIDConnectClientException('Random token generation failed.');
622 } catch (Exception $e) {
623 throw new OpenIDConnectClientException('Random token generation failed.');
624 };
625 }

◆ get_key_for_header()

Jumbojett\OpenIDConnectClient::get_key_for_header ($keys, $header)
private
Parameters
array $keys
array $header
Exceptions
OpenIDConnectClientException
Returns
object

Definition at line 833 of file OpenIDConnectClient.php.

833 {
834 foreach ($keys as $key) {
835 if ($key->kty === 'RSA') {
836 if (!isset($header->kid) || $key->kid === $header->kid) {
837 return $key;
838 }
839 } else {
840 if (isset($key->alg) && $key->alg === $header->alg && $key->kid === $header->kid) {
841 return $key;
842 }
843 }
844 }
845 if ($this->additionalJwks) {
846 foreach ($this->additionalJwks as $key) {
847 if ($key->kty === 'RSA') {
848 if (!isset($header->kid) || $key->kid === $header->kid) {
849 return $key;
850 }
851 } else {
852 if (isset($key->alg) && $key->alg === $header->alg && $key->kid === $header->kid) {
853 return $key;
854 }
855 }
856 }
857 }
858 if (isset($header->kid)) {
859 throw new OpenIDConnectClientException('Unable to find a key for (algorithm, kid):' . $header->alg . ', ' . $header->kid . ')');
860 }
861
862 throw new OpenIDConnectClientException('Unable to find a key for RSA');
863 }

◆ getAccessToken()

Jumbojett\OpenIDConnectClient::getAccessToken ( )
Returns
string

Definition at line 1515 of file OpenIDConnectClient.php.

1515 {
1516 return $this->accessToken;
1517 }

◆ getAccessTokenHeader()

Jumbojett\OpenIDConnectClient::getAccessTokenHeader ( )
Returns
object

Definition at line 1536 of file OpenIDConnectClient.php.

1536 {
1537 return $this->decodeJWT($this->accessToken);
1538 }

◆ getAccessTokenPayload()

Jumbojett\OpenIDConnectClient::getAccessTokenPayload ( )
Returns
object

Definition at line 1543 of file OpenIDConnectClient.php.

1543 {
1544 return $this->decodeJWT($this->accessToken, 1);
1545 }

◆ getAllowImplicitFlow()

Jumbojett\OpenIDConnectClient::getAllowImplicitFlow ( )
Returns
bool

Definition at line 1332 of file OpenIDConnectClient.php.

◆ getAuthParams()

Jumbojett\OpenIDConnectClient::getAuthParams ( )
Returns
array

Definition at line 1788 of file OpenIDConnectClient.php.

◆ getCertPath()

Jumbojett\OpenIDConnectClient::getCertPath ( )
Returns
string|null

Definition at line 1276 of file OpenIDConnectClient.php.

◆ getClientID()

Jumbojett\OpenIDConnectClient::getClientID ( )
Returns
string

Definition at line 1482 of file OpenIDConnectClient.php.

◆ getClientName()

Jumbojett\OpenIDConnectClient::getClientName ( )
Returns
string

Definition at line 1468 of file OpenIDConnectClient.php.

◆ getClientSecret()

Jumbojett\OpenIDConnectClient::getClientSecret ( )
Returns
string

Definition at line 1489 of file OpenIDConnectClient.php.


◆ getCodeChallengeMethod()

Jumbojett\OpenIDConnectClient::getCodeChallengeMethod ( )
Returns
string

Definition at line 1812 of file OpenIDConnectClient.php.

◆ getCodeVerifier()

Jumbojett\OpenIDConnectClient::getCodeVerifier ( )
protected

Get stored codeVerifier.

Returns
string

Definition at line 1642 of file OpenIDConnectClient.php.

1642 {
1643 return $this->getSessionKey('openid_connect_code_verifier');
1644 }

◆ getIdToken()

Jumbojett\OpenIDConnectClient::getIdToken ( )
Returns
string

Definition at line 1529 of file OpenIDConnectClient.php.

◆ getIdTokenHeader()

Jumbojett\OpenIDConnectClient::getIdTokenHeader ( )
Returns
object

Definition at line 1550 of file OpenIDConnectClient.php.

1550 {
1551 return $this->decodeJWT($this->idToken);
1552 }

◆ getIdTokenPayload()

Jumbojett\OpenIDConnectClient::getIdTokenPayload ( )
Returns
object

Definition at line 1557 of file OpenIDConnectClient.php.

1557 {
1558 return $this->decodeJWT($this->idToken, 1);
1559 }

◆ getIssuer()

Jumbojett\OpenIDConnectClient::getIssuer ( )
Returns
string
Exceptions
OpenIDConnectClientException

Definition at line 1230 of file OpenIDConnectClient.php.

1230 {
1231
1232 if (!isset($this->providerConfig['issuer'])) {
1233 throw new OpenIDConnectClientException('The issuer has not been set');
1234 }
1235
1236 return $this->providerConfig['issuer'];
1237 }

◆ getIssuerValidator()

Jumbojett\OpenIDConnectClient::getIssuerValidator ( )
Returns
callable

Definition at line 1796 of file OpenIDConnectClient.php.

◆ getLeeway()

Jumbojett\OpenIDConnectClient::getLeeway ( )
Returns
int

Definition at line 1804 of file OpenIDConnectClient.php.

◆ getNonce()

Jumbojett\OpenIDConnectClient::getNonce ( )
protected

Get stored nonce.

Returns
string

Definition at line 1584 of file OpenIDConnectClient.php.

1584 {
1585 return $this->getSessionKey('openid_connect_nonce');
1586 }

◆ getProviderConfigValue()

Jumbojett\OpenIDConnectClient::getProviderConfigValue ($param, $default = null)
protected

Gets anything we need configuration-wise, including endpoints and other values.

Parameters
string $param
string $default optional
Exceptions
OpenIDConnectClientException
Returns
string

Definition at line 494 of file OpenIDConnectClient.php.

494 {
495
496 // If the configuration value is not available, attempt to fetch it from a well known config endpoint
497 // This is also known as auto "discovery"
498 if (!isset($this->providerConfig[$param])) {
499 $this->providerConfig[$param] = $this->getWellKnownConfigValue($param, $default);
500 }
501
502 return $this->providerConfig[$param];
503 }

◆ getProviderURL()

Jumbojett\OpenIDConnectClient::getProviderURL ( )
Returns
mixed
Exceptions
OpenIDConnectClientException

Definition at line 1243 of file OpenIDConnectClient.php.

1243 {
1244 if (!isset($this->providerConfig['providerUrl'])) {
1245 throw new OpenIDConnectClientException('The provider URL has not been set');
1246 }
1247
1248 return $this->providerConfig['providerUrl'];
1249 }

◆ getRedirectURL()

Jumbojett\OpenIDConnectClient::getRedirectURL ( )

Gets the URL of the current page we are on, encodes, and returns it.

Returns
string

Thank you http://stackoverflow.com/questions/189113/how-do-i-get-current-page-full-url-in-php-on-a-windows-iis-server

Definition at line 568 of file OpenIDConnectClient.php.

568 {
569
570 // If the redirect URL has been set then return it.
571 if (property_exists($this, 'redirectURL') && $this->redirectURL) {
572 return $this->redirectURL;
573 }
574
575 // Otherwise return the URL of the current page
576
582 /*
583 * Compatibility with multiple host headers.
584 * Resolves the cases of SSL over port 80 and non-SSL over port 443.
585 * Support of 'ProxyReverse' configurations.
586 */
587
588 if (isset($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']) && ($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS'] === '1')) {
589 $protocol = 'https';
590 } else {
591 $protocol = @$_SERVER['HTTP_X_FORWARDED_PROTO']
592 ?: @$_SERVER['REQUEST_SCHEME']
593 ?: ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https' : 'http');
594 }
595
596 $port = @intval($_SERVER['HTTP_X_FORWARDED_PORT'])
597 ?: @intval($_SERVER['SERVER_PORT'])
598 ?: (($protocol === 'https') ? 443 : 80);
599
600 $host = @explode(':', $_SERVER['HTTP_HOST'])[0]
601 ?: @$_SERVER['SERVER_NAME']
602 ?: @$_SERVER['SERVER_ADDR'];
603
604 $port = (443 === $port) || (80 === $port) ? '' : ':' . $port;
605
606 return sprintf('%s://%s%s/%s', $protocol, $host, $port, @trim(reset(explode('?', $_SERVER['REQUEST_URI'])), '/'));
607 }

◆ getRefreshToken()

Jumbojett\OpenIDConnectClient::getRefreshToken ( )
Returns
string

Definition at line 1522 of file OpenIDConnectClient.php.

◆ getResponseCode()

Jumbojett\OpenIDConnectClient::getResponseCode ( )

Get the response code from last action/curl request.

Returns
int

Definition at line 1660 of file OpenIDConnectClient.php.

◆ getResponseTypes()

Jumbojett\OpenIDConnectClient::getResponseTypes ( )
Returns
array

Definition at line 1780 of file OpenIDConnectClient.php.

◆ getScopes()

Jumbojett\OpenIDConnectClient::getScopes ( )
Returns
array

Definition at line 1772 of file OpenIDConnectClient.php.

◆ getSessionKey()

Jumbojett\OpenIDConnectClient::getSessionKey ($key)
protected

Definition at line 1733 of file OpenIDConnectClient.php.

1733 {
1734 $this->startSession();
1735
1736 return $_SESSION[$key];
1737 }

◆ getState()

Jumbojett\OpenIDConnectClient::getState ( )
protected

Get stored state.

Returns
string

Definition at line 1613 of file OpenIDConnectClient.php.

1613 {
1614 return $this->getSessionKey('openid_connect_state');
1615 }

◆ getTimeout()

Jumbojett\OpenIDConnectClient::getTimeout ( )
Returns
int

Definition at line 1678 of file OpenIDConnectClient.php.

◆ getTokenResponse()

Jumbojett\OpenIDConnectClient::getTokenResponse ( )
Returns
string

Definition at line 1564 of file OpenIDConnectClient.php.

◆ getVerifiedClaims()

Jumbojett\OpenIDConnectClient::getVerifiedClaims ($attribute = null)
Parameters
string|null $attribute optional

Attribute   Type    Description
exp         int     Expires at
nbf         int     Not before
ver         string  Version
iss         string  Issuer
sub         string  Subject
aud         string  Audience
nonce       string  Nonce
iat         int     Issued At
auth_time   int     Authentication time
oid         string  Object id

Returns
mixed

Definition at line 1109 of file OpenIDConnectClient.php.

1109 {
1110
1111 if($attribute === null) {
1112 return $this->verifiedClaims;
1113 }
1114
1115 if (property_exists($this->verifiedClaims, $attribute)) {
1116 return $this->verifiedClaims->$attribute;
1117 }
1118
1119 return null;
1120 }
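
The claims in the table above are what verifyJWTclaims() has to accept before getVerifiedClaims() will return them. As an added example (not the library's verifyJWTclaims(); names are hypothetical, PHP 7.2+), the following stand-alone checker applies the ID-token rules of OpenID Connect Core 3.1.3.7 to a decoded claims object, using the class's default leeway of 300 seconds and a callable in the role of setIssuerValidator().

```php
<?php
// Added example, not the library's code. Checks iss, aud/azp, exp, nbf, iat, nonce and
// at_hash on a claims object such as decodeJWT($jwt, 1) returns. Sample data is constructed.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/**
 * Returns the list of failed checks; an empty list means the claims are accepted.
 * $issuerValidator mirrors setIssuerValidator(): callable(string $iss): bool.
 */
function check_id_token_claims(
    object $claims,
    string $clientId,
    callable $issuerValidator,
    ?string $expectedNonce,
    ?string $accessToken = null,
    string $alg = 'RS256',
    int $leeway = 300,
    ?int $now = null
): array {
    $now      = $now ?? time();
    $failures = [];

    if (!isset($claims->iss) || !$issuerValidator((string)$claims->iss)) {
        $failures[] = 'iss';
    }
    // aud may be a string or an array; it must contain this client_id.
    $aud = isset($claims->aud) ? (array)$claims->aud : [];
    if (!in_array($clientId, $aud, true)) {
        $failures[] = 'aud';
    }
    // With several audiences, azp must be present and equal to this client_id.
    if (count($aud) > 1 && (!isset($claims->azp) || $claims->azp !== $clientId)) {
        $failures[] = 'azp';
    }
    if (!isset($claims->exp) || !is_int($claims->exp) || $claims->exp + $leeway <= $now) {
        $failures[] = 'exp';
    }
    if (isset($claims->nbf) && $claims->nbf - $leeway > $now) {
        $failures[] = 'nbf';
    }
    if (!isset($claims->iat) || $claims->iat - $leeway > $now) {
        $failures[] = 'iat';
    }
    // nonce binds the token to the authorization request this client started.
    if ($expectedNonce !== null
        && (!isset($claims->nonce) || !hash_equals($expectedNonce, (string)$claims->nonce))) {
        $failures[] = 'nonce';
    }
    // at_hash: base64url of the left half of hash(access_token); the hash function
    // follows the alg suffix (RS256 -> sha256, RS384 -> sha384, RS512 -> sha512).
    if ($accessToken !== null && isset($claims->at_hash)) {
        $bits     = (int)substr($alg, -3);
        $hash     = hash('sha' . $bits, $accessToken, true);
        $expected = b64url(substr($hash, 0, intdiv(strlen($hash), 2)));
        if (!hash_equals($expected, (string)$claims->at_hash)) {
            $failures[] = 'at_hash';
        }
    }
    return $failures;
}

// Constructed sample claims object (what decodeJWT($jwt, 1) would return).
$issuer = 'https://op.example.invalid';
$token  = 'constructed-access-token';
$claims = (object)[
    'iss' => $issuer, 'sub' => 'alice',
    'aud' => ['rp-client', 'other-client'], 'azp' => 'rp-client',
    'exp' => 1700003600, 'iat' => 1700000000, 'nonce' => 'n-123',
    'at_hash' => b64url(substr(hash('sha256', $token, true), 0, 16)),
];
$validator = function (string $iss) use ($issuer): bool { return $iss === $issuer; };

// Accepted: correct client, inside the validity window -> []
var_dump(check_id_token_claims($claims, 'rp-client', $validator, 'n-123', $token, 'RS256', 300, 1700000100));
// Same token presented to another client after expiry -> ['aud', 'azp', 'exp']
var_dump(check_id_token_claims($claims, 'another-rp', $validator, 'n-123', $token, 'RS256', 300, 1700010000));
```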

◆ getVerifyHost()

Jumbojett\OpenIDConnectClient::getVerifyHost ( )
Returns
bool

Definition at line 1298 of file OpenIDConnectClient.php.

◆ getVerifyPeer()

Jumbojett\OpenIDConnectClient::getVerifyPeer ( )
Returns
bool

Definition at line 1306 of file OpenIDConnectClient.php.

◆ getWellKnownConfigValue()

Jumbojett\OpenIDConnectClient::getWellKnownConfigValue ($param, $default = null)
private

Gets anything we need configuration-wise, including endpoints and other values.

Parameters
string $param
string $default optional
Exceptions
OpenIDConnectClientException
Returns
string

Definition at line 514 of file OpenIDConnectClient.php.

514 {
515
516 // If the configuration value is not available, attempt to fetch it from a well known config endpoint
517 // This is also known as auto "discovery"
518 if(!$this->wellKnown) {
519 $well_known_config_url = rtrim($this->getProviderURL(), '/') . '/.well-known/openid-configuration';
520 if (count($this->wellKnownConfigParameters) > 0){
521 $well_known_config_url .= '?' . http_build_query($this->wellKnownConfigParameters) ;
522 }
523 $this->wellKnown = json_decode($this->fetchURL($well_known_config_url));
524 }
525
526 $value = false;
527 if(isset($this->wellKnown->{$param})){
528 $value = $this->wellKnown->{$param};
529 }
530
531 if ($value) {
532 return $value;
533 }
534
535 if (isset($default)) {
536 // Uses default value if provided
537 return $default;
538 }
539
540 throw new OpenIDConnectClientException("The provider {$param} could not be fetched. Make sure your provider has a well known configuration available.");
541 }

◆ getWellKnownIssuer()

Jumbojett\OpenIDConnectClient::getWellKnownIssuer ($appendSlash = false)
Parameters
bool $appendSlash
Returns
string
Exceptions
OpenIDConnectClientException

Definition at line 1221 of file OpenIDConnectClient.php.

1221 {
1222
1223 return $this->getWellKnownConfigValue('issuer') . ($appendSlash ? '/' : '');
1224 }

◆ hashEquals()

static Jumbojett\OpenIDConnectClient::hashEquals ($str1, $str2)
staticprivate

Where hash_equals is not available, this provides a timing-attack safe string comparison.

Parameters
string $str1
string $str2
Returns
bool

Definition at line 1702 of file OpenIDConnectClient.php.

1703 {
1704 $len1=static::safeLength($str1);
1705 $len2=static::safeLength($str2);
1706
1707 //compare strings without any early abort...
1708 $len = min($len1, $len2);
1709 $status = 0;
1710 for ($i = 0; $i < $len; $i++) {
1711 $status |= (ord($str1[$i]) ^ ord($str2[$i]));
1712 }
1713 //if strings were different lengths, we fail
1714 $status |= ($len1 ^ $len2);
1715 return ($status === 0);
1716 }

◆ introspectToken()

Jumbojett\OpenIDConnectClient::introspectToken ($token, $token_type_hint = '', $clientId = null, $clientSecret = null)

Introspect a given token - either access token or refresh token.

See also
https://tools.ietf.org/html/rfc7662
Parameters
string $token
string $token_type_hint
string|null $clientId
string|null $clientSecret
Returns
mixed
Exceptions
OpenIDConnectClientException

Definition at line 1414 of file OpenIDConnectClient.php.

1414 {
1415 $introspection_endpoint = $this->getProviderConfigValue('introspection_endpoint');
1416
1417 $post_data = array(
1418 'token' => $token,
1419 );
1420 if ($token_type_hint) {
1421 $post_data['token_type_hint'] = $token_type_hint;
1422 }
1425
1426 // Convert token params to string format
1427 $post_params = http_build_query($post_data, null, '&');
1428 $headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)),
1429 'Accept: application/json'];
1430
1431 return json_decode($this->fetchURL($introspection_endpoint, $post_params, $headers));
1432 }

◆ providerConfigParam()

Jumbojett\OpenIDConnectClient::providerConfigParam ($array)

Use this to alter a provider's endpoints and other attributes.

Parameters
array $array simple key => value

Definition at line 1344 of file OpenIDConnectClient.php.

1344 {
1345 $this->providerConfig = array_merge($this->providerConfig, $array);
1346 }

◆ redirect()

Jumbojett\OpenIDConnectClient::redirect (   $url)
Parameters
string $url

Definition at line 1254 of file OpenIDConnectClient.php.

{
    header('Location: ' . $url);
    exit;
}

◆ refreshToken()

Jumbojett\OpenIDConnectClient::refreshToken (   $refresh_token)

Requests Access token with refresh token.

Parameters
string $refresh_token
Returns
mixed
Exceptions
OpenIDConnectClientException

Definition at line 799 of file OpenIDConnectClient.php.

{
    $token_endpoint = $this->getProviderConfigValue('token_endpoint');

    $grant_type = 'refresh_token';

    $token_params = array(
        'grant_type' => $grant_type,
        'refresh_token' => $refresh_token,
        'client_id' => $this->clientID,
        'client_secret' => $this->clientSecret,
    );

    // Convert token params to string format
    $token_params = http_build_query($token_params, null, '&', $this->enc_type);

    $json = json_decode($this->fetchURL($token_endpoint, $token_params));

    if (isset($json->access_token)) {
        $this->accessToken = $json->access_token;
    }

    if (isset($json->refresh_token)) {
        $this->refreshToken = $json->refresh_token;
    }

    return $json;
}

◆ register()

Jumbojett\OpenIDConnectClient::register ( )

Dynamic registration.

Exceptions
OpenIDConnectClientException

Definition at line 1368 of file OpenIDConnectClient.php.

{

    $registration_endpoint = $this->getProviderConfigValue('registration_endpoint');

    $send_object = (object) array_merge($this->registrationParams, array(
        'redirect_uris' => array($this->getRedirectURL()),
        'client_name' => $this->getClientName()
    ));

    $response = $this->fetchURL($registration_endpoint, json_encode($send_object));

    $json_response = json_decode($response);

    // Throw some errors if we encounter them
    // json_decode() returns null (not false) when the body is not valid JSON
    if ($json_response === null) {
        throw new OpenIDConnectClientException('Error registering: JSON response received from the server was invalid.');
    }

    if (isset($json_response->{'error_description'})) {
        throw new OpenIDConnectClientException($json_response->{'error_description'});
    }

    $this->setClientID($json_response->{'client_id'});

    // The OpenID Connect Dynamic registration protocol makes the client secret optional
    // and provides a registration access token and URI endpoint if it is not present
    if (isset($json_response->{'client_secret'})) {
        $this->setClientSecret($json_response->{'client_secret'});
    } else {
        throw new OpenIDConnectClientException('Error registering:
            Please contact the OpenID Connect provider and obtain a Client ID and Secret directly from them');
    }

}

◆ requestAuthorization()

Jumbojett\OpenIDConnectClient::requestAuthorization ( )
private

Start Here.

Returns
void
Exceptions
OpenIDConnectClientException

Definition at line 632 of file OpenIDConnectClient.php.

{

    $auth_endpoint = $this->getProviderConfigValue('authorization_endpoint');
    $response_type = 'code';

    // Generate and store a nonce in the session
    // The nonce is an arbitrary value
    $nonce = $this->setNonce($this->generateRandString());

    // State essentially acts as a session key for OIDC
    $state = $this->setState($this->generateRandString());

    $auth_params = array_merge($this->authParams, array(
        'response_type' => $response_type,
        'redirect_uri' => $this->getRedirectURL(),
        'client_id' => $this->clientID,
        'nonce' => $nonce,
        'state' => $state,
        'scope' => 'openid'
    ));

    // If the client has been registered with additional scopes
    if (count($this->scopes) > 0) {
        $auth_params = array_merge($auth_params, array('scope' => implode(' ', array_merge($this->scopes, array('openid')))));
    }

    // If the client has been registered with additional response types
    if (count($this->responseTypes) > 0) {
        $auth_params = array_merge($auth_params, array('response_type' => implode(' ', $this->responseTypes)));
    }

    // If the client supports Proof Key for Code Exchange (PKCE)
    if (!empty($this->getCodeChallengeMethod()) && in_array($this->getCodeChallengeMethod(), $this->getProviderConfigValue('code_challenge_methods_supported'))) {
        $codeVerifier = bin2hex(random_bytes(64));
        $this->setCodeVerifier($codeVerifier);
        if (!empty($this->pkceAlgs[$this->getCodeChallengeMethod()])) {
            $codeChallenge = rtrim(strtr(base64_encode(hash($this->pkceAlgs[$this->getCodeChallengeMethod()], $codeVerifier, true)), '+/', '-_'), '=');
        } else {
            $codeChallenge = $codeVerifier;
        }
        $auth_params = array_merge($auth_params, array(
            'code_challenge' => $codeChallenge,
            'code_challenge_method' => $this->getCodeChallengeMethod()
        ));
    }

    $auth_endpoint .= (strpos($auth_endpoint, '?') === false ? '?' : '&') . http_build_query($auth_params, null, '&', $this->enc_type);

    $this->commitSession();
    $this->redirect($auth_endpoint);
}
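The PKCE branch of requestAuthorization() above derives code_challenge from a freshly generated verifier and only sends it when the provider's code_challenge_methods_supported lists the chosen method. The following is an added example, not code from this page or from the jumbojett library: a Python reimplementation of that derivation, checked against the RFC 7636 Appendix B test vector. The function names, and the token-endpoint-side check verify_code_verifier, are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Same mapping as the page's $pkceAlgs: 'S256' hashes the verifier, 'plain' sends it as-is.
PKCE_ALGS: Dict[str, Optional[str]] = {"S256": "sha256", "plain": None}


def generate_code_verifier() -> str:
    """64 random bytes, hex-encoded (128 characters), as requestAuthorization() does.

    RFC 7636 allows verifiers of 43..128 unreserved characters, so this is the maximum length.
    """
    return secrets.token_hex(64)


def code_challenge(verifier: str, method: str) -> str:
    """Derive code_challenge from the verifier with the chosen method."""
    if method not in PKCE_ALGS:
        raise ValueError(f"unsupported code_challenge_method: {method}")
    digest_name = PKCE_ALGS[method]
    if digest_name is None:
        return verifier  # 'plain': the challenge is the verifier itself
    digest = hashlib.new(digest_name, verifier.encode("ascii")).digest()
    # base64url without padding: rtrim(strtr(base64_encode(...), '+/', '-_'), '=')
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_params(
    client_id: str,
    redirect_uri: str,
    nonce: str,
    state: str,
    scopes: List[str],
    response_types: List[str],
    code_challenge_method: Optional[str],
    provider_methods_supported: List[str],
) -> Tuple[Dict[str, str], Optional[str]]:
    """Assemble the authorization-request parameters the way requestAuthorization() does.

    Returns the parameters plus the code_verifier that must be kept in the session
    for the later token request (None when PKCE is not used).
    """
    params = {
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "nonce": nonce,
        "state": state,
        "scope": "openid",
    }
    if scopes:
        params["scope"] = " ".join(list(scopes) + ["openid"])
    if response_types:
        params["response_type"] = " ".join(response_types)

    verifier = None
    # PKCE is only added when the provider advertises the chosen method
    if code_challenge_method and code_challenge_method in provider_methods_supported:
        verifier = generate_code_verifier()
        params["code_challenge"] = code_challenge(verifier, code_challenge_method)
        params["code_challenge_method"] = code_challenge_method
    return params, verifier


def verify_code_verifier(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """The check the token endpoint performs when the code is redeemed (RFC 7636 section 4.6)."""
    expected = code_challenge(presented_verifier, method)
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))
```

The verifier returned by build_authorization_params is what the page stores through setCodeVerifier() and later sends as code_verifier from requestTokens(); it must never appear in the authorization request itself. 'plain' only makes sense when a provider does not offer S256, since it lets anyone who observes the authorization request redeem the code.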

◆ requestClientCredentialsToken()

Jumbojett\OpenIDConnectClient::requestClientCredentialsToken ( )

Requests a client credentials token.

Exceptions
OpenIDConnectClientException

Definition at line 689 of file OpenIDConnectClient.php.

{
    $token_endpoint = $this->getProviderConfigValue('token_endpoint');

    $headers = [];

    $grant_type = 'client_credentials';

    $post_data = array(
        'grant_type' => $grant_type,
        'client_id' => $this->clientID,
        'client_secret' => $this->clientSecret,
        'scope' => implode(' ', $this->scopes)
    );

    // Convert token params to string format
    $post_params = http_build_query($post_data, null, '&', $this->enc_type);

    return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
}

◆ requestResourceOwnerToken()

Jumbojett\OpenIDConnectClient::requestResourceOwnerToken (   $bClientAuth = FALSE)

Requests a resource owner token (Defined in https://tools.ietf.org/html/rfc6749#section-4.3)

Parameters
boolean $bClientAuth   Indicates that the Client ID and Secret be used for client authentication
Returns
mixed
Exceptions
OpenIDConnectClientException

Definition at line 718 of file OpenIDConnectClient.php.

{
    $token_endpoint = $this->getProviderConfigValue('token_endpoint');

    $headers = [];

    $grant_type = 'password';

    $post_data = array(
        'grant_type' => $grant_type,
        'username' => $this->authParams['username'],
        'password' => $this->authParams['password'],
        'scope' => implode(' ', $this->scopes)
    );

    // For client authentication include the client values
    if ($bClientAuth) {
        $post_data['client_id'] = $this->clientID;
        $post_data['client_secret'] = $this->clientSecret;
    }

    // Convert token params to string format
    $post_params = http_build_query($post_data, null, '&', $this->enc_type);

    return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
}

◆ requestTokens()

Jumbojett\OpenIDConnectClient::requestTokens (   $code)
protected

Requests ID and Access tokens.

Parameters
string $code
Returns
mixed
Exceptions
OpenIDConnectClientException

Definition at line 752 of file OpenIDConnectClient.php.

{
    $token_endpoint = $this->getProviderConfigValue('token_endpoint');
    $token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);

    $headers = [];

    $grant_type = 'authorization_code';

    $token_params = array(
        'grant_type' => $grant_type,
        'code' => $code,
        'redirect_uri' => $this->getRedirectURL(),
        'client_id' => $this->clientID,
        'client_secret' => $this->clientSecret
    );

    # Consider Basic authentication if provider config is set this way
    if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported, true)) {
        $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
        unset($token_params['client_secret']);
        unset($token_params['client_id']);
    }

    // A PKCE client is treated as a public client: it sends client_id and the
    // code_verifier, and no client secret at all
    if (!empty($this->getCodeChallengeMethod()) && !empty($this->getCodeVerifier())) {
        $headers = [];
        unset($token_params['client_secret']);
        $token_params = array_merge($token_params, array(
            'client_id' => $this->clientID,
            'code_verifier' => $this->getCodeVerifier()
        ));
    }

    // Convert token params to string format
    $token_params = http_build_query($token_params, null, '&', $this->enc_type);

    $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers));

    // Source line 789, dropped from this listing: hand the decoded response back
    return $this->tokenResponse;
}

◆ requestUserInfo()

Jumbojett\OpenIDConnectClient::requestUserInfo (   $attribute = null)
Parameters
string|null $attribute   optional

Attribute       Type         Description
user_id         string       REQUIRED. Identifier for the End-User at the Issuer.
name            string       End-User's full name in displayable form including all name parts, ordered according to End-User's locale and preferences.
given_name      string       Given name or first name of the End-User.
family_name     string       Surname or last name of the End-User.
middle_name     string       Middle name of the End-User.
nickname        string       Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.
profile         string       URL of End-User's profile page.
picture         string       URL of the End-User's profile picture.
website         string       URL of End-User's web page or blog.
email           string       The End-User's preferred e-mail address.
verified        boolean      True if the End-User's e-mail address has been verified; otherwise false.
gender          string       The End-User's gender: Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.
birthday        string       The End-User's birthday, represented as a date string in MM/DD/YYYY format. The year MAY be 0000, indicating that it is omitted.
zoneinfo        string       String from zoneinfo [zoneinfo] time zone database. For example, Europe/Paris or America/Los_Angeles.
locale          string       The End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639-1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166-1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Implementations MAY choose to accept this locale syntax as well.
phone_number    string       The End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim. For example, +1 (425) 555-1212 or +56 (2) 687 2400.
address         JSON object  The End-User's preferred address. The value of the address member is a JSON [RFC4627] structure containing some or all of the members defined in Section 2.4.2.1.
updated_time    string       Time the End-User's information was last updated, represented as a RFC 3339 [RFC3339] datetime. For example, 2011-01-03T23:58:42+0000.

Returns
mixed
Exceptions
OpenIDConnectClientException

Definition at line 1061 of file OpenIDConnectClient.php.

{

    $user_info_endpoint = $this->getProviderConfigValue('userinfo_endpoint');
    $schema = 'openid';

    $user_info_endpoint .= '?schema=' . $schema;

    // The accessToken has to be sent in the Authorization header.
    // Accept json to indicate response type
    $headers = ["Authorization: Bearer {$this->accessToken}",
        'Accept: application/json'];

    $user_json = json_decode($this->fetchURL($user_info_endpoint, null, $headers));
    if ($this->getResponseCode() <> 200) {
        throw new OpenIDConnectClientException('The communication to retrieve user data has failed with status code ' . $this->getResponseCode());
    }
    $this->userInfo = $user_json;

    if ($attribute === null) {
        return $this->userInfo;
    }

    if (property_exists($this->userInfo, $attribute)) {
        return $this->userInfo->$attribute;
    }

    return null;
}

◆ revokeToken()

Jumbojett\OpenIDConnectClient::revokeToken (   $token,
  $token_type_hint = '',
  $clientId = null,
  $clientSecret = null 
)

Revoke a given token - either access token or refresh token.

See also
https://tools.ietf.org/html/rfc7009
Parameters
string $token
string $token_type_hint
string|null $clientId
string|null $clientSecret
Returns
mixed
Exceptions
OpenIDConnectClientException

Definition at line 1445 of file OpenIDConnectClient.php.

{
    $revocation_endpoint = $this->getProviderConfigValue('revocation_endpoint');

    $post_data = array(
        'token' => $token,
    );
    if ($token_type_hint) {
        $post_data['token_type_hint'] = $token_type_hint;
    }
    // Source lines 1454-1455, dropped from this listing: fall back to the
    // client's own credentials when none are passed explicitly
    $clientId = $clientId !== null ? $clientId : $this->clientID;
    $clientSecret = $clientSecret !== null ? $clientSecret : $this->clientSecret;

    // Convert token params to string format
    $post_params = http_build_query($post_data, null, '&');
    $headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)),
        'Accept: application/json'];

    return json_decode($this->fetchURL($revocation_endpoint, $post_params, $headers));
}

◆ safeLength()

static Jumbojett\OpenIDConnectClient::safeLength (   $str)
staticprivate

Safely calculate length of binary string.

Parameters
string $str
Returns
int

Definition at line 1688 of file OpenIDConnectClient.php.

{
    if (function_exists('mb_strlen')) {
        return mb_strlen($str, '8bit');
    }
    return strlen($str);
}

◆ setAccessToken()

Jumbojett\OpenIDConnectClient::setAccessToken (   $accessToken)

Set the access token.

May be required for subclasses of this Client.

Parameters
string $accessToken
Returns
void

Definition at line 1508 of file OpenIDConnectClient.php.

{
    $this->accessToken = $accessToken;
}

◆ setAllowImplicitFlow()

Jumbojett\OpenIDConnectClient::setAllowImplicitFlow (   $allowImplicitFlow)
Parameters
bool $allowImplicitFlow

Definition at line 1325 of file OpenIDConnectClient.php.

{
    $this->allowImplicitFlow = $allowImplicitFlow;
}

◆ setCertPath()

Jumbojett\OpenIDConnectClient::setCertPath (   $certPath)
Parameters
string $certPath

Definition at line 1269 of file OpenIDConnectClient.php.

{
    $this->certPath = $certPath;
}

◆ setClientID()

Jumbojett\OpenIDConnectClient::setClientID (   $clientID)
Parameters
string $clientID

Definition at line 1358 of file OpenIDConnectClient.php.

{
    $this->clientID = $clientID;
}

◆ setClientName()

Jumbojett\OpenIDConnectClient::setClientName (   $clientName)
Parameters
string $clientName

Definition at line 1475 of file OpenIDConnectClient.php.

{
    $this->clientName = $clientName;
}

◆ setClientSecret()

Jumbojett\OpenIDConnectClient::setClientSecret (   $clientSecret)
Parameters
string $clientSecret

Definition at line 1351 of file OpenIDConnectClient.php.

{
    $this->clientSecret = $clientSecret;
}

◆ setCodeChallengeMethod()

Jumbojett\OpenIDConnectClient::setCodeChallengeMethod (   $codeChallengeMethod)
Parameters
string $codeChallengeMethod

Definition at line 1819 of file OpenIDConnectClient.php.

{
    $this->codeChallengeMethod = $codeChallengeMethod;
}

◆ setCodeVerifier()

Jumbojett\OpenIDConnectClient::setCodeVerifier (   $codeVerifier)
protected

Stores $codeVerifier.

Parameters
string $codeVerifier
Returns
string

Definition at line 1632 of file OpenIDConnectClient.php.

{
    $this->setSessionKey('openid_connect_code_verifier', $codeVerifier);
    return $codeVerifier;
}

◆ setHttpProxy()

Jumbojett\OpenIDConnectClient::setHttpProxy (   $httpProxy)
Parameters
string $httpProxy

Definition at line 1262 of file OpenIDConnectClient.php.

{
    $this->httpProxy = $httpProxy;
}

◆ setIssuer()

Jumbojett\OpenIDConnectClient::setIssuer (   $issuer)
Parameters
$issuer

Definition at line 273 of file OpenIDConnectClient.php.

{
    $this->providerConfig['issuer'] = $issuer;
}

◆ setIssuerValidator()

Jumbojett\OpenIDConnectClient::setIssuerValidator (   $issuerValidator)

Use this for custom issuer validation. The given function should accept the issuer string from the JWT claim as the only argument and return true if the issuer is valid, otherwise return false.

Parameters
callable $issuerValidator

Definition at line 1318 of file OpenIDConnectClient.php.

{
    $this->issuerValidator = $issuerValidator;
}

◆ setNonce()

Jumbojett\OpenIDConnectClient::setNonce (   $nonce)
protected

Stores nonce.

Parameters
string $nonce
Returns
string

Definition at line 1574 of file OpenIDConnectClient.php.

{
    $this->setSessionKey('openid_connect_nonce', $nonce);
    return $nonce;
}

◆ setProviderURL()

Jumbojett\OpenIDConnectClient::setProviderURL (   $provider_url)
Parameters
$provider_url

Definition at line 266 of file OpenIDConnectClient.php.

{
    $this->providerConfig['providerUrl'] = $provider_url;
}

◆ setRedirectURL()

Jumbojett\OpenIDConnectClient::setRedirectURL (   $url)
Parameters
string $url   Sets redirect URL for auth flow

Definition at line 557 of file OpenIDConnectClient.php.

{
    if (parse_url($url, PHP_URL_HOST) !== false) {
        $this->redirectURL = $url;
    }
}

◆ setResponseTypes()

Jumbojett\OpenIDConnectClient::setResponseTypes (   $response_types)
Parameters
$response_types

Definition at line 280 of file OpenIDConnectClient.php.

{
    $this->responseTypes = array_merge($this->responseTypes, (array)$response_types);
}

◆ setSessionKey()

Jumbojett\OpenIDConnectClient::setSessionKey (   $key,
  $value 
)
protected

Definition at line 1739 of file OpenIDConnectClient.php.

{
    $this->startSession();

    $_SESSION[$key] = $value;
}

◆ setState()

Jumbojett\OpenIDConnectClient::setState (   $state)
protected

Stores $state.

Parameters
string $state
Returns
string

Definition at line 1603 of file OpenIDConnectClient.php.

{
    $this->setSessionKey('openid_connect_state', $state);
    return $state;
}

◆ setTimeout()

Jumbojett\OpenIDConnectClient::setTimeout (   $timeout)

Set timeout (seconds)

Parameters
int $timeout

Definition at line 1670 of file OpenIDConnectClient.php.

{
    $this->timeOut = $timeout;
}

◆ setUrlEncoding()

Jumbojett\OpenIDConnectClient::setUrlEncoding (   $curEncoding)

Definition at line 1751 of file OpenIDConnectClient.php.

{
    switch ($curEncoding) {
        case PHP_QUERY_RFC1738:
            $this->enc_type = PHP_QUERY_RFC1738;
            break;

        case PHP_QUERY_RFC3986:
            $this->enc_type = PHP_QUERY_RFC3986;
            break;

        default:
            break;
    }

}

◆ setVerifyHost()

Jumbojett\OpenIDConnectClient::setVerifyHost (   $verifyHost)
Parameters
bool $verifyHost

Definition at line 1291 of file OpenIDConnectClient.php.

{
    $this->verifyHost = $verifyHost;
}

◆ setVerifyPeer()

Jumbojett\OpenIDConnectClient::setVerifyPeer (   $verifyPeer)
Parameters
bool $verifyPeer

Definition at line 1284 of file OpenIDConnectClient.php.

{
    $this->verifyPeer = $verifyPeer;
}

◆ setWellKnownConfigParameters()

Jumbojett\OpenIDConnectClient::setWellKnownConfigParameters ( array  $params = [])

Set optional parameters for .well-known/openid-configuration.

Parameters
array $params

Definition at line 549 of file OpenIDConnectClient.php.

{
    $this->wellKnownConfigParameters = $params;
}

◆ signOut()

Jumbojett\OpenIDConnectClient::signOut (   $accessToken,
  $redirect 
)

It calls the end-session endpoint of the OpenID Connect provider to notify the OpenID Connect provider that the end-user has logged out of the relying party site (the client application).

Parameters
string $accessToken   ID token (obtained at login)
string|null $redirect   URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. The value MUST have been previously registered with the OP. Value can be null.
Exceptions
OpenIDConnectClientException

Definition at line 440 of file OpenIDConnectClient.php.

{
    $signout_endpoint = $this->getProviderConfigValue('end_session_endpoint');

    $signout_params = null;
    if ($redirect === null) {
        $signout_params = array('id_token_hint' => $accessToken);
    } else {
        $signout_params = array(
            'id_token_hint' => $accessToken,
            'post_logout_redirect_uri' => $redirect);
    }

    $signout_endpoint .= (strpos($signout_endpoint, '?') === false ? '?' : '&') . http_build_query($signout_params, null, '&', $this->enc_type);
    $this->redirect($signout_endpoint);
}

◆ startSession()

Jumbojett\OpenIDConnectClient::startSession ( )
protected

Use session to manage a nonce.

Definition at line 1721 of file OpenIDConnectClient.php.

{
    if (!isset($_SESSION)) {
        @session_start();
    }
}

◆ unsetCodeVerifier()

Jumbojett\OpenIDConnectClient::unsetCodeVerifier ( )
protected

Cleanup code verifier.

Returns
void

Definition at line 1651 of file OpenIDConnectClient.php.

{
    $this->unsetSessionKey('openid_connect_code_verifier');
}

◆ unsetNonce()

Jumbojett\OpenIDConnectClient::unsetNonce ( )
protected

Cleanup nonce.

Returns
void

Definition at line 1593 of file OpenIDConnectClient.php.

{
    $this->unsetSessionKey('openid_connect_nonce');
}

◆ unsetSessionKey()

Jumbojett\OpenIDConnectClient::unsetSessionKey (   $key)
protected

Definition at line 1745 of file OpenIDConnectClient.php.

{
    $this->startSession();

    unset($_SESSION[$key]);
}

◆ unsetState()

Jumbojett\OpenIDConnectClient::unsetState ( )
protected

Cleanup state.

Returns
void

Definition at line 1622 of file OpenIDConnectClient.php.

{
    $this->unsetSessionKey('openid_connect_state');
}

◆ urlEncode()

Jumbojett\OpenIDConnectClient::urlEncode (   $str)
protected
Parameters
string $str
Returns
string

Definition at line 1015 of file OpenIDConnectClient.php.

{
    $enc = base64_encode($str);
    $enc = rtrim($enc, '=');
    $enc = strtr($enc, '+/', '-_');
    return $enc;
}

◆ verifyHMACJWTsignature()

Jumbojett\OpenIDConnectClient::verifyHMACJWTsignature (   $hashtype,
  $key,
  $payload,
  $signature 
)
private
Parameters
string $hashtype
object $key
$payload
$signature
Returns
bool
Exceptions
OpenIDConnectClientException

Definition at line 918 of file OpenIDConnectClient.php.

{
    if (!function_exists('hash_hmac')) {
        throw new OpenIDConnectClientException('hash_hmac support unavailable.');
    }

    $expected = hash_hmac($hashtype, $payload, $key, true);

    if (function_exists('hash_equals')) {
        return hash_equals($signature, $expected);
    }

    return self::hashEquals($signature, $expected);
}

◆ verifyJWTclaims()

Jumbojett\OpenIDConnectClient::verifyJWTclaims (   $claims,
  $accessToken = null 
)
protected
Parameters
object $claims
string|null $accessToken
Returns
bool

Definition at line 991 of file OpenIDConnectClient.php.

{
    if (isset($claims->at_hash) && isset($accessToken)) {
        if (isset($this->getIdTokenHeader()->alg) && $this->getIdTokenHeader()->alg !== 'none') {
            $bit = substr($this->getIdTokenHeader()->alg, 2, 3);
        } else {
            // TODO: Error case. throw exception???
            $bit = '256';
        }
        $len = ((int)$bit) / 16;
        $expected_at_hash = $this->urlEncode(substr(hash('sha' . $bit, $accessToken, true), 0, $len));
    }
    return (($this->issuerValidator->__invoke($claims->iss))
        && (($claims->aud === $this->clientID) || in_array($this->clientID, $claims->aud, true))
        && ($claims->nonce === $this->getNonce())
        && ( !isset($claims->exp) || ((gettype($claims->exp) === 'integer') && ($claims->exp >= time() - $this->leeway)))
        && ( !isset($claims->nbf) || ((gettype($claims->nbf) === 'integer') && ($claims->nbf <= time() + $this->leeway)))
        && ( !isset($claims->at_hash) || $claims->at_hash === $expected_at_hash )
    );
}

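verifyJWTclaims() above folds the issuer, audience, nonce, exp/nbf (with leeway) and at_hash checks into a single boolean. The following is an added example, not code from this page or from the jumbojett library: a Python port of that check with the at_hash derivation spelled out. expected_at_hash and verify_claims are this example's own names, the clock is injected through now so the leeway logic can be exercised deterministically, and the at_hash comparison uses a constant-time compare where the page uses ===.

```python
import base64
import hashlib
import hmac
import time
from typing import Any, Callable, Dict, Optional


def b64url_encode(raw: bytes) -> str:
    """Same transformation as the page's urlEncode(): base64url without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def expected_at_hash(access_token: str, id_token_alg: str) -> str:
    """at_hash per OpenID Connect Core 3.1.3.6: hash the access token with the hash
    matching the ID token's alg (RS256 -> SHA-256), keep the left-most half of the
    digest and base64url-encode it.

    The page takes substr(alg, 2, 3) for the bit size and falls back to '256' for
    alg 'none'; this version refuses an alg it cannot size instead.
    """
    bits = id_token_alg[2:5]
    if bits not in ("256", "384", "512"):
        raise ValueError(f"cannot derive at_hash size from alg {id_token_alg!r}")
    digest = hashlib.new("sha" + bits, access_token.encode("ascii")).digest()
    return b64url_encode(digest[: int(bits) // 16])  # 256 bits / 16 = 16 bytes = half of 32


def verify_claims(
    claims: Dict[str, Any],
    client_id: str,
    expected_nonce: Optional[str],
    issuer_valid: Callable[[str], bool],
    id_token_alg: str = "RS256",
    access_token: Optional[str] = None,
    leeway: int = 300,
    now: Optional[int] = None,
) -> bool:
    """Every check must pass; a missing exp/nbf is tolerated, as on the page, and a
    present at_hash must match the access token that came with the ID token."""
    now = int(time.time()) if now is None else now

    if not issuer_valid(claims.get("iss", "")):
        return False

    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        return False

    if claims.get("nonce") != expected_nonce:
        return False

    exp = claims.get("exp")
    if exp is not None and not (isinstance(exp, int) and exp >= now - leeway):
        return False  # expired beyond the leeway, or not an integer timestamp

    nbf = claims.get("nbf")
    if nbf is not None and not (isinstance(nbf, int) and nbf <= now + leeway):
        return False  # not yet valid, or not an integer timestamp

    if "at_hash" in claims:
        if access_token is None:
            # the page ends up comparing against an unset variable here, which also fails
            return False
        expected = expected_at_hash(access_token, id_token_alg)
        presented = str(claims["at_hash"]).encode("utf-8")
        if not hmac.compare_digest(presented, expected.encode("ascii")):
            return False
    return True
```

The at_hash check is what binds the access token delivered alongside the ID token to that ID token: a swapped access token fails the comparison even though its own signature may be fine. The leeway of 300 seconds matches the page's $leeway default.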

◆ verifyJWTsignature()

Jumbojett\OpenIDConnectClient::verifyJWTsignature (   $jwt)
Parameters
string $jwt   encoded JWT
Exceptions
OpenIDConnectClientException
Returns
bool

Definition at line 938 of file OpenIDConnectClient.php.

{
    if (!\is_string($jwt)) {
        throw new OpenIDConnectClientException('Error token is not a string');
    }
    $parts = explode('.', $jwt);
    if (!isset($parts[0])) {
        throw new OpenIDConnectClientException('Error missing part 0 in token');
    }
    $signature = base64url_decode(array_pop($parts));
    if (false === $signature || '' === $signature) {
        throw new OpenIDConnectClientException('Error decoding signature from token');
    }
    $header = json_decode(base64url_decode($parts[0]));
    if (null === $header || !\is_object($header)) {
        throw new OpenIDConnectClientException('Error decoding JSON from token header');
    }
    $payload = implode('.', $parts);
    $jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')));
    if ($jwks === NULL) {
        throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
    }
    if (!isset($header->alg)) {
        throw new OpenIDConnectClientException('Error missing signature type in token header');
    }
    switch ($header->alg) {
        case 'RS256':
        case 'PS256':
        case 'RS384':
        case 'RS512':
            $hashtype = 'sha' . substr($header->alg, 2);
            $signatureType = $header->alg === 'PS256' ? 'PSS' : '';

            $verified = $this->verifyRSAJWTsignature($hashtype,
                $this->get_key_for_header($jwks->keys, $header),
                $payload, $signature, $signatureType);
            break;
        case 'HS256':
        case 'HS512':
        case 'HS384':
            $hashtype = 'SHA' . substr($header->alg, 2);
            $verified = $this->verifyHMACJWTsignature($hashtype, $this->getClientSecret(), $payload, $signature);
            break;
        default:
            throw new OpenIDConnectClientException('No support for signature type: ' . $header->alg);
    }
    return $verified;
}
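verifyJWTsignature() above splits the compact JWS, reads alg from the header and dispatches to the RSA or HMAC verifier; verifyHMACJWTsignature() and hashEquals() supply the HMAC computation and the constant-time comparison. The following is an added example, not code from this page or from the jumbojett library: a Python version of the parsing steps and of the HS* branch (RSA needs an external library and is left out). split_jwt, verify_hmac_jwt, is_rejected and the fixture helper sign_hmac_jwt are this example's own names. Because the token's own alg selects the verifier, the accepted set has to be an explicit allow-list, which is what the HMAC_ALGS table does here: a header announcing 'none' or an RS*/PS* algorithm is refused rather than routed anywhere.

```python
import base64
import hmac
import json
from typing import Any, Dict, Tuple


class JWTError(Exception):
    """Stands in for OpenIDConnectClientException."""


# Allow-list of algorithms this verifier handles; the page's RS*/PS* branch is not ported.
HMAC_ALGS = {"HS256": "sha256", "HS384": "sha384", "HS512": "sha512"}


def b64url_decode(data: str) -> bytes:
    """base64url with the '=' padding restored (the page's base64url_decode helper)."""
    raw = data.encode("ascii")
    return base64.urlsafe_b64decode(raw + b"=" * (-len(raw) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(jwt: Any) -> Tuple[Dict[str, Any], bytes, bytes]:
    """The parsing steps of verifyJWTsignature(): returns (header, signing_input, signature)."""
    if not isinstance(jwt, str):
        raise JWTError("Error token is not a string")
    parts = jwt.split(".")
    if len(parts) != 3:  # the page only checks for part 0; a compact JWS has exactly three parts
        raise JWTError("Error token does not have three parts")
    header_b64, payload_b64, signature_b64 = parts
    try:
        signature = b64url_decode(signature_b64)
    except ValueError:
        raise JWTError("Error decoding signature from token") from None
    if not signature:
        raise JWTError("Error decoding signature from token")
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise JWTError("Error decoding JSON from token header") from None
    if not isinstance(header, dict):
        raise JWTError("Error decoding JSON from token header")
    if "alg" not in header:
        raise JWTError("Error missing signature type in token header")
    # the signature covers the two encoded parts joined by '.', which is implode('.', $parts) on the page
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return header, signing_input, signature


def verify_hmac_jwt(jwt: str, client_secret: str) -> Dict[str, Any]:
    """Verify an HS* token with the client secret and return its claims."""
    header, signing_input, signature = split_jwt(jwt)
    alg = header["alg"]
    if alg not in HMAC_ALGS:
        raise JWTError(f"No support for signature type: {alg}")
    expected = hmac.new(client_secret.encode("utf-8"), signing_input, HMAC_ALGS[alg]).digest()
    # constant-time comparison, the role hash_equals()/hashEquals() play on the page
    if not hmac.compare_digest(signature, expected):
        raise JWTError("Signature verification failed")
    return json.loads(b64url_decode(jwt.split(".")[1]))


def is_rejected(jwt: Any, client_secret: str) -> bool:
    """True when verification raises, for exercising the failure paths."""
    try:
        verify_hmac_jwt(jwt, client_secret)
    except JWTError:
        return True
    return False


def sign_hmac_jwt(claims: Dict[str, Any], client_secret: str, alg: str = "HS256") -> str:
    """Issue a token for the tests above; a constructed fixture, not part of the page."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode("utf-8"))
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(client_secret.encode("utf-8"), signing_input, HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
```

A signature check alone says nothing about who the token is for or whether it is still valid; the claims check in verifyJWTclaims() has to follow it.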

◆ verifyRSAJWTsignature()

Jumbojett\OpenIDConnectClient::verifyRSAJWTsignature (   $hashtype,
  $key,
  $payload,
  $signature,
  $signatureType 
)
private
Parameters
string $hashtype
object $key
$payload
$signature
$signatureType
Returns
bool
Exceptions
OpenIDConnectClientException

Definition at line 875 of file OpenIDConnectClient.php.

{
    if (!class_exists('\phpseclib\Crypt\RSA') && !class_exists('Crypt_RSA')) {
        throw new OpenIDConnectClientException('Crypt_RSA support unavailable.');
    }
    if (!(property_exists($key, 'n') && property_exists($key, 'e'))) {
        throw new OpenIDConnectClientException('Malformed key object');
    }

    /* We already have base64url-encoded data, so re-encode it as
       regular base64 and use the XML key format for simplicity.
    */
    $public_key_xml = "<RSAKeyValue>\r\n" .
        ' <Modulus>' . b64url2b64($key->n) . "</Modulus>\r\n" .
        ' <Exponent>' . b64url2b64($key->e) . "</Exponent>\r\n" .
        '</RSAKeyValue>';
    if (class_exists('Crypt_RSA', false)) {
        $rsa = new Crypt_RSA();
        $rsa->setHash($hashtype);
        if ($signatureType === 'PSS') {
            $rsa->setMGFHash($hashtype);
        }
        $rsa->loadKey($public_key_xml, Crypt_RSA::PUBLIC_FORMAT_XML);
        $rsa->signatureMode = $signatureType === 'PSS' ? Crypt_RSA::SIGNATURE_PSS : Crypt_RSA::SIGNATURE_PKCS1;
    } else {
        $rsa = new \phpseclib\Crypt\RSA();
        $rsa->setHash($hashtype);
        if ($signatureType === 'PSS') {
            $rsa->setMGFHash($hashtype);
        }
        $rsa->loadKey($public_key_xml, \phpseclib\Crypt\RSA::PUBLIC_FORMAT_XML);
        $rsa->signatureMode = $signatureType === 'PSS' ? \phpseclib\Crypt\RSA::SIGNATURE_PSS : \phpseclib\Crypt\RSA::SIGNATURE_PKCS1;
    }
    return $rsa->verify($payload, $signature);
}

Field Documentation

◆ $accessToken

Jumbojett\OpenIDConnectClient::$accessToken
protected

Definition at line 135 of file OpenIDConnectClient.php.

◆ $additionalJwks

Jumbojett\OpenIDConnectClient::$additionalJwks = array()
private

Definition at line 206 of file OpenIDConnectClient.php.

◆ $allowImplicitFlow

Jumbojett\OpenIDConnectClient::$allowImplicitFlow = false
private

Definition at line 221 of file OpenIDConnectClient.php.

◆ $authParams

Jumbojett\OpenIDConnectClient::$authParams = array()
private

Definition at line 175 of file OpenIDConnectClient.php.

◆ $certPath

Jumbojett\OpenIDConnectClient::$certPath
private

Definition at line 120 of file OpenIDConnectClient.php.

◆ $clientID

Jumbojett\OpenIDConnectClient::$clientID
private

Definition at line 95 of file OpenIDConnectClient.php.

◆ $clientName

Jumbojett\OpenIDConnectClient::$clientName
private

Definition at line 100 of file OpenIDConnectClient.php.

◆ $clientSecret

Jumbojett\OpenIDConnectClient::$clientSecret
private

Definition at line 105 of file OpenIDConnectClient.php.

◆ $codeChallengeMethod

Jumbojett\OpenIDConnectClient::$codeChallengeMethod = false
private

Definition at line 233 of file OpenIDConnectClient.php.

◆ $enc_type

Jumbojett\OpenIDConnectClient::$enc_type = PHP_QUERY_RFC1738
protected

Definition at line 227 of file OpenIDConnectClient.php.

◆ $httpProxy

Jumbojett\OpenIDConnectClient::$httpProxy
private

Definition at line 115 of file OpenIDConnectClient.php.

◆ $idToken

Jumbojett\OpenIDConnectClient::$idToken
protected

Definition at line 145 of file OpenIDConnectClient.php.

◆ $issuerValidator

Jumbojett\OpenIDConnectClient::$issuerValidator
private

Definition at line 216 of file OpenIDConnectClient.php.

◆ $leeway

Jumbojett\OpenIDConnectClient::$leeway = 300
private

Definition at line 201 of file OpenIDConnectClient.php.

◆ $pkceAlgs

Jumbojett\OpenIDConnectClient::$pkceAlgs = array('S256' => 'sha256', 'plain' => false)
private

Definition at line 238 of file OpenIDConnectClient.php.

◆ $providerConfig

Jumbojett\OpenIDConnectClient::$providerConfig = array()
private

Definition at line 110 of file OpenIDConnectClient.php.

◆ $redirectURL

Jumbojett\OpenIDConnectClient::$redirectURL
private

Definition at line 225 of file OpenIDConnectClient.php.

◆ $refreshToken

Jumbojett\OpenIDConnectClient::$refreshToken
private

Definition at line 140 of file OpenIDConnectClient.php.

◆ $registrationParams

Jumbojett\OpenIDConnectClient::$registrationParams = array()
private

Definition at line 180 of file OpenIDConnectClient.php.

◆ $responseCode

Jumbojett\OpenIDConnectClient::$responseCode
private

Definition at line 160 of file OpenIDConnectClient.php.

◆ $responseTypes

Jumbojett\OpenIDConnectClient::$responseTypes = array()
private

Definition at line 165 of file OpenIDConnectClient.php.

◆ $scopes

Jumbojett\OpenIDConnectClient::$scopes = array()
private

Definition at line 155 of file OpenIDConnectClient.php.

◆ $timeOut

Jumbojett\OpenIDConnectClient::$timeOut = 60
protected

Definition at line 196 of file OpenIDConnectClient.php.

◆ $tokenResponse

Jumbojett\OpenIDConnectClient::$tokenResponse
private

Definition at line 150 of file OpenIDConnectClient.php.

◆ $userInfo

Jumbojett\OpenIDConnectClient::$userInfo = array()
private

Definition at line 170 of file OpenIDConnectClient.php.

◆ $verifiedClaims

Jumbojett\OpenIDConnectClient::$verifiedClaims = array()
protected

Definition at line 211 of file OpenIDConnectClient.php.

◆ $verifyHost

Jumbojett\OpenIDConnectClient::$verifyHost = true
private

Definition at line 130 of file OpenIDConnectClient.php.

◆ $verifyPeer

Jumbojett\OpenIDConnectClient::$verifyPeer = true
private

Definition at line 125 of file OpenIDConnectClient.php.

◆ $wellKnown

Jumbojett\OpenIDConnectClient::$wellKnown = false
private

Definition at line 185 of file OpenIDConnectClient.php.

◆ $wellKnownConfigParameters

Jumbojett\OpenIDConnectClient::$wellKnownConfigParameters = array()
private

Definition at line 191 of file OpenIDConnectClient.php.


The documentation for this class was generated from the following file: