34if (!class_exists(
'\phpseclib\Crypt\RSA') && !class_exists(
'Crypt_RSA')) {
 
   35    user_error(
'Unable to find phpseclib Crypt/RSA.php.  Ensure phpseclib is installed and in include_path before you include this file');
 
   58    $padding = strlen($base64url) % 4;
 
   60        $base64url .= str_repeat(
'=', 4 - $padding);
 
   62    return strtr($base64url, 
'-_', 
'+/');
 
   77if (!function_exists(
'curl_init')) {
 
   80if (!function_exists(
'json_decode')) {
 
   81    throw new OpenIDConnectClientException(
'OpenIDConnect needs the JSON PHP extension.');
 
  110    private $providerConfig = array();
 
  125    private $verifyPeer = 
true;
 
  130    private $verifyHost = 
true;
 
  155    private $scopes = array();
 
  165    private $responseTypes = array();
 
  170    private $userInfo = array();
 
  175    private $authParams = array();
 
  180    private $registrationParams = array();
 
  185    private $wellKnown = 
false;
 
  191    private $wellKnownConfigParameters = array();
 
  196    protected $timeOut = 60;
 
  201    private $leeway = 300;
 
  206    private $additionalJwks = array();
 
  211    protected $verifiedClaims = array();
 
  221    private $allowImplicitFlow = 
false;
 
  227    protected $enc_type = PHP_QUERY_RFC1738;
 
  233    private $codeChallengeMethod = 
false;
 
  238    private $pkceAlgs = array(
'S256' => 
'sha256', 
'plain' => 
false);
 
  248        $this->setProviderURL($provider_url);
 
  250            $this->setIssuer($provider_url);
 
  256        $this->clientSecret = $client_secret;
 
  258        $this->issuerValidator = 
function($iss){
 
  259                return ($iss === $this->getIssuer() || $iss === $this->getWellKnownIssuer() || $iss === $this->getWellKnownIssuer(
true));
 
  267        $this->providerConfig[
'providerUrl'] = $provider_url;
 
  274        $this->providerConfig[
'issuer'] = 
$issuer;
 
  281        $this->responseTypes = array_merge($this->responseTypes, (array)$response_types);
 
  291        if (isset($_REQUEST[
'error'])) {
 
  292            $desc = isset($_REQUEST[
'error_description']) ? 
' Description: ' . $_REQUEST[
'error_description'] : 
'';
 
  297        if (isset($_REQUEST[
'code'])) {
 
  299            $code = $_REQUEST[
'code'];
 
  300            $token_json = $this->requestTokens(
$code);
 
  303            if (isset($token_json->error)) {
 
  304                if (isset($token_json->error_description)) {
 
  311            if ($_REQUEST[
'state'] !== $this->getState()) {
 
  318            if (!property_exists($token_json, 
'id_token')) {
 
  322            $claims = $this->decodeJWT($token_json->id_token, 1);
 
  325            if ($this->canVerifySignatures()) {
 
  326                if (!$this->getProviderConfigValue(
'jwks_uri')) {
 
  329                if (!$this->verifyJWTsignature($token_json->id_token)) {
 
  333                user_error(
'Warning: JWT signature verification unavailable.');
 
  337            $this->idToken = $token_json->id_token;
 
  340            $this->accessToken = $token_json->access_token;
 
  343            if ($this->verifyJWTclaims($claims, $token_json->access_token)) {
 
  349                $this->tokenResponse = $token_json;
 
  352                $this->verifiedClaims = $claims;
 
  355                if (isset($token_json->refresh_token)) {
 
  356                    $this->refreshToken = $token_json->refresh_token;
 
  367        if ($this->allowImplicitFlow && isset($_REQUEST[
'id_token'])) {
 
  369            $id_token = $_REQUEST[
'id_token'];
 
  372            if (isset($_REQUEST[
'access_token'])) {
 
  373                $accessToken = $_REQUEST[
'access_token'];
 
  377            if ($_REQUEST[
'state'] !== $this->getState()) {
 
  384            $claims = $this->decodeJWT($id_token, 1);
 
  387            if ($this->canVerifySignatures()) {
 
  388                if (!$this->getProviderConfigValue(
'jwks_uri')) {
 
  391                if (!$this->verifyJWTsignature($id_token)) {
 
  395                user_error(
'Warning: JWT signature verification unavailable.');
 
  399            $this->idToken = $id_token;
 
  402            if ($this->verifyJWTclaims($claims, $accessToken)) {
 
  408                $this->verifiedClaims = $claims;
 
  412                    $this->accessToken = $accessToken;
 
  423        $this->requestAuthorization();
 
  440    public function signOut($accessToken, $redirect) {
 
  441        $signout_endpoint = $this->getProviderConfigValue(
'end_session_endpoint');
 
  443        $signout_params = 
null;
 
  444        if($redirect === 
null){
 
  445            $signout_params = array(
'id_token_hint' => $accessToken);
 
  448            $signout_params = array(
 
  449                'id_token_hint' => $accessToken,
 
  450                'post_logout_redirect_uri' => $redirect);
 
  453        $signout_endpoint  .= (strpos($signout_endpoint, 
'?') === 
false ? 
'?' : 
'&') . http_build_query( $signout_params, 
null, 
'&', $this->enc_type);
 
  454        $this->redirect($signout_endpoint);
 
  461        $this->scopes = array_merge($this->scopes, (array)$scope);
 
  468        $this->authParams = array_merge($this->authParams, (array)$param);
 
  475        $this->registrationParams = array_merge($this->registrationParams, (array)$param);
 
  482        $this->additionalJwks[] = $jwk;
 
  498        if (!isset($this->providerConfig[$param])) {
 
  499            $this->providerConfig[$param] = $this->getWellKnownConfigValue($param, 
$default);
 
  502        return $this->providerConfig[$param];
 
  518        if(!$this->wellKnown) {
 
  519            $well_known_config_url = rtrim($this->getProviderURL(), 
'/') . 
'/.well-known/openid-configuration';
 
  520            if (count($this->wellKnownConfigParameters) > 0){
 
  521                $well_known_config_url .= 
'?' .  http_build_query($this->wellKnownConfigParameters) ;
 
  523            $this->wellKnown = json_decode($this->fetchURL($well_known_config_url));
 
  527        if(isset($this->wellKnown->{$param})){
 
  528            $value = $this->wellKnown->{$param};
 
  540        throw new OpenIDConnectClientException(
"The provider {$param} could not be fetched. Make sure your provider has a well known configuration available.");
 
  550        $this->wellKnownConfigParameters=
$params;
 
  558        if (parse_url(
$url,PHP_URL_HOST) !== 
false) {
 
  559            $this->redirectURL = 
$url;
 
  571        if (property_exists($this, 
'redirectURL') && $this->redirectURL) {
 
  572            return $this->redirectURL;
 
  588        if (isset(
$_SERVER[
'HTTP_UPGRADE_INSECURE_REQUESTS']) && (
$_SERVER[
'HTTP_UPGRADE_INSECURE_REQUESTS'] === 
'1')) {
 
  593                    ?: ((isset(
$_SERVER[
'HTTPS']) && 
$_SERVER[
'HTTPS'] === 
'on') ? 
'https' : 
'http');
 
  596        $port = @intval(
$_SERVER[
'HTTP_X_FORWARDED_PORT'])
 
  600        $host = @explode(
':', 
$_SERVER[
'HTTP_HOST'])[0]
 
  604        $port = (443 === $port) || (80 === $port) ? 
'' : 
':' . $port;
 
  606        return sprintf(
'%s://%s%s/%s', 
$protocol, $host, $port, @trim(reset(explode(
'?', 
$_SERVER[
'REQUEST_URI'])), 
'/'));
 
  619            return \bin2hex(\random_bytes(16));
 
  622        } 
catch (Exception $e) {
 
  634        $auth_endpoint = $this->getProviderConfigValue(
'authorization_endpoint');
 
  635        $response_type = 
'code';
 
  639        $nonce = $this->setNonce($this->generateRandString());
 
  642        $state = $this->setState($this->generateRandString());
 
  644        $auth_params = array_merge($this->authParams, array(
 
  645            'response_type' => $response_type,
 
  646            'redirect_uri' => $this->getRedirectURL(),
 
  647            'client_id' => $this->clientID,
 
  654        if (count($this->scopes) > 0) {
 
  655            $auth_params = array_merge($auth_params, array(
'scope' => implode(
' ', array_merge($this->scopes, array(
'openid')))));
 
  659        if (count($this->responseTypes) > 0) {
 
  660            $auth_params = array_merge($auth_params, array(
'response_type' => implode(
' ', $this->responseTypes)));
 
  664        if (!empty($this->getCodeChallengeMethod()) && in_array($this->getCodeChallengeMethod(), $this->getProviderConfigValue(
'code_challenge_methods_supported'))) {
 
  665            $codeVerifier = bin2hex(random_bytes(64));
 
  666            $this->setCodeVerifier($codeVerifier);
 
  667            if (!empty($this->pkceAlgs[$this->getCodeChallengeMethod()])) {
 
  668                $codeChallenge = rtrim(strtr(base64_encode(
hash($this->pkceAlgs[$this->getCodeChallengeMethod()], $codeVerifier, 
true)), 
'+/', 
'-_'), 
'=');
 
  670                $codeChallenge = $codeVerifier;
 
  672            $auth_params = array_merge($auth_params, array(
 
  673                'code_challenge' => $codeChallenge,
 
  674                'code_challenge_method' => $this->getCodeChallengeMethod()
 
  678        $auth_endpoint .= (strpos($auth_endpoint, 
'?') === 
false ? 
'?' : 
'&') . http_build_query($auth_params, 
null, 
'&', $this->enc_type);
 
  680        $this->commitSession();
 
  681        $this->redirect($auth_endpoint);
 
  690        $token_endpoint = $this->getProviderConfigValue(
'token_endpoint');
 
  694        $grant_type = 
'client_credentials';
 
  697            'grant_type'    => $grant_type,
 
  698            'client_id'     => $this->clientID,
 
  699            'client_secret' => $this->clientSecret,
 
  700            'scope'         => implode(
' ', $this->scopes)
 
  704        $post_params = http_build_query($post_data, 
null, 
'&', $this->enc_type);
 
  706        return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
 
  719        $token_endpoint = $this->getProviderConfigValue(
'token_endpoint');
 
  723        $grant_type = 
'password';
 
  726            'grant_type'    => $grant_type,
 
  727            'username'      => $this->authParams[
'username'],
 
  728            'password'      => $this->authParams[
'password'],
 
  729            'scope'         => implode(
' ', $this->scopes)
 
  734            $post_data[
'client_id']     = $this->clientID;
 
  739        $post_params = http_build_query($post_data, 
null, 
'&', $this->enc_type);
 
  741        return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
 
  753        $token_endpoint = $this->getProviderConfigValue(
'token_endpoint');
 
  754        $token_endpoint_auth_methods_supported = $this->getProviderConfigValue(
'token_endpoint_auth_methods_supported', [
'client_secret_basic']);
 
  758        $grant_type = 
'authorization_code';
 
  760        $token_params = array(
 
  761            'grant_type' => $grant_type,
 
  763            'redirect_uri' => $this->getRedirectURL(),
 
  764            'client_id' => $this->clientID,
 
  765            'client_secret' => $this->clientSecret
 
  768        # Consider Basic authentication if provider config is set this way 
  769        if (in_array(
'client_secret_basic', $token_endpoint_auth_methods_supported, 
true)) {
 
  770            $headers = [
'Authorization: Basic ' . base64_encode(urlencode($this->clientID) . 
':' . urlencode($this->clientSecret))];
 
  771            unset($token_params[
'client_secret']);
 
  772                unset($token_params[
'client_id']);
 
  775        if (!empty($this->getCodeChallengeMethod()) && !empty($this->getCodeVerifier())) {
 
  777            unset($token_params[
'client_secret']);
 
  778            $token_params = array_merge($token_params, array(
 
  779                'client_id' => $this->clientID,
 
  780                'code_verifier' => $this->getCodeVerifier()
 
  785        $token_params = http_build_query($token_params, 
null, 
'&', $this->enc_type);
 
  787        $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers));
 
  789        return $this->tokenResponse;
 
  800        $token_endpoint = $this->getProviderConfigValue(
'token_endpoint');
 
  802        $grant_type = 
'refresh_token';
 
  804        $token_params = array(
 
  805            'grant_type' => $grant_type,
 
  806            'refresh_token' => $refresh_token,
 
  807            'client_id' => $this->clientID,
 
  808            'client_secret' => $this->clientSecret,
 
  812        $token_params = http_build_query($token_params, 
null, 
'&', $this->enc_type);
 
  814        $json = json_decode($this->fetchURL($token_endpoint, $token_params));
 
  816        if (isset($json->access_token)) {
 
  817            $this->accessToken = $json->access_token;
 
  820        if (isset($json->refresh_token)) {
 
  821            $this->refreshToken = $json->refresh_token;
 
  835            if (
$key->kty === 
'RSA') {
 
  845        if ($this->additionalJwks) {
 
  846            foreach ($this->additionalJwks as 
$key) {
 
  847                if (
$key->kty === 
'RSA') {
 
  876        if (!class_exists(
'\phpseclib\Crypt\RSA') && !class_exists(
'Crypt_RSA')) {
 
  879        if (!(property_exists(
$key, 
'n') && property_exists(
$key, 
'e'))) {
 
  886        $public_key_xml = 
"<RSAKeyValue>\r\n".
 
  890        if(class_exists(
'Crypt_RSA', 
false)) {
 
  891            $rsa = 
new Crypt_RSA();
 
  892            $rsa->setHash($hashtype);
 
  893            if ($signatureType === 
'PSS') {
 
  894                $rsa->setMGFHash($hashtype);
 
  896            $rsa->loadKey($public_key_xml, Crypt_RSA::PUBLIC_FORMAT_XML);
 
  897            $rsa->signatureMode = $signatureType === 
'PSS' ? Crypt_RSA::SIGNATURE_PSS : Crypt_RSA::SIGNATURE_PKCS1;
 
  899            $rsa = new \phpseclib\Crypt\RSA();
 
  900            $rsa->setHash($hashtype);
 
  901            if ($signatureType === 
'PSS') {
 
  902                $rsa->setMGFHash($hashtype);
 
  904            $rsa->loadKey($public_key_xml, \phpseclib\Crypt\RSA::PUBLIC_FORMAT_XML);
 
  907        return $rsa->verify($payload, $signature);
 
  920        if (!function_exists(
'hash_hmac')) {
 
  924        $expected=hash_hmac($hashtype, $payload, 
$key, 
true);
 
  926        if (function_exists(
'hash_equals')) {
 
  927            return hash_equals($signature, $expected);
 
  930        return self::hashEquals($signature, $expected);
 
  939        if (!\is_string($jwt)) {
 
  942        $parts = explode(
'.', $jwt);
 
  943        if (!isset($parts[0])) {
 
  947        if (
false === $signature || 
'' === $signature) {
 
  954        $payload = implode(
'.', $parts);
 
  955        $jwks = json_decode($this->fetchURL($this->getProviderConfigValue(
'jwks_uri')));
 
  956        if ($jwks === NULL) {
 
  967                $hashtype = 
'sha' . substr(
$header->alg, 2);
 
  968                $signatureType = 
$header->alg === 
'PS256' ? 
'PSS' : 
'';
 
  970                $verified = $this->verifyRSAJWTsignature($hashtype,
 
  971                    $this->get_key_for_header($jwks->keys, 
$header),
 
  972                    $payload, $signature, $signatureType);
 
  977                $hashtype = 
'SHA' . substr(
$header->alg, 2);
 
  978                $verified = $this->verifyHMACJWTsignature($hashtype, $this->getClientSecret(), $payload, $signature);
 
  992        if(isset($claims->at_hash) && isset($accessToken)){
 
  993            if(isset($this->getIdTokenHeader()->alg) && $this->getIdTokenHeader()->alg !== 
'none'){
 
  994                $bit = substr($this->getIdTokenHeader()->alg, 2, 3);
 
  999            $len = ((int)$bit)/16;
 
 1000            $expected_at_hash = $this->urlEncode(substr(
hash(
'sha'.$bit, $accessToken, 
true), 0, $len));
 
 1002        return (($this->issuerValidator->__invoke($claims->iss))
 
 1003            && (($claims->aud === $this->clientID) || in_array($this->clientID, $claims->aud, 
true))
 
 1004            && ($claims->nonce === $this->getNonce())
 
 1005            && ( !isset($claims->exp) || ((gettype($claims->exp) === 
'integer') && ($claims->exp >= time() - $this->leeway)))
 
 1006            && ( !isset($claims->nbf) || ((gettype($claims->nbf) === 
'integer') && ($claims->nbf <= time() + $this->leeway)))
 
 1007            && ( !isset($claims->at_hash) || $claims->at_hash === $expected_at_hash )
 
 1016        $enc = base64_encode($str);
 
 1017        $enc = rtrim($enc, 
'=');
 
 1018        $enc = strtr($enc, 
'+/', 
'-_');
 
 1029        $parts = explode(
'.', $jwt);
 
 1063        $user_info_endpoint = $this->getProviderConfigValue(
'userinfo_endpoint');
 
 1066        $user_info_endpoint .= 
'?schema=' . $schema;
 
 1070        $headers = [
"Authorization: Bearer {$this->accessToken}",
 
 1071            'Accept: application/json'];
 
 1073        $user_json = json_decode($this->fetchURL($user_info_endpoint,
null,$headers));
 
 1074        if ($this->getResponseCode() <> 200) {
 
 1075            throw new OpenIDConnectClientException(
'The communication to retrieve user data has failed with status code '.$this->getResponseCode());
 
 1077        $this->userInfo = $user_json;
 
 1079        if($attribute === 
null) {
 
 1080            return $this->userInfo;
 
 1083        if (property_exists($this->userInfo, $attribute)) {
 
 1084            return $this->userInfo->$attribute;
 
 1111        if($attribute === 
null) {
 
 1112            return $this->verifiedClaims;
 
 1115        if (property_exists($this->verifiedClaims, $attribute)) {
 
 1116            return $this->verifiedClaims->$attribute;
 
 1136        if ($post_body !== 
null) {
 
 1139            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 
'POST');
 
 1140            curl_setopt($ch, CURLOPT_POSTFIELDS, $post_body);
 
 1143            $content_type = 
'application/x-www-form-urlencoded';
 
 1146            if (is_object(json_decode($post_body))) {
 
 1147                $content_type = 
'application/json';
 
 1151            $headers[] = 
"Content-Type: {$content_type}";
 
 1156        if(count($headers) > 0) {
 
 1157            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
 
 1161        curl_setopt($ch, CURLOPT_URL, 
$url);
 
 1163        if (isset($this->httpProxy)) {
 
 1164            curl_setopt($ch, CURLOPT_PROXY, $this->httpProxy);
 
 1168        curl_setopt($ch, CURLOPT_HEADER, 0);
 
 1171        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 
true);
 
 1177        if (isset($this->certPath)) {
 
 1178            curl_setopt($ch, CURLOPT_CAINFO, $this->certPath);
 
 1181        if($this->verifyHost) {
 
 1182            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
 
 1184            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
 
 1187        if($this->verifyPeer) {
 
 1188            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 
true);
 
 1190            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 
false);
 
 1194        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 
true);
 
 1197        curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeOut);
 
 1203        $info = curl_getinfo($ch);
 
 1204        $this->responseCode = 
$info[
'http_code'];
 
 1223        return $this->getWellKnownConfigValue(
'issuer') . ($appendSlash ? 
'/' : 
'');
 
 1232        if (!isset($this->providerConfig[
'issuer'])) {
 
 1236        return $this->providerConfig[
'issuer'];
 
 1244        if (!isset($this->providerConfig[
'providerUrl'])) {
 
 1248        return $this->providerConfig[
'providerUrl'];
 
 1255        header(
'Location: ' . 
$url);
 
 1263        $this->httpProxy = $httpProxy;
 
 1270        $this->certPath = $certPath;
 
 1278        return $this->certPath;
 
 1285        $this->verifyPeer = $verifyPeer;
 
 1292        $this->verifyHost = $verifyHost;
 
 1300        return $this->verifyHost;
 
 1308        return $this->verifyPeer;
 
 1319        $this->issuerValidator = $issuerValidator;
 
 1326        $this->allowImplicitFlow = $allowImplicitFlow;
 
 1334        return $this->allowImplicitFlow;
 
 1345        $this->providerConfig = array_merge($this->providerConfig, $array);
 
 1359        $this->clientID = $clientID;
 
 1368    public function register() {
 
 1370        $registration_endpoint = $this->getProviderConfigValue(
'registration_endpoint');
 
 1372        $send_object = (object ) array_merge($this->registrationParams, array(
 
 1373            'redirect_uris' => array($this->getRedirectURL()),
 
 1374            'client_name' => $this->getClientName()
 
 1377        $response = $this->fetchURL($registration_endpoint, json_encode($send_object));
 
 1379        $json_response = json_decode(
$response);
 
 1382        if ($json_response === 
false) {
 
 1386        if (isset($json_response->{
'error_description'})) {
 
 1390        $this->setClientID($json_response->{
'client_id'});
 
 1394        if (isset($json_response->{
'client_secret'})) {
 
 1395            $this->setClientSecret($json_response->{
'client_secret'});
 
 1397            throw new OpenIDConnectClientException(
'Error registering: 
 1398                                                    Please contact the OpenID Connect provider and obtain a Client ID and Secret directly from them');
 
 1415        $introspection_endpoint = $this->getProviderConfigValue(
'introspection_endpoint');
 
 1420        if ($token_type_hint) {
 
 1421            $post_data[
'token_type_hint'] = $token_type_hint;
 
 1427        $post_params = http_build_query($post_data, 
null, 
'&');
 
 1428        $headers = [
'Authorization: Basic ' . base64_encode(urlencode(
$clientId) . 
':' . urlencode(
$clientSecret)),
 
 1429            'Accept: application/json'];
 
 1431        return json_decode($this->fetchURL($introspection_endpoint, $post_params, $headers));
 
 1446        $revocation_endpoint = $this->getProviderConfigValue(
'revocation_endpoint');
 
 1451        if ($token_type_hint) {
 
 1452            $post_data[
'token_type_hint'] = $token_type_hint;
 
 1458        $post_params = http_build_query($post_data, 
null, 
'&');
 
 1459        $headers = [
'Authorization: Basic ' . base64_encode(urlencode(
$clientId) . 
':' . urlencode(
$clientSecret)),
 
 1460            'Accept: application/json'];
 
 1462        return json_decode($this->fetchURL($revocation_endpoint, $post_params, $headers));
 
 1469        return $this->clientName;
 
 1476        $this->clientName = $clientName;
 
 1483        return $this->clientID;
 
 1497        return class_exists(
'\phpseclib\Crypt\RSA') || class_exists(
'Crypt_RSA');
 
 1509        $this->accessToken = $accessToken;
 
 1516        return $this->accessToken;
 
 1523        return $this->refreshToken;
 
 1530        return $this->idToken;
 
 1537        return $this->decodeJWT($this->accessToken);
 
 1544        return $this->decodeJWT($this->accessToken, 1);
 
 1551        return $this->decodeJWT($this->idToken);
 
 1558        return $this->decodeJWT($this->idToken, 1);
 
 1565        return $this->tokenResponse;
 
 1575        $this->setSessionKey(
'openid_connect_nonce', $nonce);
 
 1585        return $this->getSessionKey(
'openid_connect_nonce');
 
 1594        $this->unsetSessionKey(
'openid_connect_nonce');
 
 1604        $this->setSessionKey(
'openid_connect_state', 
$state);
 
 1614        return $this->getSessionKey(
'openid_connect_state');
 
 1623        $this->unsetSessionKey(
'openid_connect_state');
 
 1633        $this->setSessionKey(
'openid_connect_code_verifier', $codeVerifier);
 
 1634        return $codeVerifier;
 
 1643        return $this->getSessionKey(
'openid_connect_code_verifier');
 
 1652        $this->unsetSessionKey(
'openid_connect_code_verifier');
 
 1662        return $this->responseCode;
 
 1672        $this->timeOut = $timeout;
 
 1680        return $this->timeOut;
 
 1690        if (function_exists(
'mb_strlen')) {
 
 1691            return mb_strlen($str, 
'8bit');
 
 1693        return strlen($str);
 
 1704        $len1=static::safeLength($str1);
 
 1705        $len2=static::safeLength($str2);
 
 1708        $len = min($len1, $len2);
 
 1710        for (
$i = 0; 
$i < $len; 
$i++) {
 
 1711            $status |= (ord($str1[
$i]) ^ ord($str2[
$i]));
 
 1714        $status |= ($len1 ^ $len2);
 
 1715        return ($status === 0);
 
 1728        $this->startSession();
 
 1730        session_write_close();
 
 1734        $this->startSession();
 
 1740        $this->startSession();
 
 1746        $this->startSession();
 
 1753        switch ($curEncoding)
 
 1755            case PHP_QUERY_RFC1738:
 
 1756                $this->enc_type = PHP_QUERY_RFC1738;
 
 1759            case PHP_QUERY_RFC3986:
 
 1760                $this->enc_type = PHP_QUERY_RFC3986;
 
 1774        return $this->scopes;
 
 1782        return $this->responseTypes;
 
 1790        return $this->authParams;
 
 1798        return $this->issuerValidator;
 
 1806        return $this->leeway;
 
 1813        return $this->codeChallengeMethod;
 
 1820        $this->codeChallengeMethod = $codeChallengeMethod;
 
catch(Exception $e) if(!($request instanceof \SAML2\ArtifactResolve)) $issuer
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
An exception for terminatinating execution or to throw for unit testing.
OpenIDConnect Exception Class.
Require the CURL and JSON PHP extensions to be installed.
setState($state)
Stores $state.
getRedirectURL()
Gets the URL of the current page we are on, encodes, and returns it.
providerConfigParam($array)
Use this to alter a provider's endpoints and other attributes.
decodeJWT($jwt, $section=0)
requestClientCredentialsToken()
Requests a client credentials token.
fetchURL($url, $post_body=null, $headers=array())
introspectToken($token, $token_type_hint='', $clientId=null, $clientSecret=null)
Introspect a given token - either access token or refresh token.
getVerifiedClaims($attribute=null)
setProviderURL($provider_url)
setResponseTypes($response_types)
setClientSecret($clientSecret)
requestTokens($code)
Requests ID and Access tokens.
setAccessToken($accessToken)
Set the access token.
getNonce()
Get stored nonce.
setCodeChallengeMethod($codeChallengeMethod)
getResponseCode()
Get the response code from last action/curl request.
static safeLength($str)
Safely calculate length of binary string.
getState()
Get stored state.
revokeToken($token, $token_type_hint='', $clientId=null, $clientSecret=null)
Revoke a given token - either access token or refresh token.
setUrlEncoding($curEncoding)
startSession()
Use session to manage a nonce.
setNonce($nonce)
Stores nonce.
__construct($provider_url=null, $client_id=null, $client_secret=null, $issuer=null)
requestUserInfo($attribute=null)
getProviderConfigValue($param, $default=null)
Get's anything that we need configuration wise including endpoints, and other values.
unsetNonce()
Cleanup nonce.
get_key_for_header($keys, $header)
generateRandString()
Used for arbitrary value generation for nonces and state.
verifyHMACJWTsignature($hashtype, $key, $payload, $signature)
addRegistrationParam($param)
refreshToken($refresh_token)
Requests Access token with refresh token.
unsetCodeVerifier()
Cleanup state.
setVerifyPeer($verifyPeer)
setClientName($clientName)
getWellKnownConfigValue($param, $default=null)
Get's anything that we need configuration wise including endpoints, and other values.
getWellKnownIssuer($appendSlash=false)
setTimeout($timeout)
Set timeout (seconds)
getCodeVerifier()
Get stored codeVerifier.
requestResourceOwnerToken($bClientAuth=FALSE)
Requests a resource owner token (Defined in https://tools.ietf.org/html/rfc6749#section-4....
setSessionKey($key, $value)
unsetState()
Cleanup state.
signOut($accessToken, $redirect)
It calls the end-session endpoint of the OpenID Connect provider to notify the OpenID Connect provide...
requestAuthorization()
Start Here.
setWellKnownConfigParameters(array $params=[])
Set optionnal parameters for .well-known/openid-configuration.
setVerifyHost($verifyHost)
setIssuerValidator($issuerValidator)
Use this for custom issuer validation The given function should accept the issuer string from the JWT...
static hashEquals($str1, $str2)
Where has_equals is not available, this provides a timing-attack safe string comparison.
verifyRSAJWTsignature($hashtype, $key, $payload, $signature, $signatureType)
verifyJWTclaims($claims, $accessToken=null)
setCodeVerifier($codeVerifier)
Stores $codeVerifier.
setAllowImplicitFlow($allowImplicitFlow)
const SIGNATURE_PKCS1
Use the PKCS#1 scheme by default.
hash(StreamInterface $stream, $algo, $rawOutput=false)
Calculate a hash of a Stream.
b64url2b64($base64url)
Per RFC4648, "base64 encoding with URL-safe and filename-safe alphabet".
if(!class_exists('\phpseclib\Crypt\RSA') &&!class_exists( 'Crypt_RSA')) base64url_decode($base64url)
JWT signature verification support by Jonathan Reed jdreed@mit.edu Licensed under the same license as...
if(array_key_exists('provider', $_GET)) elseif(array_key_exists( 'provider', $_SESSION)) if(!in_array($providerName, ['Google', 'Microsoft', 'Yahoo'])) $clientId
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']