34if (!class_exists(
'\phpseclib\Crypt\RSA') && !class_exists(
'Crypt_RSA')) {
35 user_error(
'Unable to find phpseclib Crypt/RSA.php. Ensure phpseclib is installed and in include_path before you include this file');
58 $padding = strlen($base64url) % 4;
60 $base64url .= str_repeat(
'=', 4 - $padding);
62 return strtr($base64url,
'-_',
'+/');
77if (!function_exists(
'curl_init')) {
80if (!function_exists(
'json_decode')) {
81 throw new OpenIDConnectClientException(
'OpenIDConnect needs the JSON PHP extension.');
110 private $providerConfig = array();
125 private $verifyPeer =
true;
130 private $verifyHost =
true;
155 private $scopes = array();
165 private $responseTypes = array();
170 private $userInfo = array();
175 private $authParams = array();
180 private $registrationParams = array();
185 private $wellKnown =
false;
191 private $wellKnownConfigParameters = array();
196 protected $timeOut = 60;
201 private $leeway = 300;
206 private $additionalJwks = array();
211 protected $verifiedClaims = array();
221 private $allowImplicitFlow =
false;
227 protected $enc_type = PHP_QUERY_RFC1738;
233 private $codeChallengeMethod =
false;
238 private $pkceAlgs = array(
'S256' =>
'sha256',
'plain' =>
false);
248 $this->setProviderURL($provider_url);
250 $this->setIssuer($provider_url);
256 $this->clientSecret = $client_secret;
258 $this->issuerValidator =
function($iss){
259 return ($iss === $this->getIssuer() || $iss === $this->getWellKnownIssuer() || $iss === $this->getWellKnownIssuer(
true));
267 $this->providerConfig[
'providerUrl'] = $provider_url;
274 $this->providerConfig[
'issuer'] =
$issuer;
281 $this->responseTypes = array_merge($this->responseTypes, (array)$response_types);
291 if (isset($_REQUEST[
'error'])) {
292 $desc = isset($_REQUEST[
'error_description']) ?
' Description: ' . $_REQUEST[
'error_description'] :
'';
297 if (isset($_REQUEST[
'code'])) {
299 $code = $_REQUEST[
'code'];
300 $token_json = $this->requestTokens(
$code);
303 if (isset($token_json->error)) {
304 if (isset($token_json->error_description)) {
311 if ($_REQUEST[
'state'] !== $this->getState()) {
318 if (!property_exists($token_json,
'id_token')) {
322 $claims = $this->decodeJWT($token_json->id_token, 1);
325 if ($this->canVerifySignatures()) {
326 if (!$this->getProviderConfigValue(
'jwks_uri')) {
329 if (!$this->verifyJWTsignature($token_json->id_token)) {
333 user_error(
'Warning: JWT signature verification unavailable.');
337 $this->idToken = $token_json->id_token;
340 $this->accessToken = $token_json->access_token;
343 if ($this->verifyJWTclaims($claims, $token_json->access_token)) {
349 $this->tokenResponse = $token_json;
352 $this->verifiedClaims = $claims;
355 if (isset($token_json->refresh_token)) {
356 $this->refreshToken = $token_json->refresh_token;
367 if ($this->allowImplicitFlow && isset($_REQUEST[
'id_token'])) {
369 $id_token = $_REQUEST[
'id_token'];
372 if (isset($_REQUEST[
'access_token'])) {
373 $accessToken = $_REQUEST[
'access_token'];
377 if ($_REQUEST[
'state'] !== $this->getState()) {
384 $claims = $this->decodeJWT($id_token, 1);
387 if ($this->canVerifySignatures()) {
388 if (!$this->getProviderConfigValue(
'jwks_uri')) {
391 if (!$this->verifyJWTsignature($id_token)) {
395 user_error(
'Warning: JWT signature verification unavailable.');
399 $this->idToken = $id_token;
402 if ($this->verifyJWTclaims($claims, $accessToken)) {
408 $this->verifiedClaims = $claims;
412 $this->accessToken = $accessToken;
423 $this->requestAuthorization();
440 public function signOut($accessToken, $redirect) {
441 $signout_endpoint = $this->getProviderConfigValue(
'end_session_endpoint');
443 $signout_params =
null;
444 if($redirect ===
null){
445 $signout_params = array(
'id_token_hint' => $accessToken);
448 $signout_params = array(
449 'id_token_hint' => $accessToken,
450 'post_logout_redirect_uri' => $redirect);
453 $signout_endpoint .= (strpos($signout_endpoint,
'?') ===
false ?
'?' :
'&') . http_build_query( $signout_params,
null,
'&', $this->enc_type);
454 $this->redirect($signout_endpoint);
461 $this->scopes = array_merge($this->scopes, (array)$scope);
468 $this->authParams = array_merge($this->authParams, (array)$param);
475 $this->registrationParams = array_merge($this->registrationParams, (array)$param);
482 $this->additionalJwks[] = $jwk;
498 if (!isset($this->providerConfig[$param])) {
499 $this->providerConfig[$param] = $this->getWellKnownConfigValue($param,
$default);
502 return $this->providerConfig[$param];
518 if(!$this->wellKnown) {
519 $well_known_config_url = rtrim($this->getProviderURL(),
'/') .
'/.well-known/openid-configuration';
520 if (count($this->wellKnownConfigParameters) > 0){
521 $well_known_config_url .=
'?' . http_build_query($this->wellKnownConfigParameters) ;
523 $this->wellKnown = json_decode($this->fetchURL($well_known_config_url));
527 if(isset($this->wellKnown->{$param})){
528 $value = $this->wellKnown->{$param};
540 throw new OpenIDConnectClientException(
"The provider {$param} could not be fetched. Make sure your provider has a well known configuration available.");
550 $this->wellKnownConfigParameters=
$params;
558 if (parse_url(
$url,PHP_URL_HOST) !==
false) {
559 $this->redirectURL =
$url;
571 if (property_exists($this,
'redirectURL') && $this->redirectURL) {
572 return $this->redirectURL;
588 if (isset(
$_SERVER[
'HTTP_UPGRADE_INSECURE_REQUESTS']) && (
$_SERVER[
'HTTP_UPGRADE_INSECURE_REQUESTS'] ===
'1')) {
593 ?: ((isset(
$_SERVER[
'HTTPS']) &&
$_SERVER[
'HTTPS'] ===
'on') ?
'https' :
'http');
596 $port = @intval(
$_SERVER[
'HTTP_X_FORWARDED_PORT'])
600 $host = @explode(
':',
$_SERVER[
'HTTP_HOST'])[0]
604 $port = (443 === $port) || (80 === $port) ?
'' :
':' . $port;
606 return sprintf(
'%s://%s%s/%s',
$protocol, $host, $port, @trim(reset(explode(
'?',
$_SERVER[
'REQUEST_URI'])),
'/'));
619 return \bin2hex(\random_bytes(16));
622 }
catch (Exception $e) {
634 $auth_endpoint = $this->getProviderConfigValue(
'authorization_endpoint');
635 $response_type =
'code';
639 $nonce = $this->setNonce($this->generateRandString());
642 $state = $this->setState($this->generateRandString());
644 $auth_params = array_merge($this->authParams, array(
645 'response_type' => $response_type,
646 'redirect_uri' => $this->getRedirectURL(),
647 'client_id' => $this->clientID,
654 if (count($this->scopes) > 0) {
655 $auth_params = array_merge($auth_params, array(
'scope' => implode(
' ', array_merge($this->scopes, array(
'openid')))));
659 if (count($this->responseTypes) > 0) {
660 $auth_params = array_merge($auth_params, array(
'response_type' => implode(
' ', $this->responseTypes)));
664 if (!empty($this->getCodeChallengeMethod()) && in_array($this->getCodeChallengeMethod(), $this->getProviderConfigValue(
'code_challenge_methods_supported'))) {
665 $codeVerifier = bin2hex(random_bytes(64));
666 $this->setCodeVerifier($codeVerifier);
667 if (!empty($this->pkceAlgs[$this->getCodeChallengeMethod()])) {
668 $codeChallenge = rtrim(strtr(base64_encode(
hash($this->pkceAlgs[$this->getCodeChallengeMethod()], $codeVerifier,
true)),
'+/',
'-_'),
'=');
670 $codeChallenge = $codeVerifier;
672 $auth_params = array_merge($auth_params, array(
673 'code_challenge' => $codeChallenge,
674 'code_challenge_method' => $this->getCodeChallengeMethod()
678 $auth_endpoint .= (strpos($auth_endpoint,
'?') ===
false ?
'?' :
'&') . http_build_query($auth_params,
null,
'&', $this->enc_type);
680 $this->commitSession();
681 $this->redirect($auth_endpoint);
690 $token_endpoint = $this->getProviderConfigValue(
'token_endpoint');
694 $grant_type =
'client_credentials';
697 'grant_type' => $grant_type,
698 'client_id' => $this->clientID,
699 'client_secret' => $this->clientSecret,
700 'scope' => implode(
' ', $this->scopes)
704 $post_params = http_build_query($post_data,
null,
'&', $this->enc_type);
706 return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
719 $token_endpoint = $this->getProviderConfigValue(
'token_endpoint');
723 $grant_type =
'password';
726 'grant_type' => $grant_type,
727 'username' => $this->authParams[
'username'],
728 'password' => $this->authParams[
'password'],
729 'scope' => implode(
' ', $this->scopes)
734 $post_data[
'client_id'] = $this->clientID;
739 $post_params = http_build_query($post_data,
null,
'&', $this->enc_type);
741 return json_decode($this->fetchURL($token_endpoint, $post_params, $headers));
753 $token_endpoint = $this->getProviderConfigValue(
'token_endpoint');
754 $token_endpoint_auth_methods_supported = $this->getProviderConfigValue(
'token_endpoint_auth_methods_supported', [
'client_secret_basic']);
758 $grant_type =
'authorization_code';
760 $token_params = array(
761 'grant_type' => $grant_type,
763 'redirect_uri' => $this->getRedirectURL(),
764 'client_id' => $this->clientID,
765 'client_secret' => $this->clientSecret
768 # Consider Basic authentication if provider config is set this way
769 if (in_array(
'client_secret_basic', $token_endpoint_auth_methods_supported,
true)) {
770 $headers = [
'Authorization: Basic ' . base64_encode(urlencode($this->clientID) .
':' . urlencode($this->clientSecret))];
771 unset($token_params[
'client_secret']);
772 unset($token_params[
'client_id']);
775 if (!empty($this->getCodeChallengeMethod()) && !empty($this->getCodeVerifier())) {
777 unset($token_params[
'client_secret']);
778 $token_params = array_merge($token_params, array(
779 'client_id' => $this->clientID,
780 'code_verifier' => $this->getCodeVerifier()
785 $token_params = http_build_query($token_params,
null,
'&', $this->enc_type);
787 $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers));
789 return $this->tokenResponse;
800 $token_endpoint = $this->getProviderConfigValue(
'token_endpoint');
802 $grant_type =
'refresh_token';
804 $token_params = array(
805 'grant_type' => $grant_type,
806 'refresh_token' => $refresh_token,
807 'client_id' => $this->clientID,
808 'client_secret' => $this->clientSecret,
812 $token_params = http_build_query($token_params,
null,
'&', $this->enc_type);
814 $json = json_decode($this->fetchURL($token_endpoint, $token_params));
816 if (isset($json->access_token)) {
817 $this->accessToken = $json->access_token;
820 if (isset($json->refresh_token)) {
821 $this->refreshToken = $json->refresh_token;
835 if (
$key->kty ===
'RSA') {
845 if ($this->additionalJwks) {
846 foreach ($this->additionalJwks as
$key) {
847 if (
$key->kty ===
'RSA') {
876 if (!class_exists(
'\phpseclib\Crypt\RSA') && !class_exists(
'Crypt_RSA')) {
879 if (!(property_exists(
$key,
'n') && property_exists(
$key,
'e'))) {
886 $public_key_xml =
"<RSAKeyValue>\r\n".
890 if(class_exists(
'Crypt_RSA',
false)) {
891 $rsa =
new Crypt_RSA();
892 $rsa->setHash($hashtype);
893 if ($signatureType ===
'PSS') {
894 $rsa->setMGFHash($hashtype);
896 $rsa->loadKey($public_key_xml, Crypt_RSA::PUBLIC_FORMAT_XML);
897 $rsa->signatureMode = $signatureType ===
'PSS' ? Crypt_RSA::SIGNATURE_PSS : Crypt_RSA::SIGNATURE_PKCS1;
899 $rsa = new \phpseclib\Crypt\RSA();
900 $rsa->setHash($hashtype);
901 if ($signatureType ===
'PSS') {
902 $rsa->setMGFHash($hashtype);
904 $rsa->loadKey($public_key_xml, \phpseclib\Crypt\RSA::PUBLIC_FORMAT_XML);
907 return $rsa->verify($payload, $signature);
920 if (!function_exists(
'hash_hmac')) {
924 $expected=hash_hmac($hashtype, $payload,
$key,
true);
926 if (function_exists(
'hash_equals')) {
927 return hash_equals($signature, $expected);
930 return self::hashEquals($signature, $expected);
939 if (!\is_string($jwt)) {
942 $parts = explode(
'.', $jwt);
943 if (!isset($parts[0])) {
947 if (
false === $signature ||
'' === $signature) {
954 $payload = implode(
'.', $parts);
955 $jwks = json_decode($this->fetchURL($this->getProviderConfigValue(
'jwks_uri')));
956 if ($jwks === NULL) {
967 $hashtype =
'sha' . substr(
$header->alg, 2);
968 $signatureType =
$header->alg ===
'PS256' ?
'PSS' :
'';
970 $verified = $this->verifyRSAJWTsignature($hashtype,
971 $this->get_key_for_header($jwks->keys,
$header),
972 $payload, $signature, $signatureType);
977 $hashtype =
'SHA' . substr(
$header->alg, 2);
978 $verified = $this->verifyHMACJWTsignature($hashtype, $this->getClientSecret(), $payload, $signature);
992 if(isset($claims->at_hash) && isset($accessToken)){
993 if(isset($this->getIdTokenHeader()->alg) && $this->getIdTokenHeader()->alg !==
'none'){
994 $bit = substr($this->getIdTokenHeader()->alg, 2, 3);
999 $len = ((int)$bit)/16;
1000 $expected_at_hash = $this->urlEncode(substr(
hash(
'sha'.$bit, $accessToken,
true), 0, $len));
1002 return (($this->issuerValidator->__invoke($claims->iss))
1003 && (($claims->aud === $this->clientID) || in_array($this->clientID, $claims->aud,
true))
1004 && ($claims->nonce === $this->getNonce())
1005 && ( !isset($claims->exp) || ((gettype($claims->exp) ===
'integer') && ($claims->exp >= time() - $this->leeway)))
1006 && ( !isset($claims->nbf) || ((gettype($claims->nbf) ===
'integer') && ($claims->nbf <= time() + $this->leeway)))
1007 && ( !isset($claims->at_hash) || $claims->at_hash === $expected_at_hash )
1016 $enc = base64_encode($str);
1017 $enc = rtrim($enc,
'=');
1018 $enc = strtr($enc,
'+/',
'-_');
1029 $parts = explode(
'.', $jwt);
1063 $user_info_endpoint = $this->getProviderConfigValue(
'userinfo_endpoint');
1066 $user_info_endpoint .=
'?schema=' . $schema;
1070 $headers = [
"Authorization: Bearer {$this->accessToken}",
1071 'Accept: application/json'];
1073 $user_json = json_decode($this->fetchURL($user_info_endpoint,
null,$headers));
1074 if ($this->getResponseCode() <> 200) {
1075 throw new OpenIDConnectClientException(
'The communication to retrieve user data has failed with status code '.$this->getResponseCode());
1077 $this->userInfo = $user_json;
1079 if($attribute ===
null) {
1080 return $this->userInfo;
1083 if (property_exists($this->userInfo, $attribute)) {
1084 return $this->userInfo->$attribute;
1111 if($attribute ===
null) {
1112 return $this->verifiedClaims;
1115 if (property_exists($this->verifiedClaims, $attribute)) {
1116 return $this->verifiedClaims->$attribute;
1136 if ($post_body !==
null) {
1139 curl_setopt($ch, CURLOPT_CUSTOMREQUEST,
'POST');
1140 curl_setopt($ch, CURLOPT_POSTFIELDS, $post_body);
1143 $content_type =
'application/x-www-form-urlencoded';
1146 if (is_object(json_decode($post_body))) {
1147 $content_type =
'application/json';
1151 $headers[] =
"Content-Type: {$content_type}";
1156 if(count($headers) > 0) {
1157 curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
1161 curl_setopt($ch, CURLOPT_URL,
$url);
1163 if (isset($this->httpProxy)) {
1164 curl_setopt($ch, CURLOPT_PROXY, $this->httpProxy);
1168 curl_setopt($ch, CURLOPT_HEADER, 0);
1171 curl_setopt($ch, CURLOPT_FOLLOWLOCATION,
true);
1177 if (isset($this->certPath)) {
1178 curl_setopt($ch, CURLOPT_CAINFO, $this->certPath);
1181 if($this->verifyHost) {
1182 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
1184 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
1187 if($this->verifyPeer) {
1188 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,
true);
1190 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,
false);
1194 curl_setopt($ch, CURLOPT_RETURNTRANSFER,
true);
1197 curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeOut);
1203 $info = curl_getinfo($ch);
1204 $this->responseCode =
$info[
'http_code'];
1223 return $this->getWellKnownConfigValue(
'issuer') . ($appendSlash ?
'/' :
'');
1232 if (!isset($this->providerConfig[
'issuer'])) {
1236 return $this->providerConfig[
'issuer'];
1244 if (!isset($this->providerConfig[
'providerUrl'])) {
1248 return $this->providerConfig[
'providerUrl'];
1255 header(
'Location: ' .
$url);
1263 $this->httpProxy = $httpProxy;
1270 $this->certPath = $certPath;
1278 return $this->certPath;
1285 $this->verifyPeer = $verifyPeer;
1292 $this->verifyHost = $verifyHost;
1300 return $this->verifyHost;
1308 return $this->verifyPeer;
1319 $this->issuerValidator = $issuerValidator;
1326 $this->allowImplicitFlow = $allowImplicitFlow;
1334 return $this->allowImplicitFlow;
1345 $this->providerConfig = array_merge($this->providerConfig, $array);
1359 $this->clientID = $clientID;
1368 public function register() {
1370 $registration_endpoint = $this->getProviderConfigValue(
'registration_endpoint');
1372 $send_object = (object ) array_merge($this->registrationParams, array(
1373 'redirect_uris' => array($this->getRedirectURL()),
1374 'client_name' => $this->getClientName()
1377 $response = $this->fetchURL($registration_endpoint, json_encode($send_object));
1379 $json_response = json_decode(
$response);
1382 if ($json_response ===
false) {
1386 if (isset($json_response->{
'error_description'})) {
1390 $this->setClientID($json_response->{
'client_id'});
1394 if (isset($json_response->{
'client_secret'})) {
1395 $this->setClientSecret($json_response->{
'client_secret'});
1397 throw new OpenIDConnectClientException(
'Error registering:
1398 Please contact the OpenID Connect provider and obtain a Client ID and Secret directly from them');
1415 $introspection_endpoint = $this->getProviderConfigValue(
'introspection_endpoint');
1420 if ($token_type_hint) {
1421 $post_data[
'token_type_hint'] = $token_type_hint;
1427 $post_params = http_build_query($post_data,
null,
'&');
1428 $headers = [
'Authorization: Basic ' . base64_encode(urlencode(
$clientId) .
':' . urlencode(
$clientSecret)),
1429 'Accept: application/json'];
1431 return json_decode($this->fetchURL($introspection_endpoint, $post_params, $headers));
1446 $revocation_endpoint = $this->getProviderConfigValue(
'revocation_endpoint');
1451 if ($token_type_hint) {
1452 $post_data[
'token_type_hint'] = $token_type_hint;
1458 $post_params = http_build_query($post_data,
null,
'&');
1459 $headers = [
'Authorization: Basic ' . base64_encode(urlencode(
$clientId) .
':' . urlencode(
$clientSecret)),
1460 'Accept: application/json'];
1462 return json_decode($this->fetchURL($revocation_endpoint, $post_params, $headers));
1469 return $this->clientName;
1476 $this->clientName = $clientName;
1483 return $this->clientID;
1497 return class_exists(
'\phpseclib\Crypt\RSA') || class_exists(
'Crypt_RSA');
1509 $this->accessToken = $accessToken;
1516 return $this->accessToken;
1523 return $this->refreshToken;
1530 return $this->idToken;
1537 return $this->decodeJWT($this->accessToken);
1544 return $this->decodeJWT($this->accessToken, 1);
1551 return $this->decodeJWT($this->idToken);
1558 return $this->decodeJWT($this->idToken, 1);
1565 return $this->tokenResponse;
1575 $this->setSessionKey(
'openid_connect_nonce', $nonce);
1585 return $this->getSessionKey(
'openid_connect_nonce');
1594 $this->unsetSessionKey(
'openid_connect_nonce');
1604 $this->setSessionKey(
'openid_connect_state',
$state);
1614 return $this->getSessionKey(
'openid_connect_state');
1623 $this->unsetSessionKey(
'openid_connect_state');
1633 $this->setSessionKey(
'openid_connect_code_verifier', $codeVerifier);
1634 return $codeVerifier;
1643 return $this->getSessionKey(
'openid_connect_code_verifier');
1652 $this->unsetSessionKey(
'openid_connect_code_verifier');
1662 return $this->responseCode;
1672 $this->timeOut = $timeout;
1680 return $this->timeOut;
1690 if (function_exists(
'mb_strlen')) {
1691 return mb_strlen($str,
'8bit');
1693 return strlen($str);
1704 $len1=static::safeLength($str1);
1705 $len2=static::safeLength($str2);
1708 $len = min($len1, $len2);
1710 for (
$i = 0;
$i < $len;
$i++) {
1711 $status |= (ord($str1[
$i]) ^ ord($str2[
$i]));
1714 $status |= ($len1 ^ $len2);
1715 return ($status === 0);
1728 $this->startSession();
1730 session_write_close();
1734 $this->startSession();
1740 $this->startSession();
1746 $this->startSession();
1753 switch ($curEncoding)
1755 case PHP_QUERY_RFC1738:
1756 $this->enc_type = PHP_QUERY_RFC1738;
1759 case PHP_QUERY_RFC3986:
1760 $this->enc_type = PHP_QUERY_RFC3986;
1774 return $this->scopes;
1782 return $this->responseTypes;
1790 return $this->authParams;
1798 return $this->issuerValidator;
1806 return $this->leeway;
1813 return $this->codeChallengeMethod;
1820 $this->codeChallengeMethod = $codeChallengeMethod;
catch(Exception $e) if(!($request instanceof \SAML2\ArtifactResolve)) $issuer
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
An exception for terminatinating execution or to throw for unit testing.
OpenIDConnect Exception Class.
Require the CURL and JSON PHP extensions to be installed.
setState($state)
Stores $state.
getRedirectURL()
Gets the URL of the current page we are on, encodes, and returns it.
providerConfigParam($array)
Use this to alter a provider's endpoints and other attributes.
decodeJWT($jwt, $section=0)
requestClientCredentialsToken()
Requests a client credentials token.
fetchURL($url, $post_body=null, $headers=array())
introspectToken($token, $token_type_hint='', $clientId=null, $clientSecret=null)
Introspect a given token - either access token or refresh token.
getVerifiedClaims($attribute=null)
setProviderURL($provider_url)
setResponseTypes($response_types)
setClientSecret($clientSecret)
requestTokens($code)
Requests ID and Access tokens.
setAccessToken($accessToken)
Set the access token.
getNonce()
Get stored nonce.
setCodeChallengeMethod($codeChallengeMethod)
getResponseCode()
Get the response code from last action/curl request.
static safeLength($str)
Safely calculate length of binary string.
getState()
Get stored state.
revokeToken($token, $token_type_hint='', $clientId=null, $clientSecret=null)
Revoke a given token - either access token or refresh token.
setUrlEncoding($curEncoding)
startSession()
Use session to manage a nonce.
setNonce($nonce)
Stores nonce.
__construct($provider_url=null, $client_id=null, $client_secret=null, $issuer=null)
requestUserInfo($attribute=null)
getProviderConfigValue($param, $default=null)
Get's anything that we need configuration wise including endpoints, and other values.
unsetNonce()
Cleanup nonce.
get_key_for_header($keys, $header)
generateRandString()
Used for arbitrary value generation for nonces and state.
verifyHMACJWTsignature($hashtype, $key, $payload, $signature)
addRegistrationParam($param)
refreshToken($refresh_token)
Requests Access token with refresh token.
unsetCodeVerifier()
Cleanup state.
setVerifyPeer($verifyPeer)
setClientName($clientName)
getWellKnownConfigValue($param, $default=null)
Get's anything that we need configuration wise including endpoints, and other values.
getWellKnownIssuer($appendSlash=false)
setTimeout($timeout)
Set timeout (seconds)
getCodeVerifier()
Get stored codeVerifier.
requestResourceOwnerToken($bClientAuth=FALSE)
Requests a resource owner token (Defined in https://tools.ietf.org/html/rfc6749#section-4....
setSessionKey($key, $value)
unsetState()
Cleanup state.
signOut($accessToken, $redirect)
It calls the end-session endpoint of the OpenID Connect provider to notify the OpenID Connect provide...
requestAuthorization()
Start Here.
setWellKnownConfigParameters(array $params=[])
Set optionnal parameters for .well-known/openid-configuration.
setVerifyHost($verifyHost)
setIssuerValidator($issuerValidator)
Use this for custom issuer validation The given function should accept the issuer string from the JWT...
static hashEquals($str1, $str2)
Where has_equals is not available, this provides a timing-attack safe string comparison.
verifyRSAJWTsignature($hashtype, $key, $payload, $signature, $signatureType)
verifyJWTclaims($claims, $accessToken=null)
setCodeVerifier($codeVerifier)
Stores $codeVerifier.
setAllowImplicitFlow($allowImplicitFlow)
const SIGNATURE_PKCS1
Use the PKCS#1 scheme by default.
hash(StreamInterface $stream, $algo, $rawOutput=false)
Calculate a hash of a Stream.
b64url2b64($base64url)
Per RFC4648, "base64 encoding with URL-safe and filename-safe alphabet".
if(!class_exists('\phpseclib\Crypt\RSA') &&!class_exists( 'Crypt_RSA')) base64url_decode($base64url)
JWT signature verification support by Jonathan Reed jdreed@mit.edu Licensed under the same license as...
if(array_key_exists('provider', $_GET)) elseif(array_key_exists( 'provider', $_SESSION)) if(!in_array($providerName, ['Google', 'Microsoft', 'Yahoo'])) $clientId
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']