steverhoades / oauth2-openid-connect-server
An OpenID Connect Server plugin for The PHP League's OAuth2 Server
License: MIT License
Hi, any usage example / tutorial on how to use this with the phpleague oauth2 server? I read your readme.md but do not really understand how to use it.
Relying parties who want to check the id_token validity against the public key issue a GET /key/set on the OpenID Authorization Server/Provider. We need a service to reply to this request with the public key.
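One way to serve that request is a JWKS (RFC 7517) endpoint that publishes the OP's RSA public key in the form relying parties expect. The code below is an added example for this thread, not code from steverhoades/oauth2-openid-connect-server; the key path, the RS256 algorithm and the way the `kid` is derived are this example's assumptions, and the id_token header must carry the same `kid` for RPs to pick the right key.

```php
<?php
// Added example (not part of the original issue or of the plugin): a minimal JWKS
// endpoint publishing the OP's RSA public key. Assumes the public half of the key
// the AuthorizationServer signs with lives at /path/to/public.key (assumption) and
// that id_tokens are signed with RS256 and carry the "kid" computed here.
declare(strict_types=1);

function base64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/**
 * Build a JWK for an RSA public key. The "kid" is the SHA-256 of the PEM text, so a
 * rotated key automatically gets a new identifier and old tokens still resolve.
 */
function rsaPublicKeyToJwk(string $pem): array
{
    $key = openssl_pkey_get_public($pem);
    if ($key === false) {
        throw new RuntimeException('Unable to load public key: ' . openssl_error_string());
    }
    $details = openssl_pkey_get_details($key);
    if ($details === false || $details['type'] !== OPENSSL_KEYTYPE_RSA) {
        throw new RuntimeException('Only RSA keys are handled by this example');
    }
    // openssl_pkey_get_details() returns modulus and exponent as big-endian binary strings,
    // which is exactly what the base64url "n" and "e" members of a JWK encode.
    return [
        'kty' => 'RSA',
        'use' => 'sig',
        'alg' => 'RS256',
        'kid' => base64url(hash('sha256', $details['key'], true)),
        'n'   => base64url($details['rsa']['n']),
        'e'   => base64url($details['rsa']['e']),
    ];
}

/** A key set may carry several keys; include the retiring key during a rotation. */
function jwksDocument(array $pems): array
{
    return ['keys' => array_map('rsaPublicKeyToJwk', $pems)];
}

// --- endpoint -------------------------------------------------------------------
// Only public material is ever read here; never hand a private key to this script.
$pems = [file_get_contents('/path/to/public.key')]; // assumed path
header('Content-Type: application/json');
header('Cache-Control: public, max-age=3600');
echo json_encode(jwksDocument($pems), JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
```

Point the discovery document's `jwks_uri` at this route, and set the same `kid` in the id_token header when the token is built (lcobucci/jwt's builder has `withHeader('kid', ...)`) so RPs can select the key without trial verification.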
Changes to make it work with new versions of Lcobucci/JWT library
I am looking into a way of passing the nonce parameter through as discussed here: thephpleague/oauth2-server#962
Any idea on how we can implement this, as it's required by the spec here: https://openid.net/specs/openid-connect-core-1_0.html
Drupal 10.1.0 requires psr/http-message:^2.0, so for Simple OAuth module we need to bump up league/oauth2-server to 8.5.3 see: https://www.drupal.org/project/simple_oauth/issues/3364376 and thephpleague/oauth2-server#1339. At the same time league/oauth2-server:8.5.3 requires lcobucci/jwt:^4.3, while steverhoades/oauth2-openid-connect-server only allows: 4.1.5|^4.2.
Can you please write where the configuration must be made? For example, paths, etc.?
Can it be added to laravel passport?
In addition to the OAuth2 specification for error codes the OpenID Connect specification defines the following:
interaction_required
The Authorization Server requires End-User interaction of some form to proceed. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User interaction.
login_required
The Authorization Server requires End-User authentication. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User authentication.
account_selection_required
The End-User is REQUIRED to select a session at the Authorization Server. The End-User MAY be authenticated at the Authorization Server with different associated accounts, but the End-User did not select a session. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface to prompt for a session to use.
consent_required
The Authorization Server requires End-User consent. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User consent.
invalid_request_uri
The request_uri in the Authorization Request returns an error or contains invalid data.
invalid_request_object
The request parameter contains an invalid Request Object.
request_not_supported
The OP does not support use of the request parameter defined in Section 6.
request_uri_not_supported
The OP does not support use of the request_uri parameter defined in Section 6.
registration_not_supported
The OP does not support use of the registration parameter defined in Section 7.2.1.
http://openid.net/specs/openid-connect-core-1_0.html#AuthError
Related to #9, it seems Packagist isn't set up to automatically pull down new versions of this repository as it's updated. Packagist did switch a while back from one form of GitHub integration to another, so it could be that this needs to be updated.
Since league/oauth2-server is not saving an in memory key to a temporary file anymore, the IdTokenResponse is failing. I've reported the BC-break in thephpleague/oauth2-server#1240, but I think it would be good to fix it in this package, too.
I've been trying your library and the example you have given, and I found out that somehow I still need to set up the ScopeRepository to include the openid scope for an openid client to work. I think you can either point this out in your example or maybe you can provide a default ScopeRepository implementation that automatically includes the openid scope.
Seems like you have a problem with your composer.json and packagist is not updating anymore.
bash$ composer validate
./composer.json is valid for simple usage with composer but has
strict errors that make it unable to be published as a package:
See https://getcomposer.org/doc/04-schema.md for details on the schema
description : The property description is required
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
You should have more information in your packagist account. If you want to I can send you a PR adding the MIT License and a description.
Hi there, I was just wondering if you could cut a new tag for the 6 commits since the last release. I was hoping to avoid forking the repo or pointing composer directly at the master branch. Thanks!
Which branch should one use? Packagist lists 0.3 as the latest, but it seems like the master branch is ahead of it. Is the master branch ready to use?
Hi,
I installed the package in my Symfony project, but the requirement for lcobucci/jwt:4.1.5 forces a downgrade of this lib from 4.2.1.
Is there any reason to have this requirement? Do you want a PR with the new version?
Regards,
The lcobucci/jwt package is upgraded to version 4 in laravel/passport via league/oauth2-server.
Following the upgrade guide: https://lcobucci-jwt.readthedocs.io/en/latest/upgrading/#v3x-to-v4x
(new Builder()) should become $config->builder().
Do you have a roadmap for this implementation?
For example:
The examples depend on Zendframework/zend-diactoros which has been abandoned.
https://packagist.org/packages/zendframework/zend-diactoros
Packagist says it has been replaced by: laminas/laminas-diactoros
https://github.com/laminas/laminas-diactoros
Can someone who is comfortable with oauth2-openid-connect-server make the package replacement in the examples and ensure they are still functioning correctly?
p.s. I am brand new to openid connect in general and not even an experienced composer user, so I'm definitely not qualified to start tinkering with this framework.
First of all, thanks for all the work you did for this library.
In the app we're building with this package, we've run into a situation where we'd like to differentiate claims based on which client is authenticating (the same user may authenticate under different clients and needs different claims; in our case specifically, different access roles to the client. E.g. a user could be an admin in one client but only a user in the other).
As far as I can tell, there's no straightforward way to do this, seeing as the IdentityProvider interface only uses the user identifier from the access token.
Do you see a more straightforward way of doing this? Currently, I'm thinking I need to extend the IdTokenResponse and change the IdentityProvider::getUserEntityByIdentifier method to use the full AccessToken instead of just the user identifier, so we can get the client from the access token.
Hello,
The project suggests it will work with lower versions of PHP; however, it cannot because of the JWT 4.1.5 requirement. I believe JWT 3.4.6 is not only an API compatibility layer with 4.x but also has the requisite security fixes applied that were applied to 4.1.5. Would it be possible to add 3.4.6 explicitly to the versions of JWT allowed?
Add support for the specific OpenID Connect request parameters:
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
Per the specification:
The Authorization Server MUST attempt to Authenticate the End-User in the following cases:
The End-User is not already Authenticated.
The Authentication Request contains the prompt parameter with the value login. In this case, the Authorization Server MUST reauthenticate the End-User even if the End-User is already authenticated.
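The prompt rules quoted here and the prompt=none error codes listed in the earlier issue are two halves of one decision, so here is a single added example covering both. It is not the plugin's code and not an implementation inside league/oauth2-server's grants; it is a framework-agnostic function that decides what the authorization endpoint must do next and builds the error redirect when prompt=none forbids the needed interaction. The session array shape, the action names and the `pending_interaction` case are this example's own assumptions.

```php
<?php
// Added example (not the plugin's code): prompt handling for an OIDC authentication
// request. $session is this example's own shape (assumption):
//   authenticated (bool), consent_granted (bool), account_count (int),
//   selected_account (?string), pending_interaction (bool, e.g. terms not yet accepted)
declare(strict_types=1);

/**
 * Returns ['action' => 'login'|'select_account'|'consent'|'interact'|'issue'] when the
 * request can proceed (possibly after showing UI), or ['error' => ..., 'error_description'
 * => ...] when prompt=none forbids the interaction that would be required.
 */
function decideAuthorizationStep(array $params, array $session): array
{
    $prompt = array_values(array_unique(array_filter(explode(' ', $params['prompt'] ?? ''))));
    $none = in_array('none', $prompt, true);

    // "none" MUST NOT be combined with any other prompt value (Core 3.1.2.1).
    if ($none && count($prompt) > 1) {
        return ['error' => 'invalid_request',
                'error_description' => 'prompt=none cannot be combined with other prompt values'];
    }

    // prompt=login forces re-authentication even when a session exists (Core 3.1.2.3).
    if (!$session['authenticated'] || in_array('login', $prompt, true)) {
        return $none
            ? ['error' => 'login_required', 'error_description' => 'End-User authentication is required']
            : ['action' => 'login'];
    }

    if (in_array('select_account', $prompt, true)
        || ($session['account_count'] > 1 && $session['selected_account'] === null)) {
        return $none
            ? ['error' => 'account_selection_required', 'error_description' => 'A session must be selected']
            : ['action' => 'select_account'];
    }

    if (!$session['consent_granted'] || in_array('consent', $prompt, true)) {
        return $none
            ? ['error' => 'consent_required', 'error_description' => 'End-User consent is required']
            : ['action' => 'consent'];
    }

    // Any other UI the OP needs (assumed example: a pending policy acknowledgement)
    // maps to the generic interaction_required.
    if (!empty($session['pending_interaction'])) {
        return $none
            ? ['error' => 'interaction_required', 'error_description' => 'End-User interaction is required']
            : ['action' => 'interact'];
    }

    return ['action' => 'issue'];
}

/**
 * Build the error redirect back to the client. The code flow returns the parameters in
 * the query component (Core 3.1.2.6); implicit and hybrid flows use the fragment
 * (3.2.2.6, 3.3.2.6). The caller MUST already have matched $redirectUri against the
 * client's registered URIs: never redirect an error to an unvalidated redirect_uri.
 */
function errorRedirect(string $redirectUri, string $responseType, array $error, ?string $state): string
{
    if ($state !== null) {
        $error['state'] = $state; // echoed unchanged so the client can correlate
    }
    $query = http_build_query($error, '', '&', PHP_QUERY_RFC3986);
    if (trim($responseType) === 'code') {
        return $redirectUri . (strpos($redirectUri, '?') === false ? '?' : '&') . $query;
    }
    return $redirectUri . '#' . $query;
}

// Constructed usage: a client checks session state with prompt=none while the user is
// logged out, which yields error=login_required in the code-flow query string.
$session = ['authenticated' => false, 'consent_granted' => false, 'account_count' => 1,
            'selected_account' => null, 'pending_interaction' => false];
$params = ['prompt' => 'none', 'response_type' => 'code', 'state' => 'af0ifjsldkj',
           'redirect_uri' => 'https://rp.example.org/cb'];
$outcome = decideAuthorizationStep($params, $session);
if (isset($outcome['error'])) {
    echo errorRedirect($params['redirect_uri'], $params['response_type'], $outcome, $params['state']), PHP_EOL;
}
```

The order of the checks matters: authentication is decided before account selection and consent, so a prompt=none caller always learns the first thing it would have to do interactively, and a prompt=login request is sent back through the login UI even when `$session['authenticated']` is true.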
Looking into using this but I'm a bit confused about the IdentityProviderInterface.
The method getUserEntityByIdentifier does not document/specify what exactly it should return.
IdTokenResponse::getExtraParams() defines that it should be UserEntityInterface object, but then goes on to call getClaims() which does not seem to be defined on any interface?
Maybe this should define something like a UserEntityWithClaimsInterface?
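Two earlier questions on this page ask for the same missing piece of wiring: a ScopeRepository that knows the openid scope (the issue above about needing to set it up by hand) and a concrete answer to what getUserEntityByIdentifier should return. The following added example shows both together; it is not the plugin's own code or README. The league/oauth2-server interfaces used are the 8.x ones, the per-client scope allow list and the inline user table are constructed stand-ins, and the ClaimSetInterface name should be checked against the version of the plugin you install (assumption).

```php
<?php
// Added example (not from the plugin): the openid-aware ScopeRepository and the user
// entity / identity provider pair the plugin's IdTokenResponse consumes. Interface
// signatures follow league/oauth2-server 8.x (assumption); the allow list and the
// user table are constructed sample data.
declare(strict_types=1);

use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Entities\Traits\ScopeTrait;
use League\OAuth2\Server\Entities\UserEntityInterface;
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
use OpenIDConnectServer\Entities\ClaimSetInterface;            // assumption: check the installed version
use OpenIDConnectServer\Repositories\IdentityProviderInterface;

final class ScopeEntity implements ScopeEntityInterface
{
    use EntityTrait;
    use ScopeTrait; // supplies jsonSerialize()

    public function __construct(string $identifier)
    {
        $this->setIdentifier($identifier);
    }
}

final class ScopeRepository implements ScopeRepositoryInterface
{
    /** Scopes this OP understands; "openid" must be present or no id_token is issued. */
    private const KNOWN = ['openid', 'profile', 'email'];

    public function getScopeEntityByIdentifier($identifier): ?ScopeEntityInterface
    {
        return in_array($identifier, self::KNOWN, true) ? new ScopeEntity($identifier) : null;
    }

    /**
     * Called by the grant before tokens are issued. Unknown or disallowed scopes are
     * dropped rather than silently granted (the per-client allow list is an assumption).
     */
    public function finalizeScopes(array $scopes, $grantType, ClientEntityInterface $clientEntity, $userIdentifier = null): array
    {
        $allowedForClient = ['openid', 'profile', 'email']; // look this up per client in practice
        return array_values(array_filter(
            $scopes,
            static fn (ScopeEntityInterface $s) => in_array($s->getIdentifier(), $allowedForClient, true)
        ));
    }
}

/** What getUserEntityByIdentifier() returns: a user entity that also exposes its claims. */
final class UserEntity implements UserEntityInterface, ClaimSetInterface
{
    use EntityTrait;

    /** @var array<string, mixed> */
    private $claims;

    public function __construct(string $identifier, array $claims)
    {
        $this->setIdentifier($identifier);
        $this->claims = $claims;
    }

    /** Claims offered to the id_token; the plugin filters them by the granted scopes. */
    public function getClaims(): array
    {
        return $this->claims;
    }
}

final class IdentityProvider implements IdentityProviderInterface
{
    /** Constructed sample data standing in for a user table. */
    private const USERS = [
        'u-1001' => ['email' => 'alice@example.org', 'email_verified' => true, 'name' => 'Alice'],
    ];

    public function getUserEntityByIdentifier($identifier): ?UserEntityInterface
    {
        return isset(self::USERS[$identifier])
            ? new UserEntity($identifier, self::USERS[$identifier])
            : null;
    }
}
```

Keeping `getClaims()` on the user entity rather than on the identity provider is what lets `IdTokenResponse` stay unaware of your user model; if claims must vary per client (as another issue here asks), the place to branch is inside the identity provider before the entity is built, since it is the only component that sees both the identifier and the request context you choose to pass in.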
Hi!
I'm trying to integrate this into our application.
My first use case is authenticating to Kubernetes. But Kubernetes expects an "id_token" as well as the "auth_token" (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), and it seems your IdTokenResponse should handle it.
It seems it creates a new RedirectResponse in ImplicitGrant, so getExtraParams is never called :/
Richard
Can you list, in the readme, the OIDC specs that your update implements?
Hi. Are there any plans to integrate this code into league/oauth2-server?