steverhoades / oauth2-openid-connect-server Goto Github PK

Hi any usage example / tutorial on how to use with phpleauge oauth2 server? I read your readme.md but not really understand how to use it

Relying parties who want to check the id_token validity against the public key issue a GET /ket/set on the OpenId Authorization Server/Provider.

We need a service to reply to this request with the public key.

Changes to make it work with new versions of Lcobucci/JWT library

I am looking into a way of passing the nonce parameter through as discussed here:
thephpleague/oauth2-server#962

Any idea on how we can implement this, as it's required by the spec here: https://openid.net/specs/openid-connect-core-1_0.html

Drupal 10.1.0 requires psr/http-message:^2.0, so for Simple OAuth module we need to bump up league/oauth2-server to 8.5.3 see: https://www.drupal.org/project/simple_oauth/issues/3364376 and thephpleague/oauth2-server#1339. At the same time league/oauth2-server:8.5.3 requires lcobucci/jwt:^4.3, while steverhoades/oauth2-openid-connect-server only allows: 4.1.5|^4.2.

Can you please write, where configurations must be made? For example, paths // etc ?

Can it be added to laravel passport?

In addition to the OAuth2 specification for error codes the OpenID Connect specification defines the following:

interaction_required
The Authorization Server requires End-User interaction of some form to proceed. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User interaction.
login_required
The Authorization Server requires End-User authentication. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User authentication.
account_selection_required
The End-User is REQUIRED to select a session at the Authorization Server. The End-User MAY be authenticated at the Authorization Server with different associated accounts, but the End-User did not select a session. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface to prompt for a session to use.
consent_required
The Authorization Server requires End-User consent. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User consent.
invalid_request_uri
The request_uri in the Authorization Request returns an error or contains invalid data.
invalid_request_object
The request parameter contains an invalid Request Object.
request_not_supported
The OP does not support use of the request parameter defined in Section 6.
request_uri_not_supported
The OP does not support use of the request_uri parameter defined in Section 6.
registration_not_supported
The OP does not support use of the registration parameter defined in Section 7.2.1.

http://openid.net/specs/openid-connect-core-1_0.html#AuthError

Related to #9, it seems Packagist isn't set up to automatically pull down new versions of this repository as it's updated. Packagist did switch a while back from one form of GitHub integration to another, so it could be that this needs to be updated.

Since league/oauth2-server is not saving an in memory key to a temporary file anymore, the IdTokenResponse is failing. I've reported the BC-break in thephpleague/oauth2-server#1240, but I think it would be good to fix it in this package, too.

I've been trying your library and the example you have given and I found out that somehow I still need to setup the ScopeRepository to include the openid scope for an openid client to work.

I think you can either point this out in your example or maybe you can provide a default ScopeRepository implementation that automatically include the openid scope.

Seems like you have a problem with your composer.json and packagist is not updating anymore.

bash$ composer validate
./composer.json is valid for simple usage with composer but has
strict errors that make it unable to be published as a package:
See https://getcomposer.org/doc/04-schema.md for details on the schema
description : The property description is required
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.

You should have more information in your packagist account. If you want to I can send you a PR adding the MIT License and a description.

Hi there, I was just wondering if you could cut a new tag for the 6 commits since the last release. I was hoping to avoid forking the repo or pointing composer directly at the master branch. Thanks!

Which branch should one use?
Packagist lists 0.3 as the latest but seems like master branch is ahead of it.
Is master branch ready to use?

Hi,

I installed the package in my symfony project, but the requirement for lcobucci/jwt:4.1.5 force the downgrade of this lib from 4.2.1.
Is there any reason to have this requirement ? Do you want a PR with the new version ?

Regards,

The lcobucci/jwt package is upgraded to version 4 in laravel/passport via league/oauth2-server.

Following the upgrade guide: https://lcobucci-jwt.readthedocs.io/en/latest/upgrading/#v3x-to-v4x

(new Builder()) should become $config->builder().

Do you have a roadmap for this implementation?

For example:

• implement the /.well-known/openid-configuration handler
• implement a token-introspection handler
• ...

The examples depend on Zendframework/zend-diactoros which has been abandoned.

https://packagist.org/packages/zendframework/zend-diactoros

Packagist says it has been replaced by: laminas/laminas-diactoros

https://github.com/laminas/laminas-diactoros

Can someone who is comfortable with oauth2-openid-connect-server make the package replacement in the examples and ensure they are still functioning correctly?

p.s. I am brand new to openid connect in general and not even an experienced composer user, so I'm definitely not qualified to start tinkering with this framework.

First of all, thanks for all the work you did for this library.

In the app we're building with this package, we've run into a situation where we'd like to differentiate claims based on which client is authenticating (the same user may authenticate under different clients and needs different claims, in our case specifically, different access roles to the client. E.g. a user could be an admin in one client but only a user in the other).

As far as I can tell, there's no straight forward way to do this, seeing as the IdentityProvider interface only uses the user identifier from the access token.

Do you see a more straight forward way of doing this? Currently, I'm thinking I need to extend the IdTokenResponse and change the IdentityProvider::getUserEntityByIdentifier method to use the full AccessToken instead of just the user identifier, so we can get the client from the access token.

Hello,

The project suggests it will work with lower versions of PHP, however, cannot because of JWT 4.1.5 requirement. I believe JWT 3.4.6 is not only an API compatibility layer with 4.x but also has requisite security fixes applied that were applied to 4.1.5. Would it be possible to add 3.4.6 explicitly to the versions of JWT allowed?

Add support for the specific OpenID Connect request paramters:
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

Per the specification:

The Authorization Server MUST attempt to Authenticate the End-User in the following cases:

The End-User is not already Authenticated.
The Authentication Request contains the prompt parameter with the value login. In this case, the Authorization Server MUST reauthenticate the End-User even if the End-User is already authenticated.

Looking into using this but I'm a bit confused about the IdentityProviderInterface.

The method getUserEntityByIdentifier does not document/specify what exactly it should return.

IdTokenResponse::getExtraParams() defines that it should be UserEntityInterface object, but then goes on to call getClaims() which does not seem to be defined on any interface?

Maybe this should define something like a UserEntityWithClaimsInterface?

Hi!

I'm trying to integrate this into our application.

My first usecase is authenticate to kubernetes. But Kubernetes expect a "id_token" as well as the "auth_token", (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens). And it seems your IdTokenResponse should handle it.

It seems creates a new RedirectResponse in ImplicitGrant, so the getExtraParams is never called :/

Richard

Can you list, in the readme, the OIDC specs that your update implements?

Hi. Are there any plans to integrate this code into league/oauth2-server?