glance-project/authorization-service

Abstraction on top of the CERN Authorization Service API

Maintainers

Details

gitlab.cern.ch/fence/common/authorization-service

Installs: 6 372

Dependents: 0

Suggesters: 0

Security: 0

v2.6.1 2025-08-20 08:44 UTC

Requires

Requires (Dev)

proprietary 2febc1925db81fa44aa5368910f2d26de8d50851

  • Mario Gunter Simao <mario.simao.woop@cern.ch>

This package is auto-updated.

Last update: 2025-08-20 08:45:06 UTC

README

This is an SDK to use CERN Authorization Service API.

Installation

Install using Composer:

composer require glance-project/authorization-service

Getting started

To use this library, you might need to have an application registered on Application Portal. If you do not know what this means, refer to the CERN Authorization Service documentation

With your application registered, you will use the Client ID and Client secret.

Usage

This library was designed to be used through several providers.

All providers can be created with application credentials or with an access token.

// Example of $inProduction. Adapt for your needs!
$inProduction = getenv("ENVIRONMENT") === "PRODUCTION";

$groupProvider = GroupProvider::createWithAppCredentials($clientId, $clientSecret, $inProduction);

$identityProvider = IdentityProvider::createWithAccessToken("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUziJ9...", $inProduction);

GroupProvider

GroupProvider::findGroupByIdentifier()

Find a group by the identifier.

A GroupNotFoundException is thrown if the group does not exist.

$group = $groupProvider->findGroupByIdentifier("fence-developers");

$group->identifier();     // "fence-developers"
$group->id()->toString(); // "08d771b2-78da-2fc0-fbd3-3816f92282c8"

GroupProvider::findApplicationIdByIdentifier()

Find the application Id by the application identifier. The output object type is ManagerId.

A FailedToFindApplicationException is thrown if the application does not exist.

$applicationId = $groupProvider->findApplicationIdByIdentifier("development-application");

GroupProvider::createStaticGroup()

Create a static group. Only the identifier, display name and description are required.

$group = $groupProvider->createStaticGroup(
    "test-group",                                                 // Identifier             (required)
    "A test group",                                               // Display name           (required)
    "This is a test group description",                           // Description            (required)
    GroupId::fromString("08d779a9-1e2c-72ad-52ff-45ff27e620c1"),  // Administrators group   (optional)
    Category::test(),                                             // Category               (optional)
    new DateTimeImmutable("2021-12-31"),                          // Expiration date        (optional)
    SelfSubscriptionPolicy::closed(),                             // Self subscription      (optional)
    PrivacyPolicy::groupAdministrators(),                         // Privacy policy         (optional)
    true,                                                         // Approval required      (optional)
    ManagerId::fromString("08d779a9-1e2c-72ad-52ff-45ff27e620c1") // Application manager id (optional)
);

GroupProvider::updateGroup()

Update a static group. Only the identifier is required.

$group = $groupProvider->updateGroup(
    "test-group",                                                 // Identifier             (required)
    "A test group",                                               // Display name           (optional)
    "This is a test group description",                           // Description            (optional)
    GroupId::fromString("08d779a9-1e2c-72ad-52ff-45ff27e620c1"),  // Administrators group   (optional)
    Category::test(),                                             // Category               (optional)
    new DateTimeImmutable("2021-12-31"),                          // Expiration date        (optional)
    SelfSubscriptionPolicy::closed(),                             // Self subscription      (optional)
    PrivacyPolicy::groupAdministrators(),                         // Privacy policy         (optional)
    true,                                                         // Approval required      (optional)
    ManagerId::fromString("08d779a9-1e2c-72ad-52ff-45ff27e620c1") // Application manager id (optional)
);

GroupProvider::deleteGroup()

Delete a group by the identifier.

$groupProvider->deleteGroup("fence-developers");

GroupProvider::synchronizeMembers()

Define the composition of a group using Identity IDs.

Members witch are not present on the given array of Identity IDs will be removed.

At the end, only the informed members will be part of the group.

$identityIds = $identityProvider->getIdsFromPersonIds([837034, 123456]);

$groupProvider->synchronizeMembers("fence-developers", $identityIds);

$members = $groupProvider->findMemberIdentities("fence-developers");

foreach ($members as $member) {
    echo $member->personId(); . "\n"
}

// Output:
// 837034
// 123456

GroupProvider::addMembersToGroup()

Add members to group without changing the whole group composition. The variable $ids can have both personIds and IdentityIds.

$groupProvider->addMembersToGroup("fence-developers", $ids);

GroupProvider::addMembersToGroupWithComments()

Add members and group members to group with comments. $membersGroups is expected to be an array of groups that should be added and $members, an array of members.

Here is an example: $membersGroups = [

[
    'id' => 'fence-developers'
    'comment => 'this is an example of id as group identifier'
],
[
    'id' => '08d779a9-1e2c-72ad-52ff-45ff27e620c1'
    'comment => 'this is an example of id as groupId'
],

]

$members = [

[
    'id' => 'lenzirafaella@gmail.com'
    'comment => 'this is an example of external user (id is email)'
],
[
    'id' => 'atglance'
    'comment => 'this is an example of service account (id is username)'
],
[
    'id' => '872957'
    'comment => 'this is an example of person (id is personId)'
]

]

$groupProvider->addMembersToGroupWithComments("fence-developers", $memberGroups, $members);

GroupProvider::removeMembersFromGroup()

Remove members from group without changing the whole group composition.

$identityIds = $identityProvider->getIdsFromPersonIds([ 837034 ]);

$groupProvider->removeMembersFromGroup("fence-developers", $identityIds);

GroupProvider::findMemberIdentities()

Find members which are inside group. Returns an array of Identity objects.

$members = $groupProvider->findMemberIdentities("fence-developers");

foreach ($members as $member) {
    $member->personId();
    $member->displayName();
}

GroupProvider::findMemberGroupsFromGroup()

An exception will be thrown if there is no matching groupId or if the method fails.

$groups = $groupProvider->findMemberGroupsFromGroup("59edf297-bd07-4000-904d-80cc6288004a");

foreach ($groups as $group) {
    echo $group->toString() . "\n";
}

// Output:
// 59edf297-bd07-4000-904d-80cc6288004a
// dbcd6647-fd50-493e-9162-635f355794d4

GroupProvider::removeMemberGroupsFromGroup()

Removes member groups from a group. The variable $ids can have both identifiers and GroupIds

$groupProvider->removeMemberGroupsFromGroup("fence-developers", $ids);

GroupProvider::removeAllMembersFromGroup()

An exception will be thrown if there is no matching groupId/identifier or if the method fails.

$groupProvider->removeAllMembersFromGroup("fence-developers");

GroupProvider::removeAllMemberGroupsFromGroup()

An exception will be thrown if there is no matching groupId/identifier or if the method fails.

$groupProvider->removeAllMemberGroupsFromGroup("fence-developers");

GroupProvider::removeAllMembersAndAllGroupMembersFromGroup()

An exception will be thrown if there is no matching groupId/identifier or if the method fails.

$groupProvider->removeAllMembersAndAllGroupMembersFromGroup("fence-developers");

GroupProvider::addMemberGroupsToGroup()

Add member groups to group without changing the whole group composition. The variable $ids can have both identifiers and GroupIds.

$groupProvider->addMemberGroupsToGroup("fence-developers", $ids);

GroupProvider::transferGroupOwnership()

Transfer group ownership. The variable $newOwnerIdentity is expected to be type IdentityId.

$groupProvider->addMemberGroupsToGroup("fence-developers", $newOwnerIdentity);

GroupProvider::setGroupMailProperties()

Set the Mail Properties of a group. The variable $mailProperties is expected to be type MailProperties.

$groupProvider->setGroupMailProperties("fence-developers", $mailProperties);

GroupProvider::getGroupMailProperties()

Get the Mail Properties of a group. This method returns an array with the Mail Properties of a group.

$groupProvider->getGroupMailProperties("fence-developers");

GroupProvider::getCurrentMembersOfGroup()

Get the current members of a group.

$groupProvider->getCurrentMembersOfGroup("fence-developers");

GroupProvider::getCurrentMemberGroupsOfGroup()

Get the current member groups of a group.

$groupProvider->getCurrentMemberGroupsOfGroup("fence-developers");

GroupProvider::setGroupScope()

Set the group scope of a group. The $scope variable is expected to be type Scope.

$groupProvider->setGroupScope("fence-developers", $scope);

GroupProvider::setGroupModerator()

Set a group as moderator of a group by its identifier.

$groupProvider->setGroupModerator("fence-developers", $moderatorGroupIdentifier);

GroupProvider::removeGroupModerator()

Remove a moderator from a group by its identifier.

$groupProvider->removeGroupModerator("fence-developers", $moderatorGroupIdentifier);

GroupProvider::getGroupModerators()

Gets all moderators of a group.

$groupProvider->getGroupModerators("fence-developers");

GroupProvider::setGroupReader()

Set a group as reader of a group by its identifier.

$groupProvider->setGroupReader("fence-developers", $readerGroupIdentifier);

GroupProvider::removeGroupReader()

Remove a group reader from a group by its identifier.

$groupProvider->removeGroupReader("fence-developers", $readerGroupIdentifier);

GroupProvider::getGroupReaders()

Gets all group readers of a group.

$groupProvider->getGroupReaders("fence-developers");

IdentityProvider

IdentityProvider::getIdsFromPersonIds()

Get Identity IDs from given Person IDs.

When it is not possible to get a Identity ID, a FailedToFindIdentityIdException is thrown.

If you want a result with only the found IDs, refer to IdentityProvider::findIdsFromPersonIds().

$ids = $identityProvider->getIdsFromPersonIds([837034, 823204]);

foreach ($ids as $id) {
    echo $id->toString() . "\n";
}

// Output:
// 59edf297-bd07-4000-904d-80cc6288004a
// dbcd6647-fd50-493e-9162-635f355794d4

IdentityProvider::findIdsFromPersonIds()

Finds Identity IDs from given Person IDs.

When it is not possible to get a Identity ID, it is skipped and only the found IDs are returned.

If you want a method which throws an exception, refer to IdentityProvider::getIdsFromPersonIds().

$ids = $identityProvider->findIdsFromPersonIds([837034, 123456]); // 123456 does not exist

foreach ($ids as $id) {
    echo $id->toString() . "\n";
}

// Output:
// 59edf297-bd07-4000-904d-80cc6288004a

IdentityProvider::searchByName()

$identities = $identityProvider->searchByName("Mar");

foreach ($identities as $identity) {
    echo $identity->displayName() . "\n";
}

// Output:
// Mario Gunter Simao
// Marcelo Teixeira dos Santos

IdentityProvider::findByPersonId()

An exception will be thrown if there is no matching personId or if the method fails.

$identity = $identityProvider->findByPersonId(837034);

echo $identity->displayName();

// Output:
// Mario Gunter Simao

IdentityProvider::findByIdentityId()

An exception will be thrown if there is no matching identityId or if the method fails.

$identity = $identityProvider->findByIdentityId("59edf297-bd07-4000-904d-80cc6288004a");

echo $identity->displayName();

// Output:
// Mario Gunter Simao

GroupService

Service created to avoid instantiating different providers outside the bundle. This approach maintains the integrity of the GroupProvider and IdentityProvider by ensuring that one provider does not call another directly. Whenever a new method is added to either provider, it should also be incorporated into the GroupService.