itk-dev/openid-connect

OpenID connect configuration package

3.0.0 2022-01-05 12:11 UTC

This package is auto-updated.

Last update: 2022-05-05 13:32:59 UTC


README

Github Release PHP Version Build Status Codecov Code Coverage Read License Package downloads on Packagist

Composer package for configuring OpenID Connect via OpenID Connect Discovery document.

This library is made and tested for use with Azure AD B2C but should be usable for other OpenID Connect providers.

References

Usage

Framework

If you are looking to use this in a Symfony or Drupal project you should use either:

Direct Installation

To install this library directly run

composer require itk-dev/openid-connect

To use the library you must provide a cache implementation of PSR-6: Caching Interface. Look to PHP Cache for documentation and implementations.

Direct usage

Flow

When a user wishes to authenticate themselves, we create an instance of OpenIdConfigurationProvider and redirect them to the authorization url this provides. Here the user can authenticate and if successful be redirected back the redirect uri provided. During verification of the response from the authorizer we can extract information about the user from the id_token, depending on which claims are supported.

Configuration

To use the package import the namespace, create and configure a provider

require_once __DIR__.'/vendor/autoload.php';

use ItkDev\OpenIdConnect\Security\OpenIdConfigurationProvider;

$provider = new OpenIdConfigurationProvider([
    'redirectUri' => 'https://some.url', // Absolute url to where the user is redirected after a successful login            
    'openIDConnectMetadataUrl' => 'https:/.../openid-configuration', // url to OpenId Discovery document
    'cacheItemPool' => 'Psr6/CacheItemPoolInterface', // Implementation of CacheItemPoolInterface for caching above discovery document
    'clientId' => 'client_id', // Client id assigned by authorizer
    'clientSecret' => 'client_secret', // Client password assigned by authorizer
    // optional values
    'leeway' => 30 // Defaults to 10 (seconds)
    'cacheDuration' => 3600 // Defaults to 86400 (seconds)
 ]);
Leeway

To account for clock skew times between the signing and verifying servers, you can set a leeway when configuring the provider. It is recommended that leeway should not be bigger than a few minutes.

Defaults to 10 seconds

For more information see the following:

Non-authorized requests

Non-authorized requests should be redirected to the authorization url.

To generate the authorization url you must supply "state" and "nonce":

State:
"A value included in the request that's also returned in the token response. It can be a string of any content that you want. A randomly generated unique value is typically used for preventing cross-site request forgery attacks. The state is also used to encode information about the user's state in the application before the authentication request occurred, such as the page they were on."

Nonce:
"A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request."

See: Send authentication requests

You must persist these locally so that they can be used to validate the token when the user is redirected back to your application.

// Get "state" and "nonce"
$state = $provider->generateState();
$nonce = $provider->generateNonce();

// Save to session
$session->set('oauth2state', $state);
$session->set('oauth2nonce', $nonce);

$authUrl = $provider->getAuthorizationUrl(['state' => $state, 'nonce' => $nonce]);

// redirect to $authUrl

Note that the default response type and mode is set in OpenIdConfigurationProvider.php

'response_type' => 'id_token',
'response_mode' => 'query',

Verify authorized requests

The authorization service will redirect the user back to the redirectUri. This should be an endpoint in your application where you validate the token and the user.

Load the "state" and "nonce" from local storage and validate against the request values

// Validate that the request state and session state match
$sessionState = $this->session->get('oauth2state');
$this->session->remove('oauth2state');
if (!$sessionState || $request->query->get('state') !== $sessionState) {
    throw new ValidationException('Invalid state');
}

// Validate the id token. This will validate the token against the keys published by the 
// provider (Azure AD B2C). If the token is invalid or the nonce doesn't match an
// exception will thrown.
try {
    $claims = $provider->validateIdToken($request->query->get('id_token'), $session->get('oauth2nonce'));
    // Authentication successful
} catch (ItkOpenIdConnectException $exception) {
    // Handle failed authentication
} finally {
    $this->session->remove('oauth2nonce');
}

Development Setup

A docker-compose.yml file with a PHP 7.4 image is included in this project. To install the dependencies you can run

docker compose up -d
docker compose exec phpfpm composer install

Unit Testing

A PhpUnit/Mockery setup is included in this library. To run the unit tests:

docker compose exec phpfpm composer install
docker compose exec phpfpm ./vendor/bin/phpunit

The test suite uses Mockery in order mock public static methods in 3rd party libraries like the JWT::decode method from firebase/jwt.

Psalm static analysis

Where using Psalm for static analysis. To run psalm do

docker compose exec phpfpm composer install
docker compose exec phpfpm ./vendor/bin/psalm

Check Coding Standard

The following command let you test that the code follows the coding standard for the project.

  • PHP files (PHP-CS-Fixer)

    docker compose exec phpfpm composer check-coding-standards
  • Markdown files (markdownlint standard rules)

    docker run -v ${PWD}:/app itkdev/yarn:latest install
    docker run -v ${PWD}:/app itkdev/yarn:latest check-coding-standards

Apply Coding Standards

To attempt to automatically fix coding style

  • PHP files (PHP-CS-Fixer)

    docker compose exec phpfpm composer apply-coding-standards
  • Markdown files (markdownlint standard rules)

    docker run -v ${PWD}:/app itkdev/yarn:latest install
    docker run -v ${PWD}:/app itkdev/yarn:latest check-coding-standards

CI

Github Actions are used to run the test suite and code style checks on all PR's.

If you wish to test against the jobs locally you can install act. Then do:

act -P ubuntu-latest=shivammathur/node:latest pull_request

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

License

This project is licensed under the MIT License - see the LICENSE.md file for details