muffycompo/oidconnect-laravel

OpenID Connect client library for Laravel Framework

dev-master 2017-12-07 22:36 UTC

README

The OpenIDConnect Laravel package is meant to provide you an opportunity to easily authenticate users using OpenID Connect protocol.

Latest Stable Version Latest Unstable Version Total Downloads License

Installation

To install this package you will need:

  • Laravel 5.5+
  • PHP 7.1+

Use composer to install

composer require muffycompo/oidconnect-laravel:dev-master

Open config/app.php and register the required service providers above your application providers.

'providers' => [
    ...
    Laravel\Socialite\SocialiteServiceProvider::class,
    Furdarius\OIDConnect\ServiceProvider::class
    ...
]

If you'd like to make configuration changes in the configuration file you can pubish it with the following Aritsan command:

php artisan vendor:publish --provider="Furdarius\OIDConnect\ServiceProvider"

After that, roll up migrations:

php artisan migrate

Usage

Configuration

At first you will need to add credentials for the OpenID Connect service your application utilizes. These credentials should be placed in your config/opidconnect.php configuration file.

<?php

return [
    'client_id' => 'CLIENT_ID_HERE',
    'client_secret' => 'CLIENT_SECRET_HERE',
    'redirect' => env('APP_URL') . '/auth/callback',
    'auth' => 'https://oidc.service.com/auth',
    'token' => 'https://oidc.service.com/token',
    'keys' => 'https://oidc.service.com/keys',
];

Endpoints

Now, your app has auth endpoints:

  • GET /auth/redirect - Used to redirect client to Auth Service login page.
  • GET /auth/callback - Used when Auth Service redirect client to callback url with code.
  • POST /auth/refresh - Used by client for ID Token refreshing.

Middleware

You need to use Auth Middleware on protected routes. Open App\Http\Kernel and register middleware in $routeMiddleware:

protected $routeMiddleware = [
    'token' => \Furdarius\OIDConnect\TokenMiddleware::class
];

And then use it as usual:

Route::middleware('token')->get('/protected-resource', function (Illuminate\Http\Request $request) {
    return "You are on protected zone";
});

User Auth

Create your own StatelessGuard and setup it in config/auth.php. Example:

Guard:

<?php

namespace App\Auth;

use Illuminate\Auth\AuthenticationException;
use Illuminate\Auth\GuardHelpers;
use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Contracts\Auth\Guard;
use Illuminate\Support\Traits\Macroable;

class StatelessGuard implements Guard
{
    use GuardHelpers, Macroable;

    /**
     * @return \Illuminate\Contracts\Auth\Authenticatable
     * @throws AuthenticationException
     */
    public function user()
    {
        if (null === $this->user) {
            throw new AuthenticationException('Unauthenticated user');
        }

        return $this->user;
    }

    /**
     * @param array $credentials
     * @return bool
     */
    public function validate(array $credentials = [])
    {
        return $this->user instanceof Authenticatable;
    }
}

Config (config/auth.php):

'defaults' => [
    'guard' => 'stateless',
    'passwords' => 'users',
],

...

'guards' => [
    'stateless' => [
        'driver' => 'stateless'
    ]
],

Then implement own Authenticator. Example:

<?php

namespace App\Auth;

use App\User;
use Furdarius\OIDConnect\Contract\Authenticator;
use Furdarius\OIDConnect\Exception\AuthenticationException;
use Lcobucci\JWT\Token\DataSet;

class PersonAuthenticatorAdapter implements Authenticator
{
    /**
     * @param DataSet $claims
     *
     * @return void
     */
    public function authUser(DataSet $claims)
    {
        $email = $claims->get('email');
        if (!$email) {
            throw new AuthenticationException('User\'s email not present in token');
        }

        $model = new User(['email' => $email]);

        \Auth::setUser($model);
    }
}

And implement auth guard service provider. Example:

<?php

namespace App\Auth;

use Furdarius\OIDConnect\Contract\Authenticator;
use Illuminate\Support\ServiceProvider;

class AuthenticatorServiceProvider extends ServiceProvider
{
    /**
     * Bootstrap any application services.
     *
     * @return void
     */
    public function boot()
    {
        \Auth::extend('stateless', function () {
            return new StatelessGuard();
        });
    }

    /**
     * Register any application services.
     *
     * @return void
     */
    public function register()
    {
        $this->app->singleton(Authenticator::class, function ($app) {
            return new PersonAuthenticatorAdapter();
        });
    }
}

Then register it in config/app.php:

'providers' => [
    ...
    App\Auth\AuthenticatorServiceProvider::class,
    ...
]

Now you can use \Auth::user(); for getting current user information.