okta/sdk

PHP Wrapper for the Okta API

1.3.0 2021-03-03 22:01 UTC

README

Build Status Codecov License Support

Installation

okta-sdk-php is available on Packagist as the okta/sdk package.

Run composer require okta/sdk from the root of your project in terminal, and you are done.

Client Initialization

Once you have the SDK installed in your project, you will need to instantiate a Client object. We follow the builder pattern for building a Client. You can create a Client by calling the ClientBuilder and relying on the ~/.okta/okta .yaml file for the settings

$client = (new \Okta\ClientBuilder())
            ->build();

By default, The client builder will look for a file in your home directory with the Okta properties you want to use. This file should be placed at ~/.okta/okta.yaml. If at this location, you do not need to define the location during initialization. If you are unable to place the file there, or you are on a Windows based machine, you will have to define the location of this file manually if you want to use the file.

$client = (new \Okta\ClientBuilder())
            ->setConfigFileLocation('path/to/okta.yaml')
            ->build();

If you need to override any of the defaults from your ~/.okta/okta.yaml file, or you do not have one, you can set the properties on the client builder directly. The minimum required properties are your token and organization url.

$client = (new \Okta\ClientBuilder())
            ->setToken('YourApiToken')
            ->setOrganizationUrl('https://dev-123456.oktapreview.com')
            ->build();

Changing your Http Client Instance

The Okta PHP SDK follows PSR-7 standards for HTTP Messages. We are using Httplug which allows you to change out to any PSR-7 compliant Http Client. Create a new instance of a Http\Client\HttpClient implementation and pass it into the client builder.

$client = (new \Okta\ClientBuilder())
            ->setHttpClient(new Http\Client\HttpClient())
            ->build();

OAuth 2.0

Okta allows you to interact with Okta APIs using scoped OAuth 2.0 access tokens. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by which scopes the access token contains.

This SDK supports this feature only for service-to-service applications. Check out our guides to learn more about how to register a new service application using a private and public key pair.

When using this approach you won't need an API Token because the SDK will request an access token for you. In order to use OAuth 2.0, construct a client instance by passing the following parameters:

$client = (new \Okta\ClientBuilder)
            ->setAuthorizationMode(new \Okta\Utilities\AuthorizationMode(\Okta\Utilities\AuthorizationMode::PRIVATE_KEY))
            ->setClientId({{clientId}})
            ->setScopes("okta.users.read okta.apps.read")
            ->setPrivateKey("{{PEM PRIVATE KEY BLOCK}}")
            ->build();

Users

Finding a user by id

$user = new \Okta\Users\User();
$foundUser = $user->get('00uak5dkxjhg4AQ230h7');
dump($foundUser);

Finding a user by email

$user = new \Okta\Users\User();
$foundUser = $user->get('email@example.com');
dump($foundUser);

Creating a User

$user = new \Okta\Users\User();
$profile = new \Okta\Users\UserProfile();

$profile->setFirstName('John')
    ->setLastName('User')
    ->setLogin('auser@example.com')
    ->setEmail('auser@example.com');
$user->setProfile($profile);

$credentials = new \Okta\Users\UserCredentials();

$password = new \Okta\Users\PasswordCredential();
$password->setValue('Abcd1234!');

$recoveryQuestion = new \Okta\Users\RecoveryQuestionCredential();
$recoveryQuestion->setQuestion('What Language do I write in?')
    ->setAnswer('PHP!');


$provider = new \Okta\Users\AuthenticationProvider();
$provider->setName('OKTA')
    ->setType('OKTA');


$credentials->setPassword($password);
$credentials->setRecoveryQuestion($recoveryQuestion);
$credentials->setProvider($provider);


$user->setCredentials($credentials);


$user->create();

Update user profile

Our SDK allows you to fill in the default profile fields, as well as other dynamic fields that you create in your profile.

$user = new \Okta\Users\User();
$foundUser = $user->get('00unz7r7oRzov7Hm55d6');
$profile = $foundUser->getProfile();
$profile->middleName = 'Middle Name';
$foundUser->setProfile($profile);
$foundUser->save();

Pagination and Collections

All of our calls that return a set of items will return a Collection object. The collection object we built on top of is the tightenco/collect object.

Getting all users

$users = (new \Okta\Okta)->getUsers();

// get the first user in the collection
$firstUser = $users->first();

Narrowing Responses

To start at the second entry and get the next two items:

$users = (new \Okta\Okta)->getUsers(['query' => ['limit' => 2, 'after' => 2]]);

Caching

The Okta PHP SDK allows any resource with a self link to be cached by default. The SDK uses any PSR-6 caching adaptor that you would like to use. By default, we ship with the filesystem cache pool with the flysystem memory adaptor. By doing this, there is no need to configure anything, however, if you would like to run with your own Cache strategy, or change how the default works, you are able to swap out the Cache Manager. Create a new Cache Manager that extends the base \Okta\Cache\CacheManager class, and call the parent setCachePool() method. This should be called with an instance of a PSR-6 compliant cache pool implementation. Once created, you can swap out the manager using the ClientBuilder class

$clientBuilder = new ClientBuilder();
        $clientBuilder->setCacheManager(new MyCacheManager());
        $client = $clientBuilder->build();

Contents of the okta.yaml File

okta:
  client:
    orgUrl: "https://{yourOktaDomain}"
    token: "{token}"

When you use OAuth 2.0 the full YAML configuration looks like:

okta:
  client:
    connectionTimeout: 30 # seconds
    orgUrl: "https://{yourOktaDomain}"
    proxy:
      port: null
      host: null
      username: null
      password: null
    authorizationMode: "PrivateKey"
    clientId: "{yourClientId}"
    Scopes:
      - scope.1
      - scope.2
    PrivateKey: "{PEM PRIVATE KEY}"
    requestTimeout: 0 # seconds
    rateLimit:
      maxRetries: 4

You can pass the path to your private key pem file as well instead of copying the pem string into the YAML configuration E.g PrivateKey: /Path/to/privateKey.pem

For information on what can go into the query property, visit our documentation