uisits / laravel-oidc
Shibboleth OIDC driver for Laravel Socialite
Requires
- illuminate/filesystem: ^9.0|^10.0
- illuminate/support: ^9.0|^10.0
- laravel/socialite: ^5.10
Requires (Dev)
- laravel/pint: ^1.10
- mockery/mockery: ^1.5
- orchestra/testbench: ^7.24|^8.5
- pestphp/pest: ^1.0|^2.6
- pestphp/pest-plugin-laravel: ^1.0|^2.0
- phpunit/phpunit: ^9.0|^10.1
README
This package extends Laravel's first-party Socialite package to authenticate and authorize users with Shibboleth.
Usage:
- Install the package:
    composer require uisits/laravel-oidc
- Optional: add the service provider to the config/app.php file:
    UisIts\Oidc\ShibbolethServiceProvider::class
- Important: run the package installer:
    php artisan shibboleth:install
- Set the environment variables in the .env file (check the config/shibboleth.php file for the keys it reads).
- Migrate the database:
    php artisan migrate
Note:
For authorization, set APP_AD_AUTHORIZE_GROUP in the .env file. You can check whether a user is an admin using gates or directly through the user model, e.g. in AuthServiceProvider:
    Gate::define('admin', function (User $user) {
        return $user->hasRole('admin');
    });
To check if a user is an admin you can then use either User::find($id)->hasRole('admin') or Gate::allows('admin').
Using SAML authentication
- Set the SAML environment variables
- Set the type property in config/shibboleth.php to saml
Using OIDC authentication
- Set the OIDC environment variables
- Set the type property in config/shibboleth.php to oidc
Set up authentication routes
Set the authentication routes in the routes/web.php file:
    use UisIts\Oidc\Http\Controllers\AuthController;

    Route::name('login')->get('login', [AuthController::class, 'login']);
    Route::name('callback')->get('/auth/callback', [AuthController::class, 'callback']);
    Route::name('logout')->get('/logout', [AuthController::class, 'logout']);
Authorization
- Define the AD group name in the .env file.
- You can configure the route to redirect to after successful authentication by overriding the redirect_to property in the config/shibboleth.php file.
- Set the name of the group in the config/shibboleth.php file under the authorization property:
    'authorization' => env('APP_AD_AUTHORIZE_GROUP', null)
- Add the HasRoles trait to the User model:
    use Illuminate\Foundation\Auth\User as Authenticatable;
    use Spatie\Permission\Traits\HasRoles;

    class User extends Authenticatable
    {
        use HasRoles;
    }
- In your app/AuthServiceProvider.php file you can now define gates, or check whether a user is an admin anywhere in the application, using the logic below:
    // In AuthServiceProvider
    Gate::define('admin', function (User $user) {
        return $user->hasRole('admin');
    });

    // OR, anywhere in the application
    $user->hasRole('admin');
You can extend the roles and permissions functionality to add new roles or permissions using the Spatie Permission package.
Token Introspection
For token introspection using OIDC, add the following middleware to the app/Http/Kernel.php file under the alias property:
    'introspect' => \UisIts\Oidc\Http\Middleware\Introspect::class,
Now you can use the middleware on your protected route as such:
    use Illuminate\Http\Request;
    use UisIts\Oidc\Http\Middleware\Introspect;

    Route::middleware(['introspect'])->get('/introspect', function (Request $request) {
        dump($request->bearerToken());
        dd(Introspect::getUserFromToken($request->bearerToken()));
    })->name('introspect');
Note: below is the response received when you get a user from a token:
    Introspect::getUserFromToken($request->bearerToken());

    array:8 [ // routes/api.php:24
      "sub" => "xyz@abc.org"
      "uisedu_is_member_of" => array:42 [ ... ]
      "uisedu_uin" => "123456789"
      "preferred_username" => "xyz"
      "given_name" => "John"
      "preferred_display_name" => "Doe, John"
      "family_name" => "Doe"
      "email" => "xyz@abc.org"
    ]
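The introspection route above only dumps the claims. As an added example that is not part of the uisits/laravel-oidc package, the route below uses the same Introspect::getUserFromToken() call and the uisedu_is_member_of claim shown in the response to enforce membership in the group configured under shibboleth.authorization, so a valid token from a user outside that group gets a 403 rather than the data. It assumes getUserFromToken() returns the array shape shown above and that the membership claim is a plain list of group names.

```php
<?php
// Added example, not part of the uisits/laravel-oidc package.
// Assumptions: Introspect::getUserFromToken() returns the claims array shown in
// the README (keys "sub", "uisedu_is_member_of", ...); "uisedu_is_member_of" is
// a list of group names; config('shibboleth.authorization') holds the AD group
// name taken from APP_AD_AUTHORIZE_GROUP.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use UisIts\Oidc\Http\Middleware\Introspect;

Route::middleware(['introspect'])->get('/api/reports', function (Request $request) {
    $claims = Introspect::getUserFromToken($request->bearerToken());

    // Defensive: anything that is not a claims array with a subject is treated
    // as unauthenticated, even though the middleware already ran.
    if (! is_array($claims) || empty($claims['sub'])) {
        abort(401, 'Token could not be introspected.');
    }

    $requiredGroup = config('shibboleth.authorization');
    $memberOf = (array) ($claims['uisedu_is_member_of'] ?? []);

    // Authorization is a separate decision from authentication: if no group is
    // configured, or the user is not in it, deny access with 403.
    if ($requiredGroup === null || ! in_array($requiredGroup, $memberOf, true)) {
        abort(403, 'Not a member of the authorized group.');
    }

    return response()->json([
        'user'   => $claims['preferred_username'] ?? $claims['sub'],
        'groups' => count($memberOf),
    ]);
})->name('api.reports');
```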
Code Style
You can use Laravel Pint to automatically fix code style issues:
./vendor/bin/pint
Testing
You can run the tests for the package using Pest:
./vendor/bin/pest
Issues and Concerns
Please open an issue on the GitHub repository with a detailed description and logs (if available).
In case of security concerns, please write an email to the UIS ITS ADDS Team.