digitalcz/openid-connect
最新稳定版本:v1.1.0
Composer 安装命令:
composer require digitalcz/openid-connect
包简介
PHP implementation of OpenID Connect using symfony/contracts
README 文档
README
PHP implementation of OpenID Connect using symfony/contracts
Install
Via Composer
$ composer require digitalcz/openid-connect
Usage
Initialization
Using the OIDC discovery endpoint
use DigitalCz\OpenIDConnect\OidcFactory; use Symfony\Component\HttpClient\HttpClient; $httpClient = HttpClient::create(); $oidc = OidcFactory::create( httpClient: $httpClient, issuer: 'https://auth.example.com', clientId: 'my-client-id', clientSecret: 'my-client-secret', redirectUri: 'https://myapp.example.com/callback', );
Using manual issuer configuration
use DigitalCz\OpenIDConnect\OidcFactory; use DigitalCz\OpenIDConnect\Config\IssuerMetadata; use Symfony\Component\HttpClient\HttpClient; $httpClient = HttpClient::create(); $issuerMetadata = new IssuerMetadata([ 'authorization_endpoint' => 'https://auth.example.com/authorize', 'token_endpoint' => 'https://auth.example.com/token', 'jwks_uri' => 'https://auth.example.com/.well-known/jwks.json', 'issuer' => 'https://auth.example.com', ]); $oidc = OidcFactory::create( httpClient: $httpClient, issuer: $issuerMetadata, clientId: 'my-client-id', clientSecret: 'my-client-secret', redirectUri: 'https://myapp.example.com/callback', );
Configuration Options
The OidcFactory::create() method accepts the following configuration options:
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
httpClient | HttpClientInterface | ✓ | - | HTTP client for making requests |
issuer | string|array|IssuerMetadata | ✓ | - | Issuer URL for discovery, metadata array, or IssuerMetadata instance |
clientId | string | ✓ | - | OAuth2/OIDC client identifier |
clientSecret | string|null | - | null | OAuth2/OIDC client secret (required for some authentication methods) |
redirectUri | string|null | - | null | Redirect URI for authorization code flow |
defaultScopes | string|array | - | ['openid', 'profile', 'email'] | Default scopes to request (space-separated string or array) |
authenticationMethod | string|AuthenticationMethod | - | client_secret_post | Client authentication method for token endpoint |
pkceMethod | string|PkceMethod | - | S256 | PKCE method for authorization code flow (S256, plain, or none) |
cache | CacheInterface|null | - | null | Optional cache for storing discovery metadata and JWKS |
clock | ClockInterface | - | SimpleClock | Clock implementation for time-based operations |
cacheSecret | string | - | 'default-oidc-cache-secret' | Secret used for HMAC-based cache key generation |
privateKey | string|null | - | null | PEM-encoded private key for private_key_jwt authentication |
privateKeyJwk | JWK|null | - | null | JWK private key for private_key_jwt authentication (alternative to privateKey) |
tokenEndpointAuthSigningAlg | string|null | - | null | Signature algorithm for client assertion JWT (e.g., 'HS256', 'RS256') |
clientAssertionAudience | string|null | - | null | Audience claim for client assertion JWT. Special values: '{issuer}', '{token_endpoint}', or custom URL |
Authentication Methods
client_secret_post- Send client credentials in POST bodyclient_secret_basic- Send client credentials in Authorization headerclient_secret_jwt- Use JWT signed with client secretprivate_key_jwt- Use JWT signed with private keynone- No client authentication (public clients)
Authorization Code flow
Step 1 - Redirect the user to authorization endpoint
$authorizationCode = $oidc->authorizationCode(); $url = $authorizationCode->createAuthorizationUrl([ 'state' => 'random-state', 'nonce' => 'random-nonce' ]); // Redirect user to $url
Step 2 - Handle the callback and exchange code for tokens
// Get the authorization code from the callback URL $code = $_GET['code']; $nonce = 'random-nonce'; // Same nonce used in step 1 $tokens = $authorizationCode->fetchTokens($code, $nonce); echo "Access Token: " . $tokens->accessToken() . PHP_EOL; echo "ID Token: " . $tokens->idToken() . PHP_EOL; echo "Refresh Token: " . $tokens->refreshToken() . PHP_EOL;
Client Credentials flow
$clientCredentials = $oidc->clientCredentials(); $tokens = $clientCredentials->fetchTokens(); echo "Access Token: " . $tokens->accessToken() . PHP_EOL;
Resource Server (Token Validation)
use DigitalCz\OpenIDConnect\ResourceServer\JwtAccessToken; use DigitalCz\OpenIDConnect\ResourceServer\OpaqueAccessToken; use DigitalCz\OpenIDConnect\Util\JWT; $resourceServer = $oidc->resourceServer(); $accessToken = new JwtAccessToken($jwt); $validatedToken = $resourceServer->introspect($accessToken); echo "Token is valid for subject: " . $validatedToken->sub() . PHP_EOL; echo "Token expires at: " . date('Y-m-d H:i:s', $validatedToken->exp()) . PHP_EOL;
See examples for more complete examples
Testing
$ composer csfix # fix codestyle $ composer checks # run all checks # or separately $ composer tests # run phpunit $ composer phpstan # run phpstan $ composer cs # run codesniffer
Contributing
Please see CONTRIBUTING for details.
Security
If you discover any security related issues, please email devs@digital.cz instead of using the issue tracker.
Credits
License
The MIT License (MIT). Please see License File for more information.
统计信息
- 总下载量: 17.84k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 5
- 点击次数: 3
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-01-04