Skip to content

umich-iam/sso-examples-oidc-php-oidc

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

docker-compose.env

docker-compose.env

 
 

docker-compose.yml

docker-compose.yml

 
 

index.php

index.php

 
 

runapache

runapache

 
 

server.conf

server.conf

 
 

server.crt

server.crt

 
 

server.key

server.key

 
 

Repository files navigation

Example PHP Application using JumboJett OpenID Connect library

The jumbojett/OpenID-Connect-PHP git repository contains a sample application that demonstrates how to use this implementation of the OpenID Connect (OIDC) library in PHP.

To use this sample application in the U-M ITS Virtual Web Hosting environment, you will need to request a virtual host through the ITS Virtual Hosting service:

You will also need to obtain a SSL/TLS certificate for your site as your site should only support HTTPS (no insecure HTTP traffic).

A full step-by-step explanation of how to obtain AFS space, a Virtual Host, SSL/TLS certificate, and DNS entry for your site are beyond the scope of this how-to.

After you have the above components created for you and configured, you can set up your site to use the sample application to exercise the jumbojett OpenID Connect PHP library via the following steps:

  • Clone repo jumbojett/OpenID-Connect-PHP

    git clone https://github.com/jumbojett/OpenID-Connect-PHP.git

  • Copy client_example.php into your application's document root

    cp OpenID-Connect-PHP/client_example.php [document root]/.

  • Use Composer to install the JumboJett OpenID Connect PHP library in your application's document root. If your web application resides in AFS, you can use the version of Composer that is already installed on the ITS Web Hosting login server, umpire.dsc.umich.edu (you will need to activate the version of PHP your app uses after you log in).

    cd [document root]

    composer require jumbojett/openid-connect-php

  • Obtain OIDC Service Client credentials

You can self-provision OIDC Service Client credentials using the "OIDC Provisioning and Management" (OPaM) tool as documented in the following ITS KNowledge Base article:

For this example application, you should configure the Redirect URI to https://my.site.url/client_example.php (substitute my.site.url with the fully qualified domain name (FQDN) for your site) when you provision the OIDC Service Client credentials for your site.

  • Modify the client_example.php code

There are currently a few issues with the default code in the jumbojett/OpenID-Connect-PHP GitHub repository which require modifications to work correctly in the U-M ITS Virtual Web Hosting environment.

Currently, the code looks like this:

...
require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient(
    'http://myproviderURL.com/',
    'ClientIDHere',
    'ClientSecretHere'
);

$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');
...

The issues to address:

  • You need to fill in the correct details for the OpenIDConnectClient call. ClientID and ClientSecret are obtained via the self-provisioning process in the OPaM tool. The correct Provider URL for U-M is 'https://weblogin.umich.edu/'.

  • The jumbojett library supports the Client Authentication method client_secret_basic by default. The OPaM tool default is client_secret_post and does not yet allow the option of selecting another method when provisioning OIDC service client credentials. There is a code change required to explicitly set the Client Authentication method to client_secret_post.

  • Need to add explicit scopes (openid email profile edumember) to optimize for U-M OIDC environment, otherwise it will default to openid only.

The resulting code should look like this (note the ClientID and ClientSecret are obscured here and should be filled in with your site's actual values):

...
require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient(
    'https://weblogin.umich.edu/',
    'XXXXXXXXXXXXXXXXXXXXXXXXXX',
    'YYYYYYYYYYYYYYYYYYYYYYYYYY'
);

$oidc->setTokenEndpointAuthMethodsSupported(['client_secret_post']);

$oidc->addScope('openid email profile edumember');

$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');
...
  • Test

Navigate to https://my.site.url/client_example.php (substitute my.site.url with the fully qualified domain name (FQDN) for your site). You should be automatically redirected to U-M Weblogin for single sign-on authentication. Upon successful authentication, you should see Hello uniqname (where uniqname is your U-M username you authenticated as).

A docker example has been provided for demonstration purposes. To use:

  • replace server.key with a valid key
  • replace server.crt with a valid web cert
  • Edit server.conf, and replace SERVER on the ServerName line with your example service name, matching the CN in your server.crt
  • Fill in the variables in docker-compose.env with your OIDC Client ID and Secret that have been provisioned
  • docker-compose build or docker compose build (depending on which docker-compose you have installed)
  • docker-compose up -d or docker compose up -d (depending, same as prior)

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages