Alexander Lehmann revised this gist . Go to revision
3 files changed, 105 insertions
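--- a/composer.json
+++ b/composer.json
@@ -0,0 +1,5 @@
+{
+"require": {
+"jumbojett/openid-connect-php": "^1.0"
+}
+}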
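--- a/config.php_example
+++ b/config.php_example
@@ -0,0 +1,4 @@
+<?php
+define('OIDC_URL', 'https://provider');
+define('OIDC_ID', 'appid');
+define('OIDC_SECRET', 'secret');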
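--- a/index_partial.php
+++ b/index_partial.php
@@ -0,0 +1,96 @@
+<?php // -*-c++-*-
+
+# debug mode, don't do that on a live service
+ini_set('display_errors', 1);
+ini_set('display_startup_errors', 1);
+error_reporting(E_ALL);
+
+require __DIR__ . '/vendor/autoload.php';
+
+use Jumbojett\OpenIDConnectClient;
+
+require_once("config.php");
+
+if(isset($_COOKIE['access_token'])) {
+$oidc = new OpenIDConnectClient(OIDC_URL, OIDC_ID, OIDC_SECRET);
+$oidc->addScope(['email']);
+
+$data = $oidc->introspectToken($_COOKIE['access_token']);
+if(!$data->active) {
+// assume we need to refresh
+if(isset($_COOKIE['refresh_token'])) {
+$oidc->refreshToken($_COOKIE['refresh_token']);
+$data = $oidc->introspectToken($oidc->getAccessToken());
+if(!$data->active) {
+echo "refreshToken didn't work\n";
+http_response_code(403);
+exit;
+}
+} else {
+echo "no refresh token not available\n";
+http_response_code(403);
+exit;
+}
+$tokenExpire=$data->exp;
+setcookie('access_token', $oidc->getAccessToken(), $tokenExpire, "", "", true, true);
+} else {
+$id=$data->email;
+}
+} else {
+
+session_start();
+
+if(isset($_SESSION['oidc'])) {
+$oidc=$_SESSION['oidc'];
+
+try {
+$id=$oidc->requestUserInfo('email');
+} catch(Exception $e) {
+try {
+$oidc->authenticate();
+$id=$oidc->requestUserInfo('email');
+} catch(Exception $e) {
+echo "reauthentication failed.";
+exit(0);
+}
+}
+
+if(!isset($id)) {
+echo "could not get login name from oidc session\n";
+exit(0);
+}
+
+# if we are on the first request from the oidc provider, send a redirect
+if(isset($_GET['code'])) {
+header("Location: .");
+exit(0);
+}
+} else {
+
+try {
+$oidc = new OpenIDConnectClient(OIDC_URL, OIDC_ID, OIDC_SECRET);
+$oidc->addScope(["email"]);
+$oidc->authenticate();
+#$name = $oidc->requestUserInfo('user_id');
+} catch (Exception $e) {
+echo '<pre>Caught exception: ', $e->getMessage(), "\n";
+echo $e->getTraceAsString(), "</pre>\n";
+exit(0);
+}
+$_SESSION['oidc']=$oidc;
+
+if(isset($_GET['code'])) {
+header("Location: .");
+exit(0);
+}
+}
+}
+
+if(isset($_GET['token']) && $_GET['token']) {
+echo "<pre>\n";
+echo "access_token=".$oidc->getAccessToken()."\n";
+echo "refresh_token=".$oidc->getRefreshToken()."\n";
+echo "</pre>\n";
+exit;
+}
+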
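Review bot: The `?token=1` handler at the end prints the access token and the refresh token into the response body, and on the cookie path it is reachable after a successful refresh even though that branch never sets `$id` — the only place `$id` is assigned there is the `else` with `$id=$data->email;`, so the page hands out a fresh long-lived refresh token without having established an identity. Add `$id=$data->email;` after the refreshed token is introspected (next to `$tokenExpire=$data->exp;`) so both paths end with an identity, and gate the token dump on `isset($id)` the way the session path already checks `if(!isset($id))`. Separately, `introspectToken()` and `refreshToken()` in the cookie branch run outside any try/catch, so a provider error becomes an uncaught exception and, with `display_errors` enabled as the header comment warns, a stack trace in the response; wrap them like the session branch does, and drop the `getTraceAsString()` echo in the first-login catch before this goes anywhere near production.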