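[
    // OIDC server root URL
    "url" => "https://connection.example.com",
    // Client ID (as provided by your IDP)
    "client_id" => "27d65748-0aaa-42d9-90dc-353d94f2840a",
    // Client secret (as provided by your IDP)
    "client_secret" => "5d86b271-a3b8-4d75-b569-a86d48b75658",
    // Requested OIDC scopes
    "scopes" => ["profile", "email"],
    // Expected attributes (optional, retrieve all proposed attributes otherwise)
    /*
    "expected_attributes" => [
        "preferred_username",
        "given_name",
        "family_name",
        "email",
    ],
    */
],
];

// FQDN of OIDC server: the first configured entry is the default one
$default_oidc_server = key($oidc_servers);

/* ************************************
 * Main
 * ************************************ */

// No options are passed here: the session cookie attributes come from the
// PHP runtime configuration.
session_start();

// Warnings are queued in the session and rendered by show_warnings() on the
// next page; anything that is not a list is discarded.
$_SESSION["warnings"] = (isset($_SESSION["warnings"]) && is_array($_SESSION["warnings"]))
    ? $_SESSION["warnings"]
    : [];

// The requested server must be a string key of $oidc_servers; anything else
// (unknown name, or a non-scalar such as server[]=...) is reported and ignored.
if (
    isset($_REQUEST['server'])
    && (!is_string($_REQUEST['server']) || !isset($oidc_servers[$_REQUEST['server']]))
) {
    $_SESSION["warnings"][] = "Invalid OIDC server choiced";
    unset($_REQUEST['server']);
}

// Select the OIDC server for this request: explicit request parameter first,
// then the one remembered in the session, then the default. The session is
// reset when the server changes or when none was remembered; the warnings
// queued above are carried over so the reset does not swallow them.
$pending_warnings = $_SESSION["warnings"];
if (isset($_REQUEST['server'])) {
    $oidc_server = $_REQUEST['server'];
    if (($_SESSION['oidc_server'] ?? null) !== $oidc_server) {
        $_SESSION = ["warnings" => $pending_warnings]; // reset session on changing OIDC server
    }
} elseif (isset($_SESSION['oidc_server'])) {
    $oidc_server = $_SESSION['oidc_server'];
} else {
    $oidc_server = $default_oidc_server;
    $_SESSION = ["warnings" => $pending_warnings]; // reset session
}
$_SESSION['oidc_server'] = $oidc_server;

/**
 * Drop everything from the session except the currently selected OIDC server.
 */
function reset_session()
{
    global $oidc_server;
    $_SESSION = [];
    if (isset($oidc_server) && $oidc_server) {
        $_SESSION['oidc_server'] = $oidc_server;
    }
}

// Set once the client configuration section has been printed, so that it is
// rendered at most once per page.
$_show_oidc_client_config = false;

/**
 * Print the "OIDC Client configuration" section, at most once per page.
 *
 * Returns true when the section had already been printed (nothing is output
 * in that case).
 */
function show_oidc_client_config()
{
    global $_show_oidc_client_config, $oidc_client_config;
    if ($_show_oidc_client_config) {
        return true;
    }
    $_show_oidc_client_config = true;
    echo "\n\nOIDC Client configuration\n\n";
}

/**
 * Print the "Warnings message" section when warnings are pending, then clear
 * the queue.
 *
 * The queue is always emptied, whether or not something was printed.
 */
function show_warnings()
{
    if (!empty($_SESSION["warnings"])) {
        echo "\n\nWarnings message\n\n";
    }
    $_SESSION["warnings"] = [];
}

// Informational messages are queued like warnings and rendered by
// show_messages(); anything that is not a list is discarded.
$_SESSION["messages"] = (isset($_SESSION["messages"]) && is_array($_SESSION["messages"]))
    ? $_SESSION["messages"]
    : [];

/**
 * Print the pending informational messages, then clear the queue.
 *
 * A single message is echoed as-is (no HTML escaping), so only
 * application-generated text belongs in $_SESSION["messages"].
 */
function show_messages()
{
    if (!empty($_SESSION["messages"])) {
        echo "\n";
        if (count($_SESSION["messages"]) === 1) {
            echo $_SESSION["messages"][0];
        } else {
            // more than one message: an empty string is written here
            echo "";
        }
        echo "\n";
    }
    $_SESSION["messages"] = [];
}

/**
 * Return the var_dump() rendering of $value as a string.
 *
 * The result is raw var_dump output and is NOT HTML-escaped; callers that
 * write it into a page must escape it themselves (see html_vardump()).
 */
function vardump($value)
{
    ob_start();
    var_dump($value);
    return ob_get_clean();
}

/**
 * var_dump() rendering of $value, escaped for insertion into HTML text.
 */
function html_vardump($value)
{
    return htmlspecialchars(vardump($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Send a Location header and stop the script.
 *
 * @param string|null $url Target URL; when empty the application root
 *                         ($public_app_url) is used. The target is not
 *                         validated, so only internal URLs should be passed.
 */
function redirect($url = null)
{
    global $public_app_url;
    $url = $url ?: $public_app_url;
    header("Location: $url");
    exit();
}

/**
 * Print the ID token, verified claims and attributes of the authenticated user.
 *
 * The dumped values are supplied by the identity provider, so they are
 * HTML-escaped before being written into the page.
 */
function show_user_infos()
{
    echo "\n\nToken ID\n\n";
    echo "\n" . html_vardump($_SESSION['id_token'] ?? null) . "\n";
    echo "\n\nVerified claims\n\n";
    echo "\n" . html_vardump($_SESSION['verified_claims'] ?? null) . "\n";
    echo "\n\nAttributes\n\n";
    echo "";
}
?>
Test OIDC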

Test OIDC Application

OIDC server selection

:

Menu

OIDC Client Initialization ...

$public_app_url,
    'OIDC Hostname' => $oidc_server,
    'IDP URL' => $oidc_servers[$oidc_server]['url'],
    // Credentials are displayed truncated (first 4 and last 2 characters).
    // Even this partial form reveals 6 characters of the client secret to
    // anyone who can load the page; a fixed placeholder is safer outside a
    // development setup.
    'Client ID' => (
        substr($oidc_servers[$oidc_server]['client_id'], 0, 4) . "..."
        . substr($oidc_servers[$oidc_server]['client_id'], -2)
    ),
    'Client secret' => (
        substr($oidc_servers[$oidc_server]['client_secret'], 0, 4) . "..."
        . substr($oidc_servers[$oidc_server]['client_secret'], -2)
    ),
];

// Build the client from the static configuration of the selected server.
$oidc = new OpenIDConnectClient(
    $oidc_servers[$oidc_server]['url'],
    $oidc_servers[$oidc_server]['client_id'],
    $oidc_servers[$oidc_server]['client_secret']
);

// Both callback URLs are derived from the public application URL; the login
// one is registered on the client, the logout one is passed to signOut() later.
$client_redirect_url = "$public_app_url/?do=login";
$client_logout_redirect_url = "$public_app_url/?do=logout_callback";
$oidc_client_config["Client redirect URL"] = $client_redirect_url;
$oidc_client_config["Client logout redirect URL"] = $client_logout_redirect_url;
$oidc->setRedirectURL($client_redirect_url);

$oidc_client_config["Scopes"] = implode(", ", $oidc_servers[$oidc_server]['scopes']);
$oidc->addScope($oidc_servers[$oidc_server]['scopes']);

// "expected_attributes" is optional: when it is a non-empty list it is shown,
// otherwise every attribute provided by the IdP is retrieved.
$oidc_client_config['Expected attributes'] = (
    is_array($oidc_servers[$oidc_server]['expected_attributes'] ?? null) // @phpstan-ignore-line
    && !empty($oidc_servers[$oidc_server]['expected_attributes'])
)
    ? implode(", ", $oidc_servers[$oidc_server]['expected_attributes'])
    : "none (retrieve all provided attributes)";

echo "\n\nClient successfully initialized\n\n";
show_oidc_client_config();
show_warnings();
?>

Action

State before running action

Running action...

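authenticate();
} catch (OpenIDConnectClientException $e) {
    $_SESSION["warnings"][] = "Fail to authenticate: " . $e->getMessage();
    redirect();
}
$_SESSION["messages"][] = "Successfully authenticated";
$_SESSION['id_token'] = $oidc->getIdToken();
$_SESSION['verified_claims'] = $oidc->getVerifiedClaims();
$_SESSION['attributes'] = [];
if (
    isset($oidc_servers[$oidc_server]['expected_attributes']) // @phpstan-ignore-line
    && is_array($oidc_servers[$oidc_server]['expected_attributes'])
    && !empty($oidc_servers[$oidc_server]['expected_attributes'])
) {
    // Only the configured attributes are fetched, one userinfo request each;
    // a failure on one attribute is reported and does not stop the others.
    foreach ($oidc_servers[$oidc_server]['expected_attributes'] as $attr) {
        try {
            $_SESSION['attributes'][$attr] = $oidc->requestUserInfo($attr);
        } catch (OpenIDConnectClientException $e) {
            $_SESSION["warnings"][] = "Fail to retrieve attribute '$attr': " . $e->getMessage();
        }
    }
} else {
    // No attribute list configured: keep everything the userinfo endpoint returns.
    try {
        $_SESSION['attributes'] = get_object_vars($oidc->requestUserInfo());
    } catch (OpenIDConnectClientException $e) {
        $_SESSION["warnings"][] = "Fail to retrieve attributes: " . $e->getMessage();
    }
}
redirect();
break;

case 'logout':
    if (isset($_SESSION['id_token'])) {
        // Remember that a return to the logout callback is expected, so a
        // stray call of that URL does not clear the session.
        $_SESSION["logout_expected"] = true;
        $oidc->signOut($_SESSION['id_token'], $client_logout_redirect_url);
    } else {
        // Append to the list: a bare string assigned to "warnings" is
        // discarded by the is_array normalisation on the next request.
        $_SESSION["warnings"][] = "Not yet authenticated, can't logout!";
        redirect();
    }
    break;

case "logout_callback":
    if (!empty($_SESSION["logout_expected"])) {
        // Keep only the server selection; the reset also drops the flag.
        $_SESSION = ["oidc_server" => $oidc_server];
        $_SESSION["messages"][] = "Successfully logout from OIDC server and client application.";
    } else {
        $_SESSION["warnings"][] = "Unexpected logout callback URL call";
    }
    redirect();
    break;

case 'local_logout':
    $_SESSION = ["oidc_server" => $oidc_server];
    $_SESSION["messages"][] = "Successfully logout from client application only.";
    redirect();
    break;

default:
    // Queue under "warnings" (the previous key was misspelled and never shown).
    $_SESSION["warnings"][] = "Incorrect requested action";
    redirect();
}
} else {
    echo "Nothing to do";
}

if (isset($_SESSION['id_token'])) {
    echo "\n\nAuthenticated user information\n\n";
    show_user_infos();
}
?>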