jumbojett / openid-connect-php Goto Github PK

I am getting this page:

Error: redirect_uri_mismatch

Description: The redirection URI provided does not match a pre-registered value.

I have added the client secret &c to the client. Also when I add the redirect URL as:

http://m.y.i.p.:port/folder/client_example.php on OpenAM OpenID Connect Server, I get a redirect loop.

Irrelevant, error was on my end.

Getting below error:

OpenIDConnectClientException: Unable to verify JWT claims in C:\xampp\htdocs\mywiki\extensions\OpenIDConnect\vendor\jumbojett\openid-connect-php\OpenIDConnectClient.php:228

URL is -

http://localhost/mywiki/index.php/Special:PluggableAuthLogin?code=91b01f5527c63868d1f8383c9dd4b9f5a2a4e873493c5761fcf1c77cd7feefa2&scope=openid%20email&state=81ec95aaffb00ffe7132e9738e908cac&session_state=BMo3BqCddmkNYzXleTM4p1LdoRQb7FLn9TfK5hygKjQ.2099bc7dbd791f3c98ae22216db8d02d

configuration in local setting

wfLoadExtension( 'OpenIDConnect' );

$wgOpenIDConnect_Config['http://localhost:5000'] = [
'clientID' => 'wiki',
'clientsecret' => 'wikisecret',
'scope' => array( 'openid', 'email')
];

This is more of a feature request than a bug.

I'm developing a system that will perform OpenID authentication against an in-house system. However, this system will be in the cloud, using containers and load balancers, which means we cannot use php's sessions because the next request might or might not come to the same server.

Is there any reason why this has not been implemented or could be simple enough to do it?

Looks like the code covers the first couple of the items in the list at http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation, but not the others, for example, expiration time. Is this intentional?

I'm getting PHP Fatal error: Undefined class constant 'PUBLIC_FORMAT_XML'. I see in the code you are using Crypt_RSA::PUBLIC_FORMAT_XML syntax while latest version from http://phpseclib.sourceforge.net doesn't have class constant. Am I missing something obvious?

Hello,

i have the problem see above.
This doesn't help, I have no trailing slash in my url
I get a logon form from my Identity Server, and then I get this error

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection. [DBConnection] Connected to database 0 at 'localhost'. [session] Session "s1kesl4pef5o5aevd20t64h2m1qlahfd" requested without UserID cookie OpenIDConnectClientException: Unable to verify JWT claims in /var/www/html/mw/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php:281 Stack trace: #0 /var/www/html/mw/extensions/OpenIDConnect/OpenIDConnect.class.php(151): OpenIDConnectClient->authenticate() #1 /var/www/html/mw/extensions/PluggableAuth/PluggableAuthLogin.php(46): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL) #2 /var/www/html/mw/includes/specialpage/SpecialPage.php(522): PluggableAuthLogin->execute(NULL) #3 /var/www/html/mw/includes/specialpage/SpecialPageFactory.php(578): SpecialPage->run(NULL) #4 /var/www/html/mw/includes/MediaWiki.php(287): SpecialPageFactory::executePath(Object(Title), Object(RequestContext)) #5 /var/www/html/mw/includes/MediaWiki.php(862): MediaWiki->performRequest() #6 /var/www/html/mw/includes/MediaWiki.php(523): MediaWiki->main() #7 /var/www/html/mw/index.php(43): MediaWiki->run() #8 {main}

my setup:
wso2 is 5.3.0
mediawiki 1.29
PluggableAuth 4.0
OpenID Connect 4.0
and jumbojett/openid-connect-php 0.3.0

LocalSettings:
$wgOpenIDConnect_Config['https://identity_server_fqdn/oauth2/oidcdiscovery'] = [ 'clientID' => 'ieY3KuRxxxxxxxxxxxxx', 'clientsecret' => '2pSxxxxxxxxxxxxx', 'scope' => [ 'openid', 'email', 'profile' ] ];

Callback URL: https://wiki_server_fqdn/mw/index.php/Spezial:PluggableAuthLogin

any suggestions?

thx

Excuse my lack of knowledge, it's the first time I implement an authorization system.

If understand the system correctly, when a user signs in for the first time I should do something like the dynamic registration example, take both the client id and client secret from the provider and store them in my database. Is that correct?

Then, the next time a user tries to log in, how can I check their identity? do I get their client id and compare it to the one I have? If so, how does the client get his/her own id? According to what I read they just get a temporary token from the provider, not an id number...

Again, excuse my lack of knowledge, it's all really technical and I'm a little confused.

Additional requirements include phpseclib and composer. I recognize that this is one file and for most it is easy to figure out where it goes but if you are going to include installation instructions and they require composer, I would argue that the package requires composer.

I'm using a simple test of:

$oidc = new OpenIDConnectClient('https://accounts.google.com/',
                                'XXX',
                                'YYY');

$oidc->addScope(array("openid", "email", "profile"));
$oidc->authenticate();

but keep getting:

PHP message: PHP Fatal error:  Uncaught exception 'OpenIDConnectClientException' with message 'Unable to verify JWT claims' in OpenID-Connect-PHP/OpenIDConnectClient.php:228
Stack trace:
#0 OpenID-Connect-PHP/client_example.php(33): OpenIDConnectClient->authenticate()
#1 {main}
  thrown in OpenID-Connect-PHP/OpenIDConnectClient.php on line 228

any ideas?

I want to authenticate users with OpenID in my application, and this library describing its goal of

[hoping] to encourage OpenID Connect use by making it simple enough for a developer with little knowledge of the OpenID Connect protocol to setup authentication

makes this a perfect choice as I've never dealt with OpenID before, and I just want it to work (tm). But I can't wrap my head around any of this. Am I supposed to read the OpenID specification and the source code of this library to understand how to use this? I thought that was what this library was supposed to relieve me from!

The grand total of documentation on how to use this that I've found so far is 3 short examples with no description at all on what the examples do or how they work, and a very, very brief description of each of the API entry points. That makes this project to me almost unusable, the barrier to entry is pretty much the same as any of the other more heavy and feature laden libraries. If this project is to be of any use for casual developers it has to have documentation that adequately describes the processes involved with authenticating a user, and how this library accomplishes it.

Hi, this library is missing a license specification.

I want to fork it to make it a bit more complicated for my specific need, but without an Open Source license I can't really do it.

Can you please specify what license this library is distributed under? I'd appreciate it if in can be a BSD or MIT license, but I can work with most OSI approved licenses, if you rather use something else.

This commit broke the ability to use IdentityServer

Could you explain why this code checks for isset($header->kid) ?

IdentityServer doesn't provide the alg parameter in their .well-known/jkws

421: if (sizeof($this->setResponseTypes) > 0) {
should be
421: if (sizeof($this->responseTypes) > 0) {

There are two steps to discovery:

1. figuring out which "issuer" to use for a given user
2. figuring out the configuration once you have the issuer

One way of supporting this feature is utilizing an account chooser.

1. look for the "iss" parameter on a login page for your issuer
2. once you have that, you can get the configuration, and go
   it's particularly useful if you're logging in using multiple issuers

Server discovery in Java
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/ThirdPartyIssuerService.java

• Effectively, if it gets an "iss" parameter, it uses that as the issuer.
  If it doesn't, it redirects you to the account chooser URL
  This gets tied into the rest of the client filter that does the heavy lifting.

Hi,
I recently try to test it but...

Notice: Trying to get property of non-object in OpenIDConnectClient.php5 on line 268

# Line 268
$value = json_decode($this->fetchURL($well_known_config_url))->{$param};

Any clue?

Thanks!

Hi,
UserInfo endpoint should have support for Bearer Token Usage. Am using this framework as the provider. See how expect request:

POST /openid/userinfo/ HTTP/1.1
Host: localhost:8000
Authorization: Bearer [ACCESS_TOKEN]

This package use query string for access token.

"GET /openid/userinfo/?schema=openid&access_token=9a01043111f84e18a8ef392771592a59 HTTP/1.1" 401 0

The Spec say:

The Access Token obtained from an OpenID Connect Authentication Request MUST be sent as a Bearer Token. It is RECOMMENDED that the request use the HTTP GET method and the Access Token be sent using the Authorization header field. http://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest

Greetings!

I'm running a test client under IIS at https://localhost:44396/.

When the code redirects to the identity provider - it is adding the port number twice in the redirectURL (i.e. https://localhost:44396:44396/)

I've tracked this down to the use of _SERVER["HTTP_HOST"], which in my case includes the port.

I've modified the code to strip the port if present. I'll try and send a pull request with this fix in.

I'm having trouble using Google as an OpenID Connect provider. I've been debugging with client_example.php and poking around with Firebug, and it looks like things are getting hung up verifying the JWT signature: the exception I get is "Unable to verify signature."

Things I've checked:

• The code is finding the right key to check the signature with.
• If I disable the JWT signature check, everything else works fine
• The signature is valid if I verify with the tools at http://jwt.io, using the second certificate at
  https://www.googleapis.com/oauth2/v1/certs

FWIW, I'm using PHP 5.5.9 (Ubuntu Trusty up-to-date) with phpseclib 0.3.5. The bug persists with phpseclib 3.10 (the current version.)

I'm working on the "master" branch; branch jumbojett-patch-1 has bug in get_key_for_alg which always returns the first key in $keys.

Any clues?

Hi,

I currently have phpseclib required in my dependencies, with the 2.0.9 version as a minimum. Is there any reason your package requires the version 2.0.1 of phpseclib specifically?

Thanks!

Provider Port is set based on standard ports, internal networks might set custom ports,
We should allow the provider to specify a specific port for curl requests

This might be really dumb, but is there any higher level wrapper to check if the user is authenticated? (except the session variable)

I would like to use your library for the Fossology project.
Because your project is licensed under the Apache-2.0 License it would be unfortunately not possible to integrate it, as the Apache-2.0 License is not compatible with the GPL-2.0 License. Would you mind changing the license or to add dual-licensing to your library to be compatible with Fossology? (e.g. using MIT, BSD, GPL-2.0 License)

Thanks for your consideration

I had exactly the same issue as reported in bug #104.
And like for bug #104, this required updating the require instruction, AND downloading the latest dev package from GitHub to fix it.
So my point is that bug #104 should not have been closed:

1. The instructions on https://github.com/jumbojett/OpenID-Connect-PHP are indeed wrong, and it's necessary to do...
   require __DIR__ . '/vendor/autoload.php';
   ... as explained on composer doc: https://getcomposer.org/doc/01-basic-usage.md
2. The jumbojett/OpenID-Connect-PHP package version 0.3.0 downloaded by composer from its default repositories does not work (at least in some cases like ours), and should be fixed.

Hello Michael,

I am setting up authentication using your OpenID-Connect-PHP library in the fossology solution.
However, I am blocked since Fossology is GPLv2, which is not compatible with ApacheV2.

Would you possibly consider adding (for example) a BSD license so that it could be used along GPLv2 products ?

This would be of great help, thanks,

Nicolas

He,

Some of the previous issues did mention a specific problem of the Google OpenIDConnect API, but I hope to revive this issue to create a fix.

As mentioned in the docs of OpenIDConnect of Google, the ISS returned from google can be two values:

Verify that the value of iss in the ID token is equal to https://accounts.google.com or accounts.google.com.

I've read up for other packages how they handle this problem, for example the Google PHP library itself, which explicitly compares for the two options. See https://github.com/google/google-api-php-client/blob/43996f09df274158fd04fce98e8a82effe5f3717/src/Google/AccessToken/Verify.php

@jumbojett is this on your planning to account for this? I love your library, but would love to use it for several OpenIDConnect providers, but I'm struggling with the Google one right now.

I see two options:

1. Identify the google variant and verify the ISS accordingly. This would be most secure, since other providers won't be interfered with

2. Make a comparison between the iss and the getProviderURL in two ways: one with the original values and one where you remove the https:// from the providerURL as well

I have been able to use this with Google and SalesForce

• ... = new OpenIDConnectClient("accounts.google.com", '28...", "9328");
• ... = new OpenIDConnectClient("https://login.salesforce.com", '3MV...", "xyz");

Has any one been able to use this with GitHub and others? if so can you share how you connected.

Hi I tried to use basic authentication from example but got error on line 1090

Undefined index: openid_connect_state

my code is

  $oidc = new OpenIDConnectClient($providerUrl, $clientId, $clientSecret);

  $oidc->authenticate();
  $oidc->addScope('email');

  $clientCredentialsToken = $oidc->requestClientCredentialsToken();

Thanks for any help

id_token and claims expiration are not stored so how to check if the user is already logged in or not?

Hi,

I've tried to authenticate against our ADFS 4.0 using the client_example.php. Authentication worked (it seems), but $name was empty, so I added var_dump($oidc->requestUserInfo()); to see all contents of the userinfo. The result is this:

object(stdClass)#7 (1) { ["sub"]=> string(44) "GZlsnJmtb....[redacted]" }

What's wrong here? Am I missing something in the configuration on the ADFS side of things?

Hi,

My error is Unable to verify JWT claims but when I saw the requests that my provider receives, realize that for example is double POSTing the /token endpoint.

[28/Jul/2015 17:44:57]"GET /openid/authorize/?response_type=code&redirect_uri=http%3A%2F%2Fphp_openid.local%2Fclient_example.php&client_id=123&nonce=23d0598cccd8966cefd5a2a97e13b707&state=16aa9047a6f214c37e9bbcebd06c743b&scope=openid+email+profile HTTP/1.1" 302 0
[28/Jul/2015 17:44:57]"GET /openid/.well-known/openid-configuration/ HTTP/1.1" 200 440
[28/Jul/2015 17:44:57]"GET /openid/.well-known/openid-configuration/ HTTP/1.1" 200 440
[28/Jul/2015 17:44:57]"POST /openid/token/ HTTP/1.1" 200 484
[28/Jul/2015 17:44:57]"POST /openid/token/ HTTP/1.1" 400 232
[28/Jul/2015 17:44:57]"GET /openid/.well-known/openid-configuration/ HTTP/1.1" 200 440
[28/Jul/2015 17:44:57]"GET /openid/.well-known/openid-configuration/ HTTP/1.1" 200 440
[28/Jul/2015 17:44:57]"GET /openid/jwks/ HTTP/1.1" 200 292
[28/Jul/2015 17:44:57]"GET /openid/jwks/ HTTP/1.1" 200 292

Is this bad or am I wrong?

Greetings.

I'm trying to use this library to log into a Mediawiki instance using its OpenID Connect sign-in plugin and am using Google as the provider. I use the Google Developer's Console to obtain the Client ID and Client Secret from the project. Unfortunately, I run into a few issues that require manual changes to the code:

1. Nonce values are not accepted by Google's servers, so I need to comment out the nonce code or else the Google servers will return an error.
2. The log in sometimes will work, while other times, there is an issue with the RSA key verification and the login will fail. I'm not sure if it's a problem with Google or if it's a problem with the Mediawiki's server's security. I don't know much about how encryption works, so I'm very lost. It might be caused by the disabled noncing I mentioned above. I'm also considering if it's a problem with proxies, but again, I don't know for sure anything. If you know anything that can help with this, or need certain information to help, let me know.

Hello. I apologise for my weak skills, but this kind of code really tough, that is why I would like to ensure right set up of this client.

So, I installed package OpenID-Connect-PHP-master , that includes (README.md, OpenIDConnectClient.php, LICENSE.txt, composer.json, client_example.php).
Client_example.php includes the following code:

`<?php

require "../../autoload.php"; # * # <--- I dont actually understand which document should i past here*

$oidc = new OpenIDConnectClient('http://myproviderURL.com/',
'ClientIDHere',
'ClientSecretHere');

$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');

?>`

So it would be very helpful if someone provides a short guide how should I exactly install this package.

Thank you.

Hi!
Your library suits well in my project. Thanks! But when I use the method requestResourceOwnerToken, the request comes with an error. As it turned out, I need to add a header "Authorization: Basic" in the method. As in next method requestTokens. Then everything works.
When you tested this method, did you have an error? It may be worth adding the possibility that the person who uses this library can add their own headers outside this method?

$_SERVER['SERVER_NAME'] is populated based upon the value of Host sent in the request which means the redirect_uri in https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L432
can be modified to go to a different site. An example of this attack would be if a browser extension has been compromised.

Some providers like coreos/dex doesn't implement the userInfo endpoint.

Is it possible to check the received claims in the id token first before trying to get them with the userInfo endpoint?
This should be also a performance boost.

The CURLOPT_TIMEOUT value (in the fetchUrl method) is too big - 60 seconds - and really should be configurable.

AT

public function authenticate() {
// Do a preemptive check to see if the provider has thrown an error from a previous redirect
if (isset($_REQUEST['error'])) {
throw new OpenIDConnectClientException("Error: " . $_REQUEST['error'] . " Description: " . $_REQUEST['error_description']);
}

$_REQUEST['error_description'] is OPTIONAL, so a check needs to be done to ensure it exists.

Also, there's apparently a https://github.com/phpseclib/phpseclib that seems more "recent" (class name and structure). I used that one and adapted your code to it (there's almost nothing to do).

Lastly, in the function requestUserInfo($attribute), a fetchURL is being done to populate $this->userInfo.
The attributes listed in the comments are nice, but they don't reflect google's implementation of OpenID Connect: they don't use "user_id" and seem to use "sub" instead.
In light of this, an helper function for developpers ould be nice in order to see what's actually available in the userInfo variable.

Best regards.

Disable JWT verification for development environments: #110

This is just a minor suggestion, but it would help for those who are using your library to include a version number and a change log to help understand what's new since we've last visited.

Is back channel logout supported?

Hi, the instructions say to require '/vendor/autoload.php';

This assumes your project is on the root of a drive and returns an error if not:
Fatal error: require(): Failed opening required '/vendor/autoload.php'

The package has a PHP version requirement of >=5.2, but the code contains 5.2 incompatible code, e.g. short array declarations. Example in https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/OpenIDConnectClient.php#L470

Hello,

Is it possible to release another composer update for this? Looks like its been a while and there are some good changes in the code :)

According to the dialogue from a user in #6 , it looks like the client filter isn't catching the error codes that come back from the server on an error condition and is instead trying to attempt the authentication event again immediately. This leads to an infinite redirect loop.

I'm wondering about why there is an unused variable in line 481 https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/OpenIDConnectClient.php#L481 of OpenIDConnectClient.php

$token_endpoint_auth_methods_supported = $this->getProviderConfigValue("token_endpoint_auth_methods_supported");

Is it by intention to throw an error if there is no "token_endpoint_auth_methods_supported" config set?

Hi, I am using okat to test from my localhost xampp install on windows. First I got an error regarding phseclib which I had to include. This is my code with cert turned off for now:

include('phpseclib1.0.5/Crypt/RSA.php');
require "OpenIDConnectClient.php";

$oidc = new OpenIDConnectClient('https://myaccount.oktapreview.com',
                                'id',
                                'secret');
$oidc->setVerifyHost(false);
$oidc->setVerifyPeer(false);
$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');

Am redirected to okta and able to pass my creds. Also getting correctly redirected to local file after entering creds on okta. On callback to local am getting the following error:
OpenIDConnectClientException: Cannot supply client credentials in both the Authentication header and the request-body. in C:\xampp\htdocs\openid\OpenIDConnectClient.php on line 228

Not able to figure out if this is an okta issue or openid-connect-php issue.
Any help appreciated.

In the requestTokens function, the following code was added two years ago:

# Consider Basic authentication if provider config is set this way
if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported)) {
    $headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
    unset($token_params['client_secret']);
}

So if client_secret_basic is one of the possible token endpoint authentication methods, that header will be added, regardless if the method is actually used. For example, for Azure I was using client_secret_post, and that failed, because the client_secret token param is also unset.

Or am I missing something here?

Having some trouble, and not sure what's wrong.

I've created a new OpenIDConnectClient by passing in the authorize url

Then I get an error stating "the provider authorization_endpoint has not been set.

How do I set that?

I tried addauthparam, but that didn't work.
Code snippet below.

$providerurl = 'https://login.microsoftonline.com/xxxxx/oauth2/authorize';


$clientID = 'abc123';  #azure Object ID
$secret = 'secret';    #key in Azure settings

 $oidc = new OpenIDConnectClient($providerurl,
                               $clientID,
                             $secret);

$oidc->addauthParam("authorization_endpoint", $providerurl);
$oidc->authenticate();