I am getting this page:

Error: redirect_uri_mismatch

Description: The redirection URI provided does not match a pre-registered value.

I have added the client secret &c to the client. Also when I add the redirect URL as:

http://m.y.i.p.:port/folder/client_example.php on OpenAM OpenID Connect Server, I get a redirect loop.

I'm trying to use this library to log into a Mediawiki instance using its OpenID Connect sign-in plugin and am using Google as the provider. I use the Google Developer's Console to obtain the Client ID and Client Secret from the project. Unfortunately, I run into a few issues that require manual changes to the code:

1. Nonce values are not accepted by Google's servers, so I need to comment out the nonce code or else the Google servers will return an error.
2. The log in sometimes will work, while other times, there is an issue with the RSA key verification and the login will fail. I'm not sure if it's a problem with Google or if it's a problem with the Mediawiki's server's security. I don't know much about how encryption works, so I'm very lost. It might be caused by the disabled noncing I mentioned above. I'm also considering if it's a problem with proxies, but again, I don't know for sure anything. If you know anything that can help with this, or need certain information to help, let me know.

This commit broke the ability to use IdentityServer

Could you explain why this code checks for isset($header->kid) ?

IdentityServer doesn't provide the alg parameter in their .well-known/jkws

I have been able to use this with Google and SalesForce

• ... = new OpenIDConnectClient("accounts.google.com", '28...", "9328");
• ... = new OpenIDConnectClient("https://login.salesforce.com", '3MV...", "xyz");

Has any one been able to use this with GitHub and others? if so can you share how you connected.

Hi I tried to use basic authentication from example but got error on line 1090

Undefined index: openid_connect_state

my code is

  $oidc = new OpenIDConnectClient($providerUrl, $clientId, $clientSecret);

  $oidc->authenticate();
  $oidc->addScope('email');

  $clientCredentialsToken = $oidc->requestClientCredentialsToken();

Thanks for any help

This security fix will break compatibility with PHP versions prior to 7.0. But in my opinion, it doesn't matter since these are End-of-Life since more than a year. Anyway, including random_compat may be a solution.

RFC 6749 recommends CSRF protection via state parameter. Therefore, its value needs to be cryptographically secure (uniqid does not provide that). The OIDC-Spec states the same for nonce:

The nonce parameter value needs to include per-session state and be unguessable to attackers. One method to achieve this for Web Server Clients is to store a cryptographically random value as an HttpOnly session cookie and use a cryptographic hash of the value as the nonce parameter.

List of common tasks a pull request require complete

• [x] Changelog entry is added or the pull request don't alter library's functionality

Currently, this library can only be used by including the single source file in the application, directly loading global function which are never required in global scope.

I think this library can benefit from some decent object oriented design, so that it can easily be reused by other libraries such as Symfony library.

Currently, I've adapted this library to fit directly in my library, but are you interested to have it backported here?

Hi! Your library suits well in my project. Thanks! But when I use the method requestResourceOwnerToken, the request comes with an error. As it turned out, I need to add a header "Authorization: Basic" in the method. As in next method requestTokens. Then everything works. When you tested this method, did you have an error? It may be worth adding the possibility that the person who uses this library can add their own headers outside this method?

Having some trouble, and not sure what's wrong.

I've created a new OpenIDConnectClient by passing in the authorize url

Then I get an error stating "the provider authorization_endpoint has not been set.

How do I set that?

I tried addauthparam, but that didn't work. Code snippet below.

$providerurl = 'https://login.microsoftonline.com/xxxxx/oauth2/authorize';


$clientID = 'abc123';  #azure Object ID
$secret = 'secret';    #key in Azure settings

 $oidc = new OpenIDConnectClient($providerurl,
                               $clientID,
                             $secret);

$oidc->addauthParam("authorization_endpoint", $providerurl);
$oidc->authenticate();

Hello Michael,

I am setting up authentication using your OpenID-Connect-PHP library in the fossology solution. However, I am blocked since Fossology is GPLv2, which is not compatible with ApacheV2.

Would you possibly consider adding (for example) a BSD license so that it could be used along GPLv2 products ?

This would be of great help, thanks,

Nicolas

Hi, the instructions say to require '/vendor/autoload.php';

This assumes your project is on the root of a drive and returns an error if not: Fatal error: require(): Failed opening required '/vendor/autoload.php'

This will prevent php warning for php 8 project while trying to authenticate client.

List of common tasks a pull request require complete

• [ ] Fix php 8 warning on client authenticate

If you use this library on a php 8 project with php warnings enabled you experience this problem.

In OpenIDConnectClient class, in authenticate method there will be a warning in line 341 $_REQUEST['state'] that the state in not defined. And after this error you get this error Warning: Cannot modify header information - headers already sent by... and then it fails.

I will provide a pull request, with an extra check if $_REQUEST['state'] exists.

Hello, thanks for this lib.

I'm a web dev without many experience on SSO and OIDC. I don't get how to work with OIDC and AzureAD.

I need to build a complete "workflow" for users using a test app in AzureAD and my PHP system. There is: login, logout, get email or userid (sub).

I build this script (ommit values specific of my app): https://gist.github.com/tomasdelvechio/5fa4d25cb7399eba21e33370f790a2d1#file-testing-php

The above script redirect to AzureAD, let me login in success and return an id_token, state and session_state. But from this, I can't get the sub value, email, etc...

From the AzureAD app I check the options redirect uri and ID tokens (used for implicit and hybrid flows).

Questions:

• I have to call authenticate() method in each request to my app? or is it enough with just create Oidc object?
• Some software (open source) implement full the AzureAD API in php using this lib, to learn from there how to use the package for my app?
• Some reference code or other material relevant? I read RFCs, OIDC doc online, this repo Wiki, issues, PRs, etc...

previously, when aud was correct, the in_array clause was evaluated but failed with an error (aud is not array), so the verifyLogoutTokenClaims function returned false for a valid token

List of common tasks a pull request require complete

• [x] Changelog entry is added or the pull request don't alter library's functionality

Fixes issue #347

List of common tasks a pull request require complete

• [x] Changelog entry is added or the pull request don't alter library's functionality