Class yii\authclient\OpenIdConnect
Inheritance | yii\authclient\OpenIdConnect » yii\authclient\OAuth2 » yii\authclient\BaseOAuth » yii\authclient\BaseClient » yii\base\Component » yii\base\BaseObject
Implements | yii\authclient\ClientInterface, yii\base\Configurable
Available since version | 2.1.3
Source Code | https://github.com/yiisoft/yii2-authclient/blob/master/OpenIdConnect.php
OpenIdConnect serves as a client for the OpenID Connect (authorization code) flow.
Application configuration example:
'components' => [
    'authClientCollection' => [
        'class' => 'yii\authclient\Collection',
        'clients' => [
            'google' => [
                'class' => 'yii\authclient\OpenIdConnect',
                'issuerUrl' => 'https://accounts.google.com',
                'clientId' => 'google_client_id',
                'clientSecret' => 'google_client_secret',
                'name' => 'google',
                'title' => 'Google OpenID Connect',
            ],
        ],
    ],
    // ...
]
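The configuration above only declares the client; the login itself is driven by yii\authclient\AuthAction. The controller below is an added example, not code from the yii2-authclient documentation or source: it wires the 'google' client from the component above into an action and shows what a success callback should key the account on. The app\models\User class, its findByOidcSubject() and createFromOidc() methods, and the site/auth route are assumptions made for this example; AuthAction, its successCallback option and the client methods used are the real yii2-authclient API.

```php
<?php
// Added example (not part of the yii2-authclient docs): a controller that runs
// the OpenID Connect flow through yii\authclient\AuthAction using the
// 'google' client declared in the 'authClientCollection' component above.
// The User model, its findByOidcSubject()/createFromOidc() methods and the
// 'site/auth' route are assumptions for this example.

namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\ServerErrorHttpException;
use yii\authclient\AuthAction;
use yii\authclient\ClientInterface;
use yii\authclient\OpenIdConnect;

class SiteController extends Controller
{
    public function actions()
    {
        return [
            // Handles both the redirect to the provider (/site/auth?authclient=google)
            // and the callback carrying ?code=...&state=... back from the provider.
            'auth' => [
                'class' => AuthAction::class,
                'successCallback' => [$this, 'onAuthSuccess'],
            ],
        ];
    }

    /**
     * Invoked only after the client has exchanged the code for tokens,
     * verified the id_token signature ($validateJws), validated its claims
     * and checked the nonce ($validateAuthNonce) and state ($validateAuthState).
     */
    public function onAuthSuccess(ClientInterface $client)
    {
        if (!$client instanceof OpenIdConnect) {
            throw new ServerErrorHttpException('Unexpected auth client type.');
        }

        // getUserAttributes() returns what initUserAttributes() fetched from the
        // provider. Per OpenID Connect the 'sub' claim is mandatory and is the only
        // stable identifier; e-mail addresses can change or be reassigned.
        $attributes = $client->getUserAttributes();
        $subject = $attributes['sub'] ?? null;
        if (!is_string($subject) || $subject === '') {
            throw new ServerErrorHttpException('Provider response is missing the sub claim.');
        }

        // Key the local account on (issuer, sub), never on 'sub' alone: two
        // providers may hand out the same subject string.
        $issuer = $client->issuerUrl;
        $user = \app\models\User::findByOidcSubject($issuer, $subject);   // assumed model method
        if ($user === null) {
            $user = \app\models\User::createFromOidc($issuer, $subject, $attributes);   // assumed
        }
        Yii::$app->user->login($user);
    }
}
```

Because AuthAction calls the callback only after the client has completed every check, the callback does not need to re-validate the token; its job is the binding between the verified (issuer, sub) pair and a local account.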
This class requires the web-token/jwt-checker, web-token/jwt-key-mgmt, web-token/jwt-signature, web-token/jwt-signature-algorithm-hmac, web-token/jwt-signature-algorithm-ecdsa and web-token/jwt-signature-algorithm-rsa libraries to be installed for JWS verification. This can be done via composer:
composer require --prefer-dist "web-token/jwt-checker:>=1.0 <3.0" "web-token/jwt-key-mgmt:>=1.0 <3.0" "web-token/jwt-signature:>=1.0 <3.0" "web-token/jwt-signature-algorithm-hmac:>=1.0 <3.0" "web-token/jwt-signature-algorithm-ecdsa:>=1.0 <3.0" "web-token/jwt-signature-algorithm-rsa:>=1.0 <3.0"
Note: if you are using a well-trusted OpenID Connect provider, you may disable $validateJws, which makes installing the web-token libraries unnecessary. This is not recommended, as it violates the protocol specification: the ID token's signature is then never checked and only the TLS connection to the token endpoint stands between you and a forged token.
Public Properties
Property | Type | Description | Defined By |
---|---|---|---|
$accessToken | yii\authclient\OAuthToken | Auth token instance. Note that the type of this property differs in getter and setter. See getAccessToken() and setAccessToken() for details. | yii\authclient\BaseOAuth |
$allowedJwsAlgorithms | array | JWS algorithms, which are allowed to be used. | yii\authclient\OpenIdConnect |
$apiBaseUrl | string | API base URL. | yii\authclient\BaseOAuth |
$authUrl | string | Authorize URL. | yii\authclient\BaseOAuth |
$autoRefreshAccessToken | boolean | Whether to automatically perform 'refresh access token' request on expired access token. | yii\authclient\BaseOAuth |
$behaviors | yii\base\Behavior[] | List of behaviors attached to this component. | yii\base\Component |
$cache | yii\caching\Cache|null | The cache object, null if not enabled. Note that the type of this property differs in getter and setter. See getCache() and setCache() for details. | yii\authclient\OpenIdConnect |
$clientId | string | OAuth client ID. | yii\authclient\OAuth2 |
$clientSecret | string | OAuth client secret. | yii\authclient\OAuth2 |
$configParams | array | OpenID provider configuration parameters. | yii\authclient\OpenIdConnect |
$configParamsCacheKeyPrefix | string | The prefix for the key used to store $configParams data in cache. | yii\authclient\OpenIdConnect |
$defaultIdTokenClaims | array | Predefined OpenID Connect Claims | yii\authclient\OpenIdConnect |
$enablePkce | boolean | Whether to enable proof key for code exchange (PKCE) support and add a code_challenge and code_verifier to the auth request. | yii\authclient\OAuth2 |
$httpClient | yii\httpclient\Client | Internal HTTP client. Note that the type of this property differs in getter and setter. See getHttpClient() and setHttpClient() for details. | yii\authclient\BaseClient |
$id | string | Service id. | yii\authclient\BaseClient |
$issuerUrl | string | OpenID Issuer (provider) base URL, e.g. `https://example.com`. | yii\authclient\OpenIdConnect |
$name | string | Service name. | yii\authclient\BaseClient |
$normalizeUserAttributeMap | array | Normalize user attribute map. | yii\authclient\BaseClient |
$parametersToKeepInReturnUrl | array | List of the parameters to keep in default return url. | yii\authclient\BaseOAuth |
$requestOptions | array | HTTP request options. | yii\authclient\BaseClient |
$returnUrl | string | Return URL. | yii\authclient\BaseOAuth |
$scope | string | Auth request scope. | yii\authclient\OpenIdConnect |
$signatureMethod | yii\authclient\signature\BaseMethod | Signature method instance. Note that the type of this property differs in getter and setter. See getSignatureMethod() and setSignatureMethod() for details. | yii\authclient\BaseOAuth |
$stateStorage | yii\authclient\StateStorageInterface | State storage. Note that the type of this property differs in getter and setter. See getStateStorage() and setStateStorage() for details. | yii\authclient\BaseClient |
$title | string | Service title. | yii\authclient\BaseClient |
$tokenUrl | string | Token request URL endpoint. | yii\authclient\OAuth2 |
$userAttributes | array | List of user attributes. | yii\authclient\BaseClient |
$validateAuthNonce | boolean | Whether to use and validate auth 'nonce' parameter in authentication flow. | yii\authclient\OpenIdConnect |
$validateAuthState | boolean | Whether to use and validate auth 'state' parameter in authentication flow. | yii\authclient\OAuth2 |
$validateJws | boolean | Whether to verify the signature of the JWS (ID token) received with the auth token. | yii\authclient\OpenIdConnect |
$version | string | Protocol version. | yii\authclient\OAuth2 |
$viewOptions | array | View options in format: optionName => optionValue. | yii\authclient\BaseClient |
Public Methods
Protected Methods
Property Details
$allowedJwsAlgorithms
public array $allowedJwsAlgorithms = ['HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512']
JWS algorithms which are allowed to be used. These are passed to the web-token library for JWS signature verification. Make sure that the web-token/jwt-signature-algorithm-hmac, web-token/jwt-signature-algorithm-ecdsa or web-token/jwt-signature-algorithm-rsa package implementing a particular algorithm is installed before adding it here.
$cache
The cache object, null if not enabled. Note that the type of this property differs in getter and setter. See getCache() and setCache() for details.
$configParams
OpenID provider configuration parameters.
$configParamsCacheKeyPrefix
The prefix for the key used to store $configParams data in the cache. The actual cache key is formed by appending the $id value to it.
See also $cache.
$defaultIdTokenClaims
public array $defaultIdTokenClaims = ['iss', 'sub', 'aud', 'exp', 'iat', 'auth_time', 'nonce', 'acr', 'amr', 'azp']
Predefined OpenID Connect claims.
See also https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.2.
$issuerUrl
OpenID Issuer (provider) base URL, e.g. https://example.com.
$scope
Auth request scope.
$validateAuthNonce
Whether to use and validate the auth 'nonce' parameter in the authentication flow.
$validateJws
Whether to verify the signature of the JWS (ID token) received with the auth token.
Note: this functionality requires the web-token/jwt-checker, web-token/jwt-key-mgmt and web-token/jwt-signature composer packages to be installed. You can disable this option when using a trusted OpenID Connect provider; however, this violates the protocol rules, so you do it at your own risk.
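The $allowedJwsAlgorithms and $validateJws notes above describe the knobs but not how a hardened client definition looks. The configuration below is an added example, not from the yii2-authclient documentation or source. It keeps every verification step on and narrows the accepted signature algorithms to what the provider actually signs with; the provider URL https://op.example, the client name 'oidc', the credentials and the choice of RS256 are assumptions for this example, and every option key used is a property listed in the table above.

```php
<?php
// Added example (not from the yii2-authclient docs): a client definition that
// keeps every check on and narrows the accepted JWS algorithms.
// 'https://op.example', the 'oidc' key, the credentials and RS256 as the
// provider's signing algorithm are assumptions for this example.
return [
    'components' => [
        'authClientCollection' => [
            'class' => 'yii\authclient\Collection',
            'clients' => [
                'oidc' => [
                    'class' => 'yii\authclient\OpenIdConnect',
                    'issuerUrl' => 'https://op.example',
                    'clientId' => 'my_client_id',
                    'clientSecret' => 'my_client_secret',
                    'name' => 'oidc',
                    'title' => 'Example OP',
                    'scope' => 'openid profile email',

                    // Stated explicitly so a later edit cannot silently drop them.
                    // Even for a "trusted" provider these are what bind the token
                    // exchange to this particular login attempt in this browser.
                    'validateJws' => true,        // verify id_token signature against the OP's JWK set
                    'validateAuthNonce' => true,  // id_token nonce must match the one stored before redirect
                    'validateAuthState' => true,  // callback state must match the one stored before redirect
                    'enablePkce' => true,         // code_verifier on the code exchange

                    // Accept only the algorithm(s) the OP advertises in
                    // id_token_signing_alg_values_supported. The default list also
                    // contains HS256/HS384/HS512; per OpenID Connect Core 10.1 those
                    // use the client_secret as the MAC key, so leaving them enabled
                    // widens what counts as a validly signed token beyond the OP's
                    // private key. Any algorithm listed here must have its
                    // web-token/jwt-signature-algorithm-* package installed.
                    'allowedJwsAlgorithms' => ['RS256'],

                    // Cache the discovery document and JWK set instead of fetching
                    // them on every login ('cache' is the application cache component ID).
                    'cache' => 'cache',
                ],
            ],
        ],
    ],
];
```

If the provider's discovery document cannot be fetched at runtime, the same endpoints can be pinned with the 'configParams' option (see setConfigParams()), which bypasses the /.well-known/openid-configuration lookup; the jwks_uri still has to be reachable for $validateJws to work.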
Method Details
Applies access token to the HTTP request instance.
public void applyAccessTokenToRequest ( $request, $accessToken )
$request | yii\httpclient\Request | HTTP request instance.
$accessToken | yii\authclient\OAuthToken | Access token instance.
Applies client credentials (e.g. $clientId and $clientSecret) to the HTTP request instance. This method should be invoked before sending any HTTP request which requires client credentials.
protected void applyClientCredentialsToRequest ( $request )
$request | yii\httpclient\Request | HTTP request instance.
Composes the user authorization URL.
public string buildAuthUrl ( array $params = [] )
$params | array | Additional auth GET params.
return | string | Authorization URL.
Creates a token from its configuration.
protected yii\authclient\OAuthToken createToken ( array $tokenConfig = [] )
$tokenConfig | array | Token configuration.
return | yii\authclient\OAuthToken | Token instance.
Discovers the OpenID Provider configuration parameters.
protected array discoverConfig ( )
return | array | OpenID Provider configuration parameters.
throws | yii\authclient\InvalidResponseException | on failure.
Fetches an access token from an authorization code.
public yii\authclient\OAuthToken fetchAccessToken ( $authCode, array $params = [] )
$authCode | string | Authorization code, usually received as the GET parameter 'code'.
$params | array | Additional request params.
return | yii\authclient\OAuthToken | Access token.
throws | yii\web\HttpException | on invalid auth state when $validateAuthState is enabled.
Generates the auth nonce value.
protected string generateAuthNonce ( )
return | string | Auth nonce value.
public yii\caching\Cache|null getCache ( )
return | yii\caching\Cache|null | The cache object, null if caching is not enabled.
Returns a particular configuration parameter value.
public mixed getConfigParam ( $name, $default = null )
$name | string | Configuration parameter name.
$default | mixed | Value to be returned if the configuration parameter isn't set.
return | mixed | Configuration parameter value.
public array getConfigParams ( )
return | array | OpenID provider configuration parameters.
Returns the provider's JWK set used for JWS signature verification.
protected \yii\authclient\JWKSet getJwkSet ( )
return | \yii\authclient\JWKSet | Object representing a key set.
throws | yii\authclient\InvalidResponseException | on failure.
Returns the JWSLoader that verifies the JWS token.
protected \Jose\Component\Signature\JWSLoader getJwsLoader ( )
return | \Jose\Component\Signature\JWSLoader | Loader used for token verification.
throws | yii\base\InvalidConfigException | on an invalid algorithm in the configuration.
public boolean getValidateAuthNonce ( )
return | boolean | Whether to use and validate the auth 'nonce' parameter in the authentication flow.
Initializes the authenticated user's attributes.
protected array initUserAttributes ( )
return | array | Auth user attributes.
Verifies the JWS signature and returns the underlying data.
protected array loadJws ( $jws )
$jws | string | Raw JWS input.
return | array | JWS underlying data (the decoded payload).
throws | yii\web\HttpException | on invalid JWS signature.
Gets a new auth token to replace the expired one.
public yii\authclient\OAuthToken refreshAccessToken ( yii\authclient\OAuthToken $token )
$token | yii\authclient\OAuthToken | Expired auth token.
return | yii\authclient\OAuthToken | New auth token.
Sets up a component to be used for caching. This can be one of the following:
- an application component ID (e.g. cache)
- a configuration array
- a yii\caching\Cache object
When null is passed, caching is not enabled.
public void setCache ( $cache )
$cache | yii\caching\Cache|array|string|null | The cache object or the ID of the cache application component.
Sets the OpenID provider configuration manually; this bypasses the automatic discovery via the /.well-known/openid-configuration endpoint.
public void setConfigParams ( $configParams )
$configParams | array | OpenID provider configuration parameters.
public void setValidateAuthNonce ( $validateAuthNonce )
$validateAuthNonce | boolean | Whether to use and validate the auth 'nonce' parameter in the authentication flow.
Validates the claims data received from the OpenID provider.
protected void validateClaims ( array $claims )
$claims | array | Claims data.
throws | yii\web\HttpException | on invalid claims.
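validateClaims() is described only by its signature. The script below is an added example and is not the library's implementation: it is a stand-alone PHP check of the ID token claims that OpenID Connect Core 1.0 section 3.1.3.7 requires a client to validate (iss, aud/azp, exp, iat, nonce), written so each failure mode is visible. It assumes the JWS signature has already been verified, as loadJws() does before the claims are examined; the function name, the exception class, the issuer, client_id, nonce and all sample claims are constructed for this example.

```php
<?php
// Added example, not yii2-authclient's validateClaims(): an independent check of
// the ID Token claims required by OpenID Connect Core 1.0 section 3.1.3.7.
// Signature verification is assumed to have happened already (cf. loadJws()).
// Function name, exception class, issuer, client_id, nonce and claims are constructed.
declare(strict_types=1);

final class IdTokenClaimsException extends RuntimeException {}

/**
 * @param array<string,mixed> $claims   decoded id_token payload
 * @param string $issuerUrl             configured issuerUrl (no trailing slash)
 * @param string $clientId              this relying party's client_id
 * @param string|null $expectedNonce    nonce stored in the session before the redirect, null if unused
 * @param int $now                      current unix time (injectable for tests)
 * @param int $leeway                   tolerated clock skew in seconds
 */
function validateIdTokenClaims(array $claims, string $issuerUrl, string $clientId, ?string $expectedNonce, int $now, int $leeway = 60): void
{
    foreach (['iss', 'sub', 'aud', 'exp', 'iat'] as $required) {
        if (!array_key_exists($required, $claims)) {
            throw new IdTokenClaimsException("missing required claim '$required'");
        }
    }

    // iss: exact match against the issuer whose discovery document we loaded.
    if ($claims['iss'] !== $issuerUrl) {
        throw new IdTokenClaimsException('iss mismatch');
    }

    // aud: string or array, must contain our client_id. With several audiences
    // (or any azp present) azp must name us, otherwise this may be a token minted
    // for another client that merely lists us as an additional audience.
    $aud = is_array($claims['aud']) ? $claims['aud'] : [$claims['aud']];
    if (!in_array($clientId, $aud, true)) {
        throw new IdTokenClaimsException('aud does not contain our client_id');
    }
    if ((count($aud) > 1 || isset($claims['azp'])) && ($claims['azp'] ?? null) !== $clientId) {
        throw new IdTokenClaimsException('azp missing or not our client_id');
    }

    // exp / iat: numeric dates compared with a small skew allowance.
    if (!is_int($claims['exp']) || !is_int($claims['iat'])) {
        throw new IdTokenClaimsException('exp and iat must be integers');
    }
    if ($claims['exp'] + $leeway <= $now) {
        throw new IdTokenClaimsException('id_token expired');
    }
    if ($claims['iat'] - $leeway > $now) {
        throw new IdTokenClaimsException('id_token issued in the future');
    }

    // nonce: must equal the value generated and stored before the redirect.
    // Constant-time compare; a token without the nonce we sent is a replay.
    if ($expectedNonce !== null) {
        $nonce = $claims['nonce'] ?? null;
        if (!is_string($nonce) || !hash_equals($expectedNonce, $nonce)) {
            throw new IdTokenClaimsException('nonce mismatch');
        }
    }
}

// Constructed sample run.
$issuer = 'https://op.example';
$clientId = 'my_client_id';
$nonce = bin2hex(random_bytes(16));
$now = time();

$good = ['iss' => $issuer, 'sub' => '248289761001', 'aud' => $clientId, 'exp' => $now + 300, 'iat' => $now, 'nonce' => $nonce];
validateIdTokenClaims($good, $issuer, $clientId, $nonce, $now);
echo "valid id_token claims\n";

// Array union keeps the left-hand key, so each case overrides one claim of $good.
$cases = [
    'wrong issuer'   => ['iss' => 'https://evil.example'] + $good,
    'other audience' => ['aud' => ['other_client', $clientId]] + $good,   // no azp
    'expired'        => ['exp' => $now - 120] + $good,
    'replayed nonce' => ['nonce' => 'stale'] + $good,
];
foreach ($cases as $label => $claims) {
    try {
        validateIdTokenClaims($claims, $issuer, $clientId, $nonce, $now);
        echo "$label: unexpectedly accepted\n";
    } catch (IdTokenClaimsException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

The order matters less than the completeness: a token that passes signature verification but carries a foreign iss or aud is exactly what a misconfigured multi-tenant provider, or a token obtained from a different client, produces.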