Home‎ > ‎SSO Single Sign-On‎ > ‎

Adapting existing systems to connect with OpenAM via OAuth2 using a generic code library

This guide shows how to adapt existing institutional systems to an OAuth2 federated environment. The access management solution used on this example is OpenAM. OpenAM uses SAML as default authentication protocol, so we need to enable OAuth2 capabilities to selected realm as is shown on this guide.

Please replace every openam.sso.appsedudemo.com with OpenAM domain and sso.appsedudemo.com with your domain where your application is installed. OpenAM uses realms to separate different configurations, we are using the sp-google-idp-ldap realm name, if you are using the base realm (default) leave the realm parameter in blank.


  • Java web server (i.e. Tomcat)
  • OpenAM
  • Google Apps domain
  • Web server (i.e. Apache)


  • If you don't have OpenAM installed please follow the Installing OpenAM guide.
  • Log in to admin console and enable OAuth2 server with the default parameters

  • Go to Access Control > / (Top Level Realm) > Agents > OAuth 2.0 Client and create a new user with an user and a password, on this example we are using demo as user and egdpassword as password.
  • Click on the user created and configure it as is shown

  • Create a Subject on Access Control > / (Top Level Realm) > Subject , on this example we are using demo as user and egdpassword as password.
  • This is all the configuration on OpenAM now is time to configure a web server with an OAuth 2.0 library.
  • Download the language required library from OAuth2 site . (On this example we will use the PHP OAuth 2.0 client )
  • Extract to your web root folder.
  • Edit the php-oauth2/example/simple project with the following values:



require_once 'vendor/autoload.php';

$apiUri = "http://openam.sso.appsedudemo.com:8080/openam/oauth2/tokeninfo?realm=sp-google-idp-ldap&token_type=Bearer";
$authorize_endpoint = "http://openam.sso.appsedudemo.com:8080/openam/oauth2/authorize?realm=sp-google-idp-ldap&redirect_uri=http://sso.appsedudemo.com/php-oauth2/example/simple/callback.php&scope=mail";

$clientConfig = new fkooman\OAuth\Client\ClientConfig(
        "authorize_endpoint" => $authorize_endpoint,
        "client_id" => "demo",
        "client_secret" => "egdpassword",
        "token_endpoint" => "http://openam.sso.appsedudemo.com:8080/openam/oauth2/access_token?realm=sp-google-idp-ldap&scope=mail&client_id=demo&grant_type=password&username=demo&password=egdpassword",

... (the rest of the file maintains unchanged)



require_once 'vendor/autoload.php';

$clientConfig = new fkooman\OAuth\Client\ClientConfig(
        "authorize_endpoint" => "http://openam.sso.appsedudemo.com:8080/openam/oauth2/authorize?realm=sp-google-idp-ldap&redirect_uri=http://sso.appsedudemo.com/php-oauth2/example/simple/callback.php&scope=mail",
        "client_id" => "demo",
        "client_secret" => "egdpassword",
        "token_endpoint" => "http://openam.sso.appsedudemo.com:8080/openam/oauth2/access_token?realm=sp-google-idp-ldap&scope=mail&client_id=demo&grant_type=password&username=demo&password=egdpassword",

try {
    $tokenStorage = new fkooman\OAuth\Client\SessionStorage();
    $httpClient = new Guzzle\Http\Client();
    $cb = new fkooman\OAuth\Client\Callback("foo", $clientConfig, $tokenStorage, $httpClient);
    header("HTTP/1.1 302 Found");
    header("Location: http://sso.appsedudemo.com/php-oauth2/example/simple/");
} catch (fkooman\OAuth\Client\Exception\AuthorizeException $e) {
    // this exception is thrown by Callback when the OAuth server returns a
    // specific error message for the client, e.g.: the user did not authorize
    // the request
    die(sprintf("ERROR: %s, DESCRIPTION: %s", $e->getMessage(), $e->getDescription()));
} catch (Exception $e) {
    // other error, these should never occur in the normal flow
    die(sprintf("ERROR: %s", $e->getMessage()));
... (the rest of the file maintains unchanged)

Sometimes OpenAM OAuth2 server blocks or overrides some parameters posted. If the parameters are not being processed in the right way you can change the invocation method as shown below;
    private function accessTokenRequest(array $p)
        if ($this->clientConfig->getCredentialsInRequestBody()) {
            // provide credentials in the POST body
            $p['client_id'] = $this->clientConfig->getClientId();
            $p['client_secret'] = $this->clientConfig->getClientSecret();
        } else {
            // use basic authentication
            $curlAuth = new \Guzzle\Plugin\CurlAuth\CurlAuthPlugin(

        try {
            $request = $this->c->post($this->clientConfig->getTokenEndpoint());
	    //$request->addHeader('Accept', 'application/json');
            $responseData = $request->send()->json();
            // some servers do not provide token_type, so we allow for setting
            // a default
            // issue: https://github.com/fkooman/php-oauth-client/issues/13
            if (null !== $this->clientConfig->getDefaultTokenType()) {
                if (is_array($responseData) && !isset($responseData['token_type'])) {
                    $responseData['token_type'] = $this->clientConfig->getDefaultTokenType();

... (the rest of the file maintains unchanged)