This guide shows how to adapt existing institutional systems to an OAuth2 federated environment. The access management solution used in this example is OpenAM. OpenAM uses SAML as its default authentication protocol, so OAuth2 capabilities must be enabled on the selected realm, as shown in this guide. Replace every occurrence of openam.sso.appsedudemo.com with your OpenAM domain, and sso.appsedudemo.com with the domain where your application is installed. OpenAM uses realms to separate different configurations; here we use the realm name sp-google-idp-ldap. If you are using the base (default) realm, leave the realm parameter blank.

Prerequisites:
Instructions:
php-oauth2/example/simple/index.php

```php
<?php
require_once 'vendor/autoload.php';

// Token validation endpoint of the sp-google-idp-ldap realm
$apiUri = "http://openam.sso.appsedudemo.com:8080/openam/oauth2/tokeninfo?realm=sp-google-idp-ldap&token_type=Bearer";

// Authorization endpoint; the redirect_uri must point at callback.php below
$authorize_endpoint = "http://openam.sso.appsedudemo.com:8080/openam/oauth2/authorize?realm=sp-google-idp-ldap&redirect_uri=http://sso.appsedudemo.com/php-oauth2/example/simple/callback.php&scope=mail";

$clientConfig = new fkooman\OAuth\Client\ClientConfig(
    array(
        "authorize_endpoint" => $authorize_endpoint,
        "client_id" => "demo",
        "client_secret" => "egdpassword",
        "token_endpoint" => "http://openam.sso.appsedudemo.com:8080/openam/oauth2/access_token?realm=sp-google-idp-ldap&scope=mail&client_id=demo&grant_type=password&username=demo&password=egdpassword",
    )
);

// ... (the rest of the file remains unchanged)
```

php-oauth2/example/simple/callback.php

```php
<?php
require_once 'vendor/autoload.php';

$clientConfig = new fkooman\OAuth\Client\ClientConfig(
    array(
        "authorize_endpoint" => "http://openam.sso.appsedudemo.com:8080/openam/oauth2/authorize?realm=sp-google-idp-ldap&redirect_uri=http://sso.appsedudemo.com/php-oauth2/example/simple/callback.php&scope=mail",
        "client_id" => "demo",
        "client_secret" => "egdpassword",
        "token_endpoint" => "http://openam.sso.appsedudemo.com:8080/openam/oauth2/access_token?realm=sp-google-idp-ldap&scope=mail&client_id=demo&grant_type=password&username=demo&password=egdpassword",
    )
);

try {
    $tokenStorage = new fkooman\OAuth\Client\SessionStorage();
    $httpClient = new Guzzle\Http\Client();
    $cb = new fkooman\OAuth\Client\Callback("foo", $clientConfig, $tokenStorage, $httpClient);
    $cb->handleCallback($_GET);

    // Back to the application once the token has been stored in the session
    header("HTTP/1.1 302 Found");
    header("Location: http://sso.appsedudemo.com/php-oauth2/example/simple/");
    exit;
} catch (fkooman\OAuth\Client\Exception\AuthorizeException $e) {
    // this exception is thrown by Callback when the OAuth server returns a
    // specific error message for the client, e.g.: the user did not authorize
    // the request
    die(sprintf("ERROR: %s, DESCRIPTION: %s", $e->getMessage(), $e->getDescription()));
} catch (Exception $e) {
    // other error, these should never occur in the normal flow
    die(sprintf("ERROR: %s", $e->getMessage()));
}

// ... (the rest of the file remains unchanged)
```

Sometimes the OpenAM OAuth2 server blocks or overrides some of the parameters posted in the request body. If the parameters are not being processed correctly, you can change the invocation method as shown below so that the client no longer sends them in the POST body; the parameters are then taken from the token endpoint URL configured above. Note that with this configuration the client secret and the demo user's password travel in the URL query string, where they can appear in web-server and proxy logs.

php-oauth2/example/simple/vendor/fkooman/php-oauth-client/src/fkooman/OAuth/Client/TokenRequest.php

```php
// ...

    private function accessTokenRequest(array $p)
    {
        if ($this->clientConfig->getCredentialsInRequestBody()) {
            // provide credentials in the POST body
            $p['client_id'] = $this->clientConfig->getClientId();
            $p['client_secret'] = $this->clientConfig->getClientSecret();
        } else {
            // use basic authentication
            $curlAuth = new \Guzzle\Plugin\CurlAuth\CurlAuthPlugin(
                $this->clientConfig->getClientId(),
                $this->clientConfig->getClientSecret()
            );
            //$this->c->addSubscriber($curlAuth);
        }

        try {
            $request = $this->c->post($this->clientConfig->getTokenEndpoint());
            //$request->addPostFields($p);
            //$request->addHeader('Accept', 'application/json');
            $responseData = $request->send()->json();

            // some servers do not provide token_type, so we allow for setting
            // a default
            // issue: https://github.com/fkooman/php-oauth-client/issues/13
            if (null !== $this->clientConfig->getDefaultTokenType()) {
                if (is_array($responseData) && !isset($responseData['token_type'])) {
                    $responseData['token_type'] = $this->clientConfig->getDefaultTokenType();
                }
            }

// ...
```
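As an added example (not code from the guide or from the php-oauth-client project), the following PHP shows how the application can check the token it obtained against the realm's tokeninfo endpoint referenced by `$apiUri` above before trusting it: the OpenAM tokeninfo field names (`expires_in`, `token_type`, `realm`, `scope`, `error`) are assumptions, and the sample response is constructed so the check runs offline.

```php
<?php
// Added example, not part of the php-oauth-client project: validate an OpenAM
// access token with the realm's tokeninfo endpoint before the application
// trusts it. Field names follow OpenAM's tokeninfo JSON (assumed); the sample
// response below is constructed for offline use.

// Fetch tokeninfo for $accessToken; $tokenInfoBase is the $apiUri from index.php.
function fetchTokenInfo(string $tokenInfoBase, string $accessToken): array
{
    $url = $tokenInfoBase . '&' . http_build_query(array('access_token' => $accessToken));
    $body = @file_get_contents($url);   // live OpenAM call; not exercised offline
    if ($body === false) {
        return array();
    }
    $info = json_decode($body, true);
    return is_array($info) ? $info : array();
}

// Accept the token only if it is unexpired, a Bearer token, issued in the
// expected realm and granted every scope the application requires.
function tokenIsAcceptable(array $info, string $realm, array $requiredScopes): bool
{
    if (empty($info) || isset($info['error'])) {
        return false;   // OpenAM reports an invalid token as {"error": ...}
    }
    if (!isset($info['expires_in']) || (int) $info['expires_in'] <= 0) {
        return false;
    }
    if (!isset($info['token_type']) || strcasecmp($info['token_type'], 'Bearer') !== 0) {
        return false;
    }
    // OpenAM returns the realm with a leading slash, e.g. "/sp-google-idp-ldap"
    if (!isset($info['realm']) || ltrim($info['realm'], '/') !== ltrim($realm, '/')) {
        return false;
    }
    $granted = isset($info['scope']) ? (array) $info['scope'] : array();
    return count(array_diff($requiredScopes, $granted)) === 0;
}

// Constructed sample response, shaped like OpenAM's tokeninfo output.
$sample = array(
    'token_type' => 'Bearer',
    'expires_in' => 599,
    'realm'      => '/sp-google-idp-ldap',
    'scope'      => array('mail'),
    'mail'       => 'demo@sso.appsedudemo.com',
);
var_dump(tokenIsAcceptable($sample, 'sp-google-idp-ldap', array('mail')));
var_dump(tokenIsAcceptable($sample, 'sp-google-idp-ldap', array('mail', 'profile')));
```

The second call fails because the token was issued for scope=mail only, which is the check a resource protected by this realm should make before serving a request.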