The jumbojett/OpenID-Connect-PHP git repository contains a sample application that demonstrates how to use this implementation of the OpenID Connect (OIDC) library in PHP.
To use this sample application in the U-M ITS Virtual Web Hosting environment, you will need to request a virtual host through the ITS Virtual Hosting service:
You will also need to obtain an SSL/TLS certificate for your site, as your site should only support HTTPS (no insecure HTTP traffic).
A full step-by-step explanation of how to obtain AFS space, a Virtual Host, an SSL/TLS certificate, and a DNS entry for your site is beyond the scope of this how-to.
After you have the above components created for you and configured, you can set up your site to use the sample application to exercise the jumbojett OpenID Connect PHP library via the following steps:
- Clone the jumbojett/OpenID-Connect-PHP repository:
  git clone https://github.com/jumbojett/OpenID-Connect-PHP.git
- Copy client_example.php into your application's document root:
  cp OpenID-Connect-PHP/client_example.php [document root]/.
- Use Composer to install the JumboJett OpenID Connect PHP library in your application's document root. If your web application resides in AFS, you can use the version of Composer that is already installed on the ITS Web Hosting login server, umpire.dsc.umich.edu (you will need to activate the version of PHP your app uses after you log in):
  cd [document root]
  composer require jumbojett/openid-connect-php
- Obtain OIDC Service Client credentials
  You can self-provision OIDC Service Client credentials using the "OIDC Provisioning and Management" (OPaM) tool as documented in the following ITS Knowledge Base article:
  For this example application, you should configure the Redirect URI to https://my.site.url/client_example.php (substitute my.site.url with the fully qualified domain name (FQDN) for your site) when you provision the OIDC Service Client credentials for your site.
- Modify the client_example.php code
There are currently a few issues with the default code in the jumbojett/OpenID-Connect-PHP GitHub repository which require modifications to work correctly in the U-M ITS Virtual Web Hosting environment.
Currently, the code looks like this:
...
require __DIR__ . '/vendor/autoload.php';
use Jumbojett\OpenIDConnectClient;
$oidc = new OpenIDConnectClient(
'http://myproviderURL.com/',
'ClientIDHere',
'ClientSecretHere'
);
$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');
...
The issues to address:
- You need to fill in the correct details for the OpenIDConnectClient call. ClientID and ClientSecret are obtained via the self-provisioning process in the OPaM tool. The correct Provider URL for U-M is 'https://weblogin.umich.edu/'.
- The jumbojett library supports the Client Authentication method client_secret_basic by default. The OPaM tool default is client_secret_post and does not yet allow the option of selecting another method when provisioning OIDC service client credentials. A code change is required to explicitly set the Client Authentication method to client_secret_post.
- You need to add explicit scopes (openid email profile edumember) to optimize for the U-M OIDC environment; otherwise it will default to openid only.
The resulting code should look like this (note the ClientID and ClientSecret are obscured here and should be filled in with your site's actual values):
...
require __DIR__ . '/vendor/autoload.php';
use Jumbojett\OpenIDConnectClient;
$oidc = new OpenIDConnectClient(
'https://weblogin.umich.edu/',
'XXXXXXXXXXXXXXXXXXXXXXXXXX',
'YYYYYYYYYYYYYYYYYYYYYYYYYY'
);
$oidc->setTokenEndpointAuthMethodsSupported(['client_secret_post']);
$oidc->addScope('openid email profile edumember');
$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');
...
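As an added example (not the upstream client_example.php and not code from this page), the following is a hardened variant of the modified script above for the U-M Weblogin setup: it reads the credentials from the environment instead of hard-coding them in a file under the document root, refuses to run over plain HTTP, pins the redirect URI to the value registered in OPaM, handles library exceptions, and escapes the claim value before echoing it. The environment variable names OIDC_CLIENT_ID and OIDC_CLIENT_SECRET and the host my.site.url are assumptions.

```php
<?php
// Added example for the U-M Weblogin setup; not the library's own client_example.php.
// Assumes the credentials are supplied as environment variables OIDC_CLIENT_ID and
// OIDC_CLIENT_SECRET (hypothetical names) rather than hard-coded under the document root.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;
use Jumbojett\OpenIDConnectClientException;

$clientId     = getenv('OIDC_CLIENT_ID');
$clientSecret = getenv('OIDC_CLIENT_SECRET');
if ($clientId === false || $clientSecret === false) {
    http_response_code(500);
    exit('OIDC client credentials are not configured.');
}

// Refuse to run over plain HTTP: the redirect back to this page carries the authorization code.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(400);
    exit('This page must be served over HTTPS.');
}

$oidc = new OpenIDConnectClient('https://weblogin.umich.edu/', $clientId, $clientSecret);
// Pin the redirect URI to the value registered in OPaM instead of deriving it from
// request headers (Host etc.), which the client side can influence.
$oidc->setRedirectURL('https://my.site.url/client_example.php');
// OPaM provisions client_secret_post; the library defaults to client_secret_basic.
$oidc->setTokenEndpointAuthMethodsSupported(['client_secret_post']);
$oidc->addScope(['openid', 'email', 'profile', 'edumember']);

try {
    $oidc->authenticate();
    // 'sub' comes from the verified ID token; given_name needs the userinfo round trip.
    $subject = $oidc->getVerifiedClaims('sub');
    $name    = $oidc->requestUserInfo('given_name');
} catch (OpenIDConnectClientException $e) {
    // Log the detail server-side only; the browser gets a generic failure.
    error_log('OIDC login failed: ' . $e->getMessage());
    http_response_code(401);
    exit('Login failed.');
}

// Escape before echoing: both values originate outside this application.
echo 'Hello ' . htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8')
   . ' (' . htmlspecialchars((string) $subject, ENT_QUOTES, 'UTF-8') . ')';
```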
- Test
  Navigate to https://my.site.url/client_example.php (substitute my.site.url with the fully qualified domain name (FQDN) for your site). You should be automatically redirected to U-M Weblogin for single sign-on authentication. Upon successful authentication, you should see Hello uniqname (where uniqname is the U-M username you authenticated as).
A Docker example has been provided for demonstration purposes. To use it:
- Replace server.key with a valid key.
- Replace server.crt with a valid web certificate.
- Edit server.conf and replace SERVER on the ServerName line with your example service name, matching the CN in your server.crt.
- Fill in the variables in docker-compose.env with the OIDC Client ID and Secret that have been provisioned for you.
- Build the image:
  docker-compose build
  or docker compose build (depending on which docker-compose you have installed).
- Start the container:
  docker-compose up -d
  or docker compose up -d (depending, same as above).