stevenmaguire / oauth2-keycloak
Keycloak OAuth 2.0 Client Provider for The PHP League OAuth2-Client
Maintainers
Requires
- php: ^8.0
- firebase/php-jwt: ^7.0
- league/oauth2-client: ^2.8
Requires (Dev)
- mockery/mockery: ^1.6
- phpstan/phpstan: ^1.12
- phpunit/phpunit: ~9.6.4
- squizlabs/php_codesniffer: ~3.7.0
README
This package provides Keycloak OAuth 2.0 support for the PHP League's OAuth 2.0 Client.
Installation
To install, use composer:
composer require stevenmaguire/oauth2-keycloak
Usage
Usage is the same as The League's OAuth client, using \Stevenmaguire\OAuth2\Client\Provider\Keycloak as the provider.
Use authServerUrl to specify the Keycloak server URL. This depends on your Keycloak version:
- legacy releases often use
http://localhost:8080/auth - modern releases (Keycloak 17+) typically use
http://localhost:8080
Use realm to specify the Keycloak realm name. In client configuration exports this is represented as realm, e.g. master.
Authorization Code Flow
$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([ 'authServerUrl' => '{keycloak-server-url}', 'realm' => '{keycloak-realm}', 'clientId' => '{keycloak-client-id}', 'clientSecret' => '{keycloak-client-secret}', 'redirectUri' => 'https://example.com/callback-url', 'encryptionAlgorithm' => 'RS256', // optional 'encryptionKeyPath' => '../key.pem', // optional 'encryptionKey' => 'contents_of_key_or_certificate', // optional 'version' => '20.0.1', // optional ]); if (!isset($_GET['code'])) { // If we don't have an authorization code then get one $authUrl = $provider->getAuthorizationUrl(); $_SESSION['oauth2state'] = $provider->getState(); header('Location: '.$authUrl); exit; // Check given state against previously stored one to mitigate CSRF attack } elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) { unset($_SESSION['oauth2state']); exit('Invalid state, make sure HTTP sessions are enabled.'); } else { // Try to get an access token (using the authorization code grant) try { $token = $provider->getAccessToken('authorization_code', [ 'code' => $_GET['code'] ]); } catch (Exception $e) { exit('Failed to get access token: '.$e->getMessage()); } // Optional: Now you have a token you can look up a users profile data try { // We got an access token, let's now get the user's details $user = $provider->getResourceOwner($token); // Use these details to create a new profile printf('Hello %s!', $user->getName()); } catch (Exception $e) { exit('Failed to get resource owner: '.$e->getMessage()); } // Use this to interact with an API on the users behalf echo $token->getToken(); }
Refreshing a Token
$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([ 'authServerUrl' => '{keycloak-server-url}', 'realm' => '{keycloak-realm}', 'clientId' => '{keycloak-client-id}', 'clientSecret' => '{keycloak-client-secret}', 'redirectUri' => 'https://example.com/callback-url', ]); $token = $provider->getAccessToken('refresh_token', ['refresh_token' => $token->getRefreshToken()]);
Handling encryption
If you've configured your Keycloak instance to use encryption, there are some advanced options available to you.
Configure the provider to use the same encryption algorithm
$provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([ // ... 'encryptionAlgorithm' => 'RS256', ]);
or
$provider->setEncryptionAlgorithm('RS256');
Configure the provider to use the expected decryption public key or certificate
By key value
$key = "-----BEGIN PUBLIC KEY-----\n....\n-----END PUBLIC KEY-----"; // or // $key = "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----"; $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([ // ... 'encryptionKey' => $key, ]);
or
$provider->setEncryptionKey($key);
By key path
$keyPath = '../key.pem'; $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([ // ... 'encryptionKeyPath' => $keyPath, ]);
or
$provider->setEncryptionKeyPath($keyPath);
Testing
$ composer test
Contributing
Please see CONTRIBUTING for details.
Credits
License
The MIT License (MIT). Please see License File for more information.