Class yii\authclient\OpenIdConnect
| Inheritance | yii\authclient\OpenIdConnect » yii\authclient\OAuth2 » yii\authclient\BaseOAuth » yii\authclient\BaseClient » yii\base\Component |
|---|---|
| Implements | yii\authclient\ClientInterface |
| Available since extension's version | 2.1.3 |
| Source Code | https://github.com/yiisoft/yii2-authclient/blob/master/src/OpenIdConnect.php |
OpenIdConnect serves as a client for the OpenIdConnect flow.
Application configuration example:
'components' => [
'authClientCollection' => [
'class' => 'yii\authclient\Collection',
'clients' => [
'google' => [
'class' => 'yii\authclient\OpenIdConnect',
'issuerUrl' => 'https://accounts.google.com',
'clientId' => 'google_client_id',
'clientSecret' => 'google_client_secret',
'name' => 'google',
'title' => 'Google OpenID Connect',
],
],
]
// ...
]
This class requires web-token/jwt-checker,web-token/jwt-key-mgmt, web-token/jwt-signature, web-token/jwt-signature-algorithm-hmac,
web-token/jwt-signature-algorithm-ecdsa and web-token/jwt-signature-algorithm-rsa libraries to be installed for
JWS verification. This can be done via composer:
composer require --prefer-dist "web-token/jwt-checker:>=1.0 <3.0" "web-token/jwt-signature:>=1.0 <3.0"
"web-token/jwt-signature:>=1.0 <3.0" "web-token/jwt-signature-algorithm-hmac:>=1.0 <3.0"
"web-token/jwt-signature-algorithm-ecdsa:>=1.0 <3.0" "web-token/jwt-signature-algorithm-rsa:>=1.0 <3.0"
Note: if you are using well-trusted OpenIdConnect provider, you may disable $validateJws, making installation of
web-token library redundant, however it is not recommended as it violates the protocol specification.
See also:
Public Properties
Public Methods
Protected Methods
Constants
| Constant | Value | Description | Defined By |
|---|---|---|---|
| ACCESS_TOKEN_LOCATION_BODY | 'body' | Apply the access token to the request body | yii\authclient\OAuth2 |
| ACCESS_TOKEN_LOCATION_HEADER | 'header' | Apply the access token to the request header | yii\authclient\OAuth2 |
Property Details
The location of the access token when it is applied to the request.
NOTE: According to the OAuth2 specification this should be header by default,
however, for backwards compatibility the default value used here is body.
JWS algorithms, which are allowed to be used.
These are used by web-token library for JWS validation/decryption.
Make sure to install web-token/jwt-signature-algorithm-hmac, web-token/jwt-signature-algorithm-ecdsa
and web-token/jwt-signature-algorithm-rsa packages that support the particular algorithm before adding it here.
'HS256',
'HS384',
'HS512',
'ES256',
'ES384',
'ES512',
'RS256',
'RS384',
'RS512',
'PS256',
'PS384',
'PS512',
]
The cache object, null - if not enabled. Note that the type of this property
differs in getter and setter. See getCache() and setCache() for details.
OpenID provider configuration parameters.
The prefix for the key used to store $configParams data in cache. Actual cache key will be formed addition $id value to it.
See also $cache.
Predefined OpenID Connect Claims
See also https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.2.
'iss',
'sub',
'aud',
'exp',
'iat',
'auth_time',
'nonce',
'acr',
'amr',
'azp',
]
OpenID Issuer (provider) base URL, e.g. https://example.com.
Whether to use and validate auth 'nonce' parameter in authentication flow.
Whether to validate/decrypt JWS received with Auth token.
Note: this functionality requires web-token/jwt-checker, web-token/jwt-key-mgmt, web-token/jwt-signature
composer package to be installed. You can disable this option in case of usage of trusted OpenIDConnect provider,
however this violates the protocol rules, so you are doing it on your own risk.
Method Details
Defined in: yii\authclient\BaseOAuth::api()
Performs request to the OAuth API returning response data.
You may use createApiRequest() method instead, gaining more control over request execution.
See also createApiRequest().
| public array api ( $apiSubUrl, $method = 'GET', $data = [], $headers = [] ) | ||
| $apiSubUrl | string|array |
API sub URL, which will be append to $apiBaseUrl, or absolute API URL. |
| $method | string |
Request method. |
| $data | array|string |
Request data or content. |
| $headers | array |
Additional request headers. |
| return | array |
API response data. |
|---|---|---|
public function api($apiSubUrl, $method = 'GET', $data = [], $headers = [])
{
$request = $this->createApiRequest()
->setMethod($method)
->setUrl($apiSubUrl)
->addHeaders($headers);
if (!empty($data)) {
if (is_array($data)) {
$request->setData($data);
} else {
$request->setContent($data);
}
}
return $this->sendRequest($request);
}
Defined in: yii\authclient\OAuth2::applyAccessTokenToRequest()
Applies access token to the HTTP request instance.
| public void applyAccessTokenToRequest ( $request, $accessToken ) | ||
| $request | \yii\httpclient\Request |
HTTP request instance. |
| $accessToken | yii\authclient\OAuthToken |
Access token instance. |
| throws | \yii\base\InvalidConfigException | |
|---|---|---|
public function applyAccessTokenToRequest($request, $accessToken)
{
switch($this->accessTokenLocation) {
case self::ACCESS_TOKEN_LOCATION_BODY:
$data = $request->getData();
$data['access_token'] = $accessToken->getToken();
$request->setData($data);
break;
case self::ACCESS_TOKEN_LOCATION_HEADER:
$request->getHeaders()->set('Authorization', 'Bearer ' . $accessToken->getToken());
break;
default:
throw new InvalidConfigException('Unknown access token location: ' . $this->accessTokenLocation);
}
}
Applies client credentials (e.g. $clientId and $clientSecret) to the HTTP request instance.
This method should be invoked before sending any HTTP request, which requires client credentials.
| protected void applyClientCredentialsToRequest ( $request ) | ||
| $request | \yii\httpclient\Request |
HTTP request instance. |
protected function applyClientCredentialsToRequest($request)
{
$supportedAuthMethods = $this->getConfigParam('token_endpoint_auth_methods_supported', 'client_secret_basic');
if (in_array('client_secret_basic', $supportedAuthMethods)) {
$request->addHeaders([
'Authorization' => 'Basic ' . base64_encode($this->clientId . ':' . $this->clientSecret)
]);
} elseif (in_array('client_secret_post', $supportedAuthMethods)) {
$request->addData([
'client_id' => $this->clientId,
'client_secret' => $this->clientSecret,
]);
} elseif (in_array('client_secret_jwt', $supportedAuthMethods)) {
$header = [
'typ' => 'JWT',
'alg' => 'HS256',
];
$payload = [
'iss' => $this->clientId,
'sub' => $this->clientId,
'aud' => $this->tokenUrl,
'jti' => $this->generateAuthNonce(),
'iat' => time(),
'exp' => time() + 3600,
];
$signatureBaseString = base64_encode(Json::encode($header)) . '.' . base64_encode(Json::encode($payload));
$signatureMethod = new HmacSha(['algorithm' => 'sha256']);
$signature = $signatureMethod->generateSignature($signatureBaseString, $this->clientSecret);
$assertion = $signatureBaseString . '.' . $signature;
$request->addData([
'assertion' => $assertion,
]);
} else {
throw new InvalidConfigException('Unable to authenticate request: none of following auth methods is suported: ' . implode(', ', $supportedAuthMethods));
}
}
Defined in: yii\authclient\OAuth2::authenticateClient()
Authenticate OAuth client directly at the provider without third party (user) involved, using 'client_credentials' grant type.
| public yii\authclient\OAuthToken authenticateClient ( $params = [] ) | ||
| $params | array |
Additional request params. |
| return | yii\authclient\OAuthToken |
Access token. |
|---|---|---|
public function authenticateClient($params = [])
{
$defaultParams = [
'grant_type' => 'client_credentials',
];
if (!empty($this->scope)) {
$defaultParams['scope'] = $this->scope;
}
$request = $this->createRequest()
->setMethod('POST')
->setUrl($this->tokenUrl)
->setData(array_merge($defaultParams, $params));
$this->applyClientCredentialsToRequest($request);
$response = $this->sendRequest($request);
$token = $this->createToken(['params' => $response]);
$this->setAccessToken($token);
return $token;
}
Defined in: yii\authclient\OAuth2::authenticateUser()
Authenticates user directly by 'username/password' pair, using 'password' grant type.
| public yii\authclient\OAuthToken authenticateUser ( $username, $password, $params = [] ) | ||
| $username | string |
User name. |
| $password | string |
User password. |
| $params | array |
Additional request params. |
| return | yii\authclient\OAuthToken |
Access token. |
|---|---|---|
public function authenticateUser($username, $password, $params = [])
{
$defaultParams = [
'grant_type' => 'password',
'username' => $username,
'password' => $password,
];
if (!empty($this->scope)) {
$defaultParams['scope'] = $this->scope;
}
$request = $this->createRequest()
->setMethod('POST')
->setUrl($this->tokenUrl)
->setData(array_merge($defaultParams, $params));
$this->applyClientCredentialsToRequest($request);
$response = $this->sendRequest($request);
$token = $this->createToken(['params' => $response]);
$this->setAccessToken($token);
return $token;
}
Defined in: yii\authclient\OAuth2::authenticateUserJwt()
Authenticates user directly using JSON Web Token (JWT).
See also https://tools.ietf.org/html/rfc7515.
| public yii\authclient\OAuthToken authenticateUserJwt ( $username, $signature = null, $options = [], $params = [] ) | ||
| $username | string | |
| $signature | yii\authclient\signature\BaseMethod|array |
Signature method or its array configuration. If empty - $signatureMethod will be used. |
| $options | array |
Additional options. Valid options are:
|
| $params | array |
Additional request params. |
| return | yii\authclient\OAuthToken |
Access token. |
|---|---|---|
public function authenticateUserJwt($username, $signature = null, $options = [], $params = [])
{
if (empty($signature)) {
$signatureMethod = $this->getSignatureMethod();
} elseif (is_object($signature)) {
$signatureMethod = $signature;
} else {
$signatureMethod = $this->createSignatureMethod($signature);
}
$header = isset($options['header']) ? $options['header'] : [];
$payload = isset($options['payload']) ? $options['payload'] : [];
$header = array_merge([
'typ' => 'JWT'
], $header);
if (!isset($header['alg'])) {
$signatureName = $signatureMethod->getName();
if (preg_match('/^([a-z])[a-z]*\-([a-z])[a-z]*([0-9]+)$/is', $signatureName, $matches)) {
// convert 'RSA-SHA256' to 'RS256' :
$signatureName = $matches[1] . $matches[2] . $matches[3];
}
$header['alg'] = $signatureName;
}
$payload = array_merge([
'iss' => $username,
'scope' => $this->scope,
'aud' => $this->tokenUrl,
'iat' => time(),
], $payload);
if (!isset($payload['exp'])) {
$payload['exp'] = $payload['iat'] + 3600;
}
$signatureBaseString = base64_encode(Json::encode($header)) . '.' . base64_encode(Json::encode($payload));
$signatureKey = isset($options['signatureKey']) ? $options['signatureKey'] : $this->clientSecret;
$signature = $signatureMethod->generateSignature($signatureBaseString, $signatureKey);
$assertion = $signatureBaseString . '.' . $signature;
$request = $this->createRequest()
->setMethod('POST')
->setUrl($this->tokenUrl)
->setData(array_merge([
'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
'assertion' => $assertion,
], $params));
$response = $this->sendRequest($request);
$token = $this->createToken(['params' => $response]);
$this->setAccessToken($token);
return $token;
}
Defined in: yii\authclient\BaseOAuth::beforeApiRequestSend()
Handles Request::EVENT_BEFORE_SEND event.
Applies $accessToken to the request.
| public void beforeApiRequestSend ( $event ) | ||
| $event | \yii\httpclient\RequestEvent |
Event instance. |
| throws | \yii\base\Exception |
on invalid access token. |
|---|---|---|
public function beforeApiRequestSend($event)
{
$accessToken = $this->getAccessToken();
if (!is_object($accessToken) || (!$accessToken->getIsValid() && !$this->autoRefreshAccessToken)) {
throw new Exception('Invalid access token.');
} elseif ($accessToken->getIsExpired() && $this->autoRefreshAccessToken) {
$accessToken = $this->refreshAccessToken($accessToken);
}
$this->applyAccessTokenToRequest($event->request, $accessToken);
}
Composes user authorization URL.
| public string buildAuthUrl ( array $params = [] ) | ||
| $params | array |
Additional auth GET params. |
| return | string |
Authorization URL. |
|---|---|---|
public function buildAuthUrl(array $params = [])
{
if ($this->authUrl === null) {
$this->authUrl = $this->getConfigParam('authorization_endpoint');
}
if (!isset($params['nonce']) && $this->getValidateAuthNonce()) {
$nonce = $this->generateAuthNonce();
$this->setState('authNonce', $nonce);
$params['nonce'] = $nonce;
}
return parent::buildAuthUrl($params);
}
Defined in: yii\authclient\BaseOAuth::composeUrl()
Composes URL from base URL and GET params.
| protected string composeUrl ( $url, array $params = [] ) | ||
| $url | string |
Base URL. |
| $params | array |
GET params. |
| return | string |
Composed URL. |
|---|---|---|
protected function composeUrl($url, array $params = [])
{
if (!empty($params)) {
if (strpos($url, '?') === false) {
$url .= '?';
} else {
$url .= '&';
}
$url .= http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}
return $url;
}
Defined in: yii\authclient\BaseOAuth::createApiRequest()
Creates an HTTP request for the API call.
The created request will be automatically processed adding access token parameters and signature before sending. You may use createRequest() to gain full control over request composition and execution.
See also createRequest().
| public \yii\httpclient\Request createApiRequest ( ) | ||
| return | \yii\httpclient\Request |
HTTP request instance. |
|---|---|---|
public function createApiRequest()
{
$request = $this->createRequest();
$request->on(Request::EVENT_BEFORE_SEND, [$this, 'beforeApiRequestSend']);
return $request;
}
Defined in: yii\authclient\BaseOAuth::createHttpClient()
Creates HTTP client instance from reference or configuration.
| protected \yii\httpclient\Client createHttpClient ( $reference ) | ||
| $reference | string|array |
Component name or array configuration. |
| return | \yii\httpclient\Client |
HTTP client instance. |
|---|---|---|
protected function createHttpClient($reference)
{
$httpClient = parent::createHttpClient($reference);
$httpClient->baseUrl = $this->apiBaseUrl;
return $httpClient;
}
Defined in: yii\authclient\BaseClient::createRequest()
Creates HTTP request instance.
| public \yii\httpclient\Request createRequest ( ) | ||
| return | \yii\httpclient\Request |
HTTP request instance. |
|---|---|---|
public function createRequest()
{
return $this->getHttpClient()
->createRequest()
->addOptions($this->defaultRequestOptions())
->addOptions($this->getRequestOptions());
}
Defined in: yii\authclient\BaseOAuth::createSignatureMethod()
Creates signature method instance from its configuration.
| protected yii\authclient\signature\BaseMethod createSignatureMethod ( array $signatureMethodConfig ) | ||
| $signatureMethodConfig | array |
Signature method configuration. |
| return | yii\authclient\signature\BaseMethod |
Signature method instance. |
|---|---|---|
protected function createSignatureMethod(array $signatureMethodConfig)
{
if (!array_key_exists('class', $signatureMethodConfig)) {
$signatureMethodConfig['class'] = signature\HmacSha1::className();
}
return Yii::createObject($signatureMethodConfig);
}
Creates token from its configuration.
| protected yii\authclient\OAuthToken createToken ( array $tokenConfig = [] ) | ||
| $tokenConfig | array |
Token configuration. |
| return | yii\authclient\OAuthToken |
Token instance. |
|---|---|---|
protected function createToken(array $tokenConfig = [])
{
if ($this->validateJws) {
$jwsData = $this->loadJws($tokenConfig['params']['id_token']);
$this->validateClaims($jwsData);
$tokenConfig['params'] = array_merge($tokenConfig['params'], $jwsData);
if ($this->getValidateAuthNonce()) {
$authNonce = $this->getState('authNonce');
if (
!isset($jwsData['nonce'])
|| empty($authNonce)
|| !Yii::$app->getSecurity()->compareString($jwsData['nonce'], $authNonce)
) {
throw new HttpException(400, 'Invalid auth nonce');
} else {
$this->removeState('authNonce');
}
}
}
return parent::createToken($tokenConfig);
}
Defined in: yii\authclient\BaseClient::defaultName()
Generates service name.
| protected string defaultName ( ) | ||
| return | string |
Service name. |
|---|---|---|
protected function defaultName()
{
return Inflector::camel2id(StringHelper::basename(get_class($this)));
}
Defined in: yii\authclient\BaseClient::defaultNormalizeUserAttributeMap()
Returns the default $normalizeUserAttributeMap value.
Particular client may override this method in order to provide specific default map.
| protected array defaultNormalizeUserAttributeMap ( ) | ||
| return | array |
Normalize attribute map. |
|---|---|---|
protected function defaultNormalizeUserAttributeMap()
{
return [];
}
Defined in: yii\authclient\BaseOAuth::defaultRequestOptions()
Returns default HTTP request options.
| protected array defaultRequestOptions ( ) | ||
| return | array |
HTTP request options. |
|---|---|---|
protected function defaultRequestOptions()
{
return [
'userAgent' => Inflector::slug(Yii::$app->name) . ' OAuth ' . $this->version . ' Client',
'timeout' => 30,
];
}
Defined in: yii\authclient\BaseOAuth::defaultReturnUrl()
Composes default $returnUrl value.
| protected string defaultReturnUrl ( ) | ||
| return | string |
Return URL. |
|---|---|---|
protected function defaultReturnUrl()
{
$params = Yii::$app->getRequest()->getQueryParams();
$params = array_intersect_key($params, array_flip($this->parametersToKeepInReturnUrl));
$params[0] = Yii::$app->controller->getRoute();
return Yii::$app->getUrlManager()->createAbsoluteUrl($params);
}
Defined in: yii\authclient\BaseClient::defaultTitle()
Generates service title.
| protected string defaultTitle ( ) | ||
| return | string |
Service title. |
|---|---|---|
protected function defaultTitle()
{
return StringHelper::basename(get_class($this));
}
Defined in: yii\authclient\BaseClient::defaultViewOptions()
Returns the default $viewOptions value.
Particular client may override this method in order to provide specific default view options.
| protected array defaultViewOptions ( ) | ||
| return | array |
List of default $viewOptions |
|---|---|---|
protected function defaultViewOptions()
{
return [];
}
Discovers OpenID Provider configuration parameters.
| protected array discoverConfig ( ) | ||
| return | array |
OpenID Provider configuration parameters. |
|---|---|---|
| throws | yii\authclient\InvalidResponseException |
on failure. |
protected function discoverConfig()
{
$request = $this->createRequest();
$configUrl = rtrim($this->issuerUrl, '/') . '/.well-known/openid-configuration';
$request->setMethod('GET')
->setUrl($configUrl);
$response = $this->sendRequest($request);
return $response;
}
Fetches access token from authorization code.
| public yii\authclient\OAuthToken fetchAccessToken ( $authCode, array $params = [] ) | ||
| $authCode | string |
Authorization code, usually comes at GET parameter 'code'. |
| $params | array |
Additional request params. |
| return | yii\authclient\OAuthToken |
Access token. |
|---|---|---|
| throws | \yii\web\HttpException |
on invalid auth state in case enableStateValidation is enabled. |
public function fetchAccessToken($authCode, array $params = [])
{
if ($this->tokenUrl === null) {
$this->tokenUrl = $this->getConfigParam('token_endpoint');
}
if (!isset($params['nonce']) && $this->getValidateAuthNonce()) {
$params['nonce'] = $this->getState('authNonce');
}
return parent::fetchAccessToken($authCode, $params);
}
Generates the auth nonce value.
| protected string generateAuthNonce ( ) | ||
| return | string |
Auth nonce value. |
|---|---|---|
protected function generateAuthNonce()
{
return Yii::$app->security->generateRandomString();
}
Defined in: yii\authclient\OAuth2::generateAuthState()
Generates the auth state value.
| protected string generateAuthState ( ) | ||
| return | string |
Auth state value. |
|---|---|---|
protected function generateAuthState()
{
$baseString = get_class($this) . '-' . time();
if (Yii::$app->has('session')) {
$baseString .= '-' . Yii::$app->session->getId();
}
return hash('sha256', uniqid($baseString, true));
}
Defined in: yii\authclient\BaseOAuth::getAccessToken()
| public yii\authclient\OAuthToken getAccessToken ( ) | ||
| return | yii\authclient\OAuthToken |
Auth token instance. |
|---|---|---|
public function getAccessToken()
{
if (!is_object($this->_accessToken)) {
$this->_accessToken = $this->restoreAccessToken();
}
return $this->_accessToken;
}
| public \yii\caching\Cache|null getCache ( ) | ||
| return | \yii\caching\Cache|null |
The cache object, |
|---|---|---|
public function getCache()
{
if ($this->_cache !== null && !is_object($this->_cache)) {
$this->_cache = Instance::ensure($this->_cache, Cache::className());
}
return $this->_cache;
}
Returns particular configuration parameter value.
| public mixed getConfigParam ( $name, $default = null ) | ||
| $name | string |
Configuration parameter name. |
| $default | mixed |
Value to be returned if the configuration parameter isn't set. |
| return | mixed |
Configuration parameter value. |
|---|---|---|
public function getConfigParam($name, $default = null)
{
$params = $this->getConfigParams();
return array_key_exists($name, $params) ? $params[$name] : $default;
}
| public array getConfigParams ( ) | ||
| return | array |
OpenID provider configuration parameters. |
|---|---|---|
public function getConfigParams()
{
if ($this->_configParams === null) {
$cache = $this->getCache();
$cacheKey = $this->configParamsCacheKeyPrefix . $this->getId();
if ($cache === null || ($configParams = $cache->get($cacheKey)) === false) {
$configParams = $this->discoverConfig();
if ($cache !== null) {
$cache->set($cacheKey, $configParams, $this->cacheDuration);
}
}
$this->_configParams = $configParams;
}
return $this->_configParams;
}
Defined in: yii\authclient\BaseClient::getHttpClient()
Returns HTTP client.
| public \yii\httpclient\Client getHttpClient ( ) | ||
| return | \yii\httpclient\Client |
Internal HTTP client. |
|---|---|---|
public function getHttpClient()
{
if (!is_object($this->_httpClient)) {
$this->_httpClient = $this->createHttpClient($this->_httpClient);
}
return $this->_httpClient;
}
Defined in: yii\authclient\BaseClient::getId()
| public string getId ( ) | ||
| return | string |
Service id |
|---|---|---|
public function getId()
{
if (empty($this->_id)) {
$this->_id = $this->getName();
}
return $this->_id;
}
Return JwkSet, returning related data.
| protected \yii\authclient\JWKSet getJwkSet ( ) | ||
| return | \yii\authclient\JWKSet |
Object represents a key set. |
|---|---|---|
| throws | yii\authclient\InvalidResponseException |
on failure. |
protected function getJwkSet()
{
if ($this->_jwkSet === null) {
$cache = $this->getCache();
$cacheKey = $this->configParamsCacheKeyPrefix . '_jwkSet';
if ($cache === null || ($jwkSet = $cache->get($cacheKey)) === false) {
$request = $this->createRequest()
->setMethod('GET')
->setUrl($this->getConfigParam('jwks_uri'));
$response = $this->sendRequest($request);
$jwkSet = JWKFactory::createFromValues($response);
if ($cache !== null) {
$cache->set($cacheKey, $jwkSet, $this->cacheDuration);
}
}
$this->_jwkSet = $jwkSet;
}
return $this->_jwkSet;
}
Return JWSLoader that validate the JWS token.
| protected \Jose\Component\Signature\JWSLoader getJwsLoader ( ) | ||
| return | \Jose\Component\Signature\JWSLoader |
To do token validation. |
|---|---|---|
| throws | \yii\base\InvalidConfigException |
on invalid algorithm provide in configuration. |
protected function getJwsLoader()
{
if ($this->_jwsLoader === null) {
$algorithms = [];
foreach ($this->allowedJwsAlgorithms as $algorithm)
{
$class = '\Jose\Component\Signature\Algorithm\\' . $algorithm;
if (!class_exists($class))
{
throw new InvalidConfigException("Alogrithm class $class doesn't exist");
}
$algorithms[] = new $class();
}
$this->_jwsLoader = new JWSLoader(
new JWSSerializerManager([ new CompactSerializer() ]),
new JWSVerifier(new AlgorithmManager($algorithms)),
new HeaderCheckerManager(
[ new AlgorithmChecker($this->allowedJwsAlgorithms) ],
[ new JWSTokenSupport() ]
)
);
}
return $this->_jwsLoader;
}
Defined in: yii\authclient\BaseClient::getName()
| public string getName ( ) | ||
| return | string |
Service name. |
|---|---|---|
public function getName()
{
if ($this->_name === null) {
$this->_name = $this->defaultName();
}
return $this->_name;
}
| public array getNormalizeUserAttributeMap ( ) | ||
| return | array |
Normalize user attribute map. |
|---|---|---|
public function getNormalizeUserAttributeMap()
{
if ($this->_normalizeUserAttributeMap === null) {
$this->_normalizeUserAttributeMap = $this->defaultNormalizeUserAttributeMap();
}
return $this->_normalizeUserAttributeMap;
}
Defined in: yii\authclient\BaseClient::getRequestOptions()
| public array getRequestOptions ( ) | ||
| return | array |
HTTP request options. |
|---|---|---|
public function getRequestOptions()
{
return $this->_requestOptions;
}
Defined in: yii\authclient\BaseOAuth::getReturnUrl()
| public string getReturnUrl ( ) | ||
| return | string |
Return URL. |
|---|---|---|
public function getReturnUrl()
{
if ($this->_returnUrl === null) {
$this->_returnUrl = $this->defaultReturnUrl();
}
return $this->_returnUrl;
}
Defined in: yii\authclient\BaseOAuth::getSignatureMethod()
| public yii\authclient\signature\BaseMethod getSignatureMethod ( ) | ||
| return | yii\authclient\signature\BaseMethod |
Signature method instance. |
|---|---|---|
public function getSignatureMethod()
{
if (!is_object($this->_signatureMethod)) {
$this->_signatureMethod = $this->createSignatureMethod($this->_signatureMethod);
}
return $this->_signatureMethod;
}
Defined in: yii\authclient\BaseClient::getState()
Returns persistent state value.
| protected mixed getState ( $key ) | ||
| $key | string |
State key. |
| return | mixed |
State value. |
|---|---|---|
protected function getState($key)
{
return $this->getStateStorage()->get($this->getStateKeyPrefix() . $key);
}
Defined in: yii\authclient\BaseClient::getStateKeyPrefix()
Returns session key prefix, which is used to store internal states.
| protected string getStateKeyPrefix ( ) | ||
| return | string |
Session key prefix. |
|---|---|---|
protected function getStateKeyPrefix()
{
return get_class($this) . '_' . $this->getId() . '_';
}
Defined in: yii\authclient\BaseClient::getStateStorage()
| public yii\authclient\StateStorageInterface getStateStorage ( ) | ||
| return | yii\authclient\StateStorageInterface |
Stage storage. |
|---|---|---|
public function getStateStorage()
{
if (!is_object($this->_stateStorage)) {
$this->_stateStorage = Yii::createObject($this->_stateStorage);
}
return $this->_stateStorage;
}
Defined in: yii\authclient\BaseClient::getTitle()
| public string getTitle ( ) | ||
| return | string |
Service title. |
|---|---|---|
public function getTitle()
{
if ($this->_title === null) {
$this->_title = $this->defaultTitle();
}
return $this->_title;
}
Defined in: yii\authclient\BaseClient::getUserAttributes()
| public array getUserAttributes ( ) | ||
| return | array |
List of user attributes |
|---|---|---|
public function getUserAttributes()
{
if ($this->_userAttributes === null) {
$this->_userAttributes = $this->normalizeUserAttributes($this->initUserAttributes());
}
return $this->_userAttributes;
}
| public boolean getValidateAuthNonce ( ) | ||
| return | boolean |
Whether to use and validate auth 'nonce' parameter in authentication flow. |
|---|---|---|
public function getValidateAuthNonce()
{
if ($this->_validateAuthNonce === null) {
$this->_validateAuthNonce = $this->validateJws && in_array('nonce', $this->getConfigParam('claims_supported'));
}
return $this->_validateAuthNonce;
}
Defined in: yii\authclient\BaseClient::getViewOptions()
| public array getViewOptions ( ) | ||
| return | array |
View options in format: optionName => optionValue |
|---|---|---|
public function getViewOptions()
{
if ($this->_viewOptions === null) {
$this->_viewOptions = $this->defaultViewOptions();
}
return $this->_viewOptions;
}
Initializes authenticated user attributes.
| protected array initUserAttributes ( ) | ||
| return | array |
Auth user attributes. |
|---|---|---|
protected function initUserAttributes()
{
// Use 'userinfo_endpoint' config if available,
// try to extract user claims from access token's 'id_token' claim otherwise.
$userinfoEndpoint = $this->getConfigParam('userinfo_endpoint');
if (!empty($userinfoEndpoint)) {
$userInfo = $this->api($userinfoEndpoint, 'GET');
// The userinfo endpoint can return a JSON object (which will be converted to an array) or a JWT.
if (is_array($userInfo)) {
return $userInfo;
} else {
// Use the userInfo endpoint as id_token and parse it as JWT below
$idToken = $userInfo;
}
} else {
$accessToken = $this->accessToken;
$idToken = $accessToken->getParam('id_token');
}
$idTokenData = [];
if (!empty($idToken)) {
if ($this->validateJws) {
$idTokenClaims = $this->loadJws($idToken);
} else {
$idTokenClaims = Json::decode(StringHelper::base64UrlDecode(explode('.', $idToken)[1]));
}
$metaDataFields = array_flip($this->defaultIdTokenClaims);
unset($metaDataFields['sub']); // "Subject Identifier" is not meta data
$idTokenData = array_diff_key($idTokenClaims, $metaDataFields);
}
return $idTokenData;
}
Decrypts/validates JWS, returning related data.
| protected array loadJws ( $jws ) | ||
| $jws | string |
Raw JWS input. |
| return | array |
JWS underlying data. |
|---|---|---|
| throws | \yii\web\HttpException |
on invalid JWS signature. |
protected function loadJws($jws)
{
try {
$jwsLoader = $this->getJwsLoader();
$signature = null;
$jwsVerified = $jwsLoader->loadAndVerifyWithKeySet($jws, $this->getJwkSet(), $signature);
return Json::decode($jwsVerified->getPayload());
} catch (\Exception $e) {
$message = YII_DEBUG ? 'Unable to verify JWS: ' . $e->getMessage() : 'Invalid JWS';
throw new HttpException(400, $message, $e->getCode(), $e);
}
}
Defined in: yii\authclient\BaseClient::normalizeUserAttributes()
Normalize given user attributes according to $normalizeUserAttributeMap.
| protected array normalizeUserAttributes ( $attributes ) | ||
| $attributes | array |
Raw attributes. |
| return | array |
Normalized attributes. |
|---|---|---|
| throws | \yii\base\InvalidConfigException |
on incorrect normalize attribute map. |
protected function normalizeUserAttributes($attributes)
{
foreach ($this->getNormalizeUserAttributeMap() as $normalizedName => $actualName) {
if (is_scalar($actualName)) {
if (array_key_exists($actualName, $attributes)) {
$attributes[$normalizedName] = $attributes[$actualName];
}
} else {
if (is_callable($actualName)) {
$attributes[$normalizedName] = call_user_func($actualName, $attributes);
} elseif (is_array($actualName)) {
$haystack = $attributes;
$searchKeys = $actualName;
$isFound = true;
while (($key = array_shift($searchKeys)) !== null) {
if (is_array($haystack) && array_key_exists($key, $haystack)) {
$haystack = $haystack[$key];
} else {
$isFound = false;
break;
}
}
if ($isFound) {
$attributes[$normalizedName] = $haystack;
}
} else {
throw new InvalidConfigException('Invalid actual name "' . gettype($actualName) . '" specified at "' . get_class($this) . '::normalizeUserAttributeMap"');
}
}
}
return $attributes;
}
Gets new auth token to replace expired one.
| public yii\authclient\OAuthToken refreshAccessToken ( yii\authclient\OAuthToken $token ) | ||
| $token | yii\authclient\OAuthToken |
Expired auth token. |
| return | yii\authclient\OAuthToken |
New auth token. |
|---|---|---|
public function refreshAccessToken(OAuthToken $token)
{
if ($this->tokenUrl === null) {
$this->tokenUrl = $this->getConfigParam('token_endpoint');
}
if ($this->getValidateAuthNonce()) {
$nonce = $this->generateAuthNonce();
$this->setState('authNonce', $nonce);
$token->setParam('nonce', $nonce);
}
return parent::refreshAccessToken($token);
}
Defined in: yii\authclient\BaseClient::removeState()
Removes persistent state value.
| protected boolean removeState ( $key ) | ||
| $key | string |
State key. |
| return | boolean |
Success. |
|---|---|---|
protected function removeState($key)
{
return $this->getStateStorage()->remove($this->getStateKeyPrefix() . $key);
}
Defined in: yii\authclient\BaseOAuth::restoreAccessToken()
Restores access token.
| protected yii\authclient\OAuthToken restoreAccessToken ( ) | ||
| return | yii\authclient\OAuthToken |
Auth token. |
|---|---|---|
protected function restoreAccessToken()
{
$token = $this->getState('token');
if (is_object($token)) {
/* @var $token OAuthToken */
if ($token->getIsExpired() && $this->autoRefreshAccessToken) {
$token = $this->refreshAccessToken($token);
}
}
return $token;
}
Defined in: yii\authclient\BaseOAuth::saveAccessToken()
Saves token as persistent state.
| protected $this saveAccessToken ( $token ) | ||
| $token | yii\authclient\OAuthToken|null |
Auth token to be saved. |
| return | $this |
The object itself. |
|---|---|---|
protected function saveAccessToken($token)
{
return $this->setState('token', $token);
}
Defined in: yii\authclient\BaseOAuth::sendRequest()
Sends the given HTTP request, returning response data.
| protected array|string|null sendRequest ( $request ) | ||
| $request | \yii\httpclient\Request |
HTTP request to be sent. |
| return | array|string|null |
Response data. |
|---|---|---|
| throws | yii\authclient\ClientErrorResponseException |
on client error response codes. |
| throws | yii\authclient\InvalidResponseException |
on non-successful (other than client error) response codes. |
| throws | \yii\httpclient\Exception | |
protected function sendRequest($request)
{
$response = $request->send();
if (!$response->getIsOk()) {
$statusCode = (int)$response->getStatusCode();
if ($statusCode >= 400 && $statusCode < 500) {
$exceptionClass = 'yii\\authclient\\ClientErrorResponseException';
} else {
$exceptionClass = 'yii\\authclient\\InvalidResponseException';
}
throw new $exceptionClass(
$response,
'Request failed with code: ' . $statusCode . ', message: ' . $response->getContent(),
$statusCode
);
}
if (stripos($response->headers->get('content-type', ''), 'application/jwt') !== false) {
return $response->getContent();
} else {
return $response->getData();
}
}
Defined in: yii\authclient\BaseOAuth::setAccessToken()
Sets access token to be used.
| public void setAccessToken ( $token ) | ||
| $token | array|yii\authclient\OAuthToken|null |
Access token or its configuration. Set to null to restore token from token store. |
public function setAccessToken($token)
{
if (!is_object($token) && $token !== null) {
$token = $this->createToken($token);
}
$this->_accessToken = $token;
$this->saveAccessToken($token);
}
Sets up a component to be used for caching.
This can be one of the following:
- an application component ID (e.g.
cache) - a configuration array
- a \yii\caching\Cache object
When null is passed, it means caching is not enabled.
| public void setCache ( $cache ) | ||
| $cache | \yii\caching\Cache|array|string|null |
The cache object or the ID of the cache application component. |
public function setCache($cache)
{
$this->_cache = $cache;
}
Set the OpenID provider configuration manually, this will bypass the automatic discovery via the /.well-known/openid-configuration endpoint.
| public void setConfigParams ( $configParams ) | ||
| $configParams | array |
OpenID provider configuration parameters. |
public function setConfigParams($configParams)
{
$this->_configParams = $configParams;
}
Defined in: yii\authclient\BaseOAuth::setHttpClient()
Sets HTTP client to be used.
| public void setHttpClient ( $httpClient ) | ||
| $httpClient | array|\yii\httpclient\Client |
Internal HTTP client. |
public function setHttpClient($httpClient)
{
if (is_object($httpClient)) {
$httpClient = clone $httpClient;
$httpClient->baseUrl = $this->apiBaseUrl;
}
parent::setHttpClient($httpClient);
}
Defined in: yii\authclient\BaseClient::setId()
| public void setId ( $id ) | ||
| $id | string |
Service id. |
public function setId($id)
{
$this->_id = $id;
}
Defined in: yii\authclient\BaseClient::setName()
| public void setName ( $name ) | ||
| $name | string |
Service name. |
public function setName($name)
{
$this->_name = $name;
}
| public void setNormalizeUserAttributeMap ( $normalizeUserAttributeMap ) | ||
| $normalizeUserAttributeMap | array |
Normalize user attribute map. |
public function setNormalizeUserAttributeMap($normalizeUserAttributeMap)
{
$this->_normalizeUserAttributeMap = $normalizeUserAttributeMap;
}
Defined in: yii\authclient\BaseClient::setRequestOptions()
| public void setRequestOptions ( array $options ) | ||
| $options | array |
HTTP request options. |
public function setRequestOptions(array $options)
{
$this->_requestOptions = $options;
}
Defined in: yii\authclient\BaseOAuth::setReturnUrl()
| public void setReturnUrl ( $returnUrl ) | ||
| $returnUrl | string |
Return URL |
public function setReturnUrl($returnUrl)
{
$this->_returnUrl = $returnUrl;
}
Defined in: yii\authclient\BaseOAuth::setSignatureMethod()
Set signature method to be used.
| public void setSignatureMethod ( $signatureMethod ) | ||
| $signatureMethod | array|yii\authclient\signature\BaseMethod |
Signature method instance or its array configuration. |
| throws | \yii\base\InvalidArgumentException |
on wrong argument. |
|---|---|---|
public function setSignatureMethod($signatureMethod)
{
if (!is_object($signatureMethod) && !is_array($signatureMethod)) {
throw new InvalidArgumentException('"' . get_class($this) . '::signatureMethod" should be instance of "\yii\autclient\signature\BaseMethod" or its array configuration. "' . gettype($signatureMethod) . '" has been given.');
}
$this->_signatureMethod = $signatureMethod;
}
Defined in: yii\authclient\BaseClient::setState()
Sets persistent state.
| protected $this setState ( $key, $value ) | ||
| $key | string |
State key. |
| $value | mixed |
State value |
| return | $this |
The object itself |
|---|---|---|
protected function setState($key, $value)
{
$this->getStateStorage()->set($this->getStateKeyPrefix() . $key, $value);
return $this;
}
Defined in: yii\authclient\BaseClient::setStateStorage()
| public void setStateStorage ( $stateStorage ) | ||
| $stateStorage | yii\authclient\StateStorageInterface|array|string |
Stage storage to be used. |
public function setStateStorage($stateStorage)
{
$this->_stateStorage = $stateStorage;
}
Defined in: yii\authclient\BaseClient::setTitle()
| public void setTitle ( $title ) | ||
| $title | string |
Service title. |
public function setTitle($title)
{
$this->_title = $title;
}
Defined in: yii\authclient\BaseClient::setUserAttributes()
| public void setUserAttributes ( $userAttributes ) | ||
| $userAttributes | array |
List of user attributes |
public function setUserAttributes($userAttributes)
{
$this->_userAttributes = $this->normalizeUserAttributes($userAttributes);
}
| public void setValidateAuthNonce ( $validateAuthNonce ) | ||
| $validateAuthNonce | boolean |
Whether to use and validate auth 'nonce' parameter in authentication flow. |
public function setValidateAuthNonce($validateAuthNonce)
{
$this->_validateAuthNonce = $validateAuthNonce;
}
Defined in: yii\authclient\BaseClient::setViewOptions()
| public void setViewOptions ( $viewOptions ) | ||
| $viewOptions | array |
View options in format: optionName => optionValue |
public function setViewOptions($viewOptions)
{
$this->_viewOptions = $viewOptions;
}
Validates the claims data received from OpenID provider.
| protected void validateClaims ( array $claims ) | ||
| $claims | array |
Claims data. |
| throws | \yii\web\HttpException |
on invalid claims. |
|---|---|---|
protected function validateClaims(array $claims)
{
$expectedIssuer = $this->getConfigParam('issuer', $this->issuerUrl);
if (!isset($claims['iss']) || (strcmp(rtrim($claims['iss'], '/'), rtrim($expectedIssuer, '/')) !== 0)) {
throw new HttpException(400, 'Invalid "iss"');
}
if (!isset($claims['aud'])
|| (!is_string($claims['aud']) && !is_array($claims['aud']))
|| (is_string($claims['aud']) && strcmp($claims['aud'], $this->clientId) !== 0)
|| (is_array($claims['aud']) && !in_array($this->clientId, $claims['aud']))
) {
throw new HttpException(400, 'Invalid "aud"');
}
}