Skip to content

Add OpenID Connect#1447

Open
adrum wants to merge 7 commits into
SocialiteProviders:masterfrom
adrum:feature/open-id-connect
Open

Add OpenID Connect#1447
adrum wants to merge 7 commits into
SocialiteProviders:masterfrom
adrum:feature/open-id-connect

Conversation

@adrum

@adrum adrum commented Apr 23, 2026

Copy link
Copy Markdown

This adds an OpenID Connect provider to make it easier to integrate a wide range of supported providers. It implements the Authorization Code Flow with PKCE by default, auto-discovery via .well-known/openid-configuration (which is cached by default with configurable TTL), JWKS signature verification with kid-miss invalidation for real-time key rotation, configurable signing algorithms, and full spec-level validation of iss, aud, azp, at_hash, nonce, and exp/nbf/iat (with configurable clock-skew leeway) in both verified and unverified paths.

I also provided convenient ways to handle logout() for RP-Initiated Logout, revoke() for RFC 7009 token revocation, and verifyLogoutToken() for Back-Channel Logout 1.0 with complete claim validation.

The README documents setup, every config key, and working examples for session- and database-backed token storage plus a sid → Laravel session ID mapping table so we can individually clear the correct session.

Completes this stale closed issue: #823

adrum added 7 commits April 20, 2026 00:48
Expose a cache_ttl config key (default 3600s) covering both the
discovery document and JWKS caches. On JWT verification, peek at the
id_token's kid; if it is not present in the cached JWKS, flush and
refetch once so IdP key rotations are picked up without waiting for
the TTL to expire.
…imeouts

- Validate exp/nbf/iat in both the verified and unverified decode paths
  so an expired id_token is never accepted, even when verify_jwt is off.
- Add a clock_skew config key that applies leeway to the manual time-claim
  checks and to firebase/php-jwt's own checks.
- Handle IdP error responses on the callback (?error=...) and a missing
  authorization code with clear exceptions instead of blowing up inside
  the token exchange.
- Set Guzzle connect/read timeouts (5s/10s defaults) so a slow IdP does
  not tie up PHP workers. Both are configurable.
Add revoke($token, $tokenTypeHint) which posts to the IdP's
revocation_endpoint using the configured client authentication method.
Pair with the existing logout() helper to invalidate refresh tokens
server-side instead of waiting for them to expire.
Add verifyLogoutToken($logoutToken) which verifies a back-channel
logout token per the OIDC Back-Channel Logout 1.0 spec: signature,
iss, aud, iat/exp, jti presence, the required events claim, absence
of nonce, and presence of sub and/or sid. Returns the decoded claims
so the caller can de-dupe by jti and invalidate matching sessions.
Extend the revocation section with a session-based example showing how
to stash both id_token and refresh_token at login, and add a separate
"Storing tokens persistently" subsection with a database-backed
example (encrypted cast, updateOrCreate on login, revoke + clear on
logout) for apps that need refresh tokens to outlive the session.
Expand the back-channel logout section to explain that the IdP
identifies the session by a sid claim it mints itself, and that the
RP is responsible for storing a sid -> Laravel session id mapping at
login and consulting it at logout. Include a migration, the
updateOrInsert at login, and a route handler that prefers sid (per
session) and falls back to sub (all sessions for the user) when the
IdP does not support sid.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant