Add OpenID Connect#1447
Open
adrum wants to merge 7 commits into
Open
Conversation
Expose a cache_ttl config key (default 3600s) covering both the discovery document and JWKS caches. On JWT verification, peek at the id_token's kid; if it is not present in the cached JWKS, flush and refetch once so IdP key rotations are picked up without waiting for the TTL to expire.
…imeouts - Validate exp/nbf/iat in both the verified and unverified decode paths so an expired id_token is never accepted, even when verify_jwt is off. - Add a clock_skew config key that applies leeway to the manual time-claim checks and to firebase/php-jwt's own checks. - Handle IdP error responses on the callback (?error=...) and a missing authorization code with clear exceptions instead of blowing up inside the token exchange. - Set Guzzle connect/read timeouts (5s/10s defaults) so a slow IdP does not tie up PHP workers. Both are configurable.
Add revoke($token, $tokenTypeHint) which posts to the IdP's revocation_endpoint using the configured client authentication method. Pair with the existing logout() helper to invalidate refresh tokens server-side instead of waiting for them to expire.
Add verifyLogoutToken($logoutToken) which verifies a back-channel logout token per the OIDC Back-Channel Logout 1.0 spec: signature, iss, aud, iat/exp, jti presence, the required events claim, absence of nonce, and presence of sub and/or sid. Returns the decoded claims so the caller can de-dupe by jti and invalidate matching sessions.
Extend the revocation section with a session-based example showing how to stash both id_token and refresh_token at login, and add a separate "Storing tokens persistently" subsection with a database-backed example (encrypted cast, updateOrCreate on login, revoke + clear on logout) for apps that need refresh tokens to outlive the session.
Expand the back-channel logout section to explain that the IdP identifies the session by a sid claim it mints itself, and that the RP is responsible for storing a sid -> Laravel session id mapping at login and consulting it at logout. Include a migration, the updateOrInsert at login, and a route handler that prefers sid (per session) and falls back to sub (all sessions for the user) when the IdP does not support sid.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds an OpenID Connect provider to make it easier to integrate a wide range of supported providers. It implements the Authorization Code Flow with PKCE by default, auto-discovery via .well-known/openid-configuration (which is cached by default with configurable TTL), JWKS signature verification with kid-miss invalidation for real-time key rotation, configurable signing algorithms, and full spec-level validation of iss, aud, azp, at_hash, nonce, and exp/nbf/iat (with configurable clock-skew leeway) in both verified and unverified paths.
I also provided convenient ways to handle logout() for RP-Initiated Logout, revoke() for RFC 7009 token revocation, and verifyLogoutToken() for Back-Channel Logout 1.0 with complete claim validation.
The README documents setup, every config key, and working examples for session- and database-backed token storage plus a sid → Laravel session ID mapping table so we can individually clear the correct session.
Completes this stale closed issue: #823