Accueil > OpenID Connect OAuth Server dedicated > Link a client application to the OAuthSD server

Link a client application to the OAuthSD server

This article is for a developer.

It describes how to adapt an application to make it an OpenID Connect client and how to register it on OAuth Server byDnC.

This assumes that the developer or his organization is registered on the server as an Application Administrator.

The process has two aspects :

- on the OAuthSD server side, register the application,
- on the side of the client application, insert the necessary code to ensure the link with the OAuth server.

1. Register as an Application Administrator

Registration is here : Registration form.

Carefully fill out your Application Administrator form, as most of this information is communicated to the end users you need to gain trust.

Warning : do not confuse the registration as an Application Administrator (a developer who registers his client application so that he can delegate authentication to OAuthSD) with the registration of a user as an end user of client applications, which is done here : I’m signing on.

Notes :
- The term "Application Administrator" distinguishes the developer or owner of a client application that registers on this server, the end user, who must also register, but otherwise. In the underlying data model, it is also the editorial object of SPIP (the authors table), while the end user is a separate table.

2. Register the client application on the OAuthSD server

In the Manage section, go to Add (Register) a client application and fill out the form :

- Client Id (required) : String identifying the application in a unique way. Enter a short name with no spaces or special characters other than ’_’. This identifier must be unique for all administrators of applications registered on the server. It is visible to the public and should therefore be representative of the application and your business.

- Secret Client (required) : a short string that can be likened to a strong password. This code must remain secret. It has to be provided by the client application when requesting the token.

- Redirect uri (required) : URI back to the client application. This is the address at which the OAuth server returns to the client with the result of the authentication. OpenID Connect allows multiple URIs to be mentionned.

- Grant Type (required) : Except special case, select at least "Authorization Code". For Hybrid feeds, select "Authorization Code" and "Implicit". See OpenID Connect et OAuth 2.0 : Synthèse des flux d’autorisation (Grant Type).

- Scopes (required) : List of Scopes allowed for the application, separated by a space. The ’openid’ scope is mandatory. The standard scopes of OpenID Connect are : profile, email, address, phone. See the section : Réponse UserInfo. The ’offline_access’ scope is used to obtain a refresh token. In addition to these scopes, particular scopes can be defined for a given application. Example : "openid profile email administrator".

- User id If a user name (username) is registered here, only this user will be able to login, this identifier being fixed in the authentication form. In the general case this field will be empty.

Check your entries and press the "Save" button.

Finally, navigate to https://oa.dnc.global/keys to create the entry for the new public / private key pair.

You will be able to find the application and modify it in the section All your client applications.

Notes :
- OAuthSD creates a public / private key pair for the client application. If you want to change it, go to All your client applications and select the "keys" action corresponding to the application.

3. Insert the necessary code in the application

Although OpenID Connect is built on OAuth 2.0, do not expect to reuse the code written for this protocol. Indeed, OpenID Connect is a higher level abstraction layer, involving different exchanges and endpoints, which requires the code to be rewritten. Also note that OpenID is not the same as OpenID Connect.

If the client application is designed to delegate its authentications to a server with the OpenID Connect standard, there is nothing more to do.

If the application on which the client application is built offers an OpenID Connect plugin, all you need to do is install it. We offer some plugins here : Resources for developers.

Otherwise, it’s a developer business. There are two adaptations to make :

- Write the code located at the Return URI to the client application (Endpoint Redirection). This involves requesting the OAuthSD server an access token and an identification token for the application, from the Authorization code returned by the server.

- Write the authentication procedure adapted to the technique of the client application. Generally, it will be an additional authentication module, or a re-writing of the authentication code. See : Plugin OpenID Connect Client pour SPIP, Extension OpenID Connect pour phpBB, "OpenID Connect Generic Client" extension for WordPress.

Optionally, we can also :
- View the status of the OIDC session and manage it (Monitoring).

A simple case

Consuming a protected HTTP REST API is extremely simple. Here is a basic example, just to test the operation, combining in a single script the authorization and consumption of UserInfo :
PHP

  1. <?php
  2. /*
  3. testopenid2.php
  4.  
  5. OpenID Connect test :
  6. Register on this server a test application,
  7. Fill in the constants below accordingly,
  8. Launch this script: http://oa.dnc.global/oidc/testopenid2.php
  9.  
  10. Author :
  11. Bertrand Degoy https://degoy.com
  12. Credits :
  13. bschaffer https://github.com/bshaffer/oauth2-server-php
  14.  
  15. Licence : MIT licence
  16. Copyright (c) 2016 - DnC
  17.  
  18.  
  19. */
  20.  
  21. ini_set('display_errors', 1);
  22.  
  23. $client_id = 'testopenid';
  24. $client_secret = 'thesecret';
  25. //$redirect_uri = '';
  26.  
  27. $authorization_endpoint = 'http://oa.dnc.global/authorize';
  28. $token_endpoint = 'http://oa.dnc.global/token';
  29. $userinfo_endpoint = 'http://oa.dnc.global/userinfo';
  30.  
  31.  
  32. if (isset($_GET['error']))
  33. {
  34.     exit("Error: {$_GET['error']}. Description: {$_GET['error_description']}");
  35. }
  36. else if (isset($_GET['code']) && isset($_GET['state']))
  37. {
  38.     // Step 2. Token request
  39.  
  40.     $code = $_GET['code'];
  41.     echo "Authorization Code is {$code}\n\n";
  42.  
  43.     $data = array(
  44.         'grant_type' => 'authorization_code',
  45.         'code' => $code,
  46.     );
  47.  
  48.     $h = curl_init($token_endpoint);
  49.     curl_setopt($h, CURLOPT_RETURNTRANSFER, true);
  50.     curl_setopt($h, CURLOPT_TIMEOUT, 10);
  51.     curl_setopt($h, CURLOPT_USERPWD, "{$client_id}:{$client_secret}");
  52.     curl_setopt($h, CURLOPT_POST, true);
  53.     curl_setopt($h, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
  54.     curl_setopt($h, CURLOPT_POSTFIELDS, http_build_query($data));
  55.     //curl_setopt($h, CURLOPT_SSL_VERIFYPEER, false);
  56.  
  57.     $res = curl_exec($h);
  58.     if (!$res)
  59.         exit(curl_error($h));
  60.  
  61.     curl_close($h);
  62.     $res = json_decode($res, true);
  63.  
  64.     echo "Token Response:\n";
  65.     print_r($res);
  66.     echo "\n";
  67.  
  68.     // Here you should decode JWT token and check sign using server's public key
  69.     // $payload = Jwt::decode($response['id_token'], $this->serverPublicKey);
  70.  
  71.     // If Token Response is valid goto step 3
  72.     // Step 3. Get UserInfo
  73.     $access_token = $res['access_token'];
  74.  
  75.     $h = curl_init($userinfo_endpoint);
  76.     curl_setopt($h, CURLOPT_RETURNTRANSFER, true);
  77.     curl_setopt($h, CURLOPT_TIMEOUT, 10);
  78.     curl_setopt($h, CURLOPT_HTTPHEADER, array('Authorization: Bearer ' . $access_token));
  79.     //curl_setopt($h, CURLOPT_SSL_VERIFYPEER, false);
  80.  
  81.     $res = curl_exec($h);
  82.     if (!$res)
  83.         exit(curl_error($h));
  84.  
  85.     curl_close($h);
  86.     $res = json_decode($res, true);
  87.  
  88.     echo "UserInfo Response:\n";
  89.     print_r($res);
  90. }
  91. else
  92. {
  93.     // Step 1. Authorization Code request
  94.  
  95.     $data = array(
  96.         'response_type' => 'code',
  97.         'client_id' => $client_id,
  98.         'state' => 'xyz',
  99.         'scope' => 'openid profile',    
  100.     );
  101.  
  102.     $authorization_endpoint .= '?' . http_build_query($data);
  103.     header('Location: ' . $authorization_endpoint);
  104.     exit();
  105. }
  106. ?>

Télécharger

Run the script :https://oa.dnc.global/oidc/tests/te...

On the OAuthSD server, you can login with login = bebert and password = 012345678

A rigorous and therefore more complete version is given here : OpenID Connect : Exemples complets du flux d’Autorisation via un code puis requête UserInfo.