working with openAM

OpenIDConnectClient.php5

@@ -89,6 +89,11 @@ class OpenIDConnectClient
      */
     private $accessToken;
 
+		/**
+		 *	@var string needed for logout
+		 */
+		private $id_token;
+
     /**
      * @var array holds scopes
      */
@@ -99,6 +104,13 @@ class OpenIDConnectClient
      */
     private $userInfo = array();
 
+		/**
+		 * the logout url
+		 */
+		public function getLogOutURL() {
+			return $this->getProviderConfigValue('end_session_endpoint');
+		}
+
     /**
      * @param $provider_url string optional
      *
@@ -119,6 +131,14 @@ class OpenIDConnectClient
         $this->providerConfig['issuer'] = $provider_url;
     }
 
+		public function getAccessToken() {
+			return $this->accessToken;
+		}
+
+		public function getIdToken() {
+			return $this->id_token;
+		}
+
     /**
      * @return bool
      * @throws OpenIDConnectClientException
@@ -157,6 +177,9 @@ class OpenIDConnectClient
                 // Save the access token
                 $this->accessToken = $token_json->access_token;
 
+								// Save the id_token, needed for logout
+								$this->id_token = $token_json->id_token;
+
                 // Success!
                 return true;
 
@@ -190,8 +213,8 @@ class OpenIDConnectClient
         // If the configuration value is not available, attempt to fetch it from a well known config endpoint
         // This is also known as auto "discovery"
         if (!isset($this->providerConfig[$param])) {
-            $well_known_config_url = rtrim(self::getProviderURL(),"/") . "/.well-known/openid-configuration";
-            $value = json_decode(self::fetchURL($well_known_config_url))->{$param};
+            $well_known_config_url = rtrim(self::getProviderURL(),'/') . "/.well-known/openid-configuration";
+            $value = json_decode(self::fetchURL($well_known_config_url))->{$param}; 
 
             if ($value) {
                 $this->providerConfig[$param] = $value;
@@ -280,27 +303,49 @@ class OpenIDConnectClient
      * @param $code
      * @return mixed
      */
-    private function requestTokens($code) {
+		private function requestTokens($code) {
 
+			$token_endpoint = self::getProviderConfigValue("token_endpoint");
+			$ch = curl_init($token_endpoint);
 
-        $token_endpoint = self::getProviderConfigValue("token_endpoint");
+			$grant_type = "authorization_code";
+			$token_params = array(
+					'grant_type' => $grant_type,
+					'code' => $code,
+					'redirect_uri' => self::getRedirectURL()
+					);
 
-        $grant_type = "authorization_code";
 
-        $token_params = array(
-            'grant_type' => $grant_type,
-            'code' => $code,
-            'redirect_uri' => self::getRedirectURL(),
-            'client_id' => $this->clientID,
-            'client_secret' => $this->clientSecret
-        );
+			// Convert token params to string format
+			$token_params = http_build_query($token_params, null, '&');
 
-        // Convert token params to string format
-        $token_params = http_build_query($token_params, null, '&');
+			curl_setopt($ch, CURLOPT_POST, 1);
+			curl_setopt($ch, CURLOPT_POSTFIELDS, $token_params);
+			$content_type = 'application/x-www-form-urlencoded';
+			if (is_object(json_decode($token_params))) {
+				$content_type = 'application/json';
+			}
+			$headers = array(
+						"Content-Type: {$content_type}",
+						'Content-Length: ' . strlen($token_params)
+						);
+			curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+			curl_setopt($ch, CURLOPT_HEADER, 1);
+			curl_setopt($ch, CURLOPT_USERPWD,  $this->clientID . ":" . $this->clientSecret);
+			curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
+			curl_setopt($ch, CURLOPT_HEADER, 0);
 
-        return json_decode(self::fetchURL($token_endpoint, $token_params));
+			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
+			curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); 
 
-    }
+			$response = curl_exec($ch);
+
+			if (curl_errno($ch)) {
+      	throw new OpenIDConnectClientException('Curl error: ' . curl_error($ch));
+      }
+
+			return json_decode($response);
+		}
 
     /**
      * @param object $claims
@@ -360,12 +405,9 @@ class OpenIDConnectClient
         }
 
         $user_info_endpoint = self::getProviderConfigValue("userinfo_endpoint");
-        $schema = 'openid';
-
-        $user_info_endpoint .= "?schema=" . $schema
-            . "&access_token=" . $this->accessToken;
 
-        $user_json = json_decode(self::fetchURL($user_info_endpoint));
+				$headers = array("Authorization: Bearer $this->accessToken");
+        $user_json = json_decode(self::fetchURL($user_info_endpoint,null,$headers));
 
         $this->userInfo = $user_json;
 
@@ -384,12 +426,13 @@ class OpenIDConnectClient
      * @throws OpenIDConnectClientException
      * @return mixed
      */
-    private function fetchURL($url, $post_body = null) {
-
+    private function fetchURL($url, $post_body = null, $extra_headers = null) {
 
         // OK cool - then let's create a new cURL resource handle
         $ch = curl_init();
 
+				$headers = array();
+
         // Determine whether this is a GET or POST
         if ($post_body != null) {
             curl_setopt($ch, CURLOPT_POST, 1);
@@ -403,13 +446,19 @@ class OpenIDConnectClient
                 $content_type = 'application/json';
             }
 
-            curl_setopt($ch, CURLOPT_HTTPHEADER, array(
+						$headers = array_merge($headers, array(
                     "Content-Type: {$content_type}",
                     'Content-Length: ' . strlen($post_body)
             ));
-
         }
 
+				// Extra headers are needed for authorization
+				if( $extra_headers )
+					$headers = array_merge($headers, $extra_headers);
+
+				// Adds any extra headers required in the request
+        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+
         // Set URL to download
         curl_setopt($ch, CURLOPT_URL, $url);
 
@@ -430,6 +479,7 @@ class OpenIDConnectClient
             curl_setopt($ch, CURLOPT_CAINFO, $this->certPath);
         } else {
             curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
+						curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); 
         }
 
         // Should cURL return or print out the data? (true = return, false = print)
@@ -456,7 +506,7 @@ class OpenIDConnectClient
      * @throws OpenIDConnectClientException
      */
     public function getProviderURL() {
-
+				
         if (!isset($this->providerConfig['issuer'])) {
             throw new OpenIDConnectClientException("The provider URL has not been set");
         } else {

client_example/auth.php

@@ -0,0 +1,25 @@
+<?php
+	session_start();
+
+	require_once "OpenIDConnectClient.php5";
+
+	try {
+		$oidc = new OpenIDConnectClient('url',
+                                  'test',
+                                  'test');
+		$oidc->addScope('openid');
+		$oidc->addScope('profile');
+		$oidc->authenticate();
+		$name = $oidc->requestUserInfo('given_name');
+		$logout = $oidc->getLogOutURL();
+
+		$_SESSION['user'] = $name;
+		$_SESSION['openid_id_token'] = $oidc->getIdToken();
+		$_SESSION['openid_logout_url'] = $logout;
+	}
+	catch(Exception $e) {
+		$_SESSION['login_error'] = "OpenAM failed to authorise you. $e->getMessage()";
+	}
+
+	header('Location: ./');
+?>

client_example/index.php

@@ -0,0 +1,26 @@
+<?php
+	session_start();
+
+	if(isset($_SESSION['login_error'])) {
+		$error = $_SESSION['login_error'];
+		unset($_SESSION['login_error']);
+?>
+<div class='error'>
+<?php echo $error;  ?>
+</div>
+<?php
+	}
+
+	if(!isset($_SESSION['user'])) {
+?>
+<a href='auth.php'>Click here to login</a>
+<?php
+	}
+	else {
+		$user = $_SESSION['user'];
+		echo "Welcome $user<br/>";
+		echo "$_SESSION[openid_id_token]<br/>";
+		echo "$_SESSION[openid_logout_url]<br/>";
+		echo "<a href='logout.php'>Logout</a>";
+	}
+?>

client_example/logout.php

@@ -0,0 +1,20 @@
+<?php
+	session_start();
+
+	$id_token = $_SESSION['openid_id_token'];
+	$logout_url = $_SESSION['openid_logout_url'];
+
+	session_destroy();
+
+#	header("Location: $logout_url?id_token_hint=$id_token");
+?>
+<script>
+function logout() {
+document.getElementById('logout_form').submit();
+}
+</script>
+<body onload='logout();'>
+<form id='logout_form' action='<?php echo $logout_url; ?>' method='POST'>
+<input type='text' name='id_token' value='<?php echo $id_token; ?>'/>
+</form>
+</body>