Environment
Custom-written PHP application, AFS virtual host
Issue
How to configure OpenID Connect (OIDC) client for a custom-written PHP application in an AFS-based virtual host.
IMPORTANT NOTE: These instructions describe how to use an OpenID Connect library to add OIDC authentication to a PHP web application that you have written and maintain yourself. If you are running a widely-used PHP web application, that application may already support OIDC authentication using its own plugin or module that you can install and configure with only a few clicks. For instructions on how to configure WordPress and Drupal for OIDC authentication, please see the ITS website.
Before You Begin
- You will need to obtain OIDC credentials for your site
- These can be self-provisioned using the OIDC Provisioning and Management (OPaM) tool
- Provision OIDC service client credentials for your site per the instructions in the following ITS Knowledge Article: How to Provision OIDC Service Client Credentials
Note #1: You will need to determine what the "Redirect URI" for your PHP site(s) will be and provide that at the time you self-provision the service client credentials.
Note #2: The OPaM tool does not currently support choosing a Client Authentication method and will default to client_secret_post. If you have an OIDC client that needs something other than client_secret_post, there are a couple of options to choose from:
- Request OIDC service client credentials via the manual (ticket) process described in this ITS Documentation
- Self-provision the OIDC service client credentials via the OPaM tool and then submit a ticket request to have the Client Authentication method manually changed to your preferred method
Resolution
Integrate OpenID Connect library in your application
The jumbojett/OpenID-Connect-PHP library is a popular PHP library used for integration of the OpenID Connect authentication and authorization flow. You may choose to integrate this library into your PHP application, although there may be other options to consider as well depending on the specific needs for your application.
More details and step-by-step instructions for how to deploy a simple application to demonstrate the use of jumbojett is available in the following repository on GitLab:
https://github.com/umich-iam/sso-examples-oidc-php-oidc
By default, jumbojett supports the Client Authentication method client_secret_basic. As noted above, the OPaM tool defaults to client_secret_post and does not yet allow the option of selecting another method when provisioning OIDC service client credentials.
You can use the jumbojett library by explicitly setting the Client Authentication method in your code like this:
$oidc->setTokenEndpointAuthMethodsSupported(['client_secret_post']);
Additional Information
Need additional information or assistance? Contact the ITS Service Center.