php-auth-client/examples/web-app-callback.php at master · stromcom/php-auth-client · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
<?php
declare(strict_types=1);

/**
 * Authorization Code + PKCE — end-to-end web app integration.
 *
 * Single-file PHP that serves:
 *   GET  /login    → redirect user to auth.stromcom.cz
 *   GET  /callback → exchange code for tokens, set cookies, redirect to /api
 *   GET  /api      → verify Bearer JWT via JWKS, print user info
 *   GET  /logout   → clear local cookies, redirect to end_session_endpoint
 *
 * Run with:
 *   AUTH_ISSUER=http://localhost:8003 \
 *   AUTH_CLIENT_ID=cli_xxx AUTH_CLIENT_SECRET=... \
 *   php -S localhost:9000 examples/web-app-callback.php
 *
 * Register a client first with redirect URI http://localhost:9000/callback.
 */

require __DIR__ . '/../vendor/autoload.php';

use Stromcom\AuthClient\Client;
use Stromcom\AuthClient\Configuration;
use Stromcom\AuthClient\Exception\OAuthServerException;
use Stromcom\AuthClient\Exception\TokenVerificationException;
use Stromcom\AuthClient\Jwks\FileJwksCache;

session_start();

$auth = new Client(
  new Configuration(
    clientId:     getenv('AUTH_CLIENT_ID') ?: 'cli_xxxxxxxxxxxxxxxx',
    clientSecret: getenv('AUTH_CLIENT_SECRET') ?: null,
    redirectUri:  'http://localhost:9000/callback',
    issuer:       getenv('AUTH_ISSUER') ?: 'http://localhost:8003',
  ),
  jwksCache: new FileJwksCache(sys_get_temp_dir() . '/stromcom-auth-jwks'),
);

$path = parse_url((string) $_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/';

if ($path === '/login') {
  [$url, $pkce, $state, $nonce] = $auth->beginAuthorization();
  $_SESSION['oauth_verifier'] = $pkce->verifier;
  $_SESSION['oauth_state']    = $state;
  $_SESSION['oauth_nonce']    = $nonce;
  header('Location: ' . $url);
  exit;
}

if ($path === '/callback') {
  $code  = $_GET['code']  ?? null;
  $state = $_GET['state'] ?? null;

  if (!is_string($code) || !is_string($state) || !hash_equals((string) ($_SESSION['oauth_state'] ?? ''), $state)) {
    http_response_code(400);
    exit('Invalid state — possible CSRF.');
  }

  try {
    $tokens = $auth->exchangeCode($code, (string) ($_SESSION['oauth_verifier'] ?? ''));
  } catch (OAuthServerException $e) {
    http_response_code(401);
    exit('OAuth error: ' . $e->errorCode);
  }

  $nonce = (string) ($_SESSION['oauth_nonce'] ?? '');
  if ($tokens->idToken !== null && $nonce !== '') {
    try {
      $auth->verifyIdToken($tokens->idToken, $nonce);
    } catch (TokenVerificationException $e) {
      http_response_code(401);
      exit('id_token verification failed: ' . $e->getMessage());
    }
  }

  unset($_SESSION['oauth_verifier'], $_SESSION['oauth_state'], $_SESSION['oauth_nonce']);

  setcookie('access_token', $tokens->accessToken, [
    'expires'  => $tokens->expiresAt,
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']),
    'httponly' => true,
    'samesite' => 'Lax',
  ]);
  if ($tokens->refreshToken !== null) {
    setcookie('refresh_token', $tokens->refreshToken, [
      'expires'  => time() + 14 * 24 * 3600,
      'path'     => '/',
      'secure'   => !empty($_SERVER['HTTPS']),
      'httponly' => true,
      'samesite' => 'Strict',
    ]);
  }

  header('Location: /api');
  exit;
}

if ($path === '/api') {
  $accessToken = $_COOKIE['access_token'] ?? null;
  if (!is_string($accessToken)) {
    header('Location: /login');
    exit;
  }

  try {
    $claims = $auth->verify($accessToken, $auth->configuration->clientId);
  } catch (TokenVerificationException) {
    header('Location: /login');
    exit;
  }

  header('Content-Type: application/json');
  echo json_encode([
    'sub'       => $claims->subject,
    'email'     => $claims->email,
    'name'      => $claims->name,
    'groups'    => $claims->groups,
    'roles'     => $claims->roles,
    'is_admin'  => $claims->isAdmin,
    'token_use' => $claims->tokenUse,
  ], JSON_PRETTY_PRINT);
  exit;
}

if ($path === '/logout') {
  setcookie('access_token',  '', ['expires' => 1, 'path' => '/']);
  setcookie('refresh_token', '', ['expires' => 1, 'path' => '/']);
  session_destroy();
  header('Location: ' . $auth->logoutUrl('http://localhost:9000/'));
  exit;
}

echo '<a href="/login">Login</a>';