{"id":29996724,"url":"https://github.com/fleetbase/solid-oidc-client","last_synced_at":"2025-08-05T02:54:22.928Z","repository":{"id":304801495,"uuid":"1020022245","full_name":"fleetbase/solid-oidc-client","owner":"fleetbase","description":"A PHP library for authenticating with CommunitySolidServer using OpenID Connect (OIDC) with Demonstrating Proof-of-Possession (DPoP) support.","archived":false,"fork":false,"pushed_at":"2025-07-15T08:23:56.000Z","size":47,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-30T14:32:04.381Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fleetbase.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-15T08:15:40.000Z","updated_at":"2025-07-15T08:23:59.000Z","dependencies_parsed_at":"2025-07-15T20:09:45.674Z","dependency_job_id":"f5d050d7-47cd-4658-85da-c75eaceb6855","html_url":"https://github.com/fleetbase/solid-oidc-client","commit_stats":null,"previous_names":["fleetbase/solid-oidc-client"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/fleetbase/solid-oidc-client","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetbase%2Fsolid-oidc-client","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetbase%2Fsolid-oidc-client/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetbase%2Fsolid-oidc-client/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetbase%2Fsolid-oidc-client/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fleetbase","download_url":"https://codeload.github.com/fleetbase/solid-oidc-client/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetbase%2Fsolid-oidc-client/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268825593,"owners_count":24313266,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-05T02:00:12.334Z","response_time":2576,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-08-05T02:54:19.558Z","updated_at":"2025-08-05T02:54:22.894Z","avatar_url":"https://github.com/fleetbase.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Solid OIDC Client for PHP\n\nA PHP library for authenticating with CommunitySolidServer using OpenID Connect (OIDC) with Demonstrating Proof-of-Possession (DPoP) support.\n\n## Features\n\n- Full OpenID Connect Authorization Code Flow implementation\n- Demonstrating Proof-of-Possession (DPoP) support for enhanced security\n- Automatic OIDC discovery\n- ID Token validation with JWKS\n- Comprehensive error handling with custom exceptions\n- Support for custom scopes and claims\n- Compatible with CommunitySolidServer and other Solid-OIDC providers\n\n## Requirements\n\n- PHP 8.1 or higher\n- cURL extension\n- JSON extension\n- OpenSSL extension\n- Composer for dependency management\n\n## Installation\n\n1. Clone or download this library\n2. Install dependencies using Composer:\n\n```bash\ncomposer install\n```\n\n## Quick Start\n\n### Basic Authentication Flow\n\n```php\n\u003c?php\nrequire_once 'vendor/autoload.php';\n\nuse SolidOidc\\SolidOidcClient;\nuse SolidOidc\\SolidOidcException;\n\n// Initialize the client\n$client = new SolidOidcClient(\n    'https://solidcommunity.net',        // Issuer URL\n    'your-client-id',                    // Client ID\n    'your-client-secret',                // Client Secret\n    'http://localhost:8080/callback'     // Redirect URI\n);\n\ntry {\n    // Perform OIDC discovery\n    $client-\u003ediscover();\n    \n    // Generate authorization URL\n    $state = bin2hex(random_bytes(16));\n    $authUrl = $client-\u003egetAuthorizationUrl($state, ['openid', 'profile']);\n    \n    // Redirect user to authorization URL\n    header('Location: ' . $authUrl);\n    \n} catch (SolidOidcException $e) {\n    echo \"Error: \" . $e-\u003egetMessage();\n}\n```\n\n### Handling the Callback\n\n```php\n\u003c?php\n// In your callback handler (e.g., callback.php)\n\nif (isset($_GET['code']) \u0026\u0026 isset($_GET['state'])) {\n    try {\n        // Exchange code for tokens\n        $tokens = $client-\u003ehandleAuthorizationResponse($_GET['code'], $_GET['state']);\n        \n        // Access the tokens\n        $accessToken = $tokens['access_token'];\n        $idToken = $tokens['id_token'];\n        $idTokenClaims = $tokens['id_token_claims'];\n        \n        // Get user information\n        $userInfo = $client-\u003egetUserInfo($accessToken);\n        \n        // Store tokens securely (session, database, etc.)\n        $_SESSION['access_token'] = $accessToken;\n        $_SESSION['user_info'] = $userInfo;\n        \n    } catch (SolidOidcException $e) {\n        echo \"Authentication failed: \" . $e-\u003egetMessage();\n    }\n}\n```\n\n## Configuration\n\n### Client Registration\n\nBefore using this library, you need to register your application with the Solid OIDC provider:\n\n1. **For CommunitySolidServer**: Visit your pod's settings or use the registration endpoint\n2. **For SolidCommunity.net**: Use their client registration interface\n3. **For custom instances**: Follow the provider's client registration process\n\nYou'll need to provide:\n- **Client Name**: A human-readable name for your application\n- **Redirect URIs**: The callback URLs where users will be redirected after authentication\n- **Scopes**: The permissions your application requires (e.g., `openid`, `profile`, `email`)\n\n### Required Configuration Parameters\n\n```php\n$config = [\n    'issuer_url' =\u003e 'https://your-solid-server.example.com',\n    'client_id' =\u003e 'your-registered-client-id',\n    'client_secret' =\u003e 'your-client-secret',\n    'redirect_uri' =\u003e 'https://your-app.example.com/callback'\n];\n```\n\n## API Reference\n\n### SolidOidcClient Class\n\n#### Constructor\n\n```php\npublic function __construct(\n    string $issuerUrl,\n    string $clientId,\n    string $clientSecret,\n    string $redirectUri\n)\n```\n\n**Parameters:**\n- `$issuerUrl`: The base URL of the OIDC issuer (e.g., `https://solidcommunity.net`)\n- `$clientId`: Your registered client identifier\n- `$clientSecret`: Your client secret (for confidential clients)\n- `$redirectUri`: The callback URL registered with the provider\n\n#### Methods\n\n##### `discover(): void`\n\nFetches and parses the OIDC discovery document from the provider's well-known endpoint.\n\n**Throws:** `SolidOidcException` if discovery fails\n\n##### `getAuthorizationUrl(string $state, array $scopes = ['openid', 'profile']): string`\n\nGenerates the authorization URL for redirecting users to the OIDC provider.\n\n**Parameters:**\n- `$state`: A unique, unguessable string for CSRF protection\n- `$scopes`: Array of requested OAuth 2.0 scopes\n\n**Returns:** The complete authorization URL\n\n**Throws:** `SolidOidcException` if discovery hasn't been performed\n\n##### `handleAuthorizationResponse(string $code, string $state): array`\n\nExchanges the authorization code for tokens and validates the ID token.\n\n**Parameters:**\n- `$code`: The authorization code from the callback\n- `$state`: The state parameter from the callback\n\n**Returns:** Array containing:\n- `access_token`: The access token for API requests\n- `id_token`: The ID token (JWT) containing user identity claims\n- `refresh_token`: The refresh token (if available)\n- `token_type`: Token type (usually \"Bearer\")\n- `expires_in`: Token lifetime in seconds\n- `id_token_claims`: Decoded and validated ID token claims\n\n**Throws:** `SolidOidcException` for authentication or validation failures\n\n##### `getUserInfo(string $accessToken): array`\n\nRetrieves user profile information from the userinfo endpoint.\n\n**Parameters:**\n- `$accessToken`: A valid access token\n\n**Returns:** Array of user profile information\n\n**Throws:** `SolidOidcException` if the request fails\n\n### Exception Handling\n\nThe library uses custom exceptions for better error handling:\n\n```php\nuse SolidOidc\\SolidOidcException;\n\ntry {\n    // Your OIDC operations\n} catch (SolidOidcException $e) {\n    echo \"Error: \" . $e-\u003egetMessage();\n    echo \"Code: \" . $e-\u003egetErrorCode();\n    \n    // Get additional context\n    $context = $e-\u003egetContext();\n    if ($context) {\n        print_r($context);\n    }\n}\n```\n\n#### Exception Types\n\n- `DISCOVERY_FAILED`: Issues with fetching or parsing the discovery document\n- `AUTHENTICATION_FAILED`: Problems during the authentication flow\n- `TOKEN_VALIDATION_FAILED`: ID token validation errors\n- `DPOP_FAILED`: DPoP-related failures\n- `HTTP_REQUEST_FAILED`: Network or HTTP errors\n\n## Security Considerations\n\n### State Parameter\n\nAlways use a cryptographically secure random state parameter:\n\n```php\n$state = bin2hex(random_bytes(16));\n// Store $state in session for validation\n$_SESSION['oauth_state'] = $state;\n```\n\nValidate the state parameter in your callback:\n\n```php\nif ($_GET['state'] !== $_SESSION['oauth_state']) {\n    throw new Exception('Invalid state parameter - possible CSRF attack');\n}\n```\n\n### Token Storage\n\n- **Never store tokens in client-side storage** (localStorage, cookies without HttpOnly flag)\n- **Use secure session storage** or encrypted database storage\n- **Implement token expiration handling**\n- **Consider using refresh tokens** for long-lived sessions\n\n### HTTPS Requirements\n\n- **All communication must use HTTPS** in production\n- **Redirect URIs must use HTTPS** (except for localhost during development)\n- **Validate SSL certificates** (don't disable SSL verification)\n\n### DPoP Security\n\nThis library automatically handles DPoP (Demonstrating Proof-of-Possession) which:\n- Binds access tokens to the client\n- Prevents token replay attacks\n- Provides cryptographic proof of token possession\n\n## Examples\n\n### Complete Authentication Flow\n\nSee `examples/simple_auth.php` for a complete working example.\n\n### Advanced Usage\n\nSee `examples/advanced_auth.php` for advanced features including:\n- Custom scopes\n- Resource access\n- Error handling\n- Token information display\n\n## Troubleshooting\n\n### Common Issues\n\n#### Discovery Fails\n- Verify the issuer URL is correct and accessible\n- Check that the server supports OIDC discovery\n- Ensure network connectivity and SSL certificates are valid\n\n#### Authentication Fails\n- Verify client ID and secret are correct\n- Check that redirect URI matches exactly what's registered\n- Ensure the authorization code hasn't expired\n\n#### Token Validation Fails\n- Check system clock synchronization\n- Verify JWKS endpoint is accessible\n- Ensure ID token hasn't expired\n\n#### DPoP Errors\n- Verify OpenSSL extension is installed and working\n- Check that the server supports DPoP\n- Ensure proper key generation and signing\n\n### Debug Mode\n\nEnable verbose error reporting for debugging:\n\n```php\n// Enable all error reporting\nerror_reporting(E_ALL);\nini_set('display_errors', 1);\n\n// Use try-catch blocks to capture detailed error information\ntry {\n    $client-\u003ediscover();\n} catch (SolidOidcException $e) {\n    echo \"Detailed error: \" . $e-\u003egetMessage() . \"\\n\";\n    echo \"Error code: \" . $e-\u003egetErrorCode() . \"\\n\";\n    echo \"Context: \" . json_encode($e-\u003egetContext(), JSON_PRETTY_PRINT) . \"\\n\";\n}\n```\n\n## Contributing\n\n1. Fork the repository\n2. Create a feature branch\n3. Make your changes\n4. Add tests if applicable\n5. Submit a pull request\n\n## License\n\nThis project is open source. Please check the LICENSE file for details.\n\n## Support\n\nFor issues and questions:\n1. Check the troubleshooting section above\n2. Review the examples for proper usage\n3. Create an issue with detailed error information and context\n\n## Changelog\n\n### Version 1.0.0\n- Initial release\n- Full OIDC Authorization Code Flow support\n- DPoP implementation\n- Comprehensive error handling\n- Examples and documentation\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffleetbase%2Fsolid-oidc-client","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffleetbase%2Fsolid-oidc-client","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffleetbase%2Fsolid-oidc-client/lists"}