-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathweb-app-callback.php
More file actions
125 lines (107 loc) · 3.59 KB
/
web-app-callback.php
File metadata and controls
125 lines (107 loc) · 3.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
<?php
declare(strict_types=1);
/**
* Authorization Code + PKCE — end-to-end web app integration.
*
* Single-file PHP that serves:
* GET /login → redirect user to auth.stromcom.cz
* GET /callback → exchange code for tokens, set cookies, redirect to /api
* GET /api → verify Bearer JWT via JWKS, print user info
* GET /logout → clear local cookies, redirect to end_session_endpoint
*
* Run with:
* AUTH_ISSUER=http://localhost:8003 \
* AUTH_CLIENT_ID=cli_xxx AUTH_CLIENT_SECRET=... \
* php -S localhost:9000 examples/web-app-callback.php
*
* Register a client first with redirect URI http://localhost:9000/callback.
*/
require __DIR__ . '/../vendor/autoload.php';
use Stromcom\AuthClient\Client;
use Stromcom\AuthClient\Configuration;
use Stromcom\AuthClient\Exception\OAuthServerException;
use Stromcom\AuthClient\Exception\TokenVerificationException;
use Stromcom\AuthClient\Jwks\FileJwksCache;
session_start();
$auth = new Client(
new Configuration(
clientId: getenv('AUTH_CLIENT_ID') ?: 'cli_xxxxxxxxxxxxxxxx',
clientSecret: getenv('AUTH_CLIENT_SECRET') ?: null,
redirectUri: 'http://localhost:9000/callback',
issuer: getenv('AUTH_ISSUER') ?: 'http://localhost:8003',
),
jwksCache: new FileJwksCache(sys_get_temp_dir() . '/stromcom-auth-jwks'),
);
$path = parse_url((string) $_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/';
if ($path === '/login') {
[$url, $pkce, $state] = $auth->beginAuthorization();
$_SESSION['oauth_verifier'] = $pkce->verifier;
$_SESSION['oauth_state'] = $state;
header('Location: ' . $url);
exit;
}
if ($path === '/callback') {
$code = $_GET['code'] ?? null;
$state = $_GET['state'] ?? null;
if (!is_string($code) || !is_string($state) || !hash_equals((string) ($_SESSION['oauth_state'] ?? ''), $state)) {
http_response_code(400);
exit('Invalid state — possible CSRF.');
}
try {
$tokens = $auth->exchangeCode($code, (string) ($_SESSION['oauth_verifier'] ?? ''));
} catch (OAuthServerException $e) {
http_response_code(401);
exit('OAuth error: ' . $e->errorCode);
}
unset($_SESSION['oauth_verifier'], $_SESSION['oauth_state']);
setcookie('access_token', $tokens->accessToken, [
'expires' => $tokens->expiresAt,
'path' => '/',
'secure' => !empty($_SERVER['HTTPS']),
'httponly' => true,
'samesite' => 'Lax',
]);
if ($tokens->refreshToken !== null) {
setcookie('refresh_token', $tokens->refreshToken, [
'expires' => time() + 14 * 24 * 3600,
'path' => '/',
'secure' => !empty($_SERVER['HTTPS']),
'httponly' => true,
'samesite' => 'Strict',
]);
}
header('Location: /api');
exit;
}
if ($path === '/api') {
$accessToken = $_COOKIE['access_token'] ?? null;
if (!is_string($accessToken)) {
header('Location: /login');
exit;
}
try {
$claims = $auth->verify($accessToken);
} catch (TokenVerificationException) {
header('Location: /login');
exit;
}
header('Content-Type: application/json');
echo json_encode([
'sub' => $claims->subject,
'email' => $claims->email,
'name' => $claims->name,
'groups' => $claims->groups,
'roles' => $claims->roles,
'is_admin' => $claims->isAdmin,
'token_use' => $claims->tokenUse,
], JSON_PRETTY_PRINT);
exit;
}
if ($path === '/logout') {
setcookie('access_token', '', ['expires' => 1, 'path' => '/']);
setcookie('refresh_token', '', ['expires' => 1, 'path' => '/']);
session_destroy();
header('Location: ' . $auth->logoutUrl('http://localhost:9000/'));
exit;
}
echo '<a href="/login">Login</a>';