PHP OpenID Provider

OpenID Connect Provider

A simple OpenID Connect Provider.

Why

Because everything is so extremely complicated to install, keep up to date and configure. We wanted to offer something simple for small and medium-sized organizations that want to run their own IdM but do not want to, or cannot, deal with "cloud offerings". Hosting it yourself has become practically impossible due to complexity and constant security issues, so we went back to basics and offer something that is easy to install, update, configure and use, while still offering all the features needed to integrate with OpenID Connect enabled applications.

Goals

  • Easy to install
    • RPM packages (Fedora, EL >= 10)
    • DEB packages (Debian >= 13)
  • Easy to configure
  • Easy to keep up to date
  • Convention over configuration as much as possible

Features

  • Authorization Code Flow
  • Signed ID Token
  • Common Claims/Scopes
  • UserInfo Endpoint
  • PKCE
  • Authentication Backends
    • LDAP
    • SQL Database
  • Multi Factor Authentication
    • TOTP
    • YubiKey OTP
    • ACS/AMR support
  • OpenID Connect RP-Initiated Logout
  • Web UI to manage
    • Users
    • Groups
    • RPs

Installation

We provide an RPM package to make it easy to install PHP OpenID OP. On a clean system, first perform these steps:

$ sudo dnf -y install httpd php-fpm mod_ssl certbot php-cli

Configure TLS:

$ sudo systemctl start httpd
$ sudo certbot certonly --webroot --webroot-path /var/www/html -d op.example.org
$ cat << EOF | sudo tee /etc/letsencrypt/renewal-hooks/post/reload_apache.sh
#!/bin/sh
systemctl reload httpd
EOF
$ sudo chmod +x /etc/letsencrypt/renewal-hooks/post/reload_apache.sh
$ sudo systemctl enable --now certbot-renew.timer

Modify /etc/httpd/conf.d/ssl.conf and set SSLCertificateFile and SSLCertificateKeyFile to the fullchain.pem and privkey.pem respectively as shown in the certbot output. Also add the Alias line:

Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/

Restart Apache:

$ sudo systemctl restart httpd

Make sure you can now visit your site from your browser at https://op.example.org.

Then, enable the repository:

$ cat << 'EOF' | sudo tee /etc/yum.repos.d/php-openid-op_v1-dev.repo
[php-openid-op_v1-dev]
name=Repository for PHP OpenID OP (Fedora $releasever)
baseurl=https://repo.tuxed.net/php-openid-op/v1-dev/rpm/fedora-$releasever-$basearch
gpgkey=https://repo.tuxed.net/php-openid-op/v1-dev/rpm/php-openid-op+v1-dev@repo.tuxed.net.asc
gpgcheck=1
enabled=1
EOF

NOTE: for AlmaLinux 10 you need to replace fedora-$releasever-$basearch with alma+epel-$releasever-$basearch.

Install the package:

$ sudo dnf -y install php-openid-op

Start and enable (on boot) the web server and PHP:

$ sudo systemctl enable httpd
$ sudo systemctl restart httpd
$ sudo systemctl enable --now php-fpm

Do not forget to configure SELinux to allow connecting to LDAP, and to allow sending HTTP requests for YubiKey OTP verification:

$ sudo setsebool -P httpd_can_connect_ldap=1
$ sudo setsebool -P httpd_can_network_connect=1

Configuration

Edit /etc/php-openid-op/config.json as desired. The admin_user_list option contains a list of user IDs that obtain admin privileges on the service, e.g.:

{
    "admin_user_list": [
        "foo",
        "bar"
    ],
    "auth_module": "local",
    "message_of_the_day": "⚠️ In case your account no longer works, please contact support@example.org to reset your password!",
    "service_name": "MyOP"
}

NOTE: the values listed in admin_user_list MUST be the value of the "User ID" as shown on the "Profile" page. This is typically NOT the name with which the user authenticates, but a "UUID".
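The pitfall in the note above is easy to hit: the example config lists login-style names, not User IDs. The following check, which is an added example and not part of PHP OpenID OP, parses a config.json and flags admin_user_list entries that are not UUIDs. It assumes (as the README says is typical) that User IDs are UUIDs, and the embedded configuration is the README's own example, reproduced here as a constructed sample.

```python
"""Check a php-openid-op config.json for the admin_user_list pitfall (added example, not project code)."""
import json
import uuid

# Constructed sample: the README's example configuration, embedded as a string.
SAMPLE_CONFIG = """
{
    "admin_user_list": [
        "foo",
        "bar"
    ],
    "auth_module": "local",
    "message_of_the_day": "In case your account no longer works, please contact support@example.org!",
    "service_name": "MyOP"
}
"""


def is_uuid(value):
    """True when value parses as a UUID (assumption: User IDs are UUIDs, as the README says is typical)."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, AttributeError, TypeError):
        return False


def check_config(config_json):
    """Return a list of human-readable findings; an empty list means nothing looks suspicious."""
    findings = []
    try:
        cfg = json.loads(config_json)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["config top level must be a JSON object"]

    admins = cfg.get("admin_user_list")
    if not isinstance(admins, list) or not admins:
        findings.append("admin_user_list is missing or empty: nobody can manage users, groups or RPs")
    else:
        for entry in admins:
            if not isinstance(entry, str) or not entry.strip():
                findings.append(f"admin_user_list entry {entry!r} is not a non-empty string")
            elif not is_uuid(entry):
                findings.append(
                    f"admin_user_list entry {entry!r} is not a UUID; "
                    "use the User ID from the Profile page, not the login name"
                )
        str_entries = [e for e in admins if isinstance(e, str)]
        if len(set(str_entries)) != len(str_entries):
            findings.append("admin_user_list contains duplicate entries")

    # The remaining documented keys are plain strings; catch accidental nulls or empty values.
    for key in ("auth_module", "service_name", "message_of_the_day"):
        if key in cfg and (not isinstance(cfg[key], str) or not cfg[key].strip()):
            findings.append(f"{key} must be a non-empty string")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["config looks fine"]:
        print(finding)
```

Run against the README's example it reports both "foo" and "bar"; replace them with the User IDs from the Profile page and it reports nothing.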

LDAP

See LDAP.md for how to set up OpenLDAP and configure the software to use it.

Relying Parties

You can configure your clients/RPs via the web interface when you are logged in with an admin account.

Use

Your RPs can access http://op.example.org/.well-known/openid-configuration to obtain more information about the OP, including the JWKs.

For example, to configure mod_auth_openidc you can use the following module-specific configuration:

OIDCProviderMetadataURL https://op.example.org/.well-known/openid-configuration
OIDCClientID LGBwQYcfT0IUvDCR22eiAdIVzU22NEWf
OIDCClientSecret 82jBXrsiZh4eCGRI9rygAi7Dk8AFjhWg
OIDCRedirectURI https://service.example.org/openid/callback
OIDCCryptoPassphrase REPLACE_ME_SEE_DOCS
# @see https://github.com/OpenIDC/mod_auth_openidc/commit/e5fba2370e5015b89d208f6ab283e6d81556e2ab
OIDCProviderTokenEndpointAuth client_secret_post
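Before pointing an RP at the OP, it is worth checking that the discovery document the RP will fetch actually advertises what the RP configuration relies on: the issuer you expect, https endpoints on the same host, the authorization code flow, PKCE with S256, and the token endpoint authentication method the configuration above selects (client_secret_post). The check below is an added example, not part of PHP OpenID OP or mod_auth_openidc; the discovery document it embeds is a constructed sample with invented endpoint paths, and the RP's expectations are passed in as parameters.

```python
"""Check an OP discovery document against an RP's expectations (added example, not project code)."""
import json
from urllib.parse import urlparse

# Constructed sample of a /.well-known/openid-configuration response; endpoint paths are invented
# for this example and are not captured from PHP OpenID OP.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example.org",
    "authorization_endpoint": "https://op.example.org/authorize",
    "token_endpoint": "https://op.example.org/token",
    "userinfo_endpoint": "https://op.example.org/userinfo",
    "end_session_endpoint": "https://op.example.org/end_session",
    "jwks_uri": "https://op.example.org/jwks",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri", "response_types_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "end_session_endpoint", "jwks_uri")


def check_discovery(doc_json, expected_issuer, token_auth_method="client_secret_post"):
    """Return findings for an RP using the code flow with PKCE and the given token endpoint auth method."""
    doc = json.loads(doc_json)
    findings = []
    for field in REQUIRED:
        if field not in doc:
            findings.append(f"missing required field {field}")

    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        findings.append(f"issuer {issuer!r} does not match configured {expected_issuer!r}")
    issuer_host = urlparse(issuer).netloc

    # Every endpoint must be https and live on the issuer's host; anything else is a misconfiguration
    # (or a tampered document) that would send tokens or codes somewhere unexpected.
    for field in ENDPOINTS:
        url = doc.get(field)
        if url is None:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{field} is not https: {url}")
        if parsed.netloc != issuer_host:
            findings.append(f"{field} host differs from issuer host: {url}")

    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code flow not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE S256 not advertised")

    # Per OpenID Connect Discovery, omitting token_endpoint_auth_methods_supported means client_secret_basic only.
    supported = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if token_auth_method not in supported:
        findings.append(f"token endpoint auth method {token_auth_method} not advertised (supported: {supported})")

    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("OP advertises unsigned ID tokens (alg none)")
    return findings


if __name__ == "__main__":
    for finding in check_discovery(SAMPLE_DISCOVERY, "https://op.example.org") or ["metadata looks usable"]:
        print(finding)
```

With the constructed sample, the only finding is that client_secret_post is not advertised while client_secret_basic is; that is exactly the mismatch the OIDCProviderTokenEndpointAuth line above exists to resolve, so it is the first thing to compare against your real OP's metadata.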