
egroupware/openid
=================

EGroupware OpenID Connect / OAuth2 server

Version 26.3.20260316 (3mo ago) · GPL-2.0-or-later · PHP


[Source](https://github.com/EGroupware/openid) · [Packagist](https://packagist.org/packages/egroupware/openid) · [Docs](https://www.egroupware.org/)


OpenID Connect and OAuth2 server for EGroupware
===============================================

Supported endpoints and token issuer
------------------------------------

- Authorization:
- Token: [https://example.org/egroupware/openid/endpoint.php/access\_token](https://example.org/egroupware/openid/endpoint.php/access_token)
- Token Introspection:
- User information:
- Public key:
- Configuration:
- Issuer:

> Replace example.org with the fully qualified domain name your EGroupware server uses.

Supported Grants:
-----------------

- Authorization Code: the user authorizes access and the client gets an auth-code; the client's server then requests the access-token via the backchannel
- Refresh Token: token used to obtain a new access-token after the old one has expired
- Client Credentials: a server requests an access-token without any further user authorization
- Implicit: the user authorizes access and the client gets an access-token and an auth-code; the client's server requests its own access-token via the backchannel
- Password Credential: the other server checks the username/password of an EGroupware user (not recommended any more, as the other server gets the password!)

Client configuration in EGroupware
----------------------------------

> Go to: Admin > Applications > OpenID / OAuth2 server > Clients

More useful resources
---------------------

- [Integration with various clients](https://github.com/EGroupware/egroupware/wiki/OpenID-Connect----OAuth2)
- [OpenID Connect Core 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-core-1_0.html)
- [OpenID Connect Discovery 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-discovery-1_0.html)
- [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-registration-1_0.html)
- [The PHP League OAuth 2.0 Server](https://github.com/thephpleague/oauth2-server)
- [OpenID Connect Server plugin for The PHP League's OAuth2 Server](https://github.com/steverhoades/oauth2-openid-connect-server)
- [Diagrams of All The OpenID Connect Flows](https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660)
- [Identity, Claims, & Tokens – An OpenID Connect Primer](https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1) in 3 parts

Open tasks:
-----------

- PHP 8.0 compatibility: temporary fix implemented using iii. until we're ready to update steverhoades/oauth2-openid-connect-server
    1. [steverhoades/oauth2-openid-connect-server#33](https://github.com/steverhoades/oauth2-openid-connect-server/pull/33) Support for lcobucci/jwt:4.0
    2.
    3.  lcobucci/jwt:4.0 support PHP 8 [PHP 8 for 3.4](https://github.com/lcobucci/jwt/pull/592/files)
- password grant: record and check failed login attempts like login page (see [user.authentication.failed](https://oauth2.thephpleague.com/authorization-server/events/))
- wrong password on login loses the OAuth request in the session and therefore fails after the correct password was entered
- test with more clients, e.g. [Dovecot](https://wiki2.dovecot.org/PasswordDatabase/oauth2)
- token endpoint must support response\_type=code+id\_token
- allow users to create personal clients
- implement full [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)
- /.well-known/openid-configuration is supported now
- token endpoint must return nonce of authorization request as claim in id\_token
- fix League OAuth2 server to support multiple response\_type(s), currently it neither [splits response\_type by space](https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/ImplicitGrant.php#L109), nor does it send responses for more than one grant, [see response in this ticket](https://github.com/thephpleague/oauth2-server/issues/903#issuecomment-423891504)
- support response\_type "id\_token" or "token id\_token" containing just an id\_token (JWT) or additional to access\_token an id\_token
- support hybrid flow / response\_type contains an additional "code" to also return an auth\_code
- allow to create clients, which behave like an EGroupware App:
    - added to egw\_applications
    - authentication for them works only if user has run-rights for that application
    - an extra defined index-url gets opened as iframe inside the EGroupware framework
- UI to view and revoke access- and refresh-tokens
- UI to add clients as admin for all users
- move to a single endpoint.php instead (implicit|auth\_code|client\_credentials|password).php
- add additional [OpenID Connect standard scopes](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims): profile, address, phone
- implement [OpenID Connect /userinfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
- test with Rocket.Chat, see below for Rocket.Chat custom OAuth configuration
- add [oauth2-server pull request #925](https://github.com/thephpleague/oauth2-server/pull/925) to implement [RFC7662 OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) to allow clients to validate tokens
- automatic generation of public key pair and encryption key on first use
- limit clients to certain grant types and scopes (database schema supports that)

Installation
------------

1. EGroupware master and 19.1 install this app by default (via `composer install` or `install-cli.php`)
2. Install openid app via EGroupware setup

Testing available grants
------------------------

A grant is a method of acquiring an access token. Deciding which grants to use depends on the type of client the end user will be using, and the experience you want for your users.

All examples require creating a client under Admin >> OpenID / OAuth2 server >> Clients with ALL grants first:

```
Name:           oidcdebugger.com
Identifier:     oidcdebugger.com
Secret:         secret
Redirect URI:   https://oidcdebugger.com/debug
Allowed Grants: select all available ones
Limit Scopes:   don't select one
Status:         Active

```

The following tests assume your EGroupware installation is reachable under

Testing the client credentials grant
------------------------------------

Send the following cURL request:

```
curl -X "POST" "http://example.org/egroupware/openid/endpoint.php/access_token" \
	-H "Content-Type: application/x-www-form-urlencoded" \
	-H "Accept: 1.0" \
	--data-urlencode "grant_type=client_credentials" \
	--data-urlencode "client_id=oidcdebugger.com" \
	--data-urlencode "client_secret=secret" \
	--data-urlencode "scope=openid email"

```

Testing the password grant
--------------------------

Send the following cURL request (replacing `<username>`/`<password>` with ones valid for your EGroupware!):

```
curl -X "POST" "http://example.org/egroupware/openid/endpoint.php/access_token" \
	-H "Content-Type: application/x-www-form-urlencoded" \
	-H "Accept: 1.0" \
	--data-urlencode "grant_type=password" \
	--data-urlencode "client_id=oidcdebugger.com" \
	--data-urlencode "client_secret=secret" \
	--data-urlencode "username=" \
	--data-urlencode "password=" \
	--data-urlencode "scope=openid email"

```

Testing the implicit grant
--------------------------

Here we use the OpenID Connect Debugger site, so head to  and add the following data:

```
Authorize URI: http://example.com/egroupware/openid/endpoint.php/authorize
Redirect URI:  https://oidcdebugger.com/debug
Client ID:     oidcdebugger.com
Scope:         openid
Response Type: token
Response Mode: form_post

```

Hit [Send request] and you will be redirected to your EGroupware, where you have to log in (if you are not already) and authorize the request. After that you will be redirected back to the OpenID Connect debugger, which shows whether the request was successful and, if so, the access-token. It should also add a row to the `egw_openid_access_token` and `egw_open_id_access_token_scopes` tables.

Testing the authorization code grant
------------------------------------

Here we use again the OpenID Connect Debugger site for the first step, so head to  and change the URI and Response code as below:

```
Authorize URI: http://example.com/egroupware/openid/endpoint.php/authorize
Redirect URI:  https://oidcdebugger.com/debug
Client ID:     oidcdebugger.com
Scope:         openid
Response Type: code
Response Mode: form_post

```

Hit [Send request] and you will be redirected to your EGroupware, where you have to log in (if you are not already) and authorize the request. After that you will be redirected back to the OpenID Connect debugger, which shows whether the request was successful and, if so, the temporary auth-code, which now needs to be exchanged in a second step for an access-token and a refresh-token.
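The authorization-code flow outlined under "Supported Grants" and exercised in this section, as an added Python example that is not part of the egroupware/openid project: it builds the authorize request with a `state` and a `nonce`, checks the redirect back to the client, builds the same form body as the curl request below, and validates the JSON token response, including the `nonce` claim the id\_token should carry (listed above as an open task). The issuer URL, the helper names and the sample token response are constructed assumptions; a real id\_token must have its signature verified against the server's public key before any claim is trusted, which this example deliberately leaves to a JWT library.

```python
"""Client-side helpers for the authorization-code grant against the
EGroupware OpenID endpoints (added example, not project code).
No network calls: the caller sends the URL / form body and passes
the responses back in, so everything here is testable offline."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints and client data from the README; example.org stands for your host.
AUTHORIZE_URL = "https://example.org/egroupware/openid/endpoint.php/authorize"
TOKEN_URL = "https://example.org/egroupware/openid/endpoint.php/access_token"
ISSUER = "https://example.org/egroupware/openid"   # assumed value; the README elides it
CLIENT_ID = "oidcdebugger.com"
REDIRECT_URI = "https://oidcdebugger.com/debug"


def build_authorize_request(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, scope="openid email"):
    """Return (url, state, nonce). state ties the redirect to this browser
    session (CSRF protection); nonce ties the id_token to this request."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "nonce": nonce}
    return AUTHORIZE_URL + "?" + urlencode(params), state, nonce


def parse_redirect(redirect_url, expected_state):
    """Extract the auth-code from the redirect to redirect_uri; refuse it when
    the state does not match (not our request) or the server reported an error."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not triggered by our request")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(code, client_secret, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Form body for the backchannel POST to TOKEN_URL (same fields as the README's curl)."""
    return urlencode({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                      "client_secret": client_secret, "redirect_uri": redirect_uri})


def decode_jwt_claims(token):
    """Read the JWT payload WITHOUT verifying the signature; verify first in real code."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)           # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_response(body, expected_nonce, issuer=ISSUER, client_id=CLIENT_ID):
    """Validate the token endpoint's JSON and the id_token claims; return the tokens."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if not isinstance(data.get("expires_in"), int) or data["expires_in"] <= 0:
        raise ValueError("missing or invalid expires_in")
    for key in ("access_token", "id_token"):
        if not data.get(key):
            raise ValueError("token response lacks " + key)
    claims = decode_jwt_claims(data["id_token"])
    if claims.get("iss") != issuer:
        raise ValueError("id_token issuer mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("id_token was not issued for this client")
    if claims.get("nonce") != expected_nonce:    # replayed or foreign id_token
        raise ValueError("id_token nonce mismatch")
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"), "claims": claims}


def make_sample_token_response(nonce, issuer=ISSUER, client_id=CLIENT_ID):
    """Constructed stand-in for the JSON the README's curl shows; the id_token
    carries a dummy signature, a real one is RS256-signed by the server."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    id_token = ".".join([b64({"alg": "RS256", "typ": "JWT"}),
                         b64({"iss": issuer, "aud": client_id, "sub": "demo-user", "nonce": nonce}),
                         "dummy-signature"])
    return json.dumps({"id_token": id_token, "token_type": "Bearer", "expires_in": 3600,
                       "access_token": "constructed-access-token",
                       "refresh_token": "constructed-refresh-token"})


if __name__ == "__main__":
    url, state, nonce = build_authorize_request()
    code = parse_redirect(REDIRECT_URI + "?code=abc123&state=" + state, state)
    print("POST", TOKEN_URL, build_token_request(code, "secret"))
    print(check_token_response(make_sample_token_response(nonce), nonce)["claims"])
```

The two failure paths worth exercising are a redirect whose `state` does not belong to the current session and an id\_token whose `nonce` does not match the one sent in the authorize request; both are rejected before any token is handed to the application.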

```
curl -X POST -i http://example.org/egroupware/openid/endpoint.php/access_token \
	-H "Content-Type: application/x-www-form-urlencoded" \
	--data-urlencode "grant_type=authorization_code" \
	--data-urlencode "code=" \
	--data-urlencode "client_id=oidcdebugger.com" \
	--data-urlencode "client_secret=secret" \
	--data-urlencode "redirect_uri=https://oidcdebugger.com/debug"

HTTP/1.1 200 OK
Date: Fri, 05 Apr 2019 06:42:29 GMT
Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2r PHP/7.3.3
X-Powered-By: PHP/7.3.3
pragma: no-cache
cache-control: no-store
Content-Length: 2132
Content-Type: application/json; charset=UTF-8

{"id_token":"","token_type":"Bearer","expires_in":3600,"access_token":"","refresh_token":"
```
