
kingsoft/azure-oauth2
=====================

Handler to authenticate with AzureAD

Version 1.4.0 (10mo ago), MIT license, PHP, requires PHP &gt;=8.2. [2 issues](https://github.com/theking2/kingsoft-azure-oauth2/issues), [1 PRs](https://github.com/theking2/kingsoft-azure-oauth2/pulls).

[Source](https://github.com/theking2/kingsoft-azure-oauth2) | [Packagist](https://packagist.org/packages/kingsoft/azure-oauth2)

OAUTH2 authenticator for AzureAD
================================


Security considerations
-----------------------


### `logoutAzure($redirectUrl)` — open-redirect risk (severity: Low)


`logoutAzure()` appends `$redirectUrl` directly to the Microsoft `post_logout_redirect_uri` query parameter. Microsoft validates this value against the redirect URIs registered for your app, which limits exploitability. However, if user-supplied input (e.g. from `$_GET` or `$_POST`) is ever passed here, it becomes an open-redirect vector should that Azure-side validation be misconfigured or loosened.

**Rule:** always pass a hard-coded or configuration-derived URL — never a caller/user-supplied value.

```
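// CORRECT – value comes from your own configuration.
// Note: SERVER_NAME is only configuration-derived when the web server pins it
// (e.g. Apache with ServerName set and UseCanonicalName On); otherwise it can
// reflect the client-supplied Host header.
$authenticator->logoutAzure('https://' . $_SERVER['SERVER_NAME']);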

// WRONG – value comes from user input
$authenticator->logoutAzure($_GET['redirect']);   // ← do not do this
```
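
When an application needs more than one post-logout destination, the rule above still holds if the request only selects among configured URLs and never supplies one. The following is an added example, not code from this package; `postLogoutUrl()`, `POST_LOGOUT_URIS` and the `example.com` URLs are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical configuration: the exact post-logout URIs registered for the
// app on the Azure side (constructed sample values).
const POST_LOGOUT_URIS = [
    'home'    => 'https://app.example.com/',
    'goodbye' => 'https://app.example.com/signed-out',
];

/**
 * Hypothetical helper: return a configured URL to hand to logoutAzure().
 * User input only selects among configured values; it never becomes part
 * of the URL itself.
 */
function postLogoutUrl(mixed $requested, array $allowed, string $defaultKey): string
{
    if (!isset($allowed[$defaultKey])) {
        throw new InvalidArgumentException('default key missing from allowlist');
    }
    // Accept a short key ("goodbye") or a full URL that is identical to a
    // configured one. No prefix or host-only matching, so a look-alike such
    // as "https://app.example.com.attacker.test/" falls through to the default.
    // Non-string input (e.g. ?redirect[]=x arrives as an array) also falls through.
    if (is_string($requested)) {
        if (isset($allowed[$requested])) {
            return $allowed[$requested];
        }
        if (in_array($requested, $allowed, true)) {
            return $requested;
        }
    }
    return $allowed[$defaultKey];
}

// Constructed sample inputs, as they might arrive in $_GET['redirect'].
$samples = ['goodbye', 'https://app.example.com/signed-out',
            'https://app.example.com.attacker.test/', '//attacker.test', ['x'], null];
foreach ($samples as $input) {
    printf("%-45s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES),
        postLogoutUrl($input, POST_LOGOUT_URIS, 'home'));
}

// Usage with the authenticator from this README:
// $authenticator->logoutAzure(postLogoutUrl($_GET['redirect'] ?? null, POST_LOGOUT_URIS, 'home'));
```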

Sample
------


Where `config.php` sets the global `SETTINGS` and the logger `LOG`:

```
