This is a demo project that implements an Oauth2 server that handles saml2-bearer authorization grants. It mainly uses bshaffer/oauth2-server-php, onelogin/php-saml and codeguy/Slim
-
Clone the repository
# git clone https://github.com/aacotroneo/saml2-bearer-server.git # cd saml2-bearer-server -
Install all dependencies via composer
# composer installCurrently, as this is in development, you'll need to update the
bshaffer/oauth2-server-phpdependency to beaacotroneo/oauth2-server-php, but this will not be required as soon as we merge PR #510. For now, add the following to the composer.json"repositories": [ { "type": "vcs", "url" : "https://github.com/aacotroneo/oauth2-server-php" } ], -
Start the PHP web server
# cd web # php -S localhost:9000 -
Open up http://localhost:9000/tokeninfo in your browser!
-
To get a token run the following sample command. It uses a harcoded valid assertion and only works in strict mode = false, which validates basic stuff and signature. It's the client responsibility to get a valid token and will depend a lot on the existing Saml2 infrastructure.
# php console/test.php http://localhost:9000Note: you will need to have an existing database with a valid client (testclient:testpass) and scopes. Check the Cookbook
We use onelogin/saml to help us with the hard xml validations. I found that is not easy to find a tool in php to make standar-compliant saml2 tokens. Take a look at the comments at the [saml2 config file ] (https://github.com/aacotroneo/saml2-bearer-server/blob/master/inst/saml_settings.php)
The only problem you may face to integrate both projects is that they both have their own Request and Response. It's never a good thing to have 2 different objects hanging around which represent the same thing, especially the response, which is handled a bit differenty in each library. In slim you just have to echo the response (it's stored with ob_start), while on Oauth2 server you have to 'send()' it explicitely.
To overcome this issue I used a simple adapter pattern, but through inheritance instead of composition so that it is compilant with both interfaces. For example take a look at the Response Adapter which is the most interesting. Note that Oauth2 server adds params to the response, and slim willl automatically call finalize() when it's the right time. If therer are unsent params, we write a Json, so you won't have to call send() on responses anymore. That's it!
Thank you for reading, and let me know if you any questions, suggestions!
