Welcome to yii-auth-client Discussions!

[rossaddison]

👋 Welcome!

We’re using Discussions as a place to connect with other members of our community. We hope that you:

• Ask questions you’re wondering about.
• Share ideas.
• Engage with other community members.
• Welcome others and are open-minded. Remember that this is a community we
  build together 💪.

To get started, comment below with an introduction of yourself and tell us about what you do with this community.

[rossaddison]

OAuth2 clients can be augmented with an additional layer Iodc?

You're correct that OpenID Connect (OIDC) is an authentication protocol built on top of OAuth2, adding an identity layer. Since your repository, rossaddison/yii-auth-client, is for Yii Framework external authentication via OAuth and OpenID, integrating OIDC support is a logical extension.

Here's how you could approach adding OIDC support to your Yii authentication client:

1. Understand the Protocol Differences

• OAuth2: Provides authorization (access to resources).
• OIDC: Adds authentication (verifying user identity) on top of OAuth2, issuing an ID token (usually a JWT).

2. Identify Where OAuth2 Logic Exists

Look for the part of your codebase that handles OAuth2 flows (likely classes related to clients, token exchange, and user info retrieval).

3. Extend or Add an OIDC Client

• Create an OIDC client class (e.g., OidcClient), either extending the existing OAuth2 client or as a new class.
• OIDC requires additional endpoints (/.well-known/openid-configuration), and expects an id_token in response to token requests.

4. Update the Authorization and Token Logic

• During the authorization request, include the openid scope.
  Example:

  $params['scope'] = 'openid profile email';

• Upon token response, extract and verify the id_token (JWT).
• Use a JWT library to decode and validate the token signature and claims (aud, iss, exp, etc.).

5. Fetch User Info

• OIDC usually provides a UserInfo endpoint. After validating the ID token, use the access token to fetch additional user profile data if needed.

6. Integrate with Yii User Authentication

• Map OIDC claims (like sub, email, name) to your Yii user model or identity class.
• Handle user provisioning, login, or account-linking as needed.

---

Example: Basic PHP OIDC Integration

Pseudo-code for the main parts:

// 1. Build the auth URL with 'openid' scope
$authUrl = $oidcProvider->getAuthorizationUrl([
    'scope' => 'openid profile email'
]);

// 2. Exchange code for tokens (access_token, id_token)
$tokenData = $oidcProvider->getAccessToken('authorization_code', [
    'code' => $_GET['code'],
]);

$idToken = $tokenData['id_token'];
// 3. Validate id_token (using a JWT library)
$claims = $jwtLibrary->decode($idToken, $providerPublicKey);

// 4. Use claims for Yii user authentication
$user = Yii::$app->user->loginByOidcClaims($claims);

---

Libraries & References

• jumbojett/OpenID-Connect-PHP: A popular PHP OIDC client library.
• Yii2-OAuth2-Client Extension: Check if you can extend or adapt its OIDC support.
• OpenID Connect Specification.

---

Next Steps

• Decide if you want to write the OIDC logic yourself or use a library.
• Extend your repo’s OAuth2 client or add a new OIDC client class.
• Update your Yii user authentication to handle OIDC claims and flows.
• Test against an OIDC provider (Google, Auth0, Okta, etc.).

If you want code samples for a specific step, let me know which part you’d like to see!