OpenID-Connect-PHP
Authenticate(): Add possibility to return Redirect URL instead of redirecting
Currently, when calling the authenticate() function, you're redirected to the Identity Provider. This assumes that the currently executing script is the frontend in the user's browser. When implementing API-based applications this is of course not the case and you might want to return this URL to the client in order to perform the redirect there.
Other use cases might be when a framework (like Laravel) is used, you might want to return a RedirectResponse as dictated by the framework in order to make use of its middleware. This currently isn't feasible.
As the authenticate() function already returns a boolean, an additional function like getAuthenticationUrl() might be needed in order to not break the API for existing users.
It works with Laravel but not in the nicest way. I am creating a package for it so that it uses the Laravel session handlers.
For API-based applications it would be nice to get the authentication url indeed! I am wondering how it would work because it needs a session currently.
Apologies for the unsolicited advice, but I'm facing a similar scenario :)
I am wondering how it would work because it needs a session currently.
Unfortunately there's no session interface in PHP nor in a PSR. If your application uses the SessionHandlerInterface, then using $_SESSION would simply work. However, most frameworks opt to use a session interface. If I were the maintainer of this library I would probably introduce a (simple) session interface including a default implementation using $_SESSION, and make it part of the configuration of the client.
refs https://github.com/jumbojett/OpenID-Connect-PHP/issues/374
@DeepDiver1975 I don't think this issue should be closed. Indeed my comment is answered by #374, but the initial question from @vixducis - retrieve the url instead of immediately redirecting - is not yet solved as requestAuthorization() is still private, so not overwriteable. Or am I missing something?
I think for this we need to split the authenticate() function, so that the authenticate function will call another function that does the checks and returns the authenticate URL.
@DeepDiver1975 I don't think this issue should be closed. Indeed my comment is answered by #374, but the initial question from @vixducis - retrieve the url instead of immediately redirecting - is not yet solved as requestAuthorization() is still private, so not overwriteable. Or am I missing something?
Actually... Although requestAuthorization() is private, the redirect($url) method is public. Would it be possible to override that to throw an appropriate exception that you can handle in the calling code? I know, then you would be using exceptions for flow control, so not nice, but it could be a workaround until a proper fix can be issued.
Be aware: the method is used by signOut($idToken, $redirect) too!
@talasjanos Yes. That currently is our solution; we override redirect() to actually store the redirect URL in a property and add methods to check if it is set and to retrieve it (could be a single method, whatever is your preference).
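The workaround described in the two comments above, as an added example that is not code from this thread or from the library: a subclass overrides the public redirect() so the URL is stored instead of sent as a Location header. It assumes jumbojett/openid-connect-php is installed via Composer; the class CapturingOpenIDConnectClient, its two accessor methods, and the example.com URLs and client credentials are hypothetical placeholders.

```php
<?php
require __DIR__ . '/vendor/autoload.php'; // assumption: Composer install of the library

use Jumbojett\OpenIDConnectClient;

// Hypothetical subclass (not part of the library): records the URL that
// authenticate() or signOut() would redirect to instead of emitting it.
final class CapturingOpenIDConnectClient extends OpenIDConnectClient
{
    /** @var string|null */
    private $capturedUrl = null;

    // Parameter left untyped so the override stays compatible whether or
    // not the installed version type-hints $url.
    public function redirect($url)
    {
        // The parent sends "Location: $url" and exits; here we only store it.
        // signOut() goes through this method too, so its URL is captured as well.
        $this->capturedUrl = (string) $url;
    }

    // Named to avoid clashing with the library's own getRedirectURL(),
    // since PHP method names are case-insensitive.
    public function hasCapturedRedirectUrl(): bool
    {
        return $this->capturedUrl !== null;
    }

    public function getCapturedRedirectUrl(): ?string
    {
        return $this->capturedUrl;
    }
}

$oidc = new CapturingOpenIDConnectClient(
    'https://idp.example.com', 'client-id-placeholder', 'client-secret-placeholder'
);
// Supplying the endpoint up front avoids a discovery request in this example.
$oidc->providerConfigParam(['authorization_endpoint' => 'https://idp.example.com/authorize']);
$oidc->setRedirectURL('https://app.example.com/callback');

if (!$oidc->authenticate() && $oidc->hasCapturedRedirectUrl()) {
    // state and nonce are already stored in the PHP session at this point, so
    // the callback must arrive with the same session for them to be checked.
    header('Content-Type: application/json');
    echo json_encode(['redirect' => $oidc->getCapturedRedirectUrl()]);
}
```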
I've made the modification in a fork, to provide two functions - the original one which redirects, and another public one which returns the URL. Would you accept a PR? Thanks, Massimo