SAML - Getting response from the identity provider - php

I am trying to implement a SAML authentication system using onelogin.com. I am using this PHP library https://github.com/simplesamlphp/saml2 with the code below:
// Set up an AuthnRequest
$request = new SAML2_AuthnRequest();
// $request->setId(SAML2_Utils::generateId());
$request->setIssuer('http://localhost:8888/yii2/dw/advanced/frontend/web/index.php?r=site/auth');
$request->setDestination('https://app.onelogin.com/trust/saml2/http-post/sso/418578');
// Send it off using the HTTP-Redirect binding
$binding = new SAML2_HTTPRedirect();
$binding->send($request);
The above code successfully authenticates me and posts me back to my success page, but I don't know how to get the user information from the posted data.
I am trying the code below to get the user data:
$response = new \SAML2_Response();
print_r($response);
It gives the following output:
SAML2_Response Object
(
[assertions:SAML2_Response:private] => Array
(
)
[inResponseTo:SAML2_StatusResponse:private] =>
[status:SAML2_StatusResponse:private] => Array
(
[Code] => urn:oasis:names:tc:SAML:2.0:status:Success
[SubCode] =>
[Message] =>
)
[extensions:protected] =>
[tagName:SAML2_Message:private] => Response
[id:SAML2_Message:private] => _afe4d7fd7add270de7d334231e2eec68d1492363130
[issueInstant:SAML2_Message:private] => 14340322405
[destination:SAML2_Message:private] =>
[consent:SAML2_Message:private] => urn:oasis:names:tc:SAML:2.0:consent:unspecified
[issuer:SAML2_Message:private] =>
[relayState:SAML2_Message:private] =>
[document:protected] =>
[signatureKey:SAML2_Message:private] =>
[messageContainedSignatureUponConstruction:protected] =>
[certificates:SAML2_Message:private] => Array
(
)
[validators:SAML2_Message:private] => Array
(
)
)
From the above output I am not able to get the user information. Please help.

Your code:
$response = new \SAML2_Response();
actually creates a new SAML 2.0 Response object instead of parsing the one that is posted back from the IDP. This call should be used by an IDP that wants to create a SAML response. You should be looking to execute something like the following code on the Assertion Consumer (ACS) URL:
$b = SAML2_Binding::getCurrentBinding();
$response = $b->receive();
but I would very strongly advise you to use simpleSAMLphp itself (or another 3rd party SAML implementation) for integrating SAML into your PHP application, since it deals with all the complex and security-sensitive SAML processing.
The SAML 2.0 library is only meant for developers who want to use SAML for other purposes than Web SSO, or who want to rebuild a SAML implementation because simpleSAMLphp does not suit them. Assuming you have no requirements that simpleSAMLphp can't meet, you're far better off (and more secure) using that. Moreover, if you have an extension requirement, I would create a pull request for simpleSAMLphp instead of redoing that project from scratch.
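As an added illustration of the answer above (not code from the thread or from the simplesamlphp/saml2 project), this is what the Assertion Consumer Service endpoint has to check on the message that `receive()` hands back, written against the 1.x `SAML2_*` class names used in the question. It assumes the IdP's PEM signing certificate lives at the placeholder path `IDP_CERT_FILE`, and that the AuthnRequest ID (`$request->getId()`) was stored in `$_SESSION['saml_request_id']` before `$binding->send($request)`.

```php
<?php
// Added example: ACS-side handling of the samlp:Response for the simplesamlphp/saml2 1.x API.
// Assumptions: IDP_CERT_FILE is a placeholder path to the IdP's PEM certificate, and the
// AuthnRequest ID was saved in the session before the request was sent.
require_once 'vendor/autoload.php';
const SP_ENTITY_ID  = 'http://localhost:8888/yii2/dw/advanced/frontend/web/index.php?r=site/auth';
const IDP_CERT_FILE = '/path/to/onelogin-idp.crt';  // placeholder path

function receiveAssertion($expectedInResponseTo) {
    $response = SAML2_Binding::getCurrentBinding()->receive();  // HTTP-POST on the ACS
    if (!($response instanceof SAML2_Response)) {
        throw new Exception('ACS expects a samlp:Response');
    }
    $status = $response->getStatus();
    if ($status['Code'] !== SAML2_Const::STATUS_SUCCESS) {
        throw new Exception('IdP returned status ' . $status['Code']);
    }
    // Only accept a Response to the AuthnRequest this session actually sent.
    if ($response->getInResponseTo() !== $expectedInResponseTo) {
        throw new Exception('InResponseTo does not match our AuthnRequest ID');
    }
    // validate() returns false when the element carries no signature and throws when a
    // signature is present but does not verify; the library re-casts the key's algorithm
    // to the one named in the message's Signature element.
    $idpKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type' => 'public'));
    $idpKey->loadKey(IDP_CERT_FILE, true, true);      // isFile, isCert
    $responseSigned = $response->validate($idpKey);
    $assertions = $response->getAssertions();
    if (count($assertions) !== 1 || $assertions[0] instanceof SAML2_EncryptedAssertion) {
        throw new Exception('expected exactly one plaintext assertion');  // decrypt first otherwise
    }
    $assertion = $assertions[0];
    // Either the Response or the Assertion itself must be signed by the IdP.
    if (!$responseSigned && !$assertion->validate($idpKey)) {
        throw new Exception('neither Response nor Assertion is signed by the IdP');
    }
    $now = time();
    if (($assertion->getNotBefore() !== null && $assertion->getNotBefore() > $now) ||
        ($assertion->getNotOnOrAfter() !== null && $assertion->getNotOnOrAfter() <= $now)) {
        throw new Exception('assertion is outside its validity window');
    }
    $audiences = $assertion->getValidAudiences();
    if ($audiences !== null && !in_array(SP_ENTITY_ID, $audiences, true)) {
        throw new Exception('assertion was not issued for this SP');
    }
    return $assertion;
}

$assertion  = receiveAssertion($_SESSION['saml_request_id']);
$nameId     = $assertion->getNameId();      // array('Value' => ..., 'Format' => ...) or null
$attributes = $assertion->getAttributes();  // attribute name => array of values
```

Compare this with what simpleSAMLphp does for you in `SimpleSAML_Auth_Simple`: the same checks, plus replay detection on the assertion ID, which this sketch leaves out.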

#HansZ is right. Be careful when directly using the SAML core of simpleSAMLphp instead of the whole framework.
I also wanted to suggest an alternative: since you want to connect your application with onelogin.com, why not use OneLogin's PHP SAML Toolkit? https://github.com/onelogin/php-saml

Related

I lose my own application's session data after redirecting to another controller when I launch my application from Moodle using LTI 1.3

My application is based on PHP CodeIgniter, and for the LMS I am using a Moodle cloud instance. I want my application to support LTI 1.3. For that, I am using this PHP library (https://github.com/1EdTech/lti-1-3-php-library) which helps me handle the LTI 1.3 login and launch. I successfully implemented that library, but I noticed that after login, when I create a session where I store the user details ->
application/controllers/Login.php
$user_details['userID'] = 123;
$user_details['key'] = 'xyz';
$user_details['userName'] = "Anubhab";
$this->session->set_userdata('logged_in', $user_details);
later, when I try to send that session to another controller, in Moodle I lose the session data ->
application/controllers/Redirect.php
$logged_in = $this->session->userdata('logged_in');
print_r($logged_in);
I get a blank array when I launch my application from Moodle.
If I print the session object I get this:
print($this->session);
Output:
CI_Session Object ( [userdata] => Array ( [__ci_last_regenerate] => 167646604 ) [_driver:protected] => files [_config:protected] => Array ( [cookie_lifetime] => 7200 [cookie_name] => ci_session567fgf [cookie_path] => / [cookie_domain] => [cookie_secure] => [expiration] => 7200 [match_ip] => 1 [save_path] => /var/www/univ/system/cache/sessions [_sid_regexp] => [0-9a-f]{40} ) [_sid_regexp:protected] => [0-9a-f]{40} )
In standalone mode and in OpenEdx (when I launch my application from OpenEdx) I can successfully send the session data to another controller, but in Moodle the same code does not work. If anyone can tell me the reason, that would be really helpful.
Thanks in advance!

WP JSON API Connect

I want to post content to WordPress from another PHP app. I am using the REST API plugin for posting, and for authentication I am using the OAuth plugin. I just want to know how to get the access token. I am referring to
https://github.com/WebDevStudios/WDS-WP-JSON-API-Connect
For the json_url in the code I use,
e.g. (http://myproject.info/wpsingle/wp-content/plugins/my_plugin/json-rest-api/lib/wp-json.php),
it ends up in an error:
[errors] => Array ( [wp_json_api_connection_failed_error] => Array (
[0] => There was a problem connecting to the API URL specified. ) )
[error_data] => Array ( )
I used this for the same thing. I used basic authentication, i.e. the admin panel username and password, because I was the only person who was going to post to WordPress. The correct URL to access the endpoint was like below:
http://domain.com/wp-json/posts?filter[s]=awesome
This is the link for how to create a post. I used Guzzle to call the API like below to get the posts from a particular category:
$client = new \GuzzleHttp\Client();
$response = $client->get("http://domain.com/wp-json/posts?filter[category_name]=test", array('auth' => ['username','password']));
$posts = $response->json();
But if you are going to let other people post, then you must use OAuth, because you cannot share the admin panel username and password with everyone.

Evernote Integration With PHP

I have successfully completed the authentication of Evernote with PHP,
and I have got this response:
Array ( [oauth_token] => S=s1:U=6316e:E=144fcfdfdb9:C=13da54cd1ba:P=185:A=maheshchari-2599:V=2:H=6da806fe92b9289cf0334f04e2afdc55 [oauth_token_secret] => [edam_shard] => s1 [edam_userId] => 405870 [edam_expires] => 1395813907897 [edam_noteStoreUrl] => https://sandbox.evernote.com/shard/s1/notestore [edam_webApiUrlPrefix] => https://sandbox.evernote.com/shard/s1/ )
Now, I want the list of notebooks of the user which has been authenticated with evernote.
I have done a lot of research online but I couldn't find anything that helps. I have come to know that a GUID is necessary to get the list of notebooks.
Where can I find that? And how can I access the NoteStore and UserStore?
How can I call the functions of the NoteStore and UserStore to fetch the data of the user's account and the user's notes in PHP?
Thanks in Advance.
Using the Evernote SDK for PHP, you can list notebooks as below:
$client = new Client(array('token' => $authToken));
$noteStore = $client->getNoteStore();
$notebooks = $noteStore->listNotebooks();
All the API references can be found here.
Also, you shouldn't make your token public. Please make sure the token string you posted can't be used any more. If you need more help on this, you can get support from Evernote developer support.
https://github.com/evernote/evernote-sdk-php
Go to this link, download the zip, then go to the sample folder, then the client folder, and run the EDAMTest.php page
after adding your auth token.

LinkedIn callback not working for certain URLs (using Zend Framework)

LinkedIn doesn't seem to like the idea of redirecting back to my test site.
This code directs me to the LinkedIn confirm page without any problems:
(This is pretty much a boilerplate example using Zend's OAuth)
$options = array(
'version' => '1.0',
'callbackUrl' => 'http://dev.local/',
'requestTokenUrl' => 'https://api.linkedin.com/uas/oauth/requestToken',
'userAuthorizationUrl' => 'https://api.linkedin.com/uas/oauth/authorize',
'accessTokenUrl' => 'https://api.linkedin.com/uas/oauth/accessToken',
'consumerKey' => [api],
'consumerSecret' => [secret]
);
$consumer = new Zend_Oauth_Consumer( $options );
// Start Requesting a LinkedIn Request Token
$token = $consumer->getRequestToken ();
// Store the LinkedIn Request Token
$_SESSION ['REQUEST_TOKEN'] = serialize ( $token );
// Redirect the Web User to LinkedIn Authentication Page
$consumer->redirect ();
However if my callback is http://dev.local/ it does not redirect, but if I specify a valid domain (like http://www.google.com) it redirects with no problem.
This behaviour started recently (it was working fine until about a month ago). This is obviously a serious pain, since I need to deploy code to be able to test anything.
Is this a problem people have experienced, and has anyone found a way to get around it?
It seems this is because LinkedIn changed their API, specifically how the API interacts with OAuth:
On the technical side, we've borrowed the OAuth 2.0 concept of the
"scope" parameter and incorporated it into our OAuth 1.0a and JS
Authentication flows.
Seems other apps, plugins and libraries are experiencing some difficulty with this as well.

Invalid OAuth Signature returned while using Yammer Api

I am trying to write a small web app that pulls data from Yammer. I have to go through Yammer's OAuth bridge to access their data. I tried using the OAuth PHP library to do the 3-way handshake. But at the last step, I get an error stating I have an invalid OAuth signature.
Here are the series of steps:
The first part involves getting the request Token URL and these are the query parameters that I pass.
[oauth_version] => 1.0
[oauth_nonce] => 4e495b6a5864f5a0a51fecbca9bf3c4b
[oauth_timestamp] => 1256105827
[oauth_consumer_key] => my_consumer_key
[oauth_signature_method] => HMAC-SHA1
[oauth_signature] => FML2eacPNH6HIGxJXnhwQUHPeOY=
Once this step is complete, I get the request Token as follows:
[oauth_token] => 6aMcbRK5wMqHgZQsdfsd
[oauth_token_secret] => ro8AJxZ67sUDoiOTk8sl4V3js0uyof1uPJVB14asdfs
[oauth_callback_confirmed] => true
I then try to authorize the given token and token secret by passing the parameters to the authorize URL. It takes me to Yammer's authentication page where I have to allow my app to talk to Yammer.
Yammer then gives me a 4-digit code that I have to put back into my application, which then tries to acquire the permanent access token. I pass the following information to the access token URL:
[oauth_version] => 1.0
[oauth_nonce] => 52b22495ecd9eba277c1ce6b97b00fdc
[oauth_timestamp] => 1256106815
[oauth_consumer_key] => myconsumerkey
[callback_token] => 61A7
[oauth_token] => 6aMcbRK5wMqHgZQsdfsd
[oauth_token_secret] => ro8AJxZ67sUDoiOTk8sl4V3js0uyof1uPJVB14asdfs
[oauth_callback_confirmed] => true
[oauth_signature_method] => HMAC-SHA1
[oauth_signature] => V9YcMDq2rP7OiZTK1k5kb/otMzA=
Here I am supposed to receive the OAuth permanent access token, but instead I get an Invalid OAuth signature. I don't know what I am doing wrong. I use the same signatures to sign the request. Should I sign the request using the new token and secret? I tried that as well, but to no avail. I even tried implementing this in Java using the signpost library and got stuck at the exact same place. Help! Help!!
The callback_token was something Yammer introduced in response to an OAuth security advisory earlier this year. When OAuth 1.0a was released, it was instead named oauth_verifier. However, it's not unlikely that Yammer still supports their workaround, but rename it and try again to be sure.
Also, the below is information from the Yammer Development Network yesterday:
Tomorrow we will be releasing some
changes to the Yammer API to
facilitate user network switching on
API clients. Most of the change is in
the OAuth Access Tokens call which
allows you to generate pre-authorized
OAuth access tokens for a given user.
One token will be generated for each
network they are in and your clients
switch networks by sending an API
request signed with the appropriate
token for that network.
I'm assuming that Yammer OAuth libraries might need to be updated per this change. I haven't taken a look at it yet.
Edit: My python-yammer-oauth library still works despite Yammer having changed things on their side.
Edit2: Could you try using signature method PLAINTEXT instead of HMAC-SHA1? I've had problems with Yammer and HMAC-SHA1.
I tried using PLAINTEXT, but with this method it gives me the same "Invalid OAuth signature" error even when requesting the token.
So is it possible to use HMAC-SHA1 to generate the access token and PLAINTEXT for accessing the actual API methods, i.e. for posting the message?
Just found the problem!
I had forgotten to add an ampersand ("&") at the end of CONSUMER_SECRET. Perhaps this is your issue as well?
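An added example, not code from this thread, showing why the missing ampersand breaks the first leg: in OAuth 1.0 HMAC-SHA1 (RFC 5849 section 3.4) the signing key is always the percent-encoded consumer secret, an "&", and the percent-encoded token secret, so on the request-token call, where there is no token secret yet, the key still has to end in "&". The endpoint URL and the consumer secret below are placeholders; the other parameters are the ones listed in the question.

```php
<?php
// Added example: OAuth 1.0 HMAC-SHA1 signing per RFC 5849 §3.4, built to show the effect of
// dropping the "&" from the signing key. The URL and secret are constructed placeholders.

function oauthEncode($s) {
    return rawurlencode($s);  // RFC 3986 unreserved set, as RFC 5849 §3.6 requires
}

function oauthSigningKey($consumerSecret, $tokenSecret = '') {
    // The "&" is part of the key even when the token secret is empty (request-token leg).
    return oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
}

function oauthBaseString($method, $url, array $params) {
    // Encode names and values first, then sort by encoded name (RFC 5849 §3.4.1.3.2).
    $encoded = array();
    foreach ($params as $name => $value) {
        $encoded[oauthEncode($name)] = oauthEncode($value);
    }
    ksort($encoded, SORT_STRING);
    $pairs = array();
    foreach ($encoded as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    return strtoupper($method) . '&' . oauthEncode($url) . '&' . oauthEncode(implode('&', $pairs));
}

function oauthSignature($method, $url, array $params, $consumerSecret, $tokenSecret = '') {
    $key = oauthSigningKey($consumerSecret, $tokenSecret);
    return base64_encode(hash_hmac('sha1', oauthBaseString($method, $url, $params), $key, true));
}

// Leg 1 (request token): the oauth_* parameters from the question, minus oauth_signature,
// which is never part of the base string.
$url    = 'https://example.invalid/oauth/request_token';  // placeholder endpoint
$secret = 'CONSUMER_SECRET_PLACEHOLDER';
$params = array(
    'oauth_version'          => '1.0',
    'oauth_nonce'            => '4e495b6a5864f5a0a51fecbca9bf3c4b',
    'oauth_timestamp'        => '1256105827',
    'oauth_consumer_key'     => 'my_consumer_key',
    'oauth_signature_method' => 'HMAC-SHA1',
);
$correct = oauthSignature('POST', $url, $params, $secret);        // key is "secret&"
$broken  = base64_encode(hash_hmac('sha1', oauthBaseString('POST', $url, $params),
                                   oauthEncode($secret), true));  // key is "secret", no "&"
echo "key with trailing &:    $correct\nkey without trailing &: $broken\n";
```

On the access-token leg the same `oauthSignature()` is called with the request token's secret as `$tokenSecret` and with the verifier (`oauth_verifier`, or `callback_token` in Yammer's older scheme) added to `$params`.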
