Difference between revisions of "OpenID Connect Developer Guide"

Revision as of 16:38, 25 November 2015

Getting Started

To get started, you'll need to select an OpenID 2.0 compliant library compatible with your programming language.

The best place to look is the Getting Started Guide on OpenID.net. Google's OpenID documentation is also very useful. There are dozens of libraries in all major languages.

Authenticating the User

The OAuth 2.0 APIs in WHMCS can be used for both authentication and authorization. This document describes our OAuth 2.0 implementation for authentication, which conforms to the OpenID Connect specification.

Authenticating the user involves obtaining an ID token and validating it. ID tokens are a standardized feature of OpenID Connect designed for use in sharing identity assertions on the Internet.

Authorization Endpoint

You should retrieve the Authorization Endpoint URI and all other Endpoint URIs from the Discovery document located at https://www.example.com/whmcs/oauth/openid-configuration.php. This provides various endpoint URIs, including the Authorization Endpoint URI and Token Endpoint URI, defied as authorization_endpoint and token_endpoint,

Important Note: HTTPS must be used for all requests. SSL is required for all OAuth 2.0 interaction per the OpenID Connect specification.

The Workflow

When a user tries to log in with WHMCS, you need to:

Create an anti-forgery state token
Send an Authentication Request to WHMCS
Confirm the anti-forgery state token
Exchange code for access_token and ID Token
Obtain user information from the ID Token
Authenticate the User

Create an anti-forgery state token

You must protect the security of your users by preventing request forgery attacks. The first step is creating a unique session token that holds state between your app and the user's client. You later match this unique session token with the authentication response returned by the WHMCS OAuth Login service to verify that the user is making the request and not a malicious attacker. These tokens are often referred to as cross-site request forgery (CSRF) tokens.

Best practices for generating state tokens is beyond the scope of this document. At a minimum, we suggest a string of 32 characters constructed by a high-entropy random number generator. Another suggest is a one-way hash generated by signing session state information with a key that is kept secret on your back-end.

Send an Authentication Request to WHMCS

Applications need OAuth 2.0 credentials, including a client ID and client secret, to authenticate users and gain access to the WHMCS API. Instructions for provisioning these can be found in the OpenID Connect End User Documentation.

For a basic request, the following parameters are required:

client_id which you obtain from the OpenID Connect Management interface within WHMCS
response_type which should be code.
scope which in a basic request should be openid profile email.
redirect_uri should be the HTTP endpoint on your server that will receive the response from WHMCS. This must match the URI you specified when configuring your Application inside WHMCS.
state should include the value of the anti-forgery unique session token, as well as any other information needed to recover the context when the user returns to your application, e.g., the starting URL.

Here is an example of a complete OpenID Connect authentication URI, with line breaks and spaces for readability:

 https://www.example.com/whmcs/oauth/authorize.php?
 client_id=WHMCS-DEMO./hW6JgfqRfZ8eCCIsZHQTg==&
 response_type=code&
 scope=openid%20profile%20email&
 redirect_uri=https://oauth2-login-demo.example.com/code&
 state=security_token%3D138r5719ru3e1%26url%3Dhttps://oauth2-login-demo.example.com/index

Confirm the anti-forgery state token

In response to the query above, a redirect is performed where in the target URL will be the provided (and validated) redirect_uri with a code parameter and the state that you specified in the request. All responses are returned in the query string, as shown below:

https://oauth2-login-demo.example.com/code? state=security_token%3D138r5719ru3e1%26url%3Dhttps://oa2cb.example.com/index&code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7

On the server, you must confirm that the state received from WHMCS matches the session token you created in Step 1. This round-trip verification helps to ensure that the user, not a malicious script, is making the request.

Exchange code for access token and ID Token

The response includes a code parameter, a one-time, short-lived authorization code that your server can exchange for an access token and ID token. Your server makes this exchange by sending an HTTPS POST request. The POST request is sent to the token endpoint, which you should retrieve from the Discovery document using the key token_endpoint. The following discussion assumes the endpoint is https://www.example.com/whmcs/oauth/token.php. The request must include the following parameters in the POST body:

code	The authorization code that is returned from the initial request.
client_id	The client ID that you obtain from the Developers Console, as described in Obtain OAuth 2.0 credentials.
client_secret	The client secret that you obtain from the Developers Console, as described in Obtain OAuth 2.0 credentials.
redirect_uri	The URI that you specify in the Developers Console, as described in Set a redirect URI.
grant_type	This field must contain a value of authorization_code, as defined in the OAuth 2.0 specification.

The actual request might look like the following example:

POST /whmcs/oauth/token.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
 
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=WHMCS-DEMO./hW6JgfqRfZ8eCCIsZHQTg==&
client_secret={client_secret}&
redirect_uri=https://oauth2-login-demo.example.com/code&
grant_type=authorization_code
A successful response to this request contains the following fields in a JSON array:

access_token	A token that can be sent to a WHMCS API.
id_token - A JWT that contains identity information about the user that is digitally signed by WHMCS.
expires_in - The remaining lifetime of the access token.
token_type - Identifies the type of token returned. At this time, this field always has the value Bearer.

Obtain user information from ID Token

An ID Token is a JWT (JSON Web Token, https://tools.ietf.org/html/rfc7519), that is, a cryptographically signed Base64-encoded JSON object.

We highly recommend validating this signed token. Many API libraries combine the validation with the work of decoding the base64 and parsing the JSON, so you will probably end up validating the token as you access the fields in the ID token. You may also what to visit http://jwt.io/ for more information on JWT.

An ID token's payload

An ID token is a JSON object containing a set of name/value pairs. Here’s an example, formatted for readability:

{
 "iss":"https://www.example.com/whmcs",
 "sub":"78506140-dc6a-4a66-9faa-a3c9e52531a2",
 "aud":"WHMCS-DEMO./hW6JgfqRfZ8eCCIsZHQTg==",
 "iat": 1448466862,
 "exp": 1448466962
}

WHMCS ID Tokens will contain the following fields (known as claims):

iss	The Issuer Identifier for the Issuer of the response. Always the System SSL URL for your WHMCS installation
sub	An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple emails at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user.
aud	Identifies the audience that this ID token is intended for. It will be one of the OAuth 2.0 client IDs of as generated by your WHMCS installation and used by your application.
iat	The time the ID token was issued, represented in Unix time (integer seconds).
exp	The time the ID token expires, represented in Unix time (integer seconds).

Authenticate the User In Your Application

xxxxxx After obtaining user information from the ID token, you should query your app's user database. If the user already exists in your database, you should start an application session for that user.

If the user does not exist in your user database, you should redirect the user to your new-user sign-up flow. You may be able to auto-register the user based on the information you receive from WHMCS, or at the very least you may be able to pre-populate many of the fields that you require on your registration form. In addition to the information in the ID token, you can get additional user information using one of our available claims. Available Claims The following claims are available: Claim Name Supported Version profile 6.2.0+ email 6.2.0+

Setting up OAuth 2.0 API Methods ListOpenIDCredentials CreateOpenIDCredential UpdateOpenIDCredential DeleteOpenIDCredential

@@ Line 3: / Line 3: @@
 To get started, you'll need to select an OpenID 2.0 compliant library compatible with your programming language.
-The best place to look is the Getting Started Guide on OpenID.net. Google's OpenID documentation is also very useful. There are dozens of libraries in all major languages.
+The best place to look is the [http://openid.net/add-openid/add-getting-started/ Getting Started Guide] on [http://openid.net/ OpenID.net]. [http://code.google.com/apis/accounts/docs/OpenID.html Google's OpenID documentation] is also very useful. There are [http://openid.net/developers/libraries/ dozens of libraries] in all major languages.
 ==Authenticating the User==
-The OAuth 2.0 APIs in WHMCS can be used for both authentication and authorization. This document describes our OAuth 2.0 implementation for authentication, which conforms to the OpenID Connect specification.
+The OAuth 2.0 APIs in WHMCS can be used for both authentication and authorization. This document describes our OAuth 2.0 implementation for authentication, which conforms to the [http://openid.net/connect/ OpenID Connect] specification.
-Authenticating the user involves obtaining an ID token and validating it. ID tokens are a standardized feature of OpenID Connect designed for use in sharing identity assertions on the Internet.
+Authenticating the user involves obtaining an ID token and validating it. ID tokens are a standardized feature of [http://openid.net/connect/ OpenID Connect] designed for use in sharing identity assertions on the Internet.
 ===Authorization Endpoint===
@@ Line 30: / Line 30: @@
 ===Create an anti-forgery state token===
-You must protect the security of your users by preventing request forgery attacks. The first step is creating a unique session token that holds state between your app and the user's client. You later match this unique session token with the authentication response returned by the WHMCS OAuth Login service to verify that the user is making the request and not a malicious attacker. These tokens are often referred to as cross-site request forgery (CSRF) tokens.
+You must protect the security of your users by preventing request forgery attacks. The first step is creating a unique session token that holds state between your app and the user's client. You later match this unique session token with the authentication response returned by the WHMCS OAuth Login service to verify that the user is making the request and not a malicious attacker. These tokens are often referred to as cross-site request forgery ([http://en.wikipedia.org/wiki/Cross-site_request_forgery CSRF]) tokens.
 Best practices for generating state tokens is beyond the scope of this document.  At a minimum, we suggest a string of 32 characters constructed by a high-entropy random number generator. Another suggest is a one-way hash generated by signing session state information with a key that is kept secret on your back-end.
@@ Line 62: / Line 62: @@
 <source lang="php">
- https://oauth2-login-demo.example.com/code? state=security_token%3D138r5719ru3e1%26url%3Dhttps://oa2cb.example.com/index&code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7
+https://oauth2-login-demo.example.com/code? state=security_token%3D138r5719ru3e1%26url%3Dhttps://oa2cb.example.com/index&code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7
 </source>

Documentation