Our journey towards OpenID Connect
We have been maintaining an identity provider service for quite some time now. It has been a massive undertaking, but I also learned an incredible amount from the experience.
With the next version of phpauth I want to start to properly implement authorization and authentication in a way that is interoperable with the rest of the world. This is where OIDC comes into play.
Up until now, we used a proprietary mechanism to generate tokens for the users, and signatures for the clients. Unlike OAuth2, we would have the client generate a signature with its app id and secret, and exchange that signature for a token.
The identity provider would then generate a token that the client could use to redirect the user to authenticate.
While our system was rudimentary in a lot of ways, and probably undercooked, it provided many of the creature comforts that we expect from OIDC and gave me a great foundation for understanding what makes the work behind OIDC, OAuth2 and JWT so amazing.
I found that many of the problems I was trying to solve were already solved elegantly (or not so elegantly at some points), and that adhering to a standard would not just make life easier for me, since somebody had already written the manual for my software for free; it would also make the software more useful and interoperable with others.
Most of the OAuth functionality is already implemented in phpauth 0.2, and I'll make sure to implement the rest of the OpenID Connect standard and report back here with my findings.