feat(keycloak): added OIDC foundation

Author: thorsten

phpmyfaq/src/phpMyFAQ/Auth/Keycloak/KeycloakProviderConfigFactory.php

@@ -0,0 +1,75 @@
+<?php
+
+/**
+ * Keycloak OIDC provider config factory.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Keycloak;
+
+use phpMyFAQ\Auth\Oidc\OidcClientConfig;
+use phpMyFAQ\Auth\Oidc\OidcProviderConfig;
+use phpMyFAQ\Configuration;
+
+final readonly class KeycloakProviderConfigFactory
+{
+    public function __construct(
+        private Configuration $configuration,
+    ) {
+    }
+
+    public function create(): OidcProviderConfig
+    {
+        $baseUrl = rtrim(trim((string) $this->configuration->get('keycloak.baseUrl')), characters: '/');
+        $realm = trim((string) $this->configuration->get('keycloak.realm'));
+        $redirectUri = trim((string) $this->configuration->get('keycloak.redirectUri'));
+        $scopes = preg_split('/\s+/', trim((string) $this->configuration->get('keycloak.scopes')));
+        if ($scopes === false) {
+            $scopes = [];
+        }
+
+        if ($redirectUri === '') {
+            $redirectUri = rtrim($this->configuration->getDefaultUrl(), characters: '/') . '/auth/keycloak/callback';
+        }
+
+        return new OidcProviderConfig(
+            provider: 'keycloak',
+            enabled: $this->toBool($this->configuration->get('keycloak.enable')),
+            discoveryUrl: $this->buildDiscoveryUrl($baseUrl, $realm),
+            client: new OidcClientConfig(
+                clientId: trim((string) $this->configuration->get('keycloak.clientId')),
+                clientSecret: trim((string) $this->configuration->get('keycloak.clientSecret')),
+                redirectUri: $redirectUri,
+                scopes: array_values(array_filter($scopes, static fn(string $scope): bool => $scope !== '')),
+            ),
+            autoProvision: $this->toBool($this->configuration->get('keycloak.autoProvision')),
+            logoutRedirectUrl: trim((string) $this->configuration->get('keycloak.logoutRedirectUrl')),
+        );
+    }
+
+    private function buildDiscoveryUrl(string $baseUrl, string $realm): string
+    {
+        if ($baseUrl === '' || $realm === '') {
+            return '';
+        }
+
+        return $baseUrl . '/realms/' . rawurlencode($realm) . '/.well-known/openid-configuration';
+    }
+
+    private function toBool(mixed $value): bool
+    {
+        return $value === true || $value === 1 || $value === '1' || $value === 'true';
+    }
+}

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcClientConfig.php

@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * OIDC client configuration.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use SensitiveParameter;
+
+final readonly class OidcClientConfig
+{
+    /**
+     * @param list<string> $scopes
+     */
+    public function __construct(
+        public string $clientId,
+        #[SensitiveParameter]
+        public string $clientSecret,
+        public string $redirectUri,
+        public array $scopes,
+    ) {
+    }
+
+    public function getScopesAsString(): string
+    {
+        return implode(' ', $this->scopes);
+    }
+}

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcDiscoveryDocument.php

@@ -0,0 +1,74 @@
+<?php
+
+/**
+ * Typed OIDC discovery document.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use InvalidArgumentException;
+
+final readonly class OidcDiscoveryDocument
+{
+    public function __construct(
+        public string $issuer,
+        public string $authorizationEndpoint,
+        public string $tokenEndpoint,
+        public string $userInfoEndpoint,
+        public string $jwksUri,
+        public ?string $endSessionEndpoint = null,
+    ) {
+    }
+
+    /**
+     * @param array<string, mixed> $data
+     */
+    public static function fromArray(array $data): self
+    {
+        foreach ([
+            'issuer',
+            'authorization_endpoint',
+            'token_endpoint',
+            'userinfo_endpoint',
+            'jwks_uri',
+        ] as $requiredKey) {
+            if (
+                !array_key_exists($requiredKey, $data)
+                || !is_string($data[$requiredKey])
+                || trim($data[$requiredKey]) === ''
+            ) {
+                throw new InvalidArgumentException(sprintf(
+                    'Missing or invalid OIDC discovery field: %s',
+                    $requiredKey,
+                ));
+            }
+        }
+
+        $endSessionEndpoint = null;
+        if (array_key_exists('end_session_endpoint', $data) && is_string($data['end_session_endpoint'])) {
+            $endSessionEndpoint = trim($data['end_session_endpoint']);
+        }
+
+        return new self(
+            issuer: trim($data['issuer']),
+            authorizationEndpoint: trim($data['authorization_endpoint']),
+            tokenEndpoint: trim($data['token_endpoint']),
+            userInfoEndpoint: trim($data['userinfo_endpoint']),
+            jwksUri: trim($data['jwks_uri']),
+            endSessionEndpoint: $endSessionEndpoint !== '' ? $endSessionEndpoint : null,
+        );
+    }
+}

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcDiscoveryService.php

@@ -0,0 +1,59 @@
+<?php
+
+/**
+ * OIDC discovery document loader.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use JsonException;
+use RuntimeException;
+use Symfony\Contracts\HttpClient\Exception\ExceptionInterface;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+
+final readonly class OidcDiscoveryService
+{
+    public function __construct(
+        private HttpClientInterface $httpClient,
+    ) {
+    }
+
+    /**
+     * @throws ExceptionInterface
+     */
+    public function discover(OidcProviderConfig $config): OidcDiscoveryDocument
+    {
+        $response = $this->httpClient->request('GET', $config->discoveryUrl);
+        $content = $response->getContent(false);
+
+        if ($response->getStatusCode() >= 400) {
+            throw new RuntimeException(sprintf(
+                'OIDC discovery request failed for %s with status %d',
+                $config->provider,
+                $response->getStatusCode(),
+            ));
+        }
+
+        try {
+            /** @var array<string, mixed> $payload */
+            $payload = json_decode($content, associative: true, depth: 512, flags: JSON_THROW_ON_ERROR);
+        } catch (JsonException $exception) {
+            throw new RuntimeException('OIDC discovery response is not valid JSON', previous: $exception);
+        }
+
+        return OidcDiscoveryDocument::fromArray($payload);
+    }
+}

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcPkceGenerator.php

@@ -0,0 +1,44 @@
+<?php
+
+/**
+ * OIDC PKCE helper.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+final class OidcPkceGenerator
+{
+    public function generateVerifier(int $length = 128): string
+    {
+        $chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-._~';
+        $charLength = strlen($chars) - 1;
+        $verifier = '';
+
+        for ($index = 0; $index < $length; ++$index) {
+            $verifier .= $chars[random_int(0, $charLength)];
+        }
+
+        return $verifier;
+    }
+
+    public function generateChallenge(string $verifier): string
+    {
+        return rtrim(
+            strtr(base64_encode(hash(algo: 'sha256', data: $verifier, binary: true)), from: '+/', to: '-_'),
+            characters: '=',
+        );
+    }
+}

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcProviderConfig.php

@@ -0,0 +1,33 @@
+<?php
+
+/**
+ * OIDC provider configuration.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+final readonly class OidcProviderConfig
+{
+    public function __construct(
+        public string $provider,
+        public bool $enabled,
+        public string $discoveryUrl,
+        public OidcClientConfig $client,
+        public bool $autoProvision,
+        public string $logoutRedirectUrl,
+    ) {
+    }
+}

phpmyfaq/src/phpMyFAQ/Auth/Oidc/OidcSession.php

@@ -0,0 +1,62 @@
+<?php
+
+/**
+ * OIDC session helper.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-18
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Auth\Oidc;
+
+use phpMyFAQ\Session\AbstractSession;
+use Symfony\Component\HttpFoundation\Session\Session;
+
+final class OidcSession extends AbstractSession
+{
+    final public const string OIDC_STATE = 'pmf-oidc-state';
+    final public const string OIDC_NONCE = 'pmf-oidc-nonce';
+    final public const string OIDC_PKCE_CODE = 'pmf-oidc-pkce-code';
+    final public const string OIDC_ID_ASSERTION = 'pmf-oidc-id-assertion';
+
+    public function __construct(Session $session)
+    {
+        parent::__construct($session);
+    }
+
+    public function setAuthorizationState(string $state, string $nonce, string $pkceVerifier): void
+    {
+        $this->set(self::OIDC_STATE, $state);
+        $this->set(self::OIDC_NONCE, $nonce);
+        $this->set(self::OIDC_PKCE_CODE, $pkceVerifier);
+    }
+
+    /**
+     * @return array{state: string, nonce: string, verifier: string}
+     */
+    public function getAuthorizationState(): array
+    {
+        return [
+            'state' => (string) $this->get(self::OIDC_STATE),
+            'nonce' => (string) $this->get(self::OIDC_NONCE),
+            'verifier' => (string) $this->get(self::OIDC_PKCE_CODE),
+        ];
+    }
+
+    public function clearAuthorizationState(): void
+    {
+        $this->set(self::OIDC_STATE, '');
+        $this->set(self::OIDC_NONCE, '');
+        $this->set(self::OIDC_PKCE_CODE, '');
+    }
+}