dolibarr 24.0.0-beta
openid_connect.lib.php File Reference

Library of functions for OpenID Connect authentication. More...

Go to the source code of this file.

Functions

 openid_connect_get_state ()
 Generate a self-verifiable state token for the OIDC authorization request.
 
 openid_connect_verify_state ($state)
 Verify an OIDC state token.
 
 openid_connect_get_redirect_url ()
 Return the OIDC callback redirect URL.
 
 openid_connect_get_url ()
 Return the OIDC authorization URL.
 
 openid_connect_create_user ($db, $userinfo, $login, $entity)
 Create a Dolibarr user from OIDC userinfo claims.
 

Detailed Description

Library of functions for OpenID Connect authentication.

Definition in file openid_connect.lib.php.

Function Documentation

◆ openid_connect_create_user()

openid_connect_create_user ( $db,
$userinfo,
$login,
$entity )

Create a Dolibarr user from OIDC userinfo claims.

The login is sanitized to remove characters not allowed by Dolibarr (e.g. @ from emails). If the OIDC userinfo contains a preferred_username claim without bad characters, it is used instead.
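The selection order described above (strip disallowed characters from the claim-derived login, but prefer a clean preferred_username when one is present), as an added example that is not Dolibarr's own code. The bad-character list, the function names and the return convention are assumptions made for the illustration; Dolibarr takes its list from getDolGlobalLoginBadCharUnauthorized().

```php
<?php
// Added example, not the project's code. $badChars is a constructed list that
// stands in for the instance's unauthorized-character setting.

function example_oidc_strip_bad_chars(string $login, string $badChars): string
{
    // Remove every character that appears in the disallowed list.
    return str_replace(str_split($badChars), '', $login);
}

/**
 * Return the login to create: preferred_username if the claim exists and needs
 * no stripping, otherwise the sanitized claim-derived login. Returns -1 when
 * nothing usable remains (mirrors the "negative int on failure" convention).
 *
 * @return string|int
 */
function example_oidc_choose_login(stdClass $userinfo, string $login, string $badChars)
{
    if (!empty($userinfo->preferred_username)) {
        $preferred = (string) $userinfo->preferred_username;
        // Use the provider's username only when it already contains no bad characters.
        if (example_oidc_strip_bad_chars($preferred, $badChars) === $preferred) {
            return $preferred;
        }
    }
    $sanitized = example_oidc_strip_bad_chars($login, $badChars);
    return $sanitized === '' ? -1 : $sanitized;
}

// Constructed userinfo documents for the demonstration.
$badChars = '@<>"\'/\\';
$alice = json_decode('{"sub":"1","email":"alice@example.com","preferred_username":"alice"}');
echo example_oidc_choose_login($alice, $alice->email, $badChars), "\n";

// preferred_username itself contains "@", so the sanitized email login is used instead.
$bob = json_decode('{"sub":"2","email":"bob@example.com","preferred_username":"bob@corp"}');
echo example_oidc_choose_login($bob, $bob->email, $badChars), "\n";
```

With the constructed list, the first call yields "alice" (the clean preferred_username wins) and the second yields "bobexample.com" (the "@" is stripped from the email because preferred_username is not clean either). The stripped form is not reversible, so two different claim values can collapse to the same login; callers that create accounts should still check for an existing user with that login.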

Parameters
  DoliDB    $db        Database handler
  stdClass  $userinfo  Decoded OIDC userinfo JSON (claims from json_decode)
  string    $login     Login value extracted from the configured claim
  int       $entity    Entity (multicompany) ID
Returns
  string|int  Sanitized login string on success, negative int on failure
See also
check_user_password_openid_connect()

Definition at line 118 of file openid_connect.lib.php.

References $db, dol_syslog(), getDolGlobalInt(), getDolGlobalLoginBadCharUnauthorized(), getDolGlobalString(), getRandomPassword(), and string.

Referenced by check_user_password_openid_connect().

◆ openid_connect_get_redirect_url()

openid_connect_get_redirect_url ( )

Return the OIDC callback redirect URL.

Returns
string Redirect URL

Definition at line 85 of file openid_connect.lib.php.

Referenced by check_user_password_openid_connect(), and openid_connect_get_url().

◆ openid_connect_get_state()

openid_connect_get_state ( )

Generate a self-verifiable state token for the OIDC authorization request.

Uses HMAC with the instance unique ID as secret so the state can be verified without depending on the original session. This is necessary because browsers with SameSite=Lax cookies do not send the session cookie on cross-site redirects from the OIDC provider, causing a new session to be created on the callback.

Returns
  string  State token (format: nonce.signature)

Definition at line 39 of file openid_connect.lib.php.

Referenced by openid_connect_get_url().

◆ openid_connect_get_url()

openid_connect_get_url ( )

Return the OIDC authorization URL.

Returns
string Authorization URL

Definition at line 96 of file openid_connect.lib.php.

References getDolGlobalString(), openid_connect_get_redirect_url(), and openid_connect_get_state().

◆ openid_connect_verify_state()

openid_connect_verify_state ( $state)

Verify an OIDC state token.

Checks that the state was generated by this Dolibarr instance by recomputing the HMAC signature from the nonce and comparing it to the provided signature.
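The token generation described under openid_connect_get_state() and the verification described here, as one added example that is not Dolibarr's own code. It assumes SHA-256 as the HMAC algorithm, a hex-encoded random nonce, and a constructed string standing in for the instance unique ID used as the secret; the function names are hypothetical.

```php
<?php
// Added example, not the project's code. $instanceUniqueId stands in for the
// Dolibarr instance unique ID that serves as the HMAC secret.

function example_oidc_state_create(string $instanceUniqueId): string
{
    // 16 random bytes, hex-encoded, form the nonce; the signature is an HMAC over it.
    $nonce = bin2hex(random_bytes(16));
    $signature = hash_hmac('sha256', $nonce, $instanceUniqueId);
    return $nonce . '.' . $signature;
}

function example_oidc_state_verify(string $state, string $instanceUniqueId): bool
{
    // Expect exactly two dot-separated parts: nonce and signature.
    $parts = explode('.', $state);
    if (count($parts) !== 2) {
        return false;
    }
    list($nonce, $signature) = $parts;
    if ($nonce === '' || !ctype_xdigit($nonce)) {
        return false;
    }
    // Recompute the HMAC from the nonce and compare in constant time, so the
    // comparison does not leak the expected value through timing.
    $expected = hash_hmac('sha256', $nonce, $instanceUniqueId);
    return hash_equals($expected, $signature);
}

// Demonstration with a constructed secret.
$secret = 'constructed-instance-unique-id';
$state = example_oidc_state_create($secret);

var_dump(example_oidc_state_verify($state, $secret));              // issued here: accepted
var_dump(example_oidc_state_verify($state, 'other-instance-id'));  // different secret: rejected

// Flip the first nonce character: the signature no longer matches.
$tampered = ($state[0] === 'a' ? 'b' : 'a') . substr($state, 1);
var_dump(example_oidc_state_verify($tampered, $secret));

// Malformed input (no dot, or a non-hex nonce) is rejected before any HMAC work.
var_dump(example_oidc_state_verify('no-dot-here', $secret));
var_dump(example_oidc_state_verify('zz.' . hash_hmac('sha256', 'zz', $secret), $secret));
```

Verification succeeds only for the token issued with the same secret; a changed secret, a modified nonce, a missing separator or a non-hex nonce all fail. Note what a nonce.signature token of this shape proves: that this instance issued it, and nothing more. It carries no expiry and is not tied to the browser session that started the login, which is the trade-off the SameSite=Lax explanation above describes; a deployment that wants time-limited state would need to include a timestamp in the signed part and check it in the verifier.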

Parameters
  string  $state  The state token to verify (format: nonce.signature)
Returns
  bool  True if valid, false otherwise

Definition at line 58 of file openid_connect.lib.php.

Referenced by check_user_password_openid_connect().