
Connecting with PHP

This guide explains how to establish a connection between a PHP application and a Keycloak identity provider using the jumbojett/openid-connect-php library. It walks through the necessary setup, configuration, and execution of a protected login route using OpenID Connect (OIDC).

Variables

Certain parameters must be provided to integrate a PHP application with Keycloak. The table below lists each required variable, what it is, and what it is used for:

| Variable | Description | Purpose |
| --- | --- | --- |
| CLIENT_ID | Client ID from the Keycloak Admin Console | Identifies the PHP app in the Keycloak realm |
| CLIENT_SECRET | Secret from the Client > Credentials tab | Authenticates the PHP app with Keycloak |
| ISSUER | The Keycloak realm URL (e.g., https://your-domain/realms/your-realm) | Acts as the OIDC issuer and discovery endpoint |
| REDIRECT_URI | The URI that Keycloak will redirect to after login | Where the user will be sent after successful authentication |
| TOKEN_ENDPOINT | Token URL under the selected realm | Used to retrieve access/ID tokens |
| USERINFO_ENDPOINT | URL to fetch user profile information | Used to retrieve authenticated user details |

These values can be copied from the Keycloak Admin Console under Clients > [Your Client] > Endpoints.

Prerequisites

Install PHP and Composer

Ensure PHP is installed:

php -v

Check whether Composer (the PHP dependency manager) is installed:

composer --version

If it is not installed, visit https://getcomposer.org and follow the install instructions.

Install Required Package

Install the jumbojett/openid-connect-php package using Composer:

composer require jumbojett/openid-connect-php

Code

Once all prerequisites are set up, create a file named keycloak.php and add the following code:

<?php
require_once __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient(
    'https://your-keycloak-domain/realms/your-realm',
    'CLIENT_ID',
    'CLIENT_SECRET'
);

// Optional config: the redirect URL, plus explicit endpoint overrides.
// The library normally discovers these endpoints from the issuer URL.
$oidc->setRedirectURL('http://localhost:8000/keycloak.php');
$oidc->providerConfigParam([
    'token_endpoint' => 'https://your-keycloak-domain/realms/your-realm/protocol/openid-connect/token',
    'userinfo_endpoint' => 'https://your-keycloak-domain/realms/your-realm/protocol/openid-connect/userinfo'
]);

// Start login flow
$oidc->authenticate();

// Show user info
$userInfo = $oidc->requestUserInfo();

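// Claims are user-controlled data: escape everything before writing it into HTML
echo "<h1>Welcome, " . htmlspecialchars($userInfo->preferred_username ?? '') . "</h1>";
echo "<pre>";
echo htmlspecialchars(print_r($userInfo, true));
echo "</pre>";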
?>

Replace:

  • https://your-keycloak-domain/realms/your-realm with your actual realm URL

  • CLIENT_ID and CLIENT_SECRET with credentials from the Keycloak client settings

  • http://localhost:8000/keycloak.php with your desired callback/redirect URI

Ensure the Valid Redirect URIs field in Keycloak matches the above redirect URI.
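Before wiring these values into keycloak.php, it helps to check that the realm's discovery document agrees with the ISSUER you configured and that every endpoint is served over HTTPS from the same host. The following is an added example, not part of the original guide or of the jumbojett library: checkDiscovery() and the sample document are hypothetical and constructed here, and the same-host rule assumes a default Keycloak setup with no separate backchannel hostname.

```php
<?php
// Added example: validate an OIDC discovery document against the configured values.
// checkDiscovery() is a hypothetical helper; the sample document is constructed.
function checkDiscovery(array $doc, string $issuer, string $redirectUri): array
{
    $problems = [];
    $issuer = rtrim($issuer, '/');
    $issuerHost = (string) parse_url($issuer, PHP_URL_HOST);
    // OIDC Discovery: the document's "issuer" must equal the issuer URL it was fetched for.
    if (($doc['issuer'] ?? '') !== $issuer) {
        $problems[] = 'issuer mismatch: ' . ($doc['issuer'] ?? '(missing)');
    }
    foreach (['authorization_endpoint', 'token_endpoint', 'userinfo_endpoint', 'jwks_uri'] as $key) {
        $url = parse_url($doc[$key] ?? '');
        if (!is_array($url) || !isset($url['scheme'], $url['host'])) {
            $problems[] = "$key missing or not an absolute URL";
            continue;
        }
        if ($url['scheme'] !== 'https') {
            $problems[] = "$key is not HTTPS";
        }
        // Assumption: all realm endpoints live on the issuer's host.
        if (strcasecmp($url['host'], $issuerHost) !== 0) {
            $problems[] = "$key host differs from issuer host";
        }
    }
    // Plain HTTP is acceptable for the redirect URI only on a loopback dev server.
    $r = parse_url($redirectUri);
    $loopback = in_array($r['host'] ?? '', ['localhost', '127.0.0.1'], true);
    if (($r['scheme'] ?? '') !== 'https' && !$loopback) {
        $problems[] = 'redirect URI uses plain HTTP on a non-loopback host';
    }
    return $problems;
}

// Constructed sample: token_endpoint deliberately uses http:// to trigger a finding.
$issuer = 'https://your-keycloak-domain/realms/your-realm';
$doc = [
    'issuer' => $issuer,
    'authorization_endpoint' => "$issuer/protocol/openid-connect/auth",
    'token_endpoint' => 'http://your-keycloak-domain/realms/your-realm/protocol/openid-connect/token',
    'userinfo_endpoint' => "$issuer/protocol/openid-connect/userinfo",
    'jwks_uri' => "$issuer/protocol/openid-connect/certs",
];
print_r(checkDiscovery($doc, $issuer, 'http://localhost:8000/keycloak.php'));
```

Against a live realm, replace the sample with the decoded JSON from the issuer URL followed by /.well-known/openid-configuration.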

Execution

Start a PHP development server in the directory containing keycloak.php:

php -S localhost:8000

Open your browser and navigate to:

http://localhost:8000/keycloak.php

If the connection is successful:

  1. You’ll be redirected to the Keycloak login page.

  2. After authentication, you’ll be redirected back to the PHP script.

  3. The user profile will be displayed using data returned from Keycloak.