I built and maintain a PHP web application with an existing set of users. Authentication is username password, within the application.
There is now a requirement to provide access to a large new set of users, with existing Azure AD accounts. The client wants these users to be able to login using their Azure identities. The existing users would continue to authenticate the way they currently do.
I assumed this would be similar to Facebook/Google etc. SSO, but I'm struggling to find any examples of this in the Microsoft resources, or any libraries out there that will enable this. Is what I describe a valid use case, and achievable with Azure AD Authentication?
Approach 1: Basically, to access the resources via Azure AD from a PHP web application, you can refer to Web Application to Web API.
To integrate Azure AD in PHP web applications, we need to follow the authorization code grant flow steps to build several custom HTTP requests. For example, to get an access token via the OAuth 2.0 protocol, we should refer to the steps in Authorization Code Grant Flow. Generally, we will build 2 HTTP requests to get the access token:


Please check this PHP test project for your reference.
Approach 2:
Please refer to this GitHub code: https://github.com/CoasterKaty/PHPAzureADoAuth
Try these steps:

2) After creating the app registration, copy the client ID and tenant ID, pasting them into _OAUTH_SERVER and _OAUTH_CLIENTID in config.inc. The _OAUTH_SERVER entry should be the login.microsoftonline.com URL but with TENANT_ID replaced with your directory (tenant) ID.

3) Add a new secret and select the appropriate time. Don’t forget you will need to update this before it expires, so make a note in your calendar. Once done, copy the secret value and paste this into _OAUTH_SECRET within config.inc.
4) After that, you should be able to browse to your application and be prompted to log in. On your first go, you’ll be asked to allow permissions for everyone on your tenant (assuming you have the appropriate admin rights).

After registering in Azure, you can refer to this code for a POST request, e.g.:
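<?php
// Values from the Azure AD app registration.
$appid = "xxx";
$tennantid = "xxx";
$secret = "xxx"; // not used by the requests below
$login_url = "https://login.microsoftonline.com/".$tennantid."/oauth2/v2.0/authorize";
session_start();

if (($_GET['action'] ?? '') == 'login') {
    // Random state per login attempt, so the session ID is not exposed in the URL.
    $_SESSION['state'] = bin2hex(random_bytes(16));
    $params = array(
        'client_id' => $appid,
        'redirect_uri' => 'https://example/',
        'response_type' => 'token', // the access token is posted straight back to redirect_uri
        'response_mode' => 'form_post',
        'scope' => 'https://graph.microsoft.com/User.Read',
        'state' => $_SESSION['state']);
    header('Location: '.$login_url.'?'.http_build_query($params));
    exit; // nothing may be output after the redirect header
}

if (array_key_exists('access_token', $_POST)) {
    // Reject a response whose state does not match the one stored for this session.
    if (!isset($_SESSION['state'], $_POST['state'])
        || !hash_equals($_SESSION['state'], (string)$_POST['state'])) {
        die('Invalid state');
    }
    unset($_SESSION['state']);
    $_SESSION['t'] = $_POST['access_token'];
    $t = $_SESSION['t'];
    // Call Microsoft Graph with the token to read the signed-in user's profile.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: Bearer '.$t, 'Content-Type: application/json'));
    curl_setopt($ch, CURLOPT_URL, "https://graph.microsoft.com/v1.0/me/");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $rez = json_decode(curl_exec($ch), 1);
    if (!is_array($rez) || array_key_exists('error', $rez)) {
        var_dump($rez['error'] ?? 'Request to Microsoft Graph failed');
        die();
    }
}

// Output the login link only after any redirect header has been sent.
echo '<h2><p>You can <a href="?action=login">Log In</a> with Microsoft</p></h2>';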
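The two HTTP requests of the authorization code grant flow mentioned under Approach 1, as an added example that is not part of the original answer or the linked projects. TENANT_ID, CLIENT_ID, CLIENT_SECRET, the session key oauth_state and the callback URL are placeholders, and the script is assumed to be served at the registered redirect URI.

```php
<?php
// Added example: authorization code flow against the Azure AD v2.0 endpoints.
// TENANT_ID, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders.
const AUTHORITY = 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0';
const CLIENT_ID = 'CLIENT_ID';
const CLIENT_SECRET = 'CLIENT_SECRET'; // load from server-side config in practice
const REDIRECT_URI = 'https://example/callback.php';
const SCOPE = 'openid profile https://graph.microsoft.com/User.Read';

// Request 1: send the browser to /authorize and ask for a code, not a token.
function authorize_url(string $state): string {
    return AUTHORITY.'/authorize?'.http_build_query([
        'client_id' => CLIENT_ID, 'response_type' => 'code',
        'redirect_uri' => REDIRECT_URI, 'response_mode' => 'query',
        'scope' => SCOPE, 'state' => $state]);
}

// Request 2: server-to-server POST to /token; the secret never reaches the browser.
function redeem_code(string $code): array {
    $ch = curl_init(AUTHORITY.'/token');
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS => http_build_query([
            'client_id' => CLIENT_ID, 'client_secret' => CLIENT_SECRET,
            'grant_type' => 'authorization_code', 'code' => $code,
            'redirect_uri' => REDIRECT_URI, 'scope' => SCOPE])]);
    $body = curl_exec($ch);
    return json_decode($body ?: '{}', true) ?: ['error' => 'invalid_response'];
}

session_start();
if (isset($_GET['code'])) {
    // Callback: the state must match the value stored before the redirect.
    $expected = $_SESSION['oauth_state'] ?? '';
    unset($_SESSION['oauth_state']);
    if ($expected === '' || !hash_equals($expected, (string)($_GET['state'] ?? ''))) {
        http_response_code(400);
        exit('State mismatch');
    }
    $tokens = redeem_code((string)$_GET['code']);
    if (isset($tokens['error'])) { http_response_code(401); exit('Sign-in failed'); }
    session_regenerate_id(true); // new session ID after login to prevent fixation
    $_SESSION['access_token'] = $tokens['access_token'];
    exit('Signed in');
}
// First visit: store a random state and start the flow.
$_SESSION['oauth_state'] = bin2hex(random_bytes(16));
header('Location: '.authorize_url($_SESSION['oauth_state']));
exit;
```

Existing username/password users are unaffected by this script; only requests routed to it go through Azure AD.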