Add Authentication to your PHP App in 5 Minutes

Ever found yourself building an app and needing to add authentication, dreading the thought of setting up a username and password database? In this post I’ll show you how easy it is to use Okta to add authentication to a simple PHP app in 5 minutes.

Chris Jones

This does not seem to work anymore. I have set up an environment exactly as documented in this article, and when I attempt to log in, I am redirected to my Okta instance, but I am getting the 400 Bad Request error.

Matt Raible

Does the error say you have an invalid redirect URI? If so, make sure you have a login redirect URI in your app that matches the redirect_uri parameter’s value in your browser’s address bar.

Chris Jones

First it was complaining about not having a default scope. I seem to have passed that point. But now it is not redirecting back to my redirect URI, which matches what is in the browser’s address bar.

Darren Quigley

Working…
Was getting the same error as below; it was then saying "The+authorization+server+resource+does+not+have+any+configured+default+scopes%2C+%27scope%27+must+be+provided."
If I add in username as a default scope, then browse to http://localhost:8080/ and click login, it works…

Maybe change the heading, this is not 5 mins 🙂

Matt Raible

Did you create a custom authorization server? If you use the “default” authorization server that’s created when you sign up for a new account on developer.okta.com, everything should work.

Darren Quigley

No, just default, but there wasn't a default scope; it only started to work after I added one.

aaronpk

You’re right, I totally forgot that I added a default scope to my authorization server that I didn’t document in this post. I’ll update it!

aaronpk

Once you’ve done this, check out our latest post which adds fine-grained access control to your applications! https://developer.okta.com/…

Ray Williams

Does this only work with PHP 7 (I am using PHP 5.6)?

I replaced the random_bytes(5) call, put in my own Client Secret etc… However when I run the PHP I always get:

Notice: Trying to get property of non-object in oktatest.php on line 88

Which in my case is the call:

$authorize_url = $metadata->authorization_endpoint . '?' . http_build_query([
    'response_type' => 'code',
    'client_id'     => $client_id,
    'redirect_uri'  => $redirect_uri,
    'state'         => $_SESSION['state'],
    'scope'         => 'openid',
]);

Any ideas?

aaronpk

PHP 5.6 has been officially at end-of-life for over a year now, so it’s really not a good idea to be running that version anymore. https://www.php.net/support…

In any case, it sounds like what’s happening is it’s failing to fetch the metadata, so $metadata is not an object. Double check that you’ve got the correct metadata URL in your code. You can visit the URL in your browser and you should see a bunch of JSON data. If that’s correct, then check why the curl call to fetch that might be failing.

Ray Williams

I had the correct metadata URL (I can see the JSON in my browser as you suggested). So I tracked this down to the curl_exec() call.

$l_CEResult = curl_exec ($ch);

if($l_CEResult === FALSE) {
die(curl_error($ch));
}

It fails with the following:

SSL certificate problem: unable to get local issuer certificate

So Okta needs a certificate or something? Any suggestions?

aaronpk

Glad you found a more specific error! Okta has SSL configured properly, so it’s likely that your system doesn’t have the expected root certificate. Given that you mentioned this is running PHP 5.6 I’m guessing the entire system is pretty out of date. Try to see if you can update the system’s root certificate list or just run system updates in general.

Ray Williams

The system isn’t out of date. It takes regular updates from MS, so I guess I am stumped.

aaronpk

It sounds like a root certificate issue so double check your list of roots is up to date, and make sure the system isn’t treating the certificate as untrusted. You should be able to visit the metadata URL in a browser on that machine to verify the root certificate is trusted. If that works then you’ll need to make sure PHP is configured to use the system’s root cert list too.
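
The two failure modes discussed above (a curl_exec() that fails on a TLS root, and a $metadata that is not an object because the fetch or the URL was wrong) can both be caught up front. This is an added example, not code from the original post; the metadata URL and the optional CA bundle path are placeholders, and it assumes PHP 7+ with the curl extension.

```php
<?php
// Added example: fetch the OpenID Connect metadata document and fail with a
// specific message instead of leaving $metadata as a non-object.
// Placeholder: replace with your own authorization server's well-known URL.
$metadata_url = 'https://YOUR_OKTA_DOMAIN/oauth2/default/.well-known/openid-configuration';

function fetch_oidc_metadata(string $url): stdClass {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 10,
        // Keep TLS verification on. If the local root list is stale, point curl at
        // a current CA bundle (or set curl.cainfo in php.ini) rather than turning
        // verification off.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // CURLOPT_CAINFO => '/path/to/cacert.pem', // assumed path; uncomment if needed
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // e.g. "SSL certificate problem: unable to get local issuer certificate"
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Metadata fetch failed: $err");
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($status !== 200) {
        throw new RuntimeException("Metadata URL returned HTTP $status; check the URL");
    }
    $metadata = json_decode($body);
    if (!is_object($metadata)) {
        throw new RuntimeException('Metadata response is not a JSON object: ' . json_last_error_msg());
    }
    // A wrong path can still return some JSON object, which later shows up as
    // "Undefined property: stdClass::$authorization_endpoint".
    foreach (['issuer', 'authorization_endpoint', 'token_endpoint'] as $key) {
        if (empty($metadata->$key)) {
            throw new RuntimeException("Metadata is missing '$key'; wrong metadata URL?");
        }
    }
    return $metadata;
}

$metadata = fetch_oidc_metadata($metadata_url);
```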

defter

Thanks for this wonderful, easy-to-follow guide; however, I’m having issues getting the page to load properly.

When the page is loaded at http://localhost:8080/, it just shows the 'Authorization server returned invalid state parameter' error (meaning that the states are not matching). I tried looking for some other articles but haven’t come up with anything yet.

Any ideas?

EDIT: It literally worked as soon as I posted this… Thanks again for this article…

Jason Rohm

I am receiving the same error. Any ideas on where to look?

The error occurs immediately after authenticating. If I refresh the page, it does not ask me to reauthenticate, nor does it fail, but instead passes me right through and displays a null logged-in user. I’m very confused by the behavior but not very familiar with the backend.

aaronpk

Double check that you’re starting at localhost and not 127.0.0.1, because while both will run your app, they are considered different domains when the cookie is set so you’ll get the state error when you get redirected back to the other. Also make sure your browser isn’t blocking cookies.
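
The localhost vs. 127.0.0.1 problem described above is a cookie-scope issue: the session holding the expected state is tied to the host in the address bar, so the callback lands on a different host with no session. This added example (not the post's own code) makes that mismatch visible before redirecting and handles the state value as a single-use, constant-time-compared secret; $redirect_uri is an assumed value that must equal the login redirect URI registered in Okta, and it requires PHP 7+.

```php
<?php
// Added example: state handling that reports the cookie-host mismatch explicitly.
session_start();
$redirect_uri = 'http://localhost:8080/';  // assumed; must match the registered redirect URI

// The session cookie is scoped to the host the browser is currently on. If the
// redirect URI uses a different host, the browser returns to a "different site"
// with no session, and verify_state() below fails.
function check_cookie_host(string $redirect_uri): void {
    $expected = parse_url($redirect_uri, PHP_URL_HOST);
    $actual   = explode(':', $_SERVER['HTTP_HOST'] ?? '')[0];
    if ($expected !== $actual) {
        die("Open the app at http://$expected, not $actual: the session cookie "
          . "will not survive the redirect otherwise.");
    }
}

function new_state(): string {
    $state = bin2hex(random_bytes(16));   // 128 bits of CSPRNG output
    $_SESSION['state'] = $state;
    return $state;
}

function verify_state(): void {
    $expected = $_SESSION['state'] ?? '';
    $given    = $_GET['state'] ?? '';
    unset($_SESSION['state']);            // single use: a replayed callback must fail
    if ($expected === '' || !hash_equals($expected, $given)) {
        die('Authorization server returned invalid state parameter');
    }
}

check_cookie_host($redirect_uri);

if (isset($_GET['code'])) {
    verify_state();
    // ...exchange $_GET['code'] at the token endpoint here...
} elseif (isset($_GET['login'])) {
    $state = new_state();
    // ...build the authorize URL with 'state' => $state and redirect to it...
}
```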

John Quinn

Thanks for the guide, but I'm receiving an error message even after copying the code from GitHub:
Notice: Undefined property: stdClass::$authorization_endpoint in C:\xampp\htdocs\okta\index.php on line 69
Any thoughts on why this is happening?

John Quinn

I found the problem, I had an incorrect URL in the code.