This is a third-party extension for the SimpleID OpenID provider written in PHP that adds the possibility to authenticate using a Yubico Yubikey.
- Copy
extensions/yubikey
into theextensions
folder below the webroot of your SimpleID installation. - Edit
config.php
and add the Yubikey extension to the comma-separated list of extensions in theSIMPLEID_EXTENSIONS
constant. - Edit your identities and add the required information for Yubikey authentication. See the configuration section for all possible values and their meaning.
The following variables from identity pages have an effect on the Yubikey authentication store:
auth_method
: This option controls whether a user can authenticate using a Yubikey or using the default password-based method. Since this extension hides the username field, you will probably want to set this toYUBIKEY
for all your users. Note that Yubikey authentication will only be attempted with accounts that haveauth_method
set toYUBIKEY
. Choosing Yubikey authentication requires a few keys in theyubikey
section.
The following options in the [yubikey]
identity file section control the authentication using
Yubikeys:
client_id
: The API key ID for the Yubikey validation server you want to use. For the official yubico.com infrastructure, you can get such a key at https://upgrade.yubico.com/getapikey/. If you run your own validation server, you probably know how to get this. Mandatory.client_key
: The API key corresponding to the API key ID. This is a short, base64-encoded string you usually get from whoever runs the validation server you use. Mandatory.use_https
: A boolean indicating whether the connection to the API server should use HTTPS. You should really set this to a value that will evaluate totrue
in PHP. Mandatory.key_id[]
: The IDs of the Yubikeys that should be able to log-in using the given identity. You can get this by stripping the last 32 characters from the output generated by your Yubikey. Mandatory.URLs
: Array-field that allows you to specify partial URLs to your own Yubikey validation servers. Do not specify the protocol (since that's controlled by theuse_https
option) and always use array brackets to add a value. Optional. Example:URLs[]=yubikey.yourdomain.tld:port/wsapi/2.0/verify
.
An example identity file might look like this:
identity="https://my.example.com"
pass="unused"
auth_method="YUBIKEY"
[yubikey]
client_id="1"
client_key="AaAaAaAaAaAaAaAaAaAaAaAaAaA="
use_https=1
key_id[]="hdvbhdvbillt"
key_id[]="hdvbhdvvvqll"
URLs[]="yubikey1.example.com/wsapi/2.0/verify"
URLs[]="yubikey2.example.com/wsapi/2.0/verify"
URLs[]="yubikey3.example.com:8443/wsapi/2.0/verify"
Support multiple Yubikeys per account. (#2)