'authorization_code',
        'code' => $code,
    );

    // Exchange the authorization code at the token endpoint.
    // CURLOPT_USERPWD sends client_id:client_secret as HTTP authentication
    // (curl's default scheme is Basic), so this request carries the client secret.
    $h = curl_init($token_endpoint);
    curl_setopt($h, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($h, CURLOPT_TIMEOUT, 10);
    curl_setopt($h, CURLOPT_USERPWD, "{$client_id}:{$client_secret}");
    curl_setopt($h, CURLOPT_POST, true);
    curl_setopt($h, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
    curl_setopt($h, CURLOPT_POSTFIELDS, http_build_query($data));
    // Keep the next line disabled. Without peer verification, anyone able to
    // intercept the connection could pose as the token endpoint and receive the
    // client secret and the authorization code sent above.
    //curl_setopt($h, CURLOPT_SSL_VERIFYPEER, false);

    // curl_exec() returns the body as a string (RETURNTRANSFER) or false on a
    // transport failure. !$res is also true for an empty body.
    // NOTE(review): exit() prints the curl error text to the client, and no HTTP
    // status is checked, so an error response with a body continues below.
    $res = curl_exec($h);
    if (!$res) exit(curl_error($h));
    curl_close($h);
    // Decode to an associative array; json_decode() yields null for invalid JSON.
    $res = json_decode($res, true);

    // NOTE(review): this dumps the whole token response, access_token included,
    // into the page output. Acceptable for a demo only; do not log or display
    // tokens in a real client.
    echo "Token Response:\n";
    print_r($res);
    echo "\n";

    // Here you should decode the JWT ID token and check its signature using the
    // server's public key. Signature alone is not enough: OpenID Connect Core
    // also requires checking iss (the expected issuer), aud (contains this
    // client_id) and exp (not expired), plus nonce when one was sent.
    // The line below is illustrative; in this script the decoded response is in $res.
    // $payload = Jwt::decode($response['id_token'], $this->serverPublicKey);
    // If Token Response is valid goto step 3
    // NOTE(review): nothing here actually gates step 3; the code falls through
    // whether or not the token response is valid.

    // Step 3. Get UserInfo
    // NOTE(review): 'access_token' is read without checking that $res is an array
    // or that the key exists; an error response from the token endpoint reaches
    // this line unchanged.
    $access_token = $res['access_token'];
    $h = curl_init($userinfo_endpoint);
    curl_setopt($h, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($h, CURLOPT_TIMEOUT, 10);
    // The access token is presented as a Bearer credential in the Authorization header.
    curl_setopt($h, CURLOPT_HTTPHEADER, array('Authorization: Bearer ' . $access_token));
    // Keep disabled here too: the bearer token above must only be sent to a
    // verified UserInfo endpoint.
    //curl_setopt($h, CURLOPT_SSL_VERIFYPEER, false);

    // Same failure handling as the token request: stop on a falsy result and
    // print the curl error.
    $res = curl_exec($h);
    if (!$res) exit(curl_error($h));
    curl_close($h);
    $res = json_decode($res, true);

    // Once the ID token is validated, its sub claim should be compared with the
    // sub returned here (OpenID Connect Core 5.3.2) before the claims are trusted.
    echo "UserInfo Response:\n";
    print_r($res);

} else {

    // Step 1. Authorization Code request
    // Build the query for the authorization endpoint and redirect the browser to it.
    // NOTE(review): 'state' is a fixed literal. OAuth 2.0 uses state to bind the
    // callback to the browser session that started the flow, which a constant
    // cannot do. Generate an unguessable value per request, keep it in the
    // session, and compare it when the code comes back. Whether the callback
    // branch checks state at all is not visible in this part of the file.
    // NOTE(review): no redirect_uri or nonce is sent. OpenID Connect Core lists
    // redirect_uri as required on authentication requests; confirm the provider
    // accepts this request as written.
    $data = array(
        'response_type' => 'code',
        'client_id' => $client_id,
        'state' => 'xyz',
        'scope' => 'openid profile',
    );
    $authorization_endpoint .= '?' . http_build_query($data);
    header('Location: ' . $authorization_endpoint);
    // Stop here so nothing else is sent after the redirect header.
    exit();
}
?>