MIT
OAuth 2.0 authentication for Mittwald SPACES
Client library to integrate an OAuth 2.0 authorization flow into PHP applications.

Provide your own implementation of the Mw\Spaces\OAuth2\Context interface:
```php
namespace Your\Namespace;

class Context implements \Mw\Spaces\OAuth2\Context
{
    public function getRedirectURI()
    {
        return "https://my-application.example/oauth-redir";
    }
}
```
Note that the /oauth-redir path needs to point to an application-specific OAuth2 redirection handler implemented by you.

Create the OAuth 2.0 provider:
```php
$ctx = new \Your\Namespace\Context();
$opts = new \Mw\Spaces\OAuth2\EnvironmentOptions($_SERVER);
$provider = new \Mw\Spaces\OAuth2\SpacesProvider($opts, $ctx);
```
Next, retrieve the authorization URL and redirect your user there:
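```php
$authorizationURL = $provider->getAuthorizationUrl();

// Remember the state value so the redirect handler can verify it later
$_SESSION["spaces.de/auth/csrf"] = $provider->getState();

header("Location: " . $authorizationURL);
exit; // stop processing once the redirect has been sent
```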
The identity provider will prompt the user for their credentials and, on success, will redirect the user back to your Redirect URI. When handling the redirected request, you'll need to retrieve the authorization code and check the CSRF value:
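```php
$state = $_GET["state"] ?? null;
$code = $_GET["code"] ?? null;
$expected = $_SESSION["spaces.de/auth/csrf"] ?? null;
unset($_SESSION["spaces.de/auth/csrf"]); // each state value is valid once

// Reject missing or non-string values, then compare in constant time
if (!is_string($expected) || !is_string($state) || !is_string($code)
    || !hash_equals($expected, $state)) {
    die("...");
}
```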
After that, you can use the code to retrieve your access token:
```php
$accessToken = $provider->getAccessToken('authorization_code', [
    'code' => $code,
]);
```
With the $accessToken, you can now (while still handling the redirected request) use that token to load the resource owner:
```php
try {
    $owner = $provider->getResourceOwner($accessToken);
    $ownerID = $accessToken->getResourceOwnerId();

    // synchronize local user using $owner
} catch (\Mw\Spaces\OAuth2\Error\UserNotPresentException $err) {
    // user has no access to project
    // deny login
}
```
Use the data in the $owner object to construct a new local user (or update an existing record). You can store the Resource Owner ID for each created user to match them later on.
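
The CSRF state check in the redirect handler is the step most easily weakened, so the following added example (not part of this library or its README) compares a loose `!=` check with a hardened one over constructed requests. The function names `looseStateCheck` and `strictStateCheck` are hypothetical; only the session key comes from the text above.

```php
<?php
// Added example: not library code. Function names are hypothetical.

const STATE_KEY = "spaces.de/auth/csrf"; // session key used on this page

/** Loose comparison with "!=". Returns true when the request is accepted. */
function looseStateCheck(array $session, array $query): bool
{
    // Missing values both become null, and null != null is false,
    // so a callback carrying no state at all is accepted.
    return !(($session[STATE_KEY] ?? null) != ($query["state"] ?? null));
}

/** Hardened check: typed, constant-time and single-use. */
function strictStateCheck(array &$session, array $query): bool
{
    $expected = $session[STATE_KEY] ?? null;
    unset($session[STATE_KEY]);           // a state value is valid once
    $actual = $query["state"] ?? null;

    if (!is_string($expected) || $expected === "" || !is_string($actual)) {
        return false;                     // missing, empty, or state[]=x
    }
    return hash_equals($expected, $actual);
}

// Constructed sample callbacks (no real traffic).
$issued = bin2hex(random_bytes(16));
$cases = [
    "valid callback"       => [[STATE_KEY => $issued], ["state" => $issued, "code" => "c"]],
    "no session, no state" => [[], ["code" => "c"]],
    "wrong state"          => [[STATE_KEY => $issued], ["state" => "other", "code" => "c"]],
    "array-typed state"    => [[STATE_KEY => $issued], ["state" => [$issued], "code" => "c"]],
];

foreach ($cases as $name => [$session, $query]) {
    printf("%-22s loose=%-6s strict=%s\n", $name,
        var_export(looseStateCheck($session, $query), true),
        var_export(strictStateCheck($session, $query), true));
}
```

Only the "no session, no state" case differs between the two checks: the loose comparison accepts it, which would let a callback that never went through your authorization redirect reach the token exchange.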