# Nette OAuth2 Provider bundle

- Version: dev-master (9999999-dev)
- Homepage: http://www.drahak.eu
- License: BSD-3-Clause / GPL-2.0-only / GPL-3.0-only
- Keywords: server, oauth2, nette, provider, drahak
- Requires: php >= 5.6.0, nette/nette ~2.4.0
This repository is under development and is highly unstable.
Drahak/OAuth2 requires PHP version 5.3.0 or higher. The only production dependency is the Nette framework 2.0.x.
The easiest way to install it is with Composer:

```
$ composer require drahak/oauth2:@dev
```
Then add the following code to your app bootstrap file before creating the container:

```php
Drahak\OAuth2\DI\Extension::install($configurator);
```

or register it in config.neon:

```neon
extensions:
    # the same extension class as in the bootstrap line above
    oauth2: Drahak\OAuth2\DI\Extension

oauth2:
    accessTokenLifetime: 3600 # 1 hour
    refreshTokenLifetime: 36000 # 10 hours
    authorizationCodeLifetime: 360 # 6 minutes
    storage: 'ndb' # allowed values: 'ndb', 'dibi'
    accessTokenStorage: 'Drahak\OAuth2\Storage\NDB\AccessTokenStorage'
    authorizationCodeStorage: 'Drahak\OAuth2\Storage\NDB\AuthorizationCodeStorage'
    clientStorage: 'Drahak\OAuth2\Storage\NDB\ClientStorage'
    refreshTokenStorage: 'Drahak\OAuth2\Storage\NDB\RefreshTokenStorage'
```
- accessTokenLifetime: access token lifetime in seconds
- refreshTokenLifetime: refresh token lifetime in seconds
- authorizationCodeLifetime: authorization code lifetime in seconds
- storage: switches between the default NDB storage and dibi storage. You can also plug in your own storage for each storage part.

The protocol flow between the parties (abstract flow from the OAuth2 specification):

```
+--------+                               +---------------+
|        |------ Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<------ Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |------- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<--------- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |---------- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<------- Protected Resource ---|               |
+--------+                               +---------------+
```
- Client: this application wants to get the user's data from the Resource server, so it needs to obtain an access token.
- Resource server: holds the data the client wants. The API server uses the access token to access the user's information.
- Resource owner: gives access to some portion of their account.

See also OAuth 2 Simplified and the original specification.
The presenter (IOAuthPresenter) is what grants access. Out of the box it has two main methods, issueAccessToken and issueAuthorizationCode. A simple OAuth (Resource owner) presenter could look like this:

```php
<?php
namespace MyApp\OAuth;

use Drahak\OAuth2\Grant\IGrant;
use Drahak\OAuth2\Application;
use Drahak\OAuth2\OAuthException;

class AuthorizationPresenter extends Application\OAuthPresenter
{

    /**
     * Authorization
     * @param string $response_type
     * @param string $redirect_uri
     * @param string|null $scope
     */
    public function actionAuthorize($response_type, $redirect_uri, $scope = NULL)
    {
        // The resource owner must be logged in before anything is issued;
        // store the request so it can be restored after login via the backlink.
        if (!$this->user->isLoggedIn()) {
            $this->redirect('AnyUser:login', array('backlink' => $this->storeRequest()));
        }

        if ($response_type == 'code') {
            // Authorization code grant: issue a short-lived code to redirect_uri
            $this->issueAuthorizationCode($response_type, $redirect_uri, $scope);
        } else if ($response_type == 'token') {
            // Implicit grant: the access token itself is issued from this action
            $this->issueAccessToken(IGrant::IMPLICIT, $redirect_uri);
        }
    }

    /**
     * Access token provider
     */
    public function actionToken()
    {
        try {
            // the grant type is determined from the grant_type request parameter
            $this->issueAccessToken();
        } catch (OAuthException $e) {
            $this->oauthError($e);
        }
    }

}
```
The method issueAccessToken determines the correct grant type from the grant_type parameter. On error it throws an OAuthException, which in the default implementation can be handled by the oauthError method.

The authorize action is more complex. It is used for generating the authorization code (see Authorization code below), but for the Implicit grant type it is also necessary to generate the access token here. If the user is not logged in, redirect the user to a login page and then restore the authorization request using the backlink.
## Grant types

Grant types are determined by the grant_type parameter. The base grant types defined in the OAuth2 specification are supported: Authorization Code, Implicit, Password, Client Credentials and Refresh token.
### Authorization code

This grant type is great for third-party applications that can keep the client secret confidential.

To generate an access token you first need an authorization code. You can obtain it from IOAuthPresenter by calling issueAuthorizationCode:

```http
GET //oauth.presenter.url/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
```

In any case (error or success) the Resource owner redirects back to the client using redirect_uri, with the authorization code as a query parameter:

```
//redirect_uri/?code=AnlSCIWYbchsCc5sdc5ac4caca8a2
```

or, on error:

```
//redirect_uri/?error=unauthorized_client&error_description=Client+is+not+found
```

Once you have the authorization code you can make the access token request (data provided as application/x-www-form-urlencoded):

```http
POST //oauth.presenter.url/token
grant_type=authorization_code
&code=AUTHORIZATION_CODE
&client_id=CLIENT_ID
&client_secret=CLIENT_SECRET
```

On success the response is:

```json
{
    "access_token": "AnlSCIWYbchsCc5sdc5ac4caca8a2",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "DS6SA512ADCVa51adc54VDS51VD5"
}
```

In case of error, it provides a JSON response:

```json
{
    "error": "invalid_request",
    "error_description": "Invalid authorization code"
}
```
### Implicit

Used for browser-based (web) or mobile applications, where you cannot keep the client secret confidential and therefore cannot use it to obtain an access token.

```http
GET //oauth.presenter.url/authorization?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
```

Redirects to redirect_uri:

```
//redirect_uri/#access_token=AnlSCIWYbchsCc5sdc5ac4caca8a2&expires_in=3600&token_type=bearer
```

In case of error, redirects to:

```
//redirect_uri/#error=unauthorized_client&error_description=Client+is+not+found
```
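A client must read the authorization code grant's result from the query string and the implicit grant's result from the URL fragment, and both can carry error and error_description instead. The following added Python example (not part of this README or of Drahak/OAuth2) does that; the redirect URLs are constructed from the README's samples with an assumed redirect_uri of https://client.example/cb.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect URLs constructed from the README's samples, with an assumed
# redirect_uri of https://client.example/cb (not part of the README).
CODE_REDIRECT = "https://client.example/cb?code=AnlSCIWYbchsCc5sdc5ac4caca8a2"
CODE_ERROR = ("https://client.example/cb?error=unauthorized_client"
              "&error_description=Client+is+not+found")
IMPLICIT_REDIRECT = ("https://client.example/cb#access_token=AnlSCIWYbchsCc5sdc5ac4caca8a2"
                     "&expires_in=3600&token_type=bearer")
IMPLICIT_ERROR = ("https://client.example/cb#error=unauthorized_client"
                  "&error_description=Client+is+not+found")


def parse_authorization_redirect(url, response_type):
    """Interpret the redirect the authorization server sent the browser to.

    response_type is what the client asked for: "code" means the result is in
    the query string, "token" (implicit grant) means it is in the fragment.
    Only that location is read, so a code or token placed in the other part
    of the URL is ignored. Returns a dict with an "ok" flag.
    """
    if response_type not in ("code", "token"):
        raise ValueError("unsupported response_type: %r" % response_type)
    parts = urlsplit(url)
    raw = parts.query if response_type == "code" else parts.fragment
    # parse_qs decodes '+' as a space, so error_description reads naturally
    params = {k: v[0] for k, v in parse_qs(raw).items()}

    if "error" in params:
        return {"ok": False, "error": params["error"],
                "error_description": params.get("error_description", "")}
    if response_type == "code":
        if not params.get("code"):
            return {"ok": False, "error": "invalid_request",
                    "error_description": "authorization code missing"}
        return {"ok": True, "code": params["code"]}
    # implicit grant: validate the token fields delivered in the fragment
    missing = [k for k in ("access_token", "token_type", "expires_in") if k not in params]
    if missing or params["token_type"].lower() != "bearer" or not params["expires_in"].isdigit():
        return {"ok": False, "error": "invalid_request",
                "error_description": "malformed token response"}
    return {"ok": True, "access_token": params["access_token"],
            "token_type": "bearer", "expires_in": int(params["expires_in"])}
```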
### Password

Used for trusted (usually first-party) applications, where you completely trust the client because the access token is generated from real user credentials (username, password).

```http
POST //oauth.presenter.url/token
grant_type=password
&username=USERNAME
&password=PASSWORD
&client_id=CLIENT_ID
```

On success the response is:

```json
{
    "access_token": "AnlSCIWYbchsCc5sdc5ac4caca8a2",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "DS6SA512ADCVa51adc54VDS51VD5"
}
```

In case of error:

```json
{
    "error": "invalid_request",
    "error_description": "Invalid authorization code"
}
```
### Client credentials

If an application needs an access token for its own account, outside the context of any specific user, this is probably the best way.

```http
POST //oauth.presenter.url/token
grant_type=client_credentials
&client_id=CLIENT_ID
&client_secret=CLIENT_SECRET
```

On success the response is:

```json
{
    "access_token": "AnlSCIWYbchsCc5sdc5ac4caca8a2",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "DS6SA512ADCVa51adc54VDS51VD5"
}
```

In case of error:

```json
{
    "error": "invalid_request",
    "error_description": "Invalid authorization code"
}
```
### Refresh token

Used to restore (actually re-generate) an access token without repeating the authentication process. A refresh token is provided with almost every grant type (excluding Implicit).

```http
POST //oauth.presenter.url/token
grant_type=refresh_token
&refresh_token=DS6SA512ADCVa51adc54VDS51VD5
&client_id=CLIENT_ID
```

On success the response is:

```json
{
    "access_token": "AnlSCIWYbchsCc5sdc5ac4caca8a2",
    "token_type": "bearer",
    "expires_in": 3600,
    "refresh_token": "DS6SA512ADCVa51adc54VDS51VD5"
}
```

In case of error:

```json
{
    "error": "invalid_request",
    "error_description": "Invalid refresh token"
}
```
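Every grant type above posts a form-encoded body to the same token endpoint and gets back either the token document or the error document. The following added Python example (not from this README or from Drahak/OAuth2) builds the body for each grant type with the fields the README's requests use, parses the JSON reply into a token with an absolute expiry, and flags a token as expired slightly early so a refresh is attempted before the server rejects it; the sample documents are copied from the README.

```python
import json
import time
from urllib.parse import urlencode

# Required fields per grant type (from this README's requests) and sample documents copied from it.
REQUIRED = {
    "authorization_code": ("code", "client_id", "client_secret"),
    "password": ("username", "password", "client_id"),
    "client_credentials": ("client_id", "client_secret"),
    "refresh_token": ("refresh_token", "client_id"),
}
TOKEN_JSON = ('{"access_token": "AnlSCIWYbchsCc5sdc5ac4caca8a2", "token_type": "bearer", '
              '"expires_in": 3600, "refresh_token": "DS6SA512ADCVa51adc54VDS51VD5"}')
ERROR_JSON = '{"error": "invalid_request", "error_description": "Invalid refresh token"}'

class TokenError(Exception):
    """Mirrors the README's error document: {"error": ..., "error_description": ...}."""
    def __init__(self, error, description=""):
        super().__init__("%s: %s" % (error, description))
        self.error = error
        self.description = description

def build_token_request(grant_type, **fields):
    """Return the application/x-www-form-urlencoded body for POST /token."""
    if grant_type not in REQUIRED:
        raise TokenError("unsupported_grant_type", grant_type)
    missing = [name for name in REQUIRED[grant_type] if not fields.get(name)]
    if missing:
        raise TokenError("invalid_request", "missing " + ", ".join(missing))
    body = [("grant_type", grant_type)] + [(n, fields[n]) for n in REQUIRED[grant_type]]
    return urlencode(body)

def parse_token_response(body, now=None):
    """Parse the token JSON; turn the relative expires_in into an absolute expiry."""
    doc = json.loads(body)
    if "error" in doc:
        raise TokenError(doc["error"], doc.get("error_description", ""))
    for key in ("access_token", "token_type", "expires_in"):
        if key not in doc:
            raise TokenError("invalid_request", "token response lacks " + key)
    if str(doc["token_type"]).lower() != "bearer":
        raise TokenError("invalid_request", "unexpected token_type")
    now = time.time() if now is None else now
    return {"access_token": doc["access_token"],
            "expires_at": now + int(doc["expires_in"]),
            "refresh_token": doc.get("refresh_token")}  # None for grants that issue none

def is_expired(token, now, skew=30):
    """Treat the token as expired `skew` seconds early, so a refresh is not attempted too late."""
    return now + skew >= token["expires_at"]
```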