OAuth 2.0 PHP Client and Server Example


Solution 1

Setting up an OAuth2 provider is rather easy once you know how the protocol works. It's a 2-or-3 step process (depending on your set-up and whether you're getting tokens on behalf of a user or just from the server).

What you'll need:

  • Working code for an OAuth2 provider
  • Patience

What you'll need to figure out how to do on your code:

  • Create a client (public and private access tokens)
  • Figure out how the authorize and token endpoints are named (typically /authorize and /token)
  • Figure out how the scopes are dealt with

The first step to getting a token is to call /authorize?response_type=code&client_id=[YOUR ID]&redirect_uri=[YOUR REDIRECT URI]&scope=[YOUR SCOPE], where:

  • client_id ([YOUR ID]) is your public access token
  • redirect_uri ([YOUR REDIRECT URI]) is your redirect URI. You will be redirected to this once you complete the authorize step
  • scope is the scope of your future token

On completion (there's usually a submit button), your browser will be redirected to the URI specified with a code in the URL (code=blah). Save this value.

When you've got this code, call the other endpoint: /token?client_id=[YOUR ID]&client_secret=[YOUR SECRET]&grant_type=authorization_code&scope=[YOUR SCOPE]&code=[YOUR CODE]&redirect_uri=[YOUR REDIRECT URI]

The parameters:

  • client_id - again, your client public key
  • client_secret - your private key (this is supposed to be a server-side call)
  • scope - the scope for the token - MUST MATCH THE FIRST CALL
  • redirect_uri - the redirect URI - MUST MATCH THE FIRST CALL
  • code - the code you received

If everything went okay, you'll see a JSON object on your screen containing the token info.

What happens in the background

Step 1 (authorize)

When you confirm the form, the server creates a temporary token (auth token as they're called), which typically has a very short life (my oauth2 sp code typically sets this to 60 seconds). This is the time your server has to go from receiving the code to triggering step 2. It is just a confirmation system, and its purpose is to also store the info provided in step 1 to prevent hijacks.

Step 2 (token)

This is where your access token is actually created. Lots of verifications, lots of stuff, but in the end, the token is just a value that links your client_id and your token. That's all it is.

Shameless plug: if you're using the Laravel framework, I've built exactly this from scratch (rather than using the crappy, undocumented sample code): http://bundles.laravel.com/bundle/oauth2-sp
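The two-step flow described in this answer, written out as a minimal plain-PHP client. This is an added example, not code from the answer or from the linked bundle: the endpoint URLs, client credentials, redirect URI and scope name are placeholders, and the token request is sent as a server-side POST (per RFC 6749) rather than in the query string. It also carries a random `state` value through the authorize step and checks it on the callback, so a code that this session never requested is refused.

```php
<?php
// Added example: minimal OAuth 2.0 authorization-code client in plain PHP.
// Endpoint names, client credentials, scope and redirect URI are assumptions;
// substitute the values your provider issued.

const AUTHORIZE_ENDPOINT = 'https://provider.example/authorize';   // assumed
const TOKEN_ENDPOINT     = 'https://provider.example/token';       // assumed
const CLIENT_ID          = 'YOUR_CLIENT_ID';                        // placeholder
const CLIENT_SECRET      = 'YOUR_CLIENT_SECRET';                    // placeholder, server-side only
const REDIRECT_URI       = 'https://client.example/callback.php';   // assumed
const SCOPE              = 'profile';                               // assumed scope name

session_start();

// Step 1: build the /authorize URL. A random `state` value is stored in the
// session and compared on the callback, so a code that was not requested by
// this session cannot be exchanged (CSRF protection on the redirect URI).
function buildAuthorizeUrl(): string
{
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth2_state'] = $state;
    $query = http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => SCOPE,
        'state'         => $state,
    ]);
    return AUTHORIZE_ENDPOINT . '?' . $query;
}

// Step 2: exchange the authorization code for an access token. The call is
// made server-to-server with the client secret in the POST body, so the
// secret never reaches the browser. scope and redirect_uri must match step 1.
function exchangeCodeForToken(string $code): array
{
    $ch = curl_init(TOKEN_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'authorization_code',
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,
            'code'          => $code,
            'redirect_uri'  => REDIRECT_URI,
            'scope'         => SCOPE,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep TLS certificate verification on
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        throw new RuntimeException("token endpoint returned HTTP $status");
    }
    $token = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    if (empty($token['access_token'])) {
        throw new RuntimeException('no access_token in token response');
    }
    return $token;
}

// Callback handler: this runs at REDIRECT_URI after the user confirms the
// authorize form and the provider appends ?code=...&state=... to the URL.
if (isset($_GET['code'])) {
    $expected = $_SESSION['oauth2_state'] ?? '';
    unset($_SESSION['oauth2_state']); // state is single-use
    if ($expected === '' || !hash_equals($expected, $_GET['state'] ?? '')) {
        http_response_code(400);
        exit('state mismatch: this authorization response was not requested by this session');
    }
    $token = exchangeCodeForToken($_GET['code']);
    $_SESSION['access_token'] = $token['access_token'];
    echo 'Token obtained; expires in ' . ($token['expires_in'] ?? '?') . ' seconds';
} elseif (isset($_GET['error'])) {
    // The provider declined (user denied, bad scope, ...); never treat as success.
    http_response_code(400);
    exit('authorization failed: ' . htmlspecialchars($_GET['error']));
} else {
    // Start of the flow: send the browser to the provider's authorize endpoint.
    header('Location: ' . buildAuthorizeUrl(), true, 302);
}
```

Deploy this single file at the redirect URI and open it in a browser: the first visit redirects to the provider, the provider's redirect back lands on the `code` branch, and the 60-second window the answer mentions is the time between that redirect and `exchangeCodeForToken()` completing. The `redirect_uri` and `scope` sent in step 2 are the same constants used in step 1, which is what the "MUST MATCH THE FIRST CALL" rule requires.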

Solution 2

PHP has a PECL client: http://www.php.net/manual/en/book.oauth.php

Nice intro on oauth2: http://www.slideshare.net/aaronpk/an-introduction-to-oauth-2

This site oauth2.net/2/ lists three OAuth servers in different stages of development.

Big providers (Facebook, Google, Yahoo, Twitter, etc.) implement their own flavour of OAuth, and moreover OAuth 2.0 is still in draft revision; each provider follows a different revision.

Solution 3

I'm working on some type of this PHP client which does the following:

  • Listen on a socket
  • Authentication -> Request
  • Authentication Process -> Server Side Rules
  • Authentication -> Response as result
  • Continue Client Side demand on response gathered

Short answer is: curl + JSON

All authentication requests are made with curl to my server-side script, which takes the authentication vars, then processes and compares them, and at the end echoes a 'JSON Encoded' response containing multiple variables back to the client.

After the response is gathered, 'JSON Decode' the variables as independent vars, and now the Client Side script knows what to do for this client.

Then give the currently authenticated user (specified by Sessions) some tools. All work is executed in PHP Desktop, an embedded Mongoose web server with PHP and curl support. In fact, it's not necessary to use any lib, as PHP has its own complete library. Using curl, JSON and, on the server side, PHP with MySQL (conditional check) is enough for authentication purposes.

Author: JoHa

Updated on December 12, 2020

Comments

  • JoHa
    JoHa over 3 years

    I downloaded the server version (PDO) available for the OAuth 2.0 here:

    Not sure if it is the best implementation out there honestly.

    It is configured and currently returns an error JSON indicating it is waiting for a client to pass it the correct arguments.

    Now, it comes with a "lib" folder that has a Client .inc file. Honestly, I am not sure how to use it given there is no PHP example I found in the archive and couldn't find anything online. I found an example for Drupal using this library, but it is a mess given they have their own Drupal-related functionalities as a module.

    I was wondering if anyone here has had luck using this PHP client library, and if so can they share an example that connects, authorizes and then redirects to the callback URL with the session to be able to access protected page/api calls?

    I wanted to try the Facebook Graph API (opensource), yet I found it very custom for Facebook and was not very sure where I should place the URL to the OAuth 2.0 server I installed on my own server machine.

    • Guram Savinov
      Guram Savinov over 12 years
      possible duplicate of Set up a PHP OAuth Provider
    • MerchantProtocol.com
      MerchantProtocol.com almost 12 years
      It's not a duplicate. The question you mention Noah is for OAuth 1.0, this question is for OAuth 2.0, a completely different beast.
    • Uzair Sajid
      Uzair Sajid over 11 years
      Anyone here been able to figure out how to set up a PHP OAuth provider?
    • Sébastien Renauld
      Sébastien Renauld over 10 years
      @UzairSajid: I wrote one a while back. Inspire yourself from the code? github.com/srenauld/laravel-oauth2-server
    • Uzair Sajid
      Uzair Sajid over 10 years
      @SébastienRenauld I also ended up writing my own as a Codeigniter library, based on a Draft 10 implementation I found.
    • Rohit Suthar
      Rohit Suthar over 8 years
  • Sébastien Renauld
    Sébastien Renauld over 10 years
    @Red2678: OP never came back.