PHP Class OAuth2\OAuth2

Project: friendsofsymfony/oauth2-php

Protected Properties

Property Type Description
$conf Array of persistent variables stored.
$oldRefreshToken string Keep track of the old refresh token so that it can be unset when a new one is issued.
$storage oauth2\IOAuth2Storage Storage engine for authentication server
$usedAuthCode OAuth2\Model\IOAuth2AuthCode Keep track of the used auth code so that it can be marked as used after successful authorization.

Public Methods

Method Description
__construct ( oauth2\IOAuth2Storage $storage, array $config = [] ) Creates an OAuth2.0 server-side instance.
createAccessToken ( OAuth2\Model\IOAuth2Client $client, mixed $data, string | null $scope = null, integer | null $access_token_lifetime = null, boolean $issue_refresh_token = true, integer | null $refresh_token_lifetime = null ) : array Handle the creation of an access token, and also issue a refresh token if supported.
finishClientAuthorization ( boolean $isAuthorized, mixed $data = null, Request $request = null, string | null $scope = null ) : Response Redirect the user appropriately after approval.
getBearerToken ( Request $request = null, boolean $removeFromRequest = false ) : string | null This is a convenience function that can be used to get the token, which can then be passed to verifyAccessToken(). This method attempts to adhere to the constraints specified by the draft.
getVariable ( string $name, mixed $default = null ) : mixed Returns a persistent variable.
grantAccessToken ( Request $request = null ) : Response Grant or deny a requested access token.
setVariable ( string $name, mixed $value ) : OAuth2 Sets a persistent variable.
verifyAccessToken ( string $tokenParam, string $scope = null ) : OAuth2\Model\IOAuth2AccessToken Check that a valid access token has been provided.

Protected Methods

Method Description
checkScope ( string $requiredScope, string $availableScope ) : boolean Check if everything in required scope is contained in available scope.
genAccessToken ( ) : string Generates a unique access token.
genAuthCode ( ) : string Generates a unique auth code.
getAuthorizationHeader ( Request $request ) : array Pull out the Authorization HTTP header and return it.
getAuthorizeParams ( Request $request = null ) : array Pull the authorization request data out of the HTTP $request.
getBearerTokenFromFormEncodedBody ( Request $request, boolean $removeFromRequest ) : string | null Get the token from the URL-encoded entity body.
getBearerTokenFromHeaders ( Request $request, boolean $removeFromRequest ) : string | null Get the access token from the Authorization header.
getBearerTokenFromQuery ( Request $request, boolean $removeFromRequest ) : string | null Get the token from the query string.
getClientCredentials ( array $inputData, array $authHeaders ) : array Internal function used to get the client credentials from HTTP basic auth or POST data.
getRedirectUri ( $redirectUri, OAuth2\Model\IOAuth2Client $client )
grantAccessTokenAuthCode ( OAuth2\Model\IOAuth2Client $client, array $input ) : array
grantAccessTokenClientCredentials ( OAuth2\Model\IOAuth2Client $client, array $input, array $clientCredentials ) : array | boolean
grantAccessTokenExtension ( OAuth2\Model\IOAuth2Client $client, array $inputData, array $authHeaders )
grantAccessTokenRefreshToken ( OAuth2\Model\IOAuth2Client $client, array $input ) : array
grantAccessTokenUserCredentials ( OAuth2\Model\IOAuth2Client $client, array $input ) : array | boolean
setDefaultOptions ( ) Default configuration options are specified here.
validateRedirectUri ( string $inputUri, string | array $storedUris ) : boolean Internal method for validating the supplied redirect URI.

Private Methods

Method Description
buildUri ( string $uri, array $params ) : string Build the absolute URI based on supplied URI and parameters.
createAuthCode ( OAuth2\Model\IOAuth2Client $client, mixed $data, string $redirectUri, string $scope = null ) : string Handle the creation of auth code.
createRedirectUriCallbackResponse ( string $redirectUri, array $params ) : Response Returns redirect response
getJsonHeaders ( ) : array Returns HTTP headers for JSON.

Method Details

__construct() public method

Creates an OAuth2.0 server-side instance.
public __construct ( oauth2\IOAuth2Storage $storage, array $config = [] )
$storage oauth2\IOAuth2Storage
$config array An associative array as below of config options. See CONFIG_* constants.

checkScope() protected method

Check if everything in required scope is contained in available scope.
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-7
protected checkScope ( string $requiredScope, string $availableScope ) : boolean
$requiredScope string Required scope to check against the available scope.
$availableScope string Supported scopes.
return boolean Return true if everything in required scope is contained in available scope or false if it isn't.
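
The subset rule described above, written out as an added example (not the library's own checkScope() code): both arguments are space-separated scope strings, and the check passes only when every required entry is present in the available set.

```php
<?php
// Added example, not the library's implementation: the subset check that the
// checkScope() contract describes, for space-separated scope strings.
function checkScopeSubset(string $requiredScope, string $availableScope): bool
{
    // Split on any run of whitespace and drop empty entries. Scope values are
    // compared case-sensitively, as the OAuth2 drafts define them.
    $required  = preg_split('/\s+/', trim($requiredScope), -1, PREG_SPLIT_NO_EMPTY);
    $available = preg_split('/\s+/', trim($availableScope), -1, PREG_SPLIT_NO_EMPTY);

    // Nothing required: any token is sufficient.
    if ($required === []) {
        return true;
    }
    // Every required entry must appear in the available set.
    return array_diff($required, $available) === [];
}

// Constructed cases with the expected result of each comparison.
$cases = [
    ['read',         'read write', true],
    ['read write',   'read',       false],  // write is not granted
    ['read  write ', 'write read', true],   // order and spacing are irrelevant
    ['',             'read',       true],   // nothing required
    ['admin',        'read write', false],
    ['READ',         'read',       false],  // scope names are case-sensitive
];
foreach ($cases as [$required, $available, $expected]) {
    assert(checkScopeSubset($required, $available) === $expected);
}
```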

createAccessToken() public method

This belongs in a separate factory, but to keep it simple, I'm just keeping it here.
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5
public createAccessToken ( OAuth2\Model\IOAuth2Client $client, mixed $data, string | null $scope = null, integer | null $access_token_lifetime = null, boolean $issue_refresh_token = true, integer | null $refresh_token_lifetime = null ) : array
$client OAuth2\Model\IOAuth2Client
$data mixed
$scope string | null
$access_token_lifetime integer | null How long the access token should live in seconds
$issue_refresh_token boolean Issue a refresh token if true and the storage mechanism supports it
$refresh_token_lifetime integer | null How long the refresh token should live in seconds
return array

finishClientAuthorization() public method

After the user has approved or denied the access request the authorization server should call this function to redirect the user appropriately.
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
public finishClientAuthorization ( boolean $isAuthorized, mixed $data = null, Request $request = null, string | null $scope = null ) : Response
$isAuthorized boolean true or false depending on whether the user authorized the access.
$data mixed Application data
$request Symfony\Component\HttpFoundation\Request
$scope string | null
return Symfony\Component\HttpFoundation\Response

genAccessToken() protected method

Implementing classes may want to override this function to implement other access token generation schemes.
See also: OAuth2::genAuthCode()
protected genAccessToken ( ) : string
return string A unique access token.

genAuthCode() protected method

Implementing classes may want to override this function to implement other auth code generation schemes.
See also: OAuth2::genAccessToken()
protected genAuthCode ( ) : string
return string A unique auth code.

getAuthorizationHeader() protected method

According to draft 20, standard basic authorization is the only header variable required (this does not apply to extended grant types). Implementing classes may override this function if needed.
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-2.4.1
protected getAuthorizationHeader ( Request $request ) : array
$request Symfony\Component\HttpFoundation\Request
return array An array of the basic username and password provided.

getAuthorizeParams() protected method

- The redirect_uri is OPTIONAL as per draft 20. But your implementation can enforce it by setting CONFIG_ENFORCE_INPUT_REDIRECT to true.
- The state is OPTIONAL but recommended to enforce CSRF. Draft 21 states, however, that CSRF protection is MANDATORY. You can enforce this by setting CONFIG_ENFORCE_STATE to true.
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.1
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.12
protected getAuthorizeParams ( Request $request = null ) : array
$request Symfony\Component\HttpFoundation\Request
return array

getBearerToken() public method

As per the Bearer spec (draft 8, section 2) - there are three ways for a client to specify the bearer token, in order of preference: Authorization Header, POST and GET. NB: Resource servers MUST accept tokens via the Authorization scheme (http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2).
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.1
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.2
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.3
public getBearerToken ( Request $request = null, boolean $removeFromRequest = false ) : string | null
$request Symfony\Component\HttpFoundation\Request
$removeFromRequest boolean
return string | null
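
The three token locations and their order of preference, as an added example that is not the library's getBearerToken(): it takes plain header, body and query arrays instead of a Symfony Request so it runs stand-alone, and it refuses a request that presents the token in more than one place, which the Bearer draft forbids.

```php
<?php
// Added example, not the library's code: find a bearer token in the three
// places the Bearer draft allows, in order of preference, and reject requests
// that use more than one transport at once.
function extractBearerToken(array $headers, array $postBody, array $query): ?string
{
    $found = [];

    // 1. Authorization header (preferred; resource servers MUST accept it).
    $auth = $headers['Authorization'] ?? null;
    if (is_string($auth) && preg_match('/^\s*Bearer\s+(\S+)\s*$/i', $auth, $m)) {
        $found['header'] = $m[1];
    }
    // 2. Form-encoded body parameter access_token.
    if (isset($postBody['access_token']) && is_string($postBody['access_token'])) {
        $found['body'] = $postBody['access_token'];
    }
    // 3. Query string parameter access_token (least preferred: it lands in
    //    server and proxy logs and in Referer headers).
    if (isset($query['access_token']) && is_string($query['access_token'])) {
        $found['query'] = $query['access_token'];
    }

    if ($found === []) {
        return null;                    // no token presented
    }
    if (count($found) > 1) {
        // Bearer draft 8, section 2: clients MUST NOT use more than one method.
        throw new InvalidArgumentException('Only one method may be used to transmit the access token');
    }
    return reset($found);               // the single token that was found
}

// Constructed requests covering each transport, a non-Bearer header, and a mix.
assert(extractBearerToken(['Authorization' => 'Bearer abc123'], [], []) === 'abc123');
assert(extractBearerToken([], ['access_token' => 'abc123'], []) === 'abc123');
assert(extractBearerToken([], [], ['access_token' => 'abc123']) === 'abc123');
assert(extractBearerToken(['Authorization' => 'Basic dXNlcjpwdw=='], [], []) === null);
$rejected = false;
try {
    extractBearerToken(['Authorization' => 'Bearer a'], [], ['access_token' => 'b']);
} catch (InvalidArgumentException $e) {
    $rejected = true;
}
assert($rejected);
```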

getBearerTokenFromFormEncodedBody() protected method

Get the token from the URL-encoded entity body.
protected getBearerTokenFromFormEncodedBody ( Request $request, boolean $removeFromRequest ) : string | null
$request Symfony\Component\HttpFoundation\Request
$removeFromRequest boolean
return string | null

getBearerTokenFromHeaders() protected method

Get the access token from the Authorization header. Works around an old Android bug (at least with version 2.2); see the issue linked below.
See also: http://code.google.com/p/android/issues/detail?id=6684
protected getBearerTokenFromHeaders ( Request $request, boolean $removeFromRequest ) : string | null
$request Symfony\Component\HttpFoundation\Request
$removeFromRequest boolean
return string | null

getBearerTokenFromQuery() protected method

Get the token from the query string.
protected getBearerTokenFromQuery ( Request $request, boolean $removeFromRequest ) : string | null
$request Symfony\Component\HttpFoundation\Request
$removeFromRequest boolean
return string | null

getClientCredentials() protected method

According to the spec (draft 20), the client_id can be provided in the Basic Authorization header (recommended) or via GET/POST.
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-2.4.1
protected getClientCredentials ( array $inputData, array $authHeaders ) : array
$inputData array
$authHeaders array
return array A list containing the client identifier and password, for example
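
Reading the client credentials from HTTP Basic auth first and from the POST body second, as an added example (not the library's getClientCredentials()): it takes the raw Authorization header value rather than the array getAuthorizationHeader() returns, undoes the form-urlencoding the draft applies to the id and secret, and rejects a request that supplies both.

```php
<?php
// Added example, not the library's code: client_id/client_secret from the
// Basic Authorization header (preferred) or from the POST body.
// Returns [client_id, client_secret]; client_secret is null for a public client.
function clientCredentials(?string $authorizationHeader, array $postData): array
{
    $fromHeader = null;
    if ($authorizationHeader !== null
        && preg_match('/^\s*Basic\s+([A-Za-z0-9+\/=]+)\s*$/', $authorizationHeader, $m)) {
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            throw new InvalidArgumentException('Malformed Basic credentials');
        }
        [$id, $secret] = explode(':', $decoded, 2);
        // Draft 20, section 2.4.1: id and secret are form-urlencoded before base64.
        $fromHeader = [urldecode($id), urldecode($secret)];
    }

    $fromBody = null;
    if (isset($postData['client_id']) && is_string($postData['client_id'])) {
        $fromBody = [$postData['client_id'], $postData['client_secret'] ?? null];
    }

    // The draft allows exactly one authentication method per request.
    if ($fromHeader !== null && $fromBody !== null) {
        throw new InvalidArgumentException('Client credentials sent in both header and body');
    }
    if ($fromHeader !== null) {
        return $fromHeader;
    }
    if ($fromBody !== null) {
        return $fromBody;
    }
    throw new InvalidArgumentException('No client credentials supplied');
}

// Constructed requests.
$header = 'Basic ' . base64_encode('my-app:s3cret');
assert(clientCredentials($header, []) === ['my-app', 's3cret']);
assert(clientCredentials(null, ['client_id' => 'my-app', 'client_secret' => 's3cret']) === ['my-app', 's3cret']);
assert(clientCredentials(null, ['client_id' => 'public-app']) === ['public-app', null]);
$rejected = false;
try {
    clientCredentials($header, ['client_id' => 'my-app']);
} catch (InvalidArgumentException $e) {
    $rejected = true;
}
assert($rejected);
```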

getRedirectUri() protected method

protected getRedirectUri ( $redirectUri, OAuth2\Model\IOAuth2Client $client )
$client OAuth2\Model\IOAuth2Client

getVariable() public method

Returns a persistent variable.
public getVariable ( string $name, mixed $default = null ) : mixed
$name string The name of the variable to return.
$default mixed The default value to use if this variable has never been set.
return mixed The value of the variable.

grantAccessToken() public method

This would be called from the "/token" endpoint as defined in the spec. Obviously, you can call your endpoint whatever you want. The draft specifies that the authorization parameters should be retrieved from POST, but you can override this to use whatever method you like.
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.6
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-4.1.3
public grantAccessToken ( Request $request = null ) : Response
$request Symfony\Component\HttpFoundation\Request (optional) The request
return Symfony\Component\HttpFoundation\Response

grantAccessTokenAuthCode() protected method

protected grantAccessTokenAuthCode ( OAuth2\Model\IOAuth2Client $client, array $input ) : array
$client OAuth2\Model\IOAuth2Client
$input array
return array

grantAccessTokenClientCredentials() protected method

protected grantAccessTokenClientCredentials ( OAuth2\Model\IOAuth2Client $client, array $input, array $clientCredentials ) : array | boolean
$client OAuth2\Model\IOAuth2Client
$input array
$clientCredentials array
return array | boolean

grantAccessTokenExtension() protected method

protected grantAccessTokenExtension ( OAuth2\Model\IOAuth2Client $client, array $inputData, array $authHeaders )
$client OAuth2\Model\IOAuth2Client
$inputData array
$authHeaders array

grantAccessTokenRefreshToken() protected method

protected grantAccessTokenRefreshToken ( OAuth2\Model\IOAuth2Client $client, array $input ) : array
$client OAuth2\Model\IOAuth2Client
$input array
return array

grantAccessTokenUserCredentials() protected method

protected grantAccessTokenUserCredentials ( OAuth2\Model\IOAuth2Client $client, array $input ) : array | boolean
$client OAuth2\Model\IOAuth2Client
$input array
return array | boolean

setDefaultOptions() protected method

Default configuration options are specified here.
protected setDefaultOptions ( )

setVariable() public method

Sets a persistent variable.
public setVariable ( string $name, mixed $value ) : OAuth2
$name string The name of the variable to set.
$value mixed The value to set.
return OAuth2 The application (for chained calls of this method)

validateRedirectUri() protected method

Internal method for validating the supplied redirect URI.
protected validateRedirectUri ( string $inputUri, string | array $storedUris ) : boolean
$inputUri string
$storedUris string | array
return boolean
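
The page does not state which matching rule validateRedirectUri() applies, so the following is an added example of the strict policy rather than the library's code: the supplied redirect_uri is accepted only if, after normalizing scheme, host, default port and path, it exactly equals one of the registered URIs. Exact matching is what prevents an authorization code from being delivered to a lookalike host or a different path.

```php
<?php
// Added example, not the library's validateRedirectUri(): exact match against
// the registered URIs after normalization. $storedUris is a string or an
// array of strings, mirroring the signature documented above.
function redirectUriAllowed(string $inputUri, $storedUris): bool
{
    $stored = is_array($storedUris) ? $storedUris : [$storedUris];
    $input  = normalizeRedirectUri($inputUri);
    if ($input === null) {
        return false;
    }
    foreach ($stored as $candidate) {
        if (normalizeRedirectUri($candidate) === $input) {
            return true;
        }
    }
    return false;
}

// Canonical form of a redirect URI, or null when it is unusable as one.
function normalizeRedirectUri(string $uri): ?string
{
    $p = parse_url($uri);
    if ($p === false || empty($p['scheme']) || empty($p['host']) || isset($p['fragment'])) {
        return null;   // must be absolute; fragments are not allowed
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    $port   = $p['port'] ?? ($scheme === 'https' ? 443 : ($scheme === 'http' ? 80 : null));
    $path   = $p['path'] ?? '/';
    $query  = isset($p['query']) ? '?' . $p['query'] : '';
    return $scheme . '://' . $host . ($port !== null ? ':' . $port : '') . $path . $query;
}

// Constructed registration and requests.
$registered = ['https://app.example/cb', 'https://app.example:8443/cb'];
assert(redirectUriAllowed('https://app.example/cb', $registered));
assert(redirectUriAllowed('HTTPS://APP.EXAMPLE:443/cb', $registered));       // normalized
assert(redirectUriAllowed('https://app.example:8443/cb', $registered));
assert(!redirectUriAllowed('https://app.example/cb/../other', $registered)); // path differs
assert(!redirectUriAllowed('https://app.example.other.test/cb', $registered)); // host differs
assert(!redirectUriAllowed('https://app.example/cb#frag', $registered));     // fragment
assert(!redirectUriAllowed('http://app.example/cb', $registered));           // scheme differs
```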

verifyAccessToken() public method

The token is returned (as an associative array) if valid. The scope parameter defines any required scope that the token must have. If a scope param is provided and the token does not have the required scope, we bounce the request. Some implementations may choose to return a subset of the protected resource (i.e. "public" data) if the user has not provided an access token or if the access token is invalid or expired. The IETF spec says that we should send a 401 Unauthorized header and bail immediately, so that's what the defaults are set to. You can catch the exception thrown and behave differently if you like (log errors, allow public access for missing tokens, etc.).
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-7
public verifyAccessToken ( string $tokenParam, string $scope = null ) : OAuth2\Model\IOAuth2AccessToken
$tokenParam string
$scope string A space-separated string of required scope(s), if you want to check for scope.
return OAuth2\Model\IOAuth2AccessToken Token
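
A resource endpoint wired to getBearerToken() and verifyAccessToken(), as an added usage example that is not part of the project. It assumes the library's OAuth2\OAuth2AuthenticateException class with a getHttpResponse() method, an IOAuth2Storage implementation named MyStorage, and a getData() accessor on IOAuth2AccessToken; all three are assumptions, not documented on this page.

```php
<?php
// Added usage example, not the project's code. Assumed names:
// OAuth2AuthenticateException::getHttpResponse(), MyStorage, IOAuth2AccessToken::getData().
use OAuth2\OAuth2;
use OAuth2\OAuth2AuthenticateException;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

function handleProfileRequest(OAuth2 $oauth2, Request $request): Response
{
    try {
        // Looks in the Authorization header, form body and query string, in that order.
        $tokenString = $oauth2->getBearerToken($request);
        if ($tokenString === null) {
            // Default behaviour described above: no token means 401, not "public" data.
            return new JsonResponse(
                ['error' => 'invalid_request'],
                401,
                ['WWW-Authenticate' => 'Bearer realm="api"']
            );
        }
        // Throws for an unknown, expired, or insufficiently scoped token.
        $token = $oauth2->verifyAccessToken($tokenString, 'profile:read');
    } catch (OAuth2AuthenticateException $e) {
        // A good place to log $e->getMessage(); the exception carries the 401 response.
        return $e->getHttpResponse();
    }
    // Token valid and carries profile:read: serve the protected resource.
    return new JsonResponse(['user' => $token->getData()]);
}

$storage = new MyStorage();            // assumed IOAuth2Storage implementation
$oauth2  = new OAuth2($storage);
$response = handleProfileRequest($oauth2, Request::createFromGlobals());
$response->send();
```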

Property Details

$conf protected property

Array of persistent variables stored.
protected $conf

$oldRefreshToken protected property

Keep track of the old refresh token so that it can be unset when a new one is issued.
protected string $oldRefreshToken
return string

$storage protected property

Storage engine for the authentication server.
protected oauth2\IOAuth2Storage $storage
return oauth2\IOAuth2Storage

$usedAuthCode protected property

Keep track of the used auth code so that it can be marked as used after successful authorization.
protected OAuth2\Model\IOAuth2AuthCode $usedAuthCode
return OAuth2\Model\IOAuth2AuthCode