OAuth2.0 Specification Implementation
The OAuth2.0 specification defines 4 roles:

- Resource Owner: Eva\EvaOAuth\User\UserInterface
- Client: Eva\EvaOAuth\OAuth2\Client
- Resource Server: Eva\EvaOAuth\OAuth2\AuthorizationServerInterface
- Authorization Server: Eva\EvaOAuth\OAuth2\ResourceServerInterface
In order to keep the code simple, EvaOAuth merges the resource server and the authorization server into a Provider (Eva\EvaOAuth\OAuth2\Providers\AbstractProvider).

OAuth2.0 also defines 4 kinds of grant type for obtaining authorization. Currently EvaOAuth supports the authorization code grant.

The authorization code grant is the most common type for most sites. The workflow is shown below:
```
     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
```
Step (A): the client redirects the user to the authorization server, with parameters including:

- response_type : code
- client_id
- redirect_uri
- state
- scope (optional)

```php
use Eva\EvaOAuth\OAuth2\Client;
use Eva\EvaOAuth\OAuth2\Providers;

// Client credentials issued by the provider, plus the callback URL registered with it.
$client = new Client([
    'client_id' => 'client_id',
    'client_secret' => 'client_secret',
    'redirect_uri' => 'http://oauth.evaengine.com/EvaOAuth/examples/access.php?provider=facebook'
]);

// Builds the authorization URL and sends the 302 redirect.
$client->requestAuthorize(new Providers\Facebook());
```
The actual request is:

```http
HTTP/1.1 302 Moved Temporarily
Location: https://www.facebook.com/dialog/oauth?
    response_type=code&
    client_id=369238949824623&
    redirect_uri=http%3A%2F%2Foauth.evaengine.com%2FEvaOAuth%2Fexamples%2Faccess.php%3Fprovider%3Dfacebook&
    state=GxNqzZFpC3
```
Step (B): the user confirms or denies the client's request.

Step (C): the authorization server redirects the user back to the client via redirect_uri:

```http
HTTP/1.1 302 Found
Location: http://oauth.evaengine.com/EvaOAuth/examples/access.php?provider=facebook&
    code=somecode&
    state=GxNqzZFpC3
```
Step (D): the client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. Parameters:

- grant_type
- code
- client_id
- client_secret
- redirect_uri
- state

```php
// Exchanges the code from the callback for an access token (server-to-server request).
$token = $client->getAccessToken(new Providers\Facebook());
```

The actual HTTP request is:

```http
POST /oauth/access_token HTTP/1.1
Host: graph.facebook.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=somecode&
client_id=369238949824623&
client_secret=some_secret&
redirect_uri=http%3A%2F%2Foauth.evaengine.com%2FEvaOAuth%2Fexamples%2Faccess.php%3Fprovider%3Dfacebook&
state=GxNqzZFpC3
```
Step (E): the authorization server validates the request and, if it is valid, returns an access token.

Response:

```http
HTTP/1.1 200 OK

access_token=tokenvalue&expires=5125751
```
Now the client is able to access protected resources with the access token.

```php
// Wraps an HTTP client that attaches the token as a Bearer Authorization header.
$httpClient = new Eva\EvaOAuth\AuthorizedHttpClient($token);
$response = $httpClient->get('https://graph.facebook.com/me');
```

The actual HTTP request:

```http
GET /me HTTP/1.1
Host: graph.facebook.com
Authorization: Bearer tokenvalue
```

Response:

```http
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8

{"id": ...}
```
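The following is an added example, not EvaOAuth code, that models the client side of steps (A) to (E) above and the final bearer-token resource request without any network access. It builds the step (A) redirect with a fresh random state, checks that state when the step (C) callback arrives (a mismatch means the callback was not started by this session and must be rejected), assembles the step (D) token request body, and parses the step (E) response in both the form-encoded shape shown on this page and the JSON shape from RFC 6749. The endpoint URLs, client_id, redirect_uri and the `some_secret` placeholder are taken from the exchanges above; the function names are this example's own.

```python
"""Client side of the OAuth 2.0 authorization code grant, modelled offline.

Added example; not EvaOAuth code. Endpoint URLs, client_id and redirect_uri
are copied from the HTTP exchanges on this page; the secret is a placeholder.
"""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values, copied from the exchanges shown on the page.
AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"
CLIENT_ID = "369238949824623"
CLIENT_SECRET = "some_secret"  # placeholder, never a real secret
REDIRECT_URI = "http://oauth.evaengine.com/EvaOAuth/examples/access.php?provider=facebook"


def new_state() -> str:
    """Unguessable per-request state; persist it (e.g. in the session) before redirecting."""
    return secrets.token_urlsafe(16)


def build_authorize_redirect(state: str, scope: str = "") -> str:
    """Step (A): the Location value the user-agent is redirected to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    if scope:
        params["scope"] = scope
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step (C): extract the code from the redirect back to redirect_uri.

    The returned state must equal the one stored before step (A). A mismatch
    means this callback was not initiated by the current session, so it is
    rejected rather than exchanged for a token.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        # Step (B): the user denied the request, or the server refused it.
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not bound to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("authorization code missing from callback")
    return code


def build_token_request(code: str, state: str) -> dict:
    """Step (D): the POST to the token endpoint, as method/url/headers/body."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in step (A)
        "state": state,
    }
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def parse_token_response(content_type: str, body: str) -> dict:
    """Step (E): accept the form-encoded body shown on this page as well as
    the RFC 6749 JSON body, normalising both to the same keys."""
    if "json" in content_type:
        data = json.loads(body)
    else:
        data = {k: v[0] for k, v in parse_qs(body).items()}
    if "access_token" not in data:
        raise ValueError("token response carries no access_token")
    # Facebook's legacy response used 'expires'; RFC 6749 uses 'expires_in'.
    expires = data.get("expires_in", data.get("expires"))
    return {
        "access_token": data["access_token"],
        "expires_in": int(expires) if expires is not None else None,
        "refresh_token": data.get("refresh_token"),
    }


def bearer_request(access_token: str, url: str) -> dict:
    """Protected-resource request: the token travels in the Authorization
    header, not in the query string where it would land in logs and referers."""
    return {
        "method": "GET",
        "url": url,
        "headers": {"Authorization": f"Bearer {access_token}"},
    }
```

The only state the client has to keep between step (A) and step (C) is the `state` value; everything else is recomputed from the callback and the stored client configuration.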