d4h/pkce

PHP implementation of RFC7636 (Proof Key for Code Exchange by OAuth Public Clients)

Fund package maintenance!
hannesvdvreken

1.0.0 2022-04-06 02:15 UTC

This package is auto-updated.

Last update: 2024-11-06 08:26:19 UTC


README

Latest Stable Version Total Downloads License

Implementation of RFC 7636

Usage

use function OAuth\PKCE\generatePair;
use function OAuth\PKCE\generateChallenge;
use function OAuth\PKCE\verifyChallenge;

// Generate a pair
$pair = generatePair(128);

// Store this in session
$codeVerifier = $pair->getVerifier();

// Pass this onto the /authorize endpoint of the OAuth server
$codeChallenge = $pair->getChallenge();

$queryString = http_build_query([
    'redirect_uri' => 'https://example.com',
    'response_type' => 'code',
    'client_id' => 'xxxxx',
    'code_challenge_method' => 'S256',
    'code_challenge' => $codeChallenge,
    'state' => $state,
]);

// Use the verifier to exchange the auth code for a token
$params = [
    'client_id' => 'xxxxx',
    'client_secret' => 'xxxxx', // If you have one
    'code' => $code, // Received on your redirect uri
    'code_verifier' => $codeVerifier, // Fetched from the session
];

// On the server side:
if (! verifyChallenge($codeVerifier, $codeChallenge)) {
    // Throw exception because the given code, code_verifier and code_challenge are not matching.
}

// Or if you've saved the code with the code_challenge as a key:
// Query for a stored token with the given code and generated code_challenge
$codeChallenge = generateChallenge($codeVerifier);

Contributing

Feel free to make a pull request. Give a concise but complete description of what is supposed to be added/changed/removed/fixed.

Testing

To test your code before pushing, run the unit test suite.

vendor/bin/phpunit

License

MIT