OAuth2 functionality for Bone Mvc Framework

v1.4.5 2020-08-28 14:17 UTC


Latest Stable Version Total Downloads License
OAuth2 Authorization and Resource Server functionality for Bone MVC Framework


Install via composer from the root of your Bone Framework project

composer require delboy1978uk/bone-oauth2


Simply add the Package to Bone's packages config


// use statements here
use Bone\OAuth2\BoneOAuth2Package;
use Bone\User\BoneUserPackage;

return [
    'packages' => [
        // packages here (order is important)...,
    // ...

generate a public and private key

Firstly go into the data/keys directory.

cd data/keys

Use openssl to generate a private key, then extract the public key from the private key:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key
chmod 660 public.key
chmod 660 private.key

If you want to provide a passphrase for your private key run these commands instead:

openssl genrsa -passout pass:_passphrase_ -out private.key 2048
openssl rsa -in private.key -passin pass:_passphrase_ -pubout -out public.key
chmod 660 public.key
chmod 660 private.key

If a passphrase has been used to generate private key it must be provided to the authorization server.

The public key should be distributed to any services (for example resource servers) that validate access tokens.

generate an encryption key

Go back to the project root.

cd ../..

Run this command and add to your config.

Run database migrations to generate the tables

vendor/bin/bone migrant:diff vendor/bin/bone migrant:migrate vendor/bin/bone migrant:generate-proxies

### required config values
Keys can be stored out of the config array and fetched as an environment variable for better security, but these are the config settings you need.

return [
    'oauth2' => [
        'privateKeyPath' => '/path/to/private.key',
        'publicKeyPath' => '/path/to/private.key',
        'encryptionKey' => 'generatedKeyString',
## usage
#### server side
You can create a client using the `vendor/bin/bone` command. You can also create scopes, and grant scopes to clients.

To lock down an endpoint to require an access token, simply add the `ResourceServerMiddleware` to the route or route 
group in your Bone Framework Package class 
$router->map('GET', '/ping', [ExampleController::class, 'pingAction'])->middleware($c->get(ResourceServerMiddleware::class));
In your controller, you will have access to the user, which is now an instance of `OAuthUser`. You can also get the 
scopes granted for the request.
     * @param $request
     * @param array $args
     * @return ResponseInterface
     * @throws \Exception
    public function someAction(ServerRequestInterface $request, array $args) : ResponseInterface
        /** @var \Bone\OAuth2\Entity\OAuthUser $user */
        $user = $request->getAttribute('user');
        if (!in_array('email', $request->getAttribute('oauth_scopes'))) {
            throw new Exception('How dare you!', 403);

        return new JsonResponse(['random' => 'data']);
#### client side
Clients connect using the standard OAuth2 flow described in RFC6749, the two endpoints in your Bone App are
- /oauth2/authorize
- /oauth2/token
#### site users
Logged in users now have an additional end point which they can go to, `/user/api-keys`, where they can get a new API key, or delete existing ones.
#### console
You also have access to more `bone` command options:
bone client:create
bone client:create
bone scope:create
bone scope:list