OAuth2 Server for PHP

Installs: 193 037

Dependents: 16

Suggesters: 0

Security: 0

Stars: 320

Watchers: 33

Forks: 171


v2.1.1 2020-10-19 10:36 UTC

This package is auto-updated.

Last update: 2021-07-19 13:59:59 UTC


A wrapper for implementing an OAuth2 Server(


The preferred way to install this extension is through composer.

Either run

php composer.phar require --prefer-dist filsh/yii2-oauth2-server "*"

or add

"filsh/yii2-oauth2-server": "^2.0"

to the require section of your composer.json.

To use this extension, simply add the following code in your application configuration:

'bootstrap' => ['oauth2'],
'modules' => [
    'oauth2' => [
        'class' => 'filsh\yii2\oauth2server\Module',
        'tokenParamName' => 'accessToken',
        'tokenAccessLifetime' => 3600 * 24,
        'storageMap' => [
            'user_credentials' => 'common\models\User',
        'grantTypes' => [
            'user_credentials' => [
                'class' => 'OAuth2\GrantType\UserCredentials',
            'refresh_token' => [
                'class' => 'OAuth2\GrantType\RefreshToken',
                'always_issue_new_refresh_token' => true

common\models\User - user model implementing an interface \OAuth2\Storage\UserCredentialsInterface, so the oauth2 credentials data stored in user table

The next step you should run migration

yii migrate --migrationPath=@vendor/filsh/yii2-oauth2-server/src/migrations

this migration creates the oauth2 database scheme and insert test user credentials testclient:testpass for http://fake/

add url rule to urlManager

'urlManager' => [
    'rules' => [
        'POST oauth2/<action:\w+>' => 'oauth2/rest/<action>',


You can pass additional OAuth2 Server options by setting options property on the module. These options configure as the underlying OAuth2 Server also as various parts/components of bshaffer/oauth2-server-php. As an example, you can configure authorization code lifetime in a response by setting auth_code_lifetime option. Some of them are implemented as standalone properties on the module: tokenParamName => use_jwt_access_tokens, tokenAccessLifetime => token_param_name, useJwtToken => access_lifetime. Full list of options are supported by the underlying OAuth2 Server main component - source code. Options for various components spread across bshaffer/oauth2-server-php source code.


To use this extension, simply add the behaviors for your base controller:

use yii\helpers\ArrayHelper;
use yii\filters\auth\HttpBearerAuth;
use yii\filters\auth\QueryParamAuth;
use filsh\yii2\oauth2server\filters\ErrorToExceptionFilter;
use filsh\yii2\oauth2server\filters\auth\CompositeAuth;

class Controller extends \yii\rest\Controller
     * @inheritdoc
    public function behaviors()
        return ArrayHelper::merge(parent::behaviors(), [
            'authenticator' => [
                'class' => CompositeAuth::className(),
                'authMethods' => [
                    ['class' => HttpBearerAuth::className()],
                    ['class' => QueryParamAuth::className(), 'tokenParam' => 'accessToken'],
            'exceptionFilter' => [
                'class' => ErrorToExceptionFilter::className()

Create action authorize in site controller for Authorization Code

see more

 * SiteController
class SiteController extends Controller
     * @return mixed
    public function actionAuthorize()
        if (Yii::$app->getUser()->getIsGuest())
            return $this->redirect('login');
        /** @var $module \filsh\yii2\oauth2server\Module */
        $module = Yii::$app->getModule('oauth2');
        $response = $module->getServer()->handleAuthorizeRequest(null, null, !Yii::$app->getUser()->getIsGuest(), Yii::$app->getUser()->getId());
        /** @var object $response \OAuth2\Response */
        Yii::$app->getResponse()->format = \yii\web\Response::FORMAT_JSON;
        return $response->getParameters();

Also, if you set allow_implicit => true in the options property of the module, you can use Implicit Grant Type - see more

Request example:

With redirect response:


JWT Tokens

If you want to get Json Web Token (JWT) instead of conventional token, you will need to set 'useJwtToken' => true in module and then define two more configurations: 'public_key' => 'app\storage\PublicKeyStorage' which is the class that implements PublickKeyInterface and 'access_token' => 'OAuth2\Storage\JwtAccessToken' which implements JwtAccessTokenInterface.php

For Oauth2 base library provides the default access_token which works great except. Just use it and everything will be fine.

and public_key

namespace app\storage;

class PublicKeyStorage implements \OAuth2\Storage\PublicKeyInterface{

    private $pbk =  null;
    private $pvk =  null; 
    public function __construct()
        $this->pvk =  file_get_contents('privkey.pem', true);
        $this->pbk =  file_get_contents('pubkey.pem', true); 

    public function getPublicKey($client_id = null){ 
        return  $this->pbk;

    public function getPrivateKey($client_id = null){ 
        return  $this->pvk;

    public function getEncryptionAlgorithm($client_id = null){
        return 'RS256';


For more, see

Authors & Contributors

The original author of this package Igor Maliy . At the time the project maintainer is Vardan Pogosian.