onpayio / oauth2-client
Very simple OAuth 2.0 client
Requires
- php: >=5.4
- ext-curl: *
- ext-date: *
- ext-hash: *
- ext-json: *
- ext-pcre: *
- ext-pdo: *
- ext-session: *
- ext-spl: *
- paragonie/constant_time_encoding: ^1|^2
- paragonie/random_compat: >=1
- psr/log: ^1.0|^2.0
- symfony/polyfill-php56: ^1
Requires (Dev)
- phpunit/phpunit: ^4.8.35|^5|^6|^7
README
This is a very simple to use OAuth 2.0 client. It has minimal dependencies.
NOTE: if you are not bound to PHP 5.4, you are probably better off using the OAuth 2.0 client of the League of Extraordinary Packages! It can be found here.
Features
- Simplicity
- Works with PHP >= 5.4
- Minimal dependencies;
- Supports OAuth refresh tokens.
- Easy integration with your own application and/or framework;
- Does not enforce a framework on you;
- Only "authorization code" profile support, will not implement anything else;
- Only conforming OAuth 2.0 servers will work, this library will not get out of its way to deal with services that violate the OAuth 2.0 RFC;
- There will be no toggles to shoot yourself in the foot;
- Uses
paragonie/constant_time_encodingfor constant time encoding; - Uses
paragonie/random_compatpolyfill for CSPRNG; - Uses
symfony/polyfill-php56polyfill forhash_equals; - Uses
psr/logto provide an interface to log HTTP requests between OAuth client and server; usually very hard to debug "in the field";
You MUST configure PHP in such a way that it enforces secure cookies! See this resource for more information.
Use
Currently php-oauth2-client is not hosted on
Packagist. It may be added in the future. In your
composer.json:
"repositories": [
{
"type": "vcs",
"url": "https://git.tuxed.net/fkooman/php-oauth2-client"
},
...
],
"require": {
"fkooman/oauth2-client": "^7",
...
},
You can also download the signed source code archive here.
API
The API is very simple to use. See the example/ folder for a working example!
Security
As always, make sure you understand what you are doing! Some resources:
- The Fast Track to Safe and Secure PHP Sessions
- The OAuth 2.0 Authorization Framework
- The OAuth 2.0 Authorization Framework: Bearer Token Usage
- OAuth 2.0 Threat Model and Security Considerations
- securityheaders.io
- Proof Key for Code Exchange by OAuth Public Clients
Contact
You can contact me with any questions or issues regarding this project. Drop me a line at fkooman@tuxed.net.
If you want to (responsibly) disclose a security issue you can also use the
PGP key with key ID 9C5EDD645A571EB2 and fingerprint
6237 BAF1 418A 907D AA98 EAA7 9C5E DD64 5A57 1EB2.
License
MIT.