phpway/one-auth-server

Simple OAuth2 server implementation with limited functionality designed for Single Page Applications

Maintainers

Details

github.com/phpway/OneAuth-Server

Source

Issues

Installs: 16

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 1

Forks: 0

Open Issues: 0

0.9.4 2024-08-24 08:05 UTC

Requires

MIT 8ffee2206088894ae4259295a468489db4b470da

  • Petr Havlik <petr.havlik.woop@gmail.com>

oauth2SPAone-auth

This package is auto-updated.

Last update: 2025-03-29 01:08:46 UTC

README

OneAuth server is very simple OAuth2 server implementation with limited functionality specifically designed for authenticating single page applications (SPA) according to the workflow described below with exclusive use of reference tokens only.

If you need a fully-featured OAuth2 server implementation, you can look up the official OAuth page https://oauth.net/code/php/.

Features

At the moment, OneAuth server provides 3 controllers:

  • AuthorizeController - handle requests for obtaining the Authorization Code which is one-time use, short-lived random code to be used by SPA for obtaining the Access Token.
  • TokenController - handle requests for obtaining the Access Token.
  • ResourceController - to verify API requests.

Request data required for each controller together with response details are described in the workflow below.

Since OneAuth server is designed for authenticating SPAs, all communication between OneAuth server and the client app is transparent to the user (either via url search params, or via sending form data in POST requests), meaning there is no back channel for exchanging data between these two entities.

Thus, there is no client secret in the workflow as the SPA has no mechanism to hide it. But it uses PKCE protection that requires the client app sending code verifier (random string) hash in the initial request for the authorization code, and then sending code verifier in plain text when exchanging this authorization code for the access token.

PSR-7 Request / Response

OneAuth server uses PSR-7 compatible request and response objects for handling requests to obtain authorization codes and/or access tokens. Thus, you will need to provide a PSR-7 implementation that best fits your application. Here are few options you can choose from:

To send the response to the client, you will also need to implement a response emitter, or use an existing one (for example ResponseEmitter.php from the Slim framework).

SPA Workflow

SPA workflow diagram

TODOs

  • Add resource controller for protecting APIs
    • Recognize token in headers
    • Recognize token in GET
    • Recognize token in POST
  • Implement revoking tokens
    • Individual token
    • All for given user
  • Add functionality for refresh tokens