OAuth2 server for TYPO3

Installs: 3 644

Dependents: 1

Suggesters: 0

Security: 0

Stars: 2

Watchers: 3

Forks: 2

Open Issues: 2


1.3.0 2023-05-30 17:54 UTC

This package is auto-updated.

Last update: 2023-05-31 19:38:45 UTC


OAuth2 server for TYPO3 based on PHP League's OAuth2 Server.


  • Supports all grant types from PHP League's OAuth2 Server
  • Scopes can be limited to clients
  • Grant types can be limited to clients
  • Can be used to protect APIs of other extensions


Only Composer installation is supported!

$ composer require r3h6/oauth2-server


Create your own public and private keys.
Use the provided key pair only for development.

You must explicitly enable the OAuth2 server in your site configuration YAML by adding at least the following configuration:

oauth2: []

For the authorization code grant you must create a frontend login page and a consent page.
This extension provides a TypoScript setup with a basic design.

Create a sysfolder and add a client record.

[Screenshot: page tree with the new client record]


Endpoint            Description
/oauth2/authorize   GET = start authorization, POST = accept, DELETE = deny
/oauth2/token       Issues a token
/oauth2/revoke      Revokes an access token
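The authorization code flow against the three endpoints above, with the PKCE code challenge that `requireCodeChallengeForPublicClients` demands from public clients, as an added client-side example (not code from the extension or from PHP League's server). The site URL, client id, redirect URI and the callback redirect are constructed placeholders; `server_side_check` only models what the token endpoint does with the stored challenge.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None):
    """Return (code_verifier, code_challenge) using the S256 method."""
    if verifier is None:
        # 32 random bytes -> 43 base64url chars, inside RFC 7636's 43..128 range
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(site, client_id, redirect_uri, scopes, state, code_challenge):
    """GET /oauth2/authorize starts the authorization; scopes are space separated."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{site}/oauth2/authorize?{urlencode(params)}"


def parse_callback(redirected_to, expected_state):
    """Extract the code from the redirect back to the client; reject a foreign state."""
    query = parse_qs(urlparse(redirected_to).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: the response does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    return query["code"][0]


def build_token_request(site, client_id, redirect_uri, code, verifier):
    """POST body for /oauth2/token; the verifier proves we started the flow."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }
    return f"{site}/oauth2/token", body


def server_side_check(verifier, stored_challenge):
    """Model of the token endpoint: recompute S256(verifier) and compare in constant time."""
    recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    # Constructed values for a local walk-through; nothing is sent over the network.
    site, client_id, redirect_uri = "https://typo3.example", "my-app", "https://app.example/cb"
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(site, client_id, redirect_uri, ["scope1", "scope2"], state, challenge))
    code = parse_callback(f"{redirect_uri}?code=CONSTRUCTED_CODE&state={state}", state)
    print(build_token_request(site, client_id, redirect_uri, code, verifier))
    print("challenge accepted:", server_side_check(verifier, challenge))
```

The `state` check in `parse_callback` is what ties the callback to the session that started the flow; the verifier never leaves the client until the token request, so an intercepted code alone cannot be redeemed.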


oauth2:
  # Optional. Defaults to 'true'
  enabled: true

  # Path to private key
  # Type: string
  privateKey: 'EXT:oauth2_server/Resources/Private/Keys/private.key'

  # Path to public key
  # Type: string
  publicKey: 'EXT:oauth2_server/Resources/Private/Keys/public.key'

  # Access token lifetime (ISO 8601 duration)
  # Type: string
  accessTokensExpireIn: 'P1M'

  # Refresh token lifetime (ISO 8601 duration)
  # Type: string
  refreshTokensExpireIn: 'P1M'

  # Requires all public clients to provide a PKCE code challenge
  # See https://oauth2.thephpleague.com/upgrade-guide/
  # Type: boolean
  requireCodeChallengeForPublicClients: true

  # Page uid with "Oauth2: Consent" plugin
  # Type: int
  consentPageUid: 0

  # Page uid for frontend login (otherwise users are redirected to the root page)
  # Type: int
  loginPageUid: 0

  # Scopes
  # Type: array
  scopes:
    - scope1
    - { identifier: scope2, description: 'Description or LLL path', consent: true }

  # Configuration for protected resources
  resources:

    # Resource name
    my_resource:

      # Resource route, a regex matching the request path
      # Type: string
      path: /rest/.*

      # Resource methods (optional)
      # Type: string|array
      methods: POST|GET

      # Resource target (optional)
      # Type: string
      target: Controller::action

      # Firewall rule, checks if a user is authenticated (optional)
      # Type: boolean
      authenticated: false

      # Firewall rule, checks if the client IP matches the given pattern (optional)
      # Type: string
      ip: '127.*'

      # Firewall rule, checks if the request is using HTTPS (optional)
      # Type: boolean
      https: true

      # Firewall rule, checks if the access token has at least one of the scopes (optional)
      # Type: string|array
      scope: 'read|write'

      # Firewall rule, checks if the access token has all of the scopes (optional);
      # alternative to the '|' form above, a key may only appear once per resource
      # Type: string|array
      # scope: 'read,write'
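To make the resource and firewall rules above concrete, here is an added model of how such a rule set is evaluated against a request (written for this page, not the extension's own firewall code). The resource table, the requests and the exact semantics assumed are constructed: `path` is a full-match regex, `ip` is a shell-style wildcard, `'a|b'` means any of the scopes, `'a,b'` means all of them, and an array is treated like the `'|'` form.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Request:
    """Constructed request facts the firewall rules look at."""
    path: str
    method: str
    client_ip: str
    https: bool
    authenticated: bool
    token_scopes: frozenset


def _split(value, sep):
    """Rule values may be a string ('POST|GET') or an array (['POST', 'GET'])."""
    if isinstance(value, str):
        return [v.strip() for v in value.split(sep) if v.strip()]
    return list(value)


def resource_matches(rule, req):
    """Route match: path regex (assumed full match) plus optional method list."""
    if re.fullmatch(rule["path"], req.path) is None:
        return False
    methods = rule.get("methods")
    if methods is None:
        return True
    return req.method.upper() in {m.upper() for m in _split(methods, "|")}


def scope_rule_satisfied(scope_rule, token_scopes):
    """'read|write' = at least one scope present, 'read,write' = all present."""
    if isinstance(scope_rule, str) and "," in scope_rule:
        return set(_split(scope_rule, ",")) <= set(token_scopes)
    return bool(set(_split(scope_rule, "|")) & set(token_scopes))


def firewall_decision(rule, req):
    """Apply every configured firewall rule; return (allowed, reason)."""
    if rule.get("authenticated") and not req.authenticated:
        return False, "user not authenticated"
    if "ip" in rule and not fnmatchcase(req.client_ip, rule["ip"]):
        return False, "client ip does not match %r" % rule["ip"]
    if rule.get("https") and not req.https:
        return False, "https required"
    if "scope" in rule and not scope_rule_satisfied(rule["scope"], req.token_scopes):
        return False, "access token lacks required scope(s)"
    return True, "ok"


def check_request(resources, req):
    """First resource whose route matches decides; None = request not covered by any rule."""
    for name, rule in resources.items():
        if resource_matches(rule, req):
            allowed, reason = firewall_decision(rule, req)
            return name, allowed, reason
    return None


# Constructed resource table mirroring the YAML shape above.
RESOURCES = {
    "my_resource": {"path": "/rest/.*", "methods": "POST|GET", "ip": "127.*",
                    "https": True, "scope": "read|write"},
    "admin_api": {"path": "/admin/.*", "authenticated": True, "scope": "read,write"},
}

if __name__ == "__main__":
    req = Request("/rest/users", "GET", "127.0.0.1", True, False, frozenset({"read"}))
    print(check_request(RESOURCES, req))
```

Note the `None` outcome: a request whose path or method matches no resource is simply not covered, which is why the section below warns about Extbase plugins reachable through query parameters rather than the configured route.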

Protecting resources from Extbase plugins.

Extbase plugins with routing can still be called through query parameters.
Such requests bypass the request validation of this extension.
You should therefore add .htaccess rules denying such requests,
implement the request validation yourself, or
use the ExtbaseGuard to check whether the request passed the validation.

<?php

use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;

class ExtbaseController extends ActionController
{
    /**
     * @var \R3H6\Oauth2Server\Security\ExtbaseGuard
     * @TYPO3\CMS\Extbase\Annotation\Inject
     */
    protected $guard;

    public function initializeAction()
    {
        // Abort the action unless the request passed the OAuth2 validation for 'my_resource'.
        // Use the call matching your TYPO3 version:
        $this->guard->checkAccess($GLOBALS['TYPO3_REQUEST'], 'my_resource', $this->response); // v10
        $this->guard->checkAccess($GLOBALS['TYPO3_REQUEST'], 'my_resource'); // v11
    }
}


This extension adds several middlewares to the stack. They must be executed in the expected order to work correctly.



  • Marco Huber for handing over the extension key and sharing his ideas