Lumen league oauth2 wrapper

1.3.1 2018-11-07 23:04 UTC


composer require sonrac/lumen-league-oauth2


Register the service provider first:

Add it to your bootstrap/app.php:



league/oauth2-server implementation for Lumen


The OAuth2 server contracts (repositories, entities, the authorization and resource servers) are bound in sonrac\lumenRest\Oauth2ServiceProvider.


Event usage is described in the official league/oauth2-server documentation.


Use League\OAuth2\Server\Middleware\ResourceMiddleware to validate the Bearer access token on requests to protected resources.

Use League\OAuth2\Server\Middleware\AuthorizationServerMiddleware to respond to access token requests (client authentication and token issuance).
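Validating a token only proves who the caller is; the route still has to check that the token was issued with the scope it needs. The following is an added example, not code from the sonrac/lumen-league-oauth2 package, that validates the token with the league ResourceServer directly and then enforces a per-route scope, failing closed. It assumes the package's service provider binds League\OAuth2\Server\ResourceServer in the container, that PSR-7 requests are injected into routes (as in the routing examples below), and that the route path and the scope name profile:read are illustrative.

```php
<?php
// Added example (not part of sonrac/lumen-league-oauth2): a resource route that
// validates the Bearer token with the league ResourceServer and then enforces a
// per-route scope, failing closed when a scope is missing.
// Assumptions: the package's service provider binds League\OAuth2\Server\ResourceServer
// in the container, PSR-7 requests are injected into routes (as in this README's
// routing examples), and the route path and scope name are illustrative.

use Psr\Http\Message\ServerRequestInterface;
use League\OAuth2\Server\ResourceServer;
use League\OAuth2\Server\Exception\OAuthServerException;

/**
 * Return null when the validated token carries every required scope, otherwise an
 * RFC 6750 "insufficient_scope" response (403 with a WWW-Authenticate challenge).
 * ResourceServer::validateAuthenticatedRequest() sets the request attributes
 * oauth_access_token_id, oauth_client_id, oauth_user_id and oauth_scopes.
 */
function requireScopes(ServerRequestInterface $request, array $required)
{
    $granted = (array) $request->getAttribute('oauth_scopes', []);
    $missing = array_values(array_diff($required, $granted));
    if ($missing === []) {
        return null;
    }
    $challenge = sprintf('Bearer error="insufficient_scope", scope="%s"', implode(' ', $required));

    return response()->json(
        ['error' => 'insufficient_scope', 'missing_scopes' => $missing],
        403,
        ['WWW-Authenticate' => $challenge]
    );
}

$app->router->get('/api/profile', function (ServerRequestInterface $request) use ($app) {
    /* @var ResourceServer $resourceServer */
    $resourceServer = $app->make(ResourceServer::class);

    try {
        // Checks the token signature against the public key, its expiry and its
        // revocation status. Throws OAuthServerException (401 access_denied)
        // for anything invalid, so nothing below runs on an unverified token.
        $request = $resourceServer->validateAuthenticatedRequest($request);
    } catch (OAuthServerException $exception) {
        return $exception->generateHttpResponse(new \Zend\Diactoros\Response());
    }

    // Authentication is not authorization: a valid token is not enough, the
    // token must also have been issued with the scope this route needs.
    if ($denied = requireScopes($request, ['profile:read'])) {
        return $denied;
    }

    return response()->json([
        'user_id'   => $request->getAttribute('oauth_user_id'),
        'client_id' => $request->getAttribute('oauth_client_id'),
        'scopes'    => $request->getAttribute('oauth_scopes'),
    ]);
});
```

The scope check deliberately lives in the route rather than in a global middleware: different routes need different scopes, and a route that forgets to call requireScopes() still requires a valid token, it just does not narrow it. The 403 with a WWW-Authenticate challenge is what RFC 6750 prescribes for a valid token that lacks scope, distinct from the 401 the library returns for an invalid token.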

Example routing

Get access token

$app->router->post('/access_token', function (\Psr\Http\Message\ServerRequestInterface $request,
                                              \Psr\Http\Message\ResponseInterface $response) use ($app) {
    /* @var \League\OAuth2\Server\AuthorizationServer $server */
    $server = $app->make(\League\OAuth2\Server\AuthorizationServer::class);

    try {

        // Try to respond to the request
        return $server->respondToAccessTokenRequest($request, $response);

    } catch (\League\OAuth2\Server\Exception\OAuthServerException $exception) {

        // All instances of OAuthServerException can be formatted into a HTTP response
        return $exception->generateHttpResponse($response);

    } catch (\Exception $exception) {

        // Unknown exception: answer with an empty 500. Do not write
        // $exception->getMessage() into the body; it can leak internals
        // (key paths, storage errors) to the client. Log it server-side instead.
        $body = new \Zend\Diactoros\Stream('php://temp', 'r+');
        return $response->withStatus(500)->withBody($body);

    }
});

Authorize third-party clients (implicit & auth code grants)

$app->router->get('/authorize', function (\League\OAuth2\Server\AuthorizationServer $server,
                                          \Psr\Http\Message\ServerRequestInterface $request,
                                          \Psr\Http\Message\ResponseInterface $response) {
    try {
        // Validate the HTTP request (client_id, redirect_uri, response_type, scopes)
        // and return an AuthorizationRequest object.
        $authRequest = $server->validateAuthorizationRequest($request);

        // The auth request object can be serialized and saved into a user's session.
        // You will probably want to redirect the user at this point to a login endpoint.

        // Once the user has logged in set the user on the AuthorizationRequest
        $authRequest->setUser(app()->make(\League\OAuth2\Server\Entities\UserEntityInterface::class)); // an instance of UserEntityInterface

        // At this point you should redirect the user to an authorization page.
        // This form will ask the user to approve the client and the scopes requested.

        // Once the user has approved or denied the client update the status
        // (true = approved, false = denied). Never set this to true before the
        // user has actually seen and accepted the client and the requested scopes.
        $authRequest->setAuthorizationApproved(true);

        // Return the HTTP redirect response
        return $server->completeAuthorizationRequest($authRequest, $response);

    } catch (\League\OAuth2\Server\Exception\OAuthServerException $exception) {

        // Invalid client, redirect URI or scope, or a denied request: formatted as
        // an OAuth error response (a redirect carrying the error where allowed)
        return $exception->generateHttpResponse($response);

    } catch (\Exception $exception) {

        // Unknown exception
        $body = new \Zend\Diactoros\Stream('php://temp', 'r+');

        return $response->withStatus(500)->withBody($body);

    }
});
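The handler above compresses login and consent into one request for brevity; in practice they are two requests with a round trip through the browser in between, and the pending AuthorizationRequest has to survive that gap without the user being able to tamper with it or approve it on someone else's behalf. The following added example, which is not the package's own code, splits the flow into those two steps and parks the pending request server-side under a single-use random handle. It assumes Lumen's cache and facades are enabled, that the 'user' guard from this README's guard config resolves a model implementing UserEntityInterface, and that the paths, the authreq parameter and the decision form field are illustrative names.

```php
<?php
// Added example (not the package's own code): the authorize flow split into the
// two requests it really consists of. The pending AuthorizationRequest is parked
// server-side under a single-use random handle, so no user is bound to it and
// nothing is approved until the user has logged in and made an explicit decision.
// Assumptions: Lumen's cache and facades are enabled ($app->withFacades()), the
// 'user' guard from this README's guard config returns a model implementing
// UserEntityInterface, and the paths, the 'authreq' parameter and the 'decision'
// form field are illustrative.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use League\OAuth2\Server\AuthorizationServer;
use League\OAuth2\Server\Exception\OAuthServerException;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

// Pending requests expire quickly; an abandoned consent screen must not stay valid.
const AUTHREQ_TTL_MINUTES = 5;

// Step 1: validate the client's request and send the user to log in.
$app->router->get('/authorize', function (AuthorizationServer $server,
                                          ServerRequestInterface $request,
                                          ResponseInterface $response) {
    try {
        $authRequest = $server->validateAuthorizationRequest($request);
    } catch (OAuthServerException $exception) {
        // Bad client_id / redirect_uri / scope is answered here, before any login.
        return $exception->generateHttpResponse($response);
    }

    // 256-bit random handle; only the handle travels through the browser, the
    // request itself (client, scopes, redirect URI) never leaves the server.
    $handle = bin2hex(random_bytes(32));
    Cache::put('authreq:' . $handle, $authRequest, AUTHREQ_TTL_MINUTES);

    return redirect('/login?authreq=' . $handle);
});

// Step 2: after login, the consent form POSTs the handle and the user's decision.
$app->router->post('/authorize/decision', function (AuthorizationServer $server,
                                                    Request $form,
                                                    ResponseInterface $response) {
    $handle = (string) $form->input('authreq', '');
    // pull() deletes the entry, so a handle can be redeemed exactly once.
    $authRequest = (strlen($handle) === 64 && ctype_xdigit($handle))
        ? Cache::pull('authreq:' . $handle)
        : null;
    if ($authRequest === null) {
        return response('Unknown or expired authorization request', 400);
    }

    $user = Auth::guard('user')->user();
    if ($user === null) {
        return response('Login required', 401);
    }

    /* @var \League\OAuth2\Server\RequestTypes\AuthorizationRequest $authRequest */
    $authRequest->setUser($user);
    // Deny unless the form explicitly said "approve"; anything else is a denial.
    $authRequest->setAuthorizationApproved($form->input('decision') === 'approve');

    try {
        // Approved: redirect with the code (or token for the implicit grant).
        // Denied: the library raises an OAuthServerException that formats as a
        // redirect carrying error=access_denied to the validated redirect URI.
        return $server->completeAuthorizationRequest($authRequest, $response);
    } catch (OAuthServerException $exception) {
        return $exception->generateHttpResponse($response);
    }
});
```

Two properties matter here. The decision defaults to denial: only the literal value approve grants, so a missing or malformed field cannot be mistaken for consent. And the handle is bound to nothing but the cache entry, so step 2 must still check the logged-in session itself; Lumen ships no CSRF protection, so the consent form that posts to /authorize/decision needs one, otherwise a page the victim visits while logged in could submit an approval for them.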


JWT guard

To use JWT tokens you need to define a JWT guard in your auth config (config/auth.php).

Example config:

'defaults' => [
    'guard' => 'jwt',
],

'guards' => [
    'jwt' => [
        'driver'   => 'jwt',
        'provider' => 'clients',
    ],
    'user' => [
        'driver'   => 'token',
        'provider' => 'users',
    ],
],

'providers' => [
    'clients' => [
        'driver' => 'eloquent',
        'model'  => app(\League\OAuth2\Server\Entities\ClientEntityInterface::class),
    ],
    'users' => [
        'driver' => 'eloquent',
        'model'  => app(\League\OAuth2\Server\Entities\UserEntityInterface::class),
    ],
],

Generate keys

Access tokens are signed with a private key and verified with the matching public key, so generate the key pair before issuing any tokens:

php artisan generate:keys

Keep the private key outside the web root and readable only by the application user (mode 600); resource servers and clients need only the public key.