spaces / oauth2-client
OAuth 2.0 authentication for Mittwald SPACES
Installs: 1 115
Dependents: 1
Suggesters: 0
Security: 0
Stars: 1
Watchers: 9
Forks: 0
Open Issues: 0
Requires
- league/oauth2-client: ^2.3
Requires (Dev)
- helmich/phpunit-psr7-assert: ^3.1.0
- phpunit/phpunit: ^7.0
This package is auto-updated.
Last update: 2020-04-12 14:02:33 UTC
README
Client library to integrate an OAuth2.0 authorization flow into PHP applications.
Usage
-
Provide your own implementation of the
Mw\Spaces\OAuth2\Context
interface:namespace Your\Namespace; class Context implements \Mw\Spaces\OAuth2\Context { public function getRedirectURI() { return "https://my-application.example/oauth-redir"; } }
Note that the
/oauth-redir
path needs to point to an application-specific OAuth2 redirection handler implemented by you. -
Create the OAuth2.0 provider:
$ctx = new \Your\Namespace\Context(); $opts = new \Mw\Spaces\OAuth2\EnvironmentOptions($_SERVER); $provider = new \Mw\Spaces\OAuth2\SpacesProvider($opts, $ctx);
-
Next, retrieve the authorization URL and redirect your user there:
$authorizationURL = $provider->getAuthorizationUrl(); $_SESSION["spaces.de/auth/csrf"] = $provider->getState(); header("Location: " . $authorizationURL);
-
The identity provider will prompt the user for their credentials, and - on success - will redirect the user back to your Redirect URI. When handling the redirected request, you'll need to retrieve the authorization code and check the CSRF value:
$state = $_GET["state"]; $code = $_GET["code"]; if ($_SESSION["spaces.de/auth/csrf"] != $state) { die("..."); }
After that, you can use the code to retrieve your access token:
$accessToken = $provider->getAccessToken('authorization_code', [ 'code' => $code, ]);
-
Having the
$accessToken
, you can now (all while handling the redirected request) use that token to load the resource owner:try { $owner = $provider->getResourceOwner($accessToken); $ownerID = $accessToken->getResourceOwnerId(); // synchronize local user using $owner } catch (\Mw\Spaces\OAuth2\Error\UserNotPresentException $err) { // user has no access to project // deny login }
Use the data in the
$owner
object to construct a new local user (or update an existing record). You can store the Resource Owner ID for each created user to match them later on.