ekwav/uf_oauth2_server
Composer 安装命令:
composer require ekwav/uf_oauth2_server
包简介
OAuth2 Api module for UserFrosting.
关键字:
README 文档
README
Implementation of league/oauth2-server in userfrosting4
What does it do?
With this sprinkle, you can securely connect your app to userfrosting with the OAuth2 authorization flow.
In short, this is the This App wants to get access to ... that you know from Google Facebook and others for Userfrosting.
To get access to some data you have to redirect the user to YourDomain.com/authorize/{{AppID}}/token/{{scope}} while AppID
is a unique identifier to your app (you can have as many as you want) that will be generated when you register your app.
And {{scope}} is a list of permissions for your app separated by + or space.
You can also replace token with code to obtain an access code instead of a token, more on this here,
but I would recommend using the token for people that just want to connect their unity3d game to their own server.
And also for other people that are just getting started.
Installation
- Edit UserFrosting
app/sprinkles.jsonfile and add the following to therequirelist :"ekwav/uf_oauth2_server": "dev-master". AddOAuth2Serverto thebaselist. Yoursprinkles.jsonshould look like this:
{
"require": {
"ekwav/uf_oauth2_server": "dev-master"
},
"base": [
"core",
"account",
"admin",
"OAuth2Server"
]
}
- Run
composer updateto download the sprinkle. - Then you have to create a public and private key, we need them in order to encrypt the tokens.
Navigate toapp/sprinkles/Api/src/OAuth2open the terminal and runopenssl genrsa -out private.key 1024you can also replace 1024 with 2048 to generate a stronger key Then you have to extract the public key from the private key withopenssl rsa -in private.key -pubout -out public.key. You can also generate the keys somewhere else, if you do so, change thepublicKeyandprivatKeypath in your config (Look intoconfig/default.phpto see the exact shema). More information on the keys here. - Generate a
EncryptionKeyand change the one in the default config, you can usephp -r 'echo base64_encode(random_bytes(32)), PHP_EOL;'in your commandline to do that.
You can use this template for your config. Please check, that you have set this as a root element:
'oauthserver' => [
'EncryptionKey' => 'YOURKEY'
]
- Open the terminal in your root Userfrosting directory and run
php bakery bakewait untill it finishes and closes the terminal.
You can now createClientsaka Applications. - Open
YourDomain/appsand continue there.
It looks like this
Important things to know
My sprinkle may contain bugs and errors of any type, if you find one, please report it in the issues tab.
If you need help, you can find me in the userfrosting chat.
-You have to add every API-endpoint to the csrf blacklist in your config.-
Currently (1.7.2017) this didn't work for me, for that I recommend you to create
your routes after the schema remoteapi/CUSTOMNAME to cover them automatically.
'csrf' => [
// A list of URL paths to ignore CSRF checks on
'blacklist' => [
"^remoteapi/userinfo",
"^remoteapi/anotherEndpoint"
]
Usage
Protect your API endpoints by adding ->add(new ResourceServerMiddleware($this->ci->ResourceServer)); to the routes you want to protect. Remember adding it to the csrfBlacklist.
Now that route is protected and can only be accessed by using POST and an Authorization header with the value access token.
How to get an access_token
Getting an access token is as easy as redirecting the user from your application, mobile app or other server to your Userfrosting installation. The URL has to follows the schema https://YOURDOMAIN.COM/authorize/APPID/code/SCOPES
you can find your APPID on the page /apps
SCOPES is an array of permissions you want to get separated by space or + (URL encoded space).
The user can then review the requested permissions and authorize, edit or deny it.
If the user authorizes the request he will be redirected to the URL specified on app creation with an authorization code as a parameter. You then have to grab it from the URL and send it along with your app secret that you can also find on the /apps page, to your Userfrosting installation, but this time as a POST and to the url https://YOURDOMAIN/oauth2/access_token, with the following Parameters:
grant_type = authorization_code
client_id = your application id (from the /apps page)
client_secret= your application secret
code= the athorization_code you received in the first request.
this will return a JSON response with the access_token and an refresh_token you have to save both to the device/server storage.
Making requests
Now you have the token on your user's device, you are able to send requests.
POST it as a header with the key Authorization to the route you have protected and everything should work fine.
But what is the refresh_token you ask? After 6 hours (you can change that in the config) the access_token gets invalid, this has the purpose that if the token is stolen by a third party, it will become useless. Anyways, you have to get a new access_token how do you do that?
Refreshing access
To get a new access_token you have to send a POST request to /oauth2/access_token with the Body parameters:
grant_type=refresh_token
client_id= your application id (from the /apps page)
client_secret= your application secret
refresh_token= the refresh token you received in the second request.
This will return a new access_token and a new refresh_token the old tokens should now be replaced by the new ones.
Serverside
But how do you know, what user is requesting data from you at the server side in your Userfrosting Controller? It turns out, that the access token is an encrypted JSON array aka JSON Web Token that contains all important information about the token. It stores:
- The user_id
- The app/client_id
- The scopes
- The expiration time.
- The access token ID. (Can be used for disabling it from the server side or tracking purposes)
For an example on how to use these look at the
getUserInfo()function in the ApiAuthController
Don't remove the Powered by Coflnet from the authorization page, it has to stay visible. You can modify everything else under MIT to fit your needs.
ekwav/uf_oauth2_server 适用场景与选型建议
ekwav/uf_oauth2_server 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 56 次下载、GitHub Stars 达 5, 最近一次更新时间为 2017 年 07 月 01 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「oauth2」 「server」 「userfrosting」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 ekwav/uf_oauth2_server 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 ekwav/uf_oauth2_server 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 ekwav/uf_oauth2_server 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.
A secure, modern user management system for PHP.
Form generator for UserFrosting V5
Email Toolkit Plugin for CakePHP
Breadcrumb service provider for UserFrosting V4
A jQuery augmented PHP library for creating and validating HTML forms
统计信息
- 总下载量: 56
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 5
- 点击次数: 4
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: Unknown
- 更新时间: 2017-07-01