承接 ekwav/uf_oauth2_server 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

ekwav/uf_oauth2_server

Composer 安装命令:

composer require ekwav/uf_oauth2_server

包简介

OAuth2 Api module for UserFrosting.

README 文档

README

Implementation of league/oauth2-server in userfrosting4

What does it do?

With this sprinkle, you can securely connect your app to userfrosting with the OAuth2 authorization flow. In short, this is the This App wants to get access to ... that you know from Google Facebook and others for Userfrosting. To get access to some data you have to redirect the user to YourDomain.com/authorize/{{AppID}}/token/{{scope}} while AppID is a unique identifier to your app (you can have as many as you want) that will be generated when you register your app. And {{scope}} is a list of permissions for your app separated by + or space. You can also replace token with code to obtain an access code instead of a token, more on this here, but I would recommend using the token for people that just want to connect their unity3d game to their own server. And also for other people that are just getting started.

Installation

  1. Edit UserFrosting app/sprinkles.json file and add the following to the require list : "ekwav/uf_oauth2_server": "dev-master". Add OAuth2Server to the base list. Your sprinkles.json should look like this:
{
    "require": {
        "ekwav/uf_oauth2_server": "dev-master"
    },
    "base": [
        "core",
        "account",
        "admin",
        "OAuth2Server"
    ]
}
  1. Run composer update to download the sprinkle.
  2. Then you have to create a public and private key, we need them in order to encrypt the tokens.
    Navigate to app/sprinkles/Api/src/OAuth2 open the terminal and run openssl genrsa -out private.key 1024 you can also replace 1024 with 2048 to generate a stronger key Then you have to extract the public key from the private key with openssl rsa -in private.key -pubout -out public.key. You can also generate the keys somewhere else, if you do so, change the publicKey and privatKey path in your config (Look into config/default.php to see the exact shema). More information on the keys here.
  3. Generate a EncryptionKey and change the one in the default config, you can use php -r 'echo base64_encode(random_bytes(32)), PHP_EOL;' in your commandline to do that.
    You can use this template for your config. Please check, that you have set this as a root element:
'oauthserver' => [
'EncryptionKey' => 'YOURKEY'
]  
  1. Open the terminal in your root Userfrosting directory and run php bakery bake wait untill it finishes and closes the terminal.
    You can now create Clients aka Applications.
  2. Open YourDomain/apps and continue there.

It looks like this

screenshot1 screenshot2 screenshot1

Important things to know

My sprinkle may contain bugs and errors of any type, if you find one, please report it in the issues tab.

If you need help, you can find me in the userfrosting chat.

-You have to add every API-endpoint to the csrf blacklist in your config.- Currently (1.7.2017) this didn't work for me, for that I recommend you to create your routes after the schema remoteapi/CUSTOMNAME to cover them automatically.

'csrf' => [
    // A list of URL paths to ignore CSRF checks on
    'blacklist' =>  [
      "^remoteapi/userinfo",
	    "^remoteapi/anotherEndpoint"
]

Usage

Protect your API endpoints by adding ->add(new ResourceServerMiddleware($this->ci->ResourceServer)); to the routes you want to protect. Remember adding it to the csrfBlacklist.
Now that route is protected and can only be accessed by using POST and an Authorization header with the value access token.

How to get an access_token

Getting an access token is as easy as redirecting the user from your application, mobile app or other server to your Userfrosting installation. The URL has to follows the schema https://YOURDOMAIN.COM/authorize/APPID/code/SCOPES
you can find your APPID on the page /apps
SCOPES is an array of permissions you want to get separated by space or + (URL encoded space).
The user can then review the requested permissions and authorize, edit or deny it.
If the user authorizes the request he will be redirected to the URL specified on app creation with an authorization code as a parameter. You then have to grab it from the URL and send it along with your app secret that you can also find on the /apps page, to your Userfrosting installation, but this time as a POST and to the url https://YOURDOMAIN/oauth2/access_token, with the following Parameters: grant_type = authorization_code
client_id = your application id (from the /apps page) client_secret= your application secret
code= the athorization_code you received in the first request. this will return a JSON response with the access_token and an refresh_token you have to save both to the device/server storage.

Making requests

Now you have the token on your user's device, you are able to send requests. POST it as a header with the key Authorization to the route you have protected and everything should work fine. But what is the refresh_token you ask? After 6 hours (you can change that in the config) the access_token gets invalid, this has the purpose that if the token is stolen by a third party, it will become useless. Anyways, you have to get a new access_token how do you do that?

Refreshing access

To get a new access_token you have to send a POST request to /oauth2/access_token with the Body parameters:
grant_type=refresh_token
client_id= your application id (from the /apps page)
client_secret= your application secret
refresh_token= the refresh token you received in the second request. This will return a new access_token and a new refresh_token the old tokens should now be replaced by the new ones.

Serverside

But how do you know, what user is requesting data from you at the server side in your Userfrosting Controller? It turns out, that the access token is an encrypted JSON array aka JSON Web Token that contains all important information about the token. It stores:

  1. The user_id
  2. The app/client_id
  3. The scopes
  4. The expiration time.
  5. The access token ID. (Can be used for disabling it from the server side or tracking purposes) For an example on how to use these look at the getUserInfo() function in the ApiAuthController

Don't remove the Powered by Coflnet from the authorization page, it has to stay visible. You can modify everything else under MIT to fit your needs.

ekwav/uf_oauth2_server 适用场景与选型建议

ekwav/uf_oauth2_server 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 56 次下载、GitHub Stars 达 5, 最近一次更新时间为 2017 年 07 月 01 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「oauth2」 「server」 「userfrosting」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 ekwav/uf_oauth2_server 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 ekwav/uf_oauth2_server 我们能提供哪些服务?
定制开发 / 二次开发

基于 ekwav/uf_oauth2_server 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 56
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 5
  • 点击次数: 4
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 5
  • Watchers: 1
  • Forks: 2
  • 开发语言: PHP

其他信息

  • 授权协议: Unknown
  • 更新时间: 2017-07-01