定制 google/auth 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

google/auth

Composer 安装命令:

composer require google/auth

包简介

Google Auth Library for PHP

README 文档

README

Reference Docs

Description

This is Google's officially supported PHP client library for using OAuth 2.0 authorization and authentication with Google APIs.

Installing via Composer

The recommended way to install the google auth library is through Composer.

# Install Composer
curl -sS https://getcomposer.org/installer | php

Next, run the Composer command to install the latest stable version:

composer.phar require google/auth

Application Default Credentials

This library provides an implementation of Application Default Credentials (ADC) for PHP.

Application Default Credentials provides a simple way to get authorization credentials for use in calling Google APIs, and is the recommended approach to authorize calls to Cloud APIs.

Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to Validate credential configurations from external sources.

Set up ADC

To use ADC, you must set it up by providing credentials. How you set up ADC depends on the environment where your code is running, and whether you are running code in a test or production environment.

For more information, see Set up Application Default Credentials.

Enable the API you want to use

Before making your API call, you must be sure the API you're calling has been enabled. Go to APIs & Auth > APIs in the Google Developers Console and enable the APIs you'd like to call. For the example below, you must enable the Drive API.

Call the APIs

As long as you update the environment variable below to point to your JSON credentials file, the following code should output a list of your Drive files.

use Google\Auth\ApplicationDefaultCredentials;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

// define the scopes for your API call
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];

// create middleware
$middleware = ApplicationDefaultCredentials::getMiddleware($scopes);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
  'handler' => $stack,
  'base_uri' => 'https://www.googleapis.com',
  'auth' => 'google_auth'  // authorize all requests
]);

// make the request
$response = $client->get('drive/v2/files');

// show the result!
print_r((string) $response->getBody());
Guzzle 5 Compatibility

If you are using Guzzle 5, replace the create middleware and create the HTTP Client steps with the following:

// create the HTTP client
$client = new Client([
  'base_url' => 'https://www.googleapis.com',
  'auth' => 'google_auth'  // authorize all requests
]);

// create subscriber
$subscriber = ApplicationDefaultCredentials::getSubscriber($scopes);
$client->getEmitter()->attach($subscriber);

Call using an ID Token

If your application is running behind Cloud Run, or using Cloud Identity-Aware Proxy (IAP), you will need to fetch an ID token to access your application. For this, use the static method getIdTokenMiddleware on ApplicationDefaultCredentials.

use Google\Auth\ApplicationDefaultCredentials;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

// Provide the ID token audience. This can be a Client ID associated with an IAP application,
// Or the URL associated with a CloudRun App
//    $targetAudience = 'IAP_CLIENT_ID.apps.googleusercontent.com';
//    $targetAudience = 'https://service-1234-uc.a.run.app';
$targetAudience = 'YOUR_ID_TOKEN_AUDIENCE';

// create middleware
$middleware = ApplicationDefaultCredentials::getIdTokenMiddleware($targetAudience);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
  'handler' => $stack,
  'auth' => 'google_auth',
  // Cloud Run, IAP, or custom resource URL
  'base_uri' => 'https://YOUR_PROTECTED_RESOURCE',
]);

// make the request
$response = $client->get('/');

// show the result!
print_r((string) $response->getBody());

For invoking Cloud Run services, your service account will need the Cloud Run Invoker IAM permission.

For invoking Cloud Identity-Aware Proxy, you will need to pass the Client ID used when you set up your protected resource as the target audience. See how to secure your IAP app with signed headers.

Call using a specific JSON key

If you want to use a specific JSON key instead of using GOOGLE_APPLICATION_CREDENTIALS environment variable, you can do this:

use Google\Auth\CredentialsLoader;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// Define the Google Application Credentials array
$jsonKey = ['key' => 'value'];

// define the scopes for your API call
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];

// Load credentials from JSON containing service account credentials.
$creds = new ServiceAccountCredentials($scopes, $jsonKey),

// For other credentials types, create those classes explicitly using the
// "type" field in the JSON key, for example:
$creds = match ($jsonKey['type']) {
    'service_account' => new ServiceAccountCredentials($scope, $jsonKey),
    'authorized_user' => new UserRefreshCredentials($scope, $jsonKey),
    default => throw new InvalidArgumentException('This application only supports service account and user account credentials'),
};

// optional caching
$creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache);

// create middleware
$middleware = new AuthTokenMiddleware($creds);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
  'handler' => $stack,
  'base_uri' => 'https://www.googleapis.com',
  'auth' => 'google_auth'  // authorize all requests
]);

// make the request
$response = $client->get('drive/v2/files');

// show the result!
print_r((string) $response->getBody());

Call using Proxy-Authorization Header

If your application is behind a proxy such as Google Cloud IAP, and your application occupies the Authorization request header, you can include the ID token in a Proxy-Authorization: Bearer header instead. If a valid ID token is found in a Proxy-Authorization header, IAP authorizes the request with it. After authorizing the request, IAP passes the Authorization header to your application without processing the content. For this, use the static method getProxyIdTokenMiddleware on ApplicationDefaultCredentials.

use Google\Auth\ApplicationDefaultCredentials;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

// Provide the ID token audience. This can be a Client ID associated with an IAP application
//    $targetAudience = 'IAP_CLIENT_ID.apps.googleusercontent.com';
$targetAudience = 'YOUR_ID_TOKEN_AUDIENCE';

// create middleware
$middleware = ApplicationDefaultCredentials::getProxyIdTokenMiddleware($targetAudience);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
  'handler' => $stack,
  'auth' => ['username', 'pass'], // auth option handled by your application
  'proxy_auth' => 'google_auth',
]);

// make the request
$response = $client->get('/');

// show the result!
print_r((string) $response->getBody());

External credentials (Workload identity federation)

Using workload identity federation, your application can access Google Cloud resources from Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC).

Traditionally, applications running outside Google Cloud have used service account keys to access Google Cloud resources. Using identity federation, you can allow your workload to impersonate a service account. This lets you access Google Cloud resources directly, eliminating the maintenance and security burden associated with service account keys.

Follow the detailed instructions on how to Configure Workload Identity Federation.

Verifying JWTs

If you are using Google ID tokens to authenticate users, use the Google\Auth\AccessToken class to verify the ID token:

use Google\Auth\AccessToken;

$auth = new AccessToken();
$auth->verify($idToken);

If your app is running behind Google Identity-Aware Proxy (IAP), you can verify the ID token coming from the IAP server by pointing to the appropriate certificate URL for IAP. This is because IAP signs the ID tokens with a different key than the Google Identity service:

use Google\Auth\AccessToken;

$auth = new AccessToken();
$auth->verify($idToken, [
  'certsLocation' => AccessToken::IAP_CERT_URL
]);

Caching

Caching is enabled by passing a PSR-6 CacheItemPoolInterface instance to the constructor when instantiating the credentials.

We offer some caching classes out of the box under the Google\Auth\Cache namespace.

use Google\Auth\ApplicationDefaultCredentials;
use Google\Auth\Cache\MemoryCacheItemPool;

// Cache Instance
$memoryCache = new MemoryCacheItemPool;

// Get the credentials
// From here, the credentials will cache the access token
$middleware = ApplicationDefaultCredentials::getCredentials($scope, cache: $memoryCache);

FileSystemCacheItemPool Cache

The FileSystemCacheItemPool class is a PSR-6 compliant cache that stores its serialized objects on disk, caching data between processes and making it possible to use data between different requests.

use Google\Auth\Cache\FileSystemCacheItemPool;
use Google\Auth\ApplicationDefaultCredentials;

// Create a Cache pool instance
$cache = new FileSystemCacheItemPool(__DIR__ . '/cache');

// Pass your Cache to the Auth Library
$credentials = ApplicationDefaultCredentials::getCredentials($scope, cache: $cache);

// This token will be cached and be able to be used for the next request
$token = $credentials->fetchAuthToken();

Integrating with a third party cache

You can use a third party that follows the PSR-6 interface of your choice.

// run "composer require symfony/cache"
use Google\Auth\ApplicationDefaultCredentials;
use Symfony\Component\Cache\Adapter\FilesystemAdapter;

// Create the cache instance
$filesystemCache = new FilesystemAdapter();

// Create Get the credentials
$credentials = ApplicationDefaultCredentials::getCredentials($targetAudience, cache: $filesystemCache);

License

This library is licensed under Apache 2.0. Full license text is available in COPYING.

Contributing

See CONTRIBUTING.

Support

Please report bugs at the project on Github. Don't hesitate to ask questions about the client or APIs on StackOverflow.

google/auth 适用场景与选型建议

google/auth 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 292.18M 次下载、GitHub Stars 达 1.4k, 最近一次更新时间为 2015 年 04 月 24 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「Authentication」 「oauth2」 「google」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 google/auth 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 google/auth 我们能提供哪些服务?
定制开发 / 二次开发

基于 google/auth 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 292.18M
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 1441
  • 点击次数: 18
  • 依赖项目数: 159
  • 推荐数: 3

GitHub 信息

  • Stars: 1398
  • Watchers: 65
  • Forks: 196
  • 开发语言: PHP

其他信息

  • 授权协议: Apache-2.0
  • 更新时间: 2015-04-24