定制 kielabokkie/oauth-proxy 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

kielabokkie/oauth-proxy

Composer 安装命令:

composer create-project kielabokkie/oauth-proxy

包简介

OAuth Proxy for single-page apps

README 文档

README

OAuth proxy for single-page apps (SPA) built with Lumen.

Introduction

We all know that keeping secrets is hard when it comes to SPAs, especially when it comes to OAuth. The OAuth 2.0 spec dictates that you should never expose your client id or secret and your access token as well as the refresh token. If you have to use OAuth you'll require some sort of trade-off as you can't keep all of the above a secret. There are a lot of different techniques, all with their own pros and cons.

OAuth Proxy sits between your SPA and your API and provides two endpoints that forward OAuth requests to your API and automatically adds the required client id and client secret. On top of that it can also handle refreshing access tokens using the refresh_token grant. Because all of this happens server-side you keep most of your secrets to yourself. The only trade-off is that the client requires the access token. If you use short lived access tokens and always use SSL (which I hope you do!) then the risk is minimised.

Prerequisites

As this project is built with Lumen it requires a PHP version of 5.6.4 or higher. If you haven’t used Lumen or Laravel before I suggest you first have a look through the documentation.

At the moment it also depends on Redis as it makes it fast and easy to store key-value pairs with an expiration but I intend to add other providers as well.

Installation

You can install OAuth Proxy by running the composer create-project command in your terminal:

composer create-project --prefer-dist kielabokkie/oauth-proxy

Configuration

OAuth Proxy provides two endpoints. The first one, to acquire an access token using the password grant, is /oauth/token. The second endpoint, which lets you refresh access tokens, is /oauth/token/refresh. If you prefer to use different endpoints for the Proxy (maybe to match the style of your API) you can overwrite the endpoints in the .env file, more on that later.

Environment file

If you are familiar with Lumen (or Laravel) you’ll know that the .env file contains various configuration settings. Before you can try out the proxy there are a couple of parameters that you need to enter.

Below is an example .env file:

APP_ENV=local
APP_DEBUG=true
APP_KEY=tdXF17HfY1yWpPtIV4DGxrivKEpN4yDh

ROUTE_ACCESS_TOKEN='/oauth/token'
ROUTE_REFRESH_TOKEN='/oauth/token/refresh'

API_URL='http://api.myapp.dev'
API_ACCESS_TOKEN_ENDPOINT='/v1/oauth/token'
API_REFRESH_TOKEN_ENDPOINT='/v1/oauth/token'

OAUTH_CLIENT_ID=my-spa-client
OAUTH_CLIENT_SECRET=s3cr3tk3y
OAUTH_REFRESH_TOKEN_TTL=2592000 # 30 days

CORS_ALLOW_ORIGIN='*'
CORS_ALLOW_METHODS='OPTIONS, GET, POST, PUT, PATCH, DELETE'
CORS_ALLOW_HEADERS='Authorization, Content-Type'

REDIS_URI='tcp://127.0.0.1:6379'

The first three parameters are standard Lumen ones that you have to changed based on your environment (e.g. don’t set APP_DEBUG to true on production environments). The APP_KEY can be set automatically by running the php artisan key:generate command.

The ROUTE_ACCESS_TOKEN and ROUTE_REFRESH_TOKEN are used to customise the endpoints of the Proxy (as mentioned earlier).

The next set of parameters are all related to your actual API, the API_URL is the full URL of your API. API_ACCESS_TOKEN_ENDPOINT and API_REFRESH_TOKEN_ENDPOINT allow you to specify what endpoint on your API should be used for getting an access token and refreshing an access token.

Next we have the OAuth related parameters. Here you specify the client id and client secret and the TTL of your refresh tokens. For this last parameter you have to make sure it matches the TTL you have set for refresh tokens on your OAuth server. It’s important that these are the same as the TTL is used to automatically remove them from the datastore after they expire.

The next three parameters are all to handle CORS headers.

Lastly we have the optional REDIS_URI variable. If you don't add this variable to your .env file the application uses the following URI for the Redis connection tcp://127.0.0.1:6379. The REDIS_URI variable allows you to customise the URI in case you want to use a custom IP address or port.

Webserver setup

As this Proxy is separate from your API and front-end you will need to setup your webserver to serve this application. You can either setup a subdomain (e.g. proxy.myapp.com) or have your webserver switch to your proxy based on the uri of your endpoints.

Usage

So you have everything setup now and your Proxy is ready to be used!

Password grant

The /oauth/token endpoint requires a POST request with the username and password as parameters. Below is a example CURL command that sends the username and password as x-www-form-urlencoded data (as per the OAuth 2.0 spec):

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=wouter@myapp.com&password=password' "http://proxy.myapp.com/oauth/token"

If you prefer to send JSON encoded data you can also do that:

curl -X POST -H "Content-Type: application/json" -d '{"username": "wouter@myapp.com", "password": "password"}' "http://proxy.myapp.com/oauth/token"

Refresh token grant

The /oauth/token/refresh endpoint requires a GET request with the Authorization header containing the bearer token (e.g. the access token that expired). Below is an example of such request:

curl -X GET -H "Authorization: Bearer F9kqePKN424Ci3hRDqk5vzsGjP3qnXrnqGUxxiE9" "http://proxy.myapp.com/oauth/token/refresh"

That's it, happy Proxying!

kielabokkie/oauth-proxy 适用场景与选型建议

kielabokkie/oauth-proxy 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 18 次下载、GitHub Stars 达 5, 最近一次更新时间为 2016 年 11 月 20 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「oauth」 「proxy」 「laravel」 「lumen」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 kielabokkie/oauth-proxy 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 kielabokkie/oauth-proxy 我们能提供哪些服务?
定制开发 / 二次开发

基于 kielabokkie/oauth-proxy 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 18
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 5
  • 点击次数: 0
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 5
  • Watchers: 1
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2016-11-20