piv915/oauth2-client
Composer 安装命令:
composer require piv915/oauth2-client
包简介
OAuth 2.0 Client Library 5.4 backport
README 文档
README
This package makes it simple to integrate your application with OAuth 2.0 service providers.
We are all used to seeing those "Connect with Facebook/Google/etc." buttons around the internet, and social network integration is an important feature of most web applications these days. Many of these sites use an authentication and authorization standard called OAuth 2.0 (RFC 6749).
This OAuth 2.0 client library will work with any OAuth provider that conforms to the OAuth 2.0 standard. Out-of-the-box, we provide a GenericProvider that may be used to connect to any service provider that uses Bearer tokens (see example below).
Many service providers provide additional functionality above and beyond the OAuth 2.0 standard. For this reason, this library may be easily extended and wrapped to support this additional behavior. We provide links to all known provider clients extending this library (i.e. Facebook, GitHub, Google, Instagram, LinkedIn, etc.). If your provider isn't in the list, feel free to add it.
This package is compliant with PSR-1, PSR-2, PSR-4, and PSR-7. If you notice compliance oversights, please send a patch via pull request. If you're interesting in contributing to this library, please take a look at our contributing guidelines.
Requirements
The following versions of PHP are supported.
- PHP 5.5
- PHP 5.6
- PHP 7.0
- HHVM
Providers
A list of official PHP League providers, as well as third-party providers, may be found in the providers list README.
To build your own provider, please refer to the provider guide README.
Usage
In most cases, you'll want to use a specific provider client library rather than this base library.
Take a look at README.PROVIDERS.md to see a list of provider client libraries.
If using Composer to require a specific provider client library, you do not need to also require this library. Composer will handle the dependencies for you.
Authorization Code Grant
The following example uses the out-of-the-box GenericProvider provided by this library. If you're looking for a specific provider (i.e. Facebook, Google, GitHub, etc.), take a look at our list of provider client libraries. HINT: You're probably looking for a specific provider.
The authorization code grant type is the most common grant type used when authenticating users with a third-party service. This grant type utilizes a client (this library), a server (the service provider), and a resource owner (the user with credentials to a protected—or owned—resource) to request access to resources owned by the user. This is often referred to as 3-legged OAuth, since there are three parties involved.
The following example illustrates this using Brent Shaffer's demo OAuth 2.0 application named Lock'd In. When running this code, you will be redirected to Lock'd In, where you'll be prompted to authorize the client to make requests to a resource on your behalf.
Now, you don't really have an account on Lock'd In, but for the sake of this example, imagine that you are already logged in on Lock'd In when you are redirected there.
$provider = new \League\OAuth2\Client\Provider\GenericProvider([ 'clientId' => 'demoapp', // The client ID assigned to you by the provider 'clientSecret' => 'demopass', // The client password assigned to you by the provider 'redirectUri' => 'http://example.com/your-redirect-url/', 'urlAuthorize' => 'http://brentertainment.com/oauth2/lockdin/authorize', 'urlAccessToken' => 'http://brentertainment.com/oauth2/lockdin/token', 'urlResourceOwnerDetails' => 'http://brentertainment.com/oauth2/lockdin/resource' ]); // If we don't have an authorization code then get one if (!isset($_GET['code'])) { // Fetch the authorization URL from the provider; this returns the // urlAuthorize option and generates and applies any necessary parameters // (e.g. state). $authorizationUrl = $provider->getAuthorizationUrl(); // Get the state generated for you and store it to the session. $_SESSION['oauth2state'] = $provider->getState(); // Redirect the user to the authorization URL. header('Location: ' . $authorizationUrl); exit; // Check given state against previously stored one to mitigate CSRF attack } elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) { unset($_SESSION['oauth2state']); exit('Invalid state'); } else { try { // Try to get an access token using the authorization code grant. $accessToken = $provider->getAccessToken('authorization_code', [ 'code' => $_GET['code'] ]); // We have an access token, which we may use in authenticated // requests against the service provider's API. echo $accessToken->getToken() . "\n"; echo $accessToken->getRefreshToken() . "\n"; echo $accessToken->getExpires() . "\n"; echo ($accessToken->hasExpired() ? 'expired' : 'not expired') . "\n"; // Using the access token, we may look up details about the // resource owner. $resourceOwner = $provider->getResourceOwner($accessToken); var_export($resourceOwner->toArray()); // The provider provides a way to get an authenticated API request for // the service, using the access token; it returns an object conforming // to Psr\Http\Message\RequestInterface. $request = $provider->getAuthenticatedRequest( 'GET', 'http://brentertainment.com/oauth2/lockdin/resource', $accessToken ); } catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e) { // Failed to get the access token or user details. exit($e->getMessage()); } }
Refreshing a Token
Once your application is authorized, you can refresh an expired token using a refresh token rather than going through the entire process of obtaining a brand new token. To do so, simply reuse this refresh token from your data store to request a refresh.
This example uses Brent Shaffer's demo OAuth 2.0 application named Lock'd In. See authorization code example above, for more details.
$provider = new \League\OAuth2\Client\Provider\GenericProvider([ 'clientId' => 'demoapp', // The client ID assigned to you by the provider 'clientSecret' => 'demopass', // The client password assigned to you by the provider 'redirectUri' => 'http://example.com/your-redirect-url/', 'urlAuthorize' => 'http://brentertainment.com/oauth2/lockdin/authorize', 'urlAccessToken' => 'http://brentertainment.com/oauth2/lockdin/token', 'urlResourceOwnerDetails' => 'http://brentertainment.com/oauth2/lockdin/resource' ]); $existingAccessToken = getAccessTokenFromYourDataStore(); if ($existingAccessToken->hasExpired()) { $newAccessToken = $provider->getAccessToken('refresh_token', [ 'refresh_token' => $existingAccessToken->getRefreshToken() ]); // Purge old access token and store new access token to your data store. }
Resource Owner Password Credentials Grant
Some service providers allow you to skip the authorization code step to exchange a user's credentials (username and password) for an access token. This is referred to as the "resource owner password credentials" grant type.
According to section 1.3.3 of the OAuth 2.0 standard (emphasis added):
The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).
We do not advise using this grant type if the service provider supports the authorization code grant type (see above), as this reinforces the password anti-pattern by allowing users to think it's okay to trust third-party applications with their usernames and passwords.
That said, there are use-cases where the resource owner password credentials grant is acceptable and useful. Here's an example using it with Brent Shaffer's demo OAuth 2.0 application named Lock'd In. See authorization code example above, for more details about the Lock'd In demo application.
$provider = new \League\OAuth2\Client\Provider\GenericProvider([ 'clientId' => 'demoapp', // The client ID assigned to you by the provider 'clientSecret' => 'demopass', // The client password assigned to you by the provider 'redirectUri' => 'http://example.com/your-redirect-url/', 'urlAuthorize' => 'http://brentertainment.com/oauth2/lockdin/authorize', 'urlAccessToken' => 'http://brentertainment.com/oauth2/lockdin/token', 'urlResourceOwnerDetails' => 'http://brentertainment.com/oauth2/lockdin/resource' ]); try { // Try to get an access token using the resource owner password credentials grant. $accessToken = $provider->getAccessToken('password', [ 'username' => 'demouser', 'password' => 'testpass' ]); } catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e) { // Failed to get the access token exit($e->getMessage()); }
Client Credentials Grant
When your application is acting on its own behalf to access resources it controls/owns in a service provider, it may use the client credentials grant type. This is best used when the credentials for your application are stored privately and never exposed (e.g. through the web browser, etc.) to end-users. This grant type functions similarly to the resource owner password credentials grant type, but it does not request a user's username or password. It uses only the client ID and secret issued to your client by the service provider.
Unlike earlier examples, the following does not work against a functioning demo service provider. It is provided for the sake of example only.
// Note: the GenericProvider requires the `urlAuthorize` option, even though // it's not used in the OAuth 2.0 client credentials grant type. $provider = new \League\OAuth2\Client\Provider\GenericProvider([ 'clientId' => 'XXXXXX', // The client ID assigned to you by the provider 'clientSecret' => 'XXXXXX', // The client password assigned to you by the provider 'redirectUri' => 'http://my.example.com/your-redirect-url/', 'urlAuthorize' => 'http://service.example.com/authorize', 'urlAccessToken' => 'http://service.example.com/token', 'urlResourceOwnerDetails' => 'http://service.example.com/resource' ]); try { // Try to get an access token using the client credentials grant. $accessToken = $provider->getAccessToken('client_credentials'); } catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e) { // Failed to get the access token exit($e->getMessage()); }
Install
Via Composer
$ composer require league/oauth2-client
Contributing
Please see CONTRIBUTING for details.
License
The MIT License (MIT). Please see License File for more information.
piv915/oauth2-client 适用场景与选型建议
piv915/oauth2-client 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 20 次下载、GitHub Stars 达 0, 最近一次更新时间为 2015 年 08 月 29 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「authorization」 「Authentication」 「oauth」 「oauth2」 「SSO」 「identity」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 piv915/oauth2-client 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 piv915/oauth2-client 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 piv915/oauth2-client 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
WeChat OAuth SDK
Automatically logs-in users if they are already authenticated by a remote source. (e.g. environment variable REMOTE_USER)
GraphQL authentication for your headless Craft CMS applications.
Ory-Hydra OAuth 2.0 Client Provider for The PHP League OAuth2-Client
Library for ORCID web services
A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.
统计信息
- 总下载量: 20
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 18
- 依赖项目数: 1
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2015-08-29