bshaffer / oauth2-server-php-docs Goto Github PK
View Code? Open in Web Editor NEWdocumentation for the oauth2-server-php library
documentation for the oauth2-server-php library
From bshaffer/oauth2-server-php#459:
Hello,
Great work on this, very educational and helpful. Many thanks.
Here:
http://bshaffer.github.io/oauth2-server-php-docs/cookbook/The server.php code should probably also include:
// Add the "password" grant type (this is where the oauth magic happens)
$server->addGrantType(new OAuth2\GrantType\UserCredentials($storage));This is also important for people trying the demo app later.
Add a link to the demo app from the user credentials docs page, and add a link to the other grant types from the walkthrough page.
Add a Symfony 1.4 article to the cookbook
from bshaffer/oauth2-server-php#231
I've just upgraded from an older version of this library to the latest on my server. Most everything seems to be working fine, however, I cannot seem to get the validateAuthorizeRequest function to return an array of client data as it did before.
public function displayAuth()
{
# validate the authorize request
$request = OAuth2\Request::createFromGlobals();
$response = new OAuth2\Response();
if (!$clientdata = $this->server->validateAuthorizeRequest($request, $response)) {
$response->send();
die;
}
# display an authorization form
if (empty($_POST)) {
return View::make("layouts.api")->nest("child", "api.auth", array("status" => "form", "client" => $clientdata));
}
}
I'm using a Laravel controller to route API functions - it's constructed in the following manner.
class OAuthController extends BaseController {
protected $server, $storage;
public function __construct()
{
# register the autoloader
require_once('/fake/path/to/oauth2-server/src/OAuth2/Autoloader.php');
OAuth2\Autoloader::register();
$storage = new OAuth2\Storage\Pdo([connection info array]);
# Pass a storage object or array of storage objects to the OAuth2 server class
$server = new OAuth2\Server($storage);
# set up scopes
$memory = new OAuth2\Storage\Memory(array(
'default_scope' => 'profile',
'supported_scopes' => array(
'profile',
'email',
'sensitive'
)
));
$server->setScopeUtil(new OAuth2\Scope($memory));
$this->server = $server;
$this->storage = $storage;
}
[other stuff here]
A quick var_dump() on the client variable returns bool(true). However, the documentation states that validateAuthorizeRequest returns false or an array of client data. Has this changed?
Hi,
first: I love your library, it's really easy to create an OAuth2 token controller and application!
I found a small problem: In the docs it says that I can give the config setting 'always_issue_new_refresh_token' to the OAuth\Server constructor, see here:
http://bshaffer.github.io/oauth2-server-php-docs/grant-types/refresh-token/
However, both of these configuration options can be sent in when the server is created using the server's configuration array:
$server = new OAuth2\Server($storage, array(
'always_issue_new_refresh_token' => true,
'refresh_token_lifetime' => 2419200,
));
For me this does not work, and as far as I can see it is not supported in the code. This setting has to be done in the RefreshToken-constructor.
Now there are 2 solutions: correct the docs, or implement this feature. I don't know which is better.
Michael
I remember seeing reference to a configuration option that would allow the access_token
to be passed in the header of the message rather than the default of appending to the URL as a GET variable. I can't, however, find that reference anywhere.
Hoping you can point me to how best to achieve this goal.
I guess I more leaving this here in case anyone else runs into this problem.
I can't lay my finger on exactly what is causing the problem I'm having, but here is what happens.
From the command line I have the whole thing working just fine, I re-implemented everything as a web call from PHP and the access tokens are expired as soon as I make a call for them.
I'm not sure if I missed part of the set up, or something else, but my solution was to
This removes all the unnecessary (from what I saw, but maybe I missed something) time stamp to time string conversions, and solves my problem.
Hope this helps anyone else that had this issue.
from bshaffer/oauth2-server-php#461:
Schema for jti_table and public_key_table implemented by PDO storage is missing.
hello, i have followed the cookbook by every step. http://bshaffer.github.io/oauth2-server-php-docs/cookbook/
During [Create a Token Controller] when i give it i try to test the files it returns an error which is as follows:
{
"error": "invalid_client",
"error_description": "Client credentials were not found in the headers or body"
}
I have used hurl.it to test the http Authorization
I have also attached the images of the request
Kindly guide me through this.
see bshaffer/oauth2-server-php#317:
The docs specify that you should base64_decode the signature before passing it to openssl_verify.
This will fail because the signature is not base64 encoded, it is "url safe base64 encoded", so the decode needs to be Jwt::urlSafeB64Decode, or its contents:$b64 = str_replace(array('-', '_'), array('+', '/'), $b64); return base64_decode($b64);
Hi,'
how do we configure, Authorize code life time for 1 month...
Some of classes in Doctrine Cookbook extends PluginOAuthClientTable, but definition of this class is missing.
The Walkthrough should include instructions on how to run this using a built-in PHP server (i.e. php -S localhost:9000)
From bshaffer/oauth2-server-php#463:
Good afternoon,
Just noticed that the DDL statements on the following page http://bshaffer.github.io/oauth2-server-php-docs/cookbook/ are not in sync with the OAuth2/Storage/Pdo.php function getBuildSql.
E.g. user table has more fields in Pdo.php than in the cookbook.
The /authorize implementation described in the step-by-step walkthrough allows for CSRF, where an attacker would be able to forge a request bypassing the authorization form.
It would be great if a note could be added so that future developers are aware of this. An example implementation would also be incredibly useful.
Hi, do I understand correctly that I cannot use authorisation code as grant type without using client credentials? What I was trying to do, is to send a user to a webpage from my standalone app ( plugin actually ), then redirect him back with authorisation code, then use this auth code to receive access_token + refresh_token, and use the latter two to access my API. But I noticed that I need to send client_id and client_secret which is inappropriate for an app because it can be hacked? One solution would be to use implicit authorisation, but then I can't use refresh tokens and have to set access_token lifetime to quite long period of time. On the other hand, I can create a unique client id for each user and pass client id + secret during the redirect. This way, each user has its own client and people can't hack my own admin client so to speak.
Which way do you think is better and why? Many thanks. Sorry if it's not an appropriate place to ask such a question.
I have managed to add scope on the jwt bearer grant type but it won't validate the scope like other grant types are doing by default.
$jwt = generateJWT($private_key, $client_id, $user_id, $scope, $audience, $expires, $nbf);
{
access_token: "30dd4b59463766d4704a3d2242f6e8b40145b79c",
expires_in: 3600,
token_type: "Bearer",
scope: "unknown_scope"
}
unknow_scope is not supported and other grant type validate that except for jwt bearer
Hei,
First of all my compliments on this great library (I'm running the v1.3 branch locally).
I am wondering if there are more (documented) details about user identification?
I'm implementing the flow described in http://openid.net/specs/openid-connect-basic-1_0.html for a (local) fictive client (RP).
After having reached step 2.1.6, I am making an access token request to the token end point, with the parameters:
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
(see http://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest)
I'm expecting the result shown here:
http://openid.net/specs/openid-connect-basic-1_0.html#TokenOK
But I'm getting a json response with the claims:
access_token, expires_in, token_type, scope, refresh_token (question on the side: "scope" is not defined in http://openid.net/specs/openid-connect-basic-1_0.html#TokenOK - is this correct?)
The claim id_token is missing.
Am I doing something wrong? Do I have to implement this myself, and if so, where?
Also: the UserInfo endpoint is missing. Again, do I have to implement this myself?
It would be great with a little bit more details on this (documentation?).
Thanks for a response.
Keep up the good work :)
Any chances to have a doc on how to use OpenID
?
In the last commit, you removed the Gemfile, on purpose? Once the Gemfile is put back into place and after the bundle install/update, I'm getting:
LoadError: cannot load such file -- yajl/json_gem
Now I don't know much about Ruby, but I want to contribute to the docs, so know a quick and dirty fix?
in database expire time is inserted 4 hours back. if time is 16:20:43 then there time inserted 12:03:47. please explain me how its work?
I have a iOS native app that I am trying to implement the full cycle of user's authorisation. That is:
The User Credentials documentation doesn't show what code is setup in what file.
I would like to know if it is possible to add additional data to JWT Access Token Payload? For example we would like to include a user's role type in the JWT Access Token Payload. Thanks in advance!
There is an open issue with the library requesting table definitions for a grant type. #170
Would it be a good idea to add a sample table to the grant types page. The issue with this is it obviously depends on the storage adapter you are using, so maybe even a new page all together covering the storage adapters and hoe to use them with the different grants?
Is there any built in function that we can execute in a CRON job to clean up the databases so we can get rid of old tokens etc and any data that is no longer relevant?
Document the "use_crypto_tokens" option, which makes adding crypto tokens much easier
I'm building an angular webapp, which will communicate with an API and oAuth2 authentication service. The webapps source code is viewable, so I don't want to store the client_secret in the code, this site:
http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#password
suggests I should be able to send a request (in theory) using the granttype "password", but without the client secret, therefore protecting it from sniffing. However the library insists the client_secret is required.
If the above article is wrong what methods do you recommend for authenticating a pure JS app against the api, without using a server?
Thanks in advance!
Ben
P.S. The documentation has come on leaps and bounds recently :) thanks!
show how UserCredentials
and AuthorizationCode
grant types can be used without client_secret
for Public Clients
Hello,
Using the table scheme outlined: https://github.com/bshaffer/oauth2-server-php-docs/blob/master/content/cookbook/index.md#mysql--sqlite--postgresql--ms-sql-server causes an error.
It would appear supported_scopes
and default_scope
is missing from oauth_clients
. I stumbled across this following the step-by-step walkthrough exactly.
Are there any more fields missing that you know of?
W
The grant types section should:
http://localhost/authorize.php?response_type=code&client_id=testclient&state=xyz
must include &redirect_uri=
plus a URL.
If not, and you set redirect_uri
in oauth_clients
, you get this fatal error:
Uncaught exception 'PDOException' with message 'SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'redirect_uri' cannot be null'
.
See also bshaffer/oauth2-server-php#163.
Hello,
I'm trying to implement oauth2-server (with the client credentials flow) with Slim framework.
Would it be possible to add a working example to the cookbook ? I don't know where to begin...
Hi there,
I think the token can not be sent as JSON.
Is that right?
Greetings
Tim
Xauth: https://dev.twitter.com/oauth/xauth
Is user credentials grant type related to xauth?
I am using the User Credentials (aka, grant_type of password
) to gain an access token. It does effectively validate both that the user's username and password are correct as well as validate that the client_id. If the user validations fail than an error message such as the following is returned:
Status Code: 400
{"error":"invalid_grant","error_description":"Invalid username and password combination"}
if the client_id is invalid I get something along the lines of:
Status Code: 404
{"error" : "invalid_client","error_description::"client_id does not exist"}
I may tweak and change the error messages a bit but that part is working. The part that I think is behaving incorrectly is the success scenario. In the "step-by-step" guide it is indicated that the response should look something like:
{"access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35","expires_in":3600,"token_type":"bearer","scope":null}
Instead I just get a HTTP status code of 304 - Not Modified
and nothing in the body of the message (as is standard for a 304).
My code is as follows:
$request = OAuth2_Request::createFromGlobals();
$request->request['grant_type']='password';
$response = new OAuth2_Response();
$server = new OAuth2_Server(static::$storage);
$server->addGrantType(new OAuth2_GrantType_AuthorizationCode(static::$storage));
$server->addGrantType(new OAuth2_GrantType_ClientCredentials(static::$storage));
$server->addGrantType(new OAuth2_GrantType_UserCredentials(static::$storage));
$server->handleTokenRequest(static::$request,static::$response)->send();
die();
Also of note, my storage object's getAuthorizationCode() is never called. Finally, I am using the v0.9 from Composer which I believe is the latest.
see bshaffer/oauth2-server-php#460
We need to rename the claims in the docs to be consistent with the latest version of the library:
http://bshaffer.github.io/oauth2-server-php-docs/overview/jwt-access-tokens/
It would be nice to able to store the relationship between access_tokens and their refresh_tokens to make revoking tokens and clearing expired tokens cleaner.
However, adding the parameter to RefreshTokenInterface::setRefreshToken
would break bwc.
Add Laravel Cookbook Article
@julien-c has expressed interest in doing this
According to the JWT OAuth2 spec the scope attribute is a list of space separated values, instead of comma as mentioned in the docs .
Following http://bshaffer.github.io/oauth2-server-php-docs/cookbook/ the step at
Create_an_Authorize_Controller
fails, until you run
ALTER TABLE oauth_authorization_codes ADD COLUMN id_token VARCHAR(80);
[not sure about 80 as size]
Be sure to update the CREATE TABLE at the start of the cookbook.
Note that you must display errors in php.ini, to see the problem (or view log).
Add a Doctrine2 article to the cookbook
The link pointing to the Composer website has a typo in the target URL. It must be getcomposer.org instead of getcomposer.php.
See the Wordpress OAuth2 Plugin and add it to the cookbook, specifically the Wordpressdb Storage Adapter
Please add to the openID documentation, that you musst add a new grant type
$config['use_openid_connect'] = true;
$config['issuer'] = 'brentertainment.com';
$server = new OAuth2\Server($config);
$server->addGrantType(new OAuth2\OpenID\GrantType\AuthorizationCode($storage));
Hi I was able to successfully generate the JWT token and got the access token, following the code in https://bshaffer.github.io/oauth2-server-php-docs/overview/jwt-access-tokens/, openssl_verify keeps on returning 0 instead of 1, and I was not able to var_dump the jwt payload in the end.
Moving bshaffer/oauth2-server-php#81 to here
From @bojanz:
The implicit flow is less secure than the authorization code flow, neither the spec or any other resources attempt to hide that.
A potential problem revolves around mistakenly using OAuth2 not just for authorization, but for authentication as well.
An attack is described in http://homakov.blogspot.com/2012/08/oauth2-one-accesstoken-to-rule-them-all.html
and can be resolved by implementing an additional call to validate the access token after it has been received (send the token and a client id, get a status
and a list of scopes back).I think it would make sense to have a note in the README about this.
As the people providing the library (and Drupal integration in my case), we are responsible if people shoot themselves in the foot with it.
Another related resource: http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html>
In an attempt to get a simple test of the "Resource Owner Password" workflow working I ran into an Unsupported operand types
PHP error in the AuthorizeController.php (line 74):
$clientData += array('redirect_uri' => null); // this should be set. We should create ClientData interface
I haven't dug deeply into this as I'm not sure how deep the rabbit hole goes but I did put a debug line in right before to check what my "query" string is in the request and I get the following:
[query] => Array
(
[grant_type] => client_credentials
[redirect_uri] => http://fake.url.com
[username] => testclient
[password] => testpass
[client_id] => 1
)
This is what I was expecting it to send so I'm at a loss. I'm hoping that I'm doing something obviously wrong and someone can quickly point me to the fault. It might also be a bug? I don't know at this stage.
Document OpenID Connect integration
I am considering having applications allowed to use the "client credentials" workflow (aka, internal apps) have no expiry. In looking at the code it looks like the expiry timeframe is set at the "server" level (on construction) rather than on a workflow basis. Anyway, my questions are:
Ken
from @jgoux
Hello,
I want to implement the User credentials grant with your library (which is excellent :D)
I have an issue with the constraints set on the oauth_clients table.
In the doc, you give this query to create the oauth_clients table :CREATE TABLE oauth_clients (client_id VARCHAR(80) NOT NULL, client_secret VARCHAR(80) NOT NULL, redirect_uri VARCHAR(2000) NOT NULL, grant_types VARCHAR(80), scope VARCHAR(100), user_id VARCHAR(80), CONSTRAINT client_id_pk PRIMARY KEY (client_id));As my client is public, I don't need to associate a client_secret to it, and as I want to use the User credentials grant, I don't need to set a redirect_uri either.
So maybe client_secret and redirect_uri don't need the NOT NULL constraint by default.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.