Download the PHP package alex-kalanis/oauth2 without Composer
On this page you can find all versions of the php package alex-kalanis/oauth2. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Information about the package oauth2
OAuth2 Provider
This is a repository for adding OAuth into Nette. It is a fork of the older Drahak repository, refactored to run on PHP 8.1+.
The main differences are in the directory structure, namespaces, tests, static analysis and dependency checking.
This package also supports multiple storages. With a few simple steps (implementing your own version and extending the configuration) you can add another storage. Currently available are Nette DB and Dibi.
Requirements
kalanis/OAuth2 requires PHP version 8.1.0 or higher. The only production dependency is the Nette framework 3.2.x.
On PHP 8.1 you will probably need to add a SensitiveParameter attribute class to your bootstrap, because that attribute is only built into PHP 8.2 and later. An example is in Tests.
Installation & setup
The easiest way is to use Composer.
Then add the following code to your app bootstrap file before creating the container:
Neon configuration
- accessTokenLifetime - access token lifetime in seconds
- refreshTokenLifetime - refresh token lifetime in seconds
- authorizationCodeLifetime - authorization code lifetime in seconds
- storage - switches between the default NDB storage and the dibi storage. You can also use your own storage for each storage part.
OAuth2
Abstract protocol flow
OAuth Roles
Client - the third-party application
This application wants to get the user's data from the Resource server, so it needs to obtain an access token.
Resource server - API
This holds the data the client wants. The API server checks the access token before it releases the user's information.
Resource owner
Grants access to some portion of their account.
See also OAuth 2 Simplified and the original specification.
OAuth presenter
A presenter (IOAuthPresenter) that grants access. In its base it has two main methods, issueAccessToken and issueAuthorizationCode. A simple OAuth (Resource owner) presenter could look like this:
The method issueAccessToken determines the correct grant type from the grant_type parameter.
In case of error it throws an OAuthException, which can be handled by the oauthError method in the default implementation.
The action authorize is more complex. It is used for generating an authorization code (see below, Authorization code), but for the Implicit grant type it is necessary to generate the access token here as well. If the user is not logged in, redirect the user to a login page and then restore the authorization request using a backlink.
Grant types
Grant types are determined by the grant_type parameter. The base grant types defined in the OAuth2 specification are supported: Authorization Code, Implicit, Password, Client Credentials and Refresh token.
Authorization code
This grant type is great for third-party applications which can keep the client secret confidential.
To generate an access token, you need to get an authorization code first. You can obtain it from IOAuthPresenter by calling issueAuthorizationCode.
Request for authorization code:
- [REQUIRED] response_type - you want to generate an authorization code, so the value is code
- [REQUIRED] client_id - client ID (e.g. application) that requests the access token
- [REQUIRED] redirect_uri - URL to redirect to in case of success or error
- [OPTIONAL] scope - specify the scope of the access request
Authorization code response:
In any case (error or success) the Resource owner redirects back to the client using redirect_uri, with the authorization code as a query parameter:
Or
Once you have the authorization code you can make the access token request (data provided as application/x-www-form-urlencoded).
Request for access token:
- [REQUIRED] grant_type - this parameter tells the server to use the Authorization code grant
- [REQUIRED] code - the authorization code you received from the Resource owner
- [REQUIRED] client_id - client ID (e.g. application) that requests the access token
- [REQUIRED] client_secret - secret key of the client (e.g. application) that requests the access token
Access token response
In case of error, the server provides a JSON response:
Implicit
This grant is used for browser-based (web) or mobile applications, where you cannot keep the client secret confidential, so the secret cannot be used to obtain an access token.
Request for access token:
- [REQUIRED] response_type - since you request the access token directly from the Resource owner, you must state that you want an access token (not an authorization code)
- [REQUIRED] client_id - client ID (e.g. application) that requests for access token
- [REQUIRED] redirect_uri - URL where to redirect in case of success or error
- [OPTIONAL] scope - specify the scope of access request
Access token response
On success, redirect to redirect_uri:
In case of error, redirect to:
Password
This grant is used for trusted (usually first-party) applications, where you completely trust the client, because the access token is generated from the real user's credentials (username, password).
Request for access token:
- [REQUIRED] grant_type - the Password grant type uses the identifier (not unexpectedly) password
- [REQUIRED] client_id - client ID (e.g. application) that requests for access token
- [REQUIRED] username - real user's username
- [OPTIONAL] password - real user's password
Access token response
In case of error:
Client credentials
If an application needs an access token for its own account, outside the context of any specific user, this is probably the best choice.
Request for access token:
- [REQUIRED] grant_type - the Password grant type uses the identifier (not unexpectedly) password
- [REQUIRED] client_id - client ID (e.g. application) that requests for access token
- [REQUIRED] client_secret - secret key of the client (e.g. application) that requests the access token
Access token response
In case of error:
Refresh token
This grant is used to re-issue an access token without repeating the authentication process. A refresh token is provided with almost every grant type (excluding Implicit).
Request for refresh token:
- [REQUIRED] grant_type - Refresh token identifier
- [REQUIRED] refresh_token - the refresh token itself, which you received with almost any access token response
- [REQUIRED] client_id - client ID (e.g. application) that requests for access token
Access token response
In case of error:
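As an added example (not code from the alex-kalanis/oauth2 package), the following framework-free PHP models the token endpoint described in the OAuth presenter and grant type sections: it picks the grant from grant_type, checks the parameters the tables above mark [REQUIRED], and turns a failure into an RFC 6749 style error object. The class and function names are assumptions, and the grant identifiers other than password are the RFC 6749 values rather than anything taken from this page.

```php
<?php
// Added example, not the package's own code: a model of the token endpoint
// described above. It picks the grant from grant_type, checks the parameters the
// README tables mark [REQUIRED] and raises an RFC 6749 style error on failure.
final class TokenRequestException extends RuntimeException
{
    public function __construct(public readonly string $error, string $description)
    {
        parent::__construct($description);
    }

    /** Error body in the shape RFC 6749 section 5.2 prescribes. */
    public function toJson(): string
    {
        return json_encode(['error' => $this->error, 'error_description' => $this->getMessage()],
            JSON_THROW_ON_ERROR);
    }
}

// Required parameters per grant identifier (RFC 6749 values). The README lists
// password as OPTIONAL for the password grant; RFC 6749 section 4.3.2 requires
// it, so it is enforced here. Implicit is absent on purpose: it has no token
// request, its token is issued by the authorize action and sent via redirect_uri.
const REQUIRED_PARAMS = [
    'authorization_code' => ['code', 'client_id', 'client_secret'],
    'password'           => ['client_id', 'username', 'password'],
    'client_credentials' => ['client_id', 'client_secret'],
    'refresh_token'      => ['refresh_token', 'client_id'],
];

/** Validate a parsed x-www-form-urlencoded body; returns the grant or throws. */
function validateTokenRequest(array $params): string
{
    $grant = $params['grant_type'] ?? null;
    if (!is_string($grant) || !isset(REQUIRED_PARAMS[$grant])) {
        throw new TokenRequestException('unsupported_grant_type', 'unknown or missing grant_type');
    }
    foreach (REQUIRED_PARAMS[$grant] as $name) {
        if (!isset($params[$name]) || $params[$name] === '') {
            throw new TokenRequestException('invalid_request', "missing parameter: $name");
        }
    }
    return $grant;
}
// Constructed client_credentials request that omits its client_secret.
try {
    validateTokenRequest(['grant_type' => 'client_credentials', 'client_id' => 'demo-app']);
} catch (TokenRequestException $e) {
    echo $e->toJson(), PHP_EOL;
}
```

In a real presenter the catch block is where the oauthError handler would send this JSON back with an HTTP 400 status instead of echoing it.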
Subnotes:
I run this locally on my own Docker instances, which are based on phpdocker.io. So you do not see the whole project. I also have my private tasks for it which aren't part of the repository.
All versions of oauth2 with dependencies (package: version constraint)
- ext-pdo: *
- ext-openssl: *
- nette/application: ^3.2
- nette/bootstrap: ^3.2
- nette/database: ^3.2
- nette/di: ^3.2
- nette/http: ^3.3
- nette/security: ^3.2