Download the PHP package codewiser/oauth2-resource-server without Composer
Package: oauth2-resource-server
Short Description: OAuth 2.0 Resource Server
License: MIT
Information about the package oauth2-resource-server
Description
An OAuth server is an authorization server: it issues and validates tokens. It is the best solution for building a distributed API infrastructure.
Such an infrastructure may consist of many API servers, called resource servers. Every request those servers accept must contain authorization information: an access_token issued by the authorization server.
Every resource server is also an OAuth client. It has a client_id and a client_secret, and it may obtain its own access_token using the client credentials grant.
Alternatively, it may use a personal access_token issued by a user in the traditional way.
Once it holds an access_token, the server uses it to make requests to its neighbours (other resource servers in the same infrastructure) or to provide access to its local resources.
When a server receives a request carrying authorization information, it introspects (see rfc7662) the access_token taken from the request: the API server calls the OAuth server and receives from it information about the given access_token.
If the token is valid and has the appropriate scopes, the server handles the request. If it is not, the server replies with an error.
RFC
- Token Introspection: https://tools.ietf.org/html/rfc7662
- Bearer Token Usage: https://tools.ietf.org/html/rfc6750
The package is based on league/oauth2-client.
Prerequisite
Your OAuth server must implement rfc7662 (a token introspection endpoint). Take a look at ipunkt/laravel-oauth-introspection.
Installation
Publish the package config.
Setup
The environment requires all the standard OAuth client properties.
SCOPE holds the default scopes for requested access tokens.
The next settings are optional and have default values. You may provide full URLs or only paths.
Facades and Middlewares
ResourceServer
ResourceServer is a layer over the OAuth client that takes responsibility for keeping the Client Credentials Access Token and for protecting API resources.
This will return the cached (or newly issued) Client Access Token. Use it to call other API servers.
The token may be sent as an Authorization header (see rfc6750#section-2.1), as an access_token body parameter (see rfc6750#section-2.2), or as an access_token query parameter (see rfc6750#section-2.3).
When your server receives an API request with a Bearer token, it should introspect the token on the OAuth server.
The simplest way is to protect the routes with ResourceServerMiddleware. Define it in app/Http/Kernel.php in whatever way you like, and then protect your route.
Alternatively, you may protect a group of routes with the middleware and validate the scope in your controllers.
If the request does not validate, the thrown exception renders a proper error response (according to rfc6750).
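As an added example (not code from codewiser/oauth2-resource-server or league/oauth2-client), the plain PHP 8 sketch below shows what a resource-server middleware such as ResourceServerMiddleware has to do: pick the bearer token out of the three RFC 6750 locations, introspect it per RFC 7662, and answer with the RFC 6750 error codes when the token is invalid or lacks a scope. The call to the OAuth server is replaced by a constructed stub (`$stub`, with hypothetical token values) so it runs offline; the function and variable names are the example's own.

```php
<?php
function extractBearerToken(array $headers, array $body, array $query): ?string
{
    $found = [];
    // RFC 6750 2.1: Authorization header; b64token is base64url characters plus "="
    if (preg_match('#^Bearer\s+([A-Za-z0-9._~+/-]+=*)$#i', $headers['Authorization'] ?? '', $m)) {
        $found[] = $m[1];
    }
    // RFC 6750 2.2 (form body) and 2.3 (query string, which leaks into logs and Referer)
    foreach ([$body, $query] as $params) {
        if (isset($params['access_token'])) {
            $found[] = $params['access_token'];
        }
    }
    // RFC 6750 section 2: a client MUST NOT use more than one method per request,
    // so a request carrying the token twice is rejected rather than picked from
    return count($found) === 1 ? $found[0] : null;
}

// $introspect stands in for the POST to the OAuth server's introspection endpoint,
// authenticated with this resource server's own client_id/client_secret
// (RFC 7662 section 2.1). Returns [HTTP status, response headers].
function authorize(?string $token, array $requiredScopes, callable $introspect): array
{
    if ($token === null) {
        return [401, ['WWW-Authenticate' => 'Bearer realm="api"']];
    }
    $info = $introspect($token);
    // RFC 7662 2.2: "active" is the only required member; the other claims may
    // only be trusted when it is exactly true
    if (($info['active'] ?? false) !== true) {
        return [401, ['WWW-Authenticate' => 'Bearer error="invalid_token"']];
    }
    $granted = explode(' ', (string) ($info['scope'] ?? ''));
    if (array_diff($requiredScopes, $granted) !== []) {
        $scope = implode(' ', $requiredScopes);
        return [403, ['WWW-Authenticate' => "Bearer error=\"insufficient_scope\", scope=\"$scope\""]];
    }
    return [200, []];
}

// Constructed stub for the OAuth server's introspection response (hypothetical tokens)
$stub = fn (string $token): array => match ($token) {
    'tok-read'  => ['active' => true, 'scope' => 'read', 'client_id' => 'api-1'],
    'tok-admin' => ['active' => true, 'scope' => 'read write', 'client_id' => 'api-1'],
    default     => ['active' => false],
};

$token = extractBearerToken(['Authorization' => 'Bearer tok-read'], [], []);
[$status] = authorize($token, ['read', 'write'], $stub);   // 403, insufficient_scope
```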
OAuthClient
OAuthClient is a layer over the OAuth client that takes responsibility for authorizing users and keeping their Personal Access Token.
The authorization server will redirect the user back to CallbackController. You may use the built-in one or define a new one.
So, once we have a Personal Access Token, we should provide the requested information to the user.
The simplest way is to protect the routes with PersonalAccessMiddleware. Define it in app/Http/Kernel.php in whatever way you like, and then protect your route.
If the user has no Personal Access Token, he or she will be redirected to the Authorization Server.
Cache
All tokens are cached locally for a limited time.