Download the PHP package tflori/oauth2 without Composer
On this page you can find all versions of the php package tflori/oauth2. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package oauth2
Short Description A small oauth2 library to provide a oauth2 service
License MIT
Information about the package oauth2
tflori/oauth2
This library helps you to create an OAuth service with the OAuth2 three-legged authentication mechanism.
Currently the only supported flow is "implicit" with refresh token. It is described here: https://tools.ietf.org/html/rfc6749#section-4.1
Security
How secure is OAuth2 and why? The main problem is storing the client secret. However you implement it in an app running on the user's end, the app can be reverse engineered to get the secret. The only way of making it secure is to store the secret on a service that receives the authorization code and asks the authorization service for the access token.
Is it safe then? No. Every app can ask your service. Do you know a way to make sure the request is really from your app? Great: send suggestions to [email protected].
The main idea behind OAuth is not to ensure the app is really the app it claims to be. The only thing we can prove is that the user is really the user who has the password and user identification (or however authentication works in your implementation).
Usage
Setup
... todo: write how to setup composer require tflori/oauth2
...
In the examples we will use nikic/fast-route for routing and tflori/dependency-injector for dependency injection but you can use any other router and dependency injector.
Obtain an authorization code (A over B to C)
The authorization code enables the client to obtain an access token (and a refresh token). The client sends the user to the authorization server. If the user is already logged in (usually via cookies), the authorization server sends the user back to the callback with the authorization code.
Example:
Obtain an access token (D to E)
With an access token the client can access the data. To get an access token the client needs to provide the client id, the client secret and the previously generated authorization code.
Example:
Check authorization
When the client requests a resource it sends the access token in a header (usually: Authorization: Bearer <access_token>). The resource server has to check whether this access token is valid.
There are two possible scenarios:
Resource Server on the same server
When the resource server runs on the same server you can just create a Handler and ask it:
Resource Server on another server
In this case you need to send a request to the authorization server:
On the authorization server run the same as before:
Logout
When the user logs out, every access token for the session should become invalid immediately. Nothing is easier:
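The README's own code samples are not on this page, so here is an added, self-contained sketch (not tflori/oauth2's API, and not its author's code) of the four steps described above: issuing the authorization code (A to C), exchanging it for an access token with the client secret (D to E), checking the Authorization header on the resource server, and invalidating every token of a session on logout. The class name, the in-memory arrays and the 60 s / 3600 s lifetimes are constructed for the demo.

```php
<?php
// Constructed demo (not tflori/oauth2's API): an in-memory authorization server covering the
// steps above: issue a code (A-C), exchange it for a token (D-E), check a bearer header, log out.
final class DemoAuthServer {
    private array $clients = []; // client_id => ['secret_hash' => ..., 'redirect_uri' => ...]
    private array $codes = [];   // code => ['client_id', 'redirect_uri', 'session', 'expires']
    private array $tokens = [];  // access token => ['session', 'expires']
    public function registerClient(string $id, string $secret, string $redirectUri): void {
        $this->clients[$id] = ['secret_hash' => password_hash($secret, PASSWORD_DEFAULT),
                               'redirect_uri' => $redirectUri];
    }
    // A-C: the user is already logged in (session known); hand back a short-lived, single-use code.
    public function issueCode(string $clientId, string $redirectUri, string $session): ?string {
        $client = $this->clients[$clientId] ?? null;
        if ($client === null || $client['redirect_uri'] !== $redirectUri) {
            return null; // unknown client or unregistered redirect URI: do not redirect at all
        }
        $code = bin2hex(random_bytes(16));
        $this->codes[$code] = ['client_id' => $clientId, 'redirect_uri' => $redirectUri,
                               'session' => $session, 'expires' => time() + 60];
        return $code;
    }
    // D-E: only the backend holding the client secret can trade the code for an access token.
    public function exchangeCode(string $clientId, string $secret, string $code, string $redirectUri): ?array {
        $client = $this->clients[$clientId] ?? null;
        $grant = $this->codes[$code] ?? null;
        unset($this->codes[$code]); // single use, whether or not the exchange succeeds
        if ($client === null || $grant === null || !password_verify($secret, $client['secret_hash'])
            || $grant['client_id'] !== $clientId || $grant['redirect_uri'] !== $redirectUri
            || $grant['expires'] < time()) {
            return null;
        }
        $access = bin2hex(random_bytes(32));
        $this->tokens[$access] = ['session' => $grant['session'], 'expires' => time() + 3600];
        return ['access_token' => $access, 'token_type' => 'Bearer', 'expires_in' => 3600];
    }
    // Resource server check: parse "Authorization: Bearer <token>", return the owning session or null.
    public function sessionForHeader(string $header): ?string {
        if (!preg_match('/^Bearer\s+([a-f0-9]{64})$/', $header, $m)) return null;
        $t = $this->tokens[$m[1]] ?? null;
        return ($t !== null && $t['expires'] >= time()) ? $t['session'] : null;
    }
    // Logout: every access token tied to the session becomes invalid immediately.
    public function logout(string $session): void {
        $this->tokens = array_filter($this->tokens, fn($t) => $t['session'] !== $session);
    }
}
```

A resource server on another host would call sessionForHeader through an HTTP request to the authorization server instead of a local method, which is the second scenario the README describes.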