OAuth2.0 is a protocol used to authorize third-party applications to access user resources. It is now widely used in the Internet field. With the development of Internet business, more and more applications need to support the OAuth2.0 protocol. This article will introduce the best way to implement the OAuth2.0 protocol using PHP.
1. Basic knowledge of OAuth2.0
Before introducing the implementation method of OAuth2.0, we need to understand some basic knowledge of OAuth2.0.
The OAuth2.0 protocol defines 4 different authorization types: authorization code mode (authorization code), implicit authorization mode (implicit grant), Password mode (resource owner password credentials) and client mode (client credentials). Different authorization types are suitable for different scenarios. The specific authorization type to use needs to be decided based on business needs.
The OAuth2.0 protocol defines three roles: resource owner, client and resource server. . The resource owner refers to the authorized user, the client refers to the third-party application, and the resource server refers to the server where the user's resources are stored.
The process in the OAuth2.0 protocol includes the following steps:
(1) The client requests authorization from the resource owner;
(2) The resource owner agrees to the authorization and issues an authorization code to the client;
(3) The client carries the authorization code to request an access token from the resource server;
( 4) The resource server verifies the authorization code and issues an access token to the client.
2. Implementation method
There are many mature solutions on the market for the implementation of the OAuth2.0 protocol, such as Laravel Passport, PHP League OAuth2 Server, etc. This article will focus on the implementation of PHP League OAuth2 Server.
First, you need to create a new PHP project and install the PHP League OAuth2 Server component. The installation method is as follows:
composer require league/oauth2-server
Then, you need to create a database and create the following table structure:
``
CREATE TABLE oauth_clients (
client_id VARCHAR(80) NOT NULL, client_secret VARCHAR(80) NOT NULL, redirect_uri VARCHAR(2000) NOT NULL, grant_types VARCHAR(80), scope VARCHAR(4000), user_id VARCHAR(255), CONSTRAINT clients_client_id_pk PRIMARY KEY (client_id)
);
CREATE TABLE oauth_access_tokens (
access_token VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), expires TIMESTAMP NOT NULL, scope VARCHAR(4000), CONSTRAINT access_token_pk PRIMARY KEY (access_token)
);
CREATE TABLE oauth_authorization_codes (
authorization_code VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), redirect_uri VARCHAR(2000), expires TIMESTAMP NOT NULL, scope VARCHAR(4000), CONSTRAINT auth_code_pk PRIMARY KEY (authorization_code)
);
CREATE TABLE oauth_refresh_tokens (
refresh_token VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), expires TIMESTAMP NOT NULL, scope VARCHAR(4000), CONSTRAINT refresh_token_pk PRIMARY KEY (refresh_token)
);
2. 配置服务器 在PHP项目中创建一个OAuth2服务器文件,并进行基本配置。实现代码如下:
require_once DIR . '/vendor/autoload.php';
use LeagueOAuth2ServerAuthorizationServer;
use LeagueOAuth2ServerResourceServer;
use LeagueOAuth2ServerGrantClientCredentialsGrant ;
use LeagueOAuth2ServerGrantPasswordGrant;
use LeagueOAuth2ServerGrantAuthCodeGrant;
use LeagueOAuth2ServerGrantImplicitGrant;
use LeagueOAuth2ServerRepositories{AccessTokenRepositoryInterface,
AuthCodeRepositoryInterface, ClientRepositoryInterface, RefreshTokenRepositoryInterface, UserRepositoryInterface};
use LeagueOAuth2Server{ResourceServer, AuthorizationValidatorsBearerTokenValidator};
/ / Configure server
$server = new AuthorizationServer(
$clientRepository, $accessTokenRepository, $scopeRepository, $privateKey, $publicKey
);
// Configure authorization type
$server->enableGrantType(new ClientCredentialsGrant());
$server->enableGrantType(
new PasswordGrant( $userRepository, $refreshTokenRepository )
);
$server->enableGrantType(
new AuthCodeGrant( $authCodeRepository, $refreshTokenRepository, new DateInterval('PT10M') )
);
$server->enableGrantType(
new ImplicitGrant( new DateInterval('PT1H') )
);
//Configure the resource server
$resourceServer = new ResourceServer(
$accessTokenRepository, $publicKey
);
//Configure the BearerTokenValidator
$bearerTokenValidator = new BearerTokenValidator(
$accessTokenRepository, $publicKey
);
上述代码中的各个参数需要根据实际的业务需求进行具体配置。 3. 执行授权请求 在OAuth2服务器文件中,需要实现授权请求的处理逻辑。实现代码如下:
use PsrHttpMessageServerRequestInterface;
use PsrHttpMessageResponseInterface;
// Process authorization request
$server->respondToAccessTokenRequest($request , $response);
上述代码中的$request和$response分别为从HTTP传输层获取的请求参数和响应结果。需要根据实际业务需求进行具体实现。 4. 请求受保护的资源 完成授权后,客户端可以携带访问令牌请求受保护的资源。OAuth2.0服务器需要对访问令牌进行验证,并返回相应的结果。实现代码如下:
// Verify Bearer Token
try {
$bearerTokenValidator->validateAuthorization($request);
} catch (Exception $e) {
$response->getBody()->write($e->getMessage()); return $response->withHeader('Content-Type', 'text/plain')->withStatus(401);
}
// Process the access token in the request header
$accessToken = $request->getHeader('Authorization')[0];
$accessToken = substr($accessToken, strpos($accessToken, ' ' ) 1);
//Verify access token
try {
$resourceServer->validateAuthenticatedRequest($request); $response->getBody()->write('Access granted');
} catch (Exception $e) {
$errorMessage = $e->getMessage(); $response->getBody()->write($errorMessage); return $response->withHeader('Content-Type', 'text/plain')->withStatus(401);
}
5. 总结
The above is the detailed content of The best way to implement OAuth2.0 using PHP. For more information, please follow other related articles on the PHP Chinese website!