Doc improvements
parent
256c4be99d
commit
4e189ced50
@ -63,7 +63,7 @@ $privateKey = 'file://path/to/private.key';
|
|||||||
$publicKey = 'file://path/to/public.key';
|
$publicKey = 'file://path/to/public.key';
|
||||||
|
|
||||||
// Setup the authorization server
|
// Setup the authorization server
|
||||||
$server = new \League\OAuth2\Server\Server(
|
$server = new \League\OAuth2\Server\AuthorizationServer(
|
||||||
$clientRepository,
|
$clientRepository,
|
||||||
$accessTokenRepository,
|
$accessTokenRepository,
|
||||||
$scopeRepository,
|
$scopeRepository,
|
||||||
@ -95,8 +95,8 @@ The client will redirect the user to an authorization endpoint.
|
|||||||
{% highlight php %}
|
{% highlight php %}
|
||||||
$app->get('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
$app->get('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
||||||
|
|
||||||
/* @var \League\OAuth2\Server\Server $server */
|
/* @var \League\OAuth2\Server\AuthorizationServer $server */
|
||||||
$server = $app->getContainer()->get(Server::class);
|
$server = $app->getContainer()->get(AuthorizationServer::class);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
|
||||||
@ -140,8 +140,8 @@ The client will request an access token using an authorization code so create an
|
|||||||
{% highlight php %}
|
{% highlight php %}
|
||||||
$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
||||||
|
|
||||||
/* @var \League\OAuth2\Server\Server $server */
|
/* @var \League\OAuth2\Server\AuthorizationServer $server */
|
||||||
$server = $app->getContainer()->get(Server::class);
|
$server = $app->getContainer()->get(AuthorizationServer::class);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
|
||||||
|
@ -39,7 +39,7 @@ $privateKey = 'file://path/to/private.key';
|
|||||||
$publicKey = 'file://path/to/public.key';
|
$publicKey = 'file://path/to/public.key';
|
||||||
|
|
||||||
// Setup the authorization server
|
// Setup the authorization server
|
||||||
$server = new \League\OAuth2\Server\Server(
|
$server = new \League\OAuth2\Server\AuthorizationServer(
|
||||||
$clientRepository,
|
$clientRepository,
|
||||||
$accessTokenRepository,
|
$accessTokenRepository,
|
||||||
$scopeRepository,
|
$scopeRepository,
|
||||||
@ -63,8 +63,8 @@ The client will request an access token so create an `/access_token` endpoint.
|
|||||||
{% highlight php %}
|
{% highlight php %}
|
||||||
$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
||||||
|
|
||||||
/* @var \League\OAuth2\Server\Server $server */
|
/* @var \League\OAuth2\Server\AuthorizationServer $server */
|
||||||
$server = $app->getContainer()->get(Server::class);
|
$server = $app->getContainer()->get(AuthorizationServer::class);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
|
||||||
|
@ -51,7 +51,7 @@ $privateKey = 'file://path/to/private.key';
|
|||||||
$publicKey = 'file://path/to/public.key';
|
$publicKey = 'file://path/to/public.key';
|
||||||
|
|
||||||
// Setup the authorization server
|
// Setup the authorization server
|
||||||
$server = new \League\OAuth2\Server\Server(
|
$server = new \League\OAuth2\Server\AuthorizationServer(
|
||||||
$clientRepository,
|
$clientRepository,
|
||||||
$accessTokenRepository,
|
$accessTokenRepository,
|
||||||
$scopeRepository,
|
$scopeRepository,
|
||||||
@ -75,8 +75,8 @@ The client will redirect the user to an authorization endpoint.
|
|||||||
{% highlight php %}
|
{% highlight php %}
|
||||||
$app->get('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
$app->get('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
||||||
|
|
||||||
/* @var \League\OAuth2\Server\Server $server */
|
/* @var \League\OAuth2\Server\AuthorizationServer $server */
|
||||||
$server = $app->getContainer()->get(Server::class);
|
$server = $app->getContainer()->get(AuthorizationServer::class);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
|
||||||
|
@ -46,7 +46,7 @@ $privateKey = 'file://path/to/private.key';
|
|||||||
$publicKey = 'file://path/to/public.key';
|
$publicKey = 'file://path/to/public.key';
|
||||||
|
|
||||||
// Setup the authorization server
|
// Setup the authorization server
|
||||||
$server = new \League\OAuth2\Server\Server(
|
$server = new \League\OAuth2\Server\AuthorizationServer(
|
||||||
$clientRepository,
|
$clientRepository,
|
||||||
$accessTokenRepository,
|
$accessTokenRepository,
|
||||||
$scopeRepository,
|
$scopeRepository,
|
||||||
@ -77,8 +77,8 @@ The client will request an access token so create an `/access_token` endpoint.
|
|||||||
{% highlight php %}
|
{% highlight php %}
|
||||||
$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
||||||
|
|
||||||
/* @var \League\OAuth2\Server\Server $server */
|
/* @var \League\OAuth2\Server\AuthorizationServer $server */
|
||||||
$server = $app->getContainer()->get(Server::class);
|
$server = $app->getContainer()->get(AuthorizationServer::class);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
|
||||||
|
@ -37,12 +37,11 @@ $refreshTokenRepository = new RefreshTokenRepository();
|
|||||||
|
|
||||||
// Path to public and private keys
|
// Path to public and private keys
|
||||||
$privateKey = 'file://path/to/private.key';
|
$privateKey = 'file://path/to/private.key';
|
||||||
// Private key with passphrase if needed
|
//$privateKey = new CryptKey('file://path/to/private.key', 'passphrase'); // if private key has a pass phrase
|
||||||
//$privateKey = new CryptKey('file://path/to/private.key', 'passphrase');
|
|
||||||
$publicKey = 'file://path/to/public.key';
|
$publicKey = 'file://path/to/public.key';
|
||||||
|
|
||||||
// Setup the authorization server
|
// Setup the authorization server
|
||||||
$server = new \League\OAuth2\Server\Server(
|
$server = new \League\OAuth2\Server\AuthorizationServer(
|
||||||
$clientRepository,
|
$clientRepository,
|
||||||
$accessTokenRepository,
|
$accessTokenRepository,
|
||||||
$scopeRepository,
|
$scopeRepository,
|
||||||
@ -50,10 +49,13 @@ $server = new \League\OAuth2\Server\Server(
|
|||||||
$publicKey
|
$publicKey
|
||||||
);
|
);
|
||||||
|
|
||||||
// Enable the refresh token grant on the server with a token TTL of 1 hour
|
$grant = new \League\OAuth2\Server\Grant\RefreshTokenGrant($refreshTokenRepository);
|
||||||
|
$grant->setRefreshTokenTTL(new \DateInterval('P1M')); // new refresh tokens will expire after 1 month
|
||||||
|
|
||||||
|
// Enable the refresh token grant on the server
|
||||||
$server->enableGrantType(
|
$server->enableGrantType(
|
||||||
new \League\OAuth2\Server\Grant\RefreshTokenGrant($refreshTokenRepository),
|
$grant,
|
||||||
new \DateInterval('PT1H')
|
new \DateInterval('PT1H') // new access tokens will expire after an hour
|
||||||
);
|
);
|
||||||
{% endhighlight %}
|
{% endhighlight %}
|
||||||
|
|
||||||
@ -64,8 +66,8 @@ The client will request an access token so create an `/access_token` endpoint.
|
|||||||
{% highlight php %}
|
{% highlight php %}
|
||||||
$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
|
||||||
|
|
||||||
/* @var \League\OAuth2\Server\Server $server */
|
/* @var \League\OAuth2\Server\AuthorizationServer $server */
|
||||||
$server = $app->getContainer()->get(Server::class);
|
$server = $app->getContainer()->get(AuthorizationServer::class);
|
||||||
|
|
||||||
// Try to respond to the request
|
// Try to respond to the request
|
||||||
try {
|
try {
|
||||||
|
@ -14,20 +14,14 @@ Wherever you intialize your objects, initialize a new instance of the resource s
|
|||||||
|
|
||||||
{% highlight php %}
|
{% highlight php %}
|
||||||
// Init our repositories
|
// Init our repositories
|
||||||
$clientRepository = new ClientRepository();
|
$accessTokenRepository = new AccessTokenRepository(); // instance of AccessTokenRepositoryInterface
|
||||||
$accessTokenRepository = new AccessTokenRepository();
|
|
||||||
$scopeRepository = new ScopeRepository();
|
|
||||||
|
|
||||||
// Path to public and private keys
|
// Path to authorization server's public key
|
||||||
$privateKeyPath = 'file://path/to/private.key';
|
$publicKey = 'file://path/to/public.key';
|
||||||
$publicKeyPath = 'file://path/to/public.key';
|
|
||||||
|
|
||||||
// Setup the authorization server
|
// Setup the authorization server
|
||||||
$server = new \League\OAuth2\Server\Server(
|
$server = new \League\OAuth2\Server\ResourceServer(
|
||||||
$clientRepository,
|
|
||||||
$accessTokenRepository,
|
$accessTokenRepository,
|
||||||
$scopeRepository,
|
|
||||||
$privateKeyPath,
|
|
||||||
$publicKeyPath
|
$publicKeyPath
|
||||||
);
|
);
|
||||||
{% endhighlight %}
|
{% endhighlight %}
|
||||||
|
@ -1,69 +0,0 @@
|
|||||||
---
|
|
||||||
layout: default
|
|
||||||
title: Token types
|
|
||||||
permalink: /token-types/
|
|
||||||
---
|
|
||||||
|
|
||||||
# Token Types
|
|
||||||
|
|
||||||
This library supports Bearer and MAC tokens out of the box.
|
|
||||||
|
|
||||||
## Bearer Tokens
|
|
||||||
|
|
||||||
Bearer tokens are the default type of access tokens. They are automatically enabled when either an Authorization Server or Resource Server are initialized.
|
|
||||||
|
|
||||||
If you [implement the core storage interfaces](/implementing-storage-interfaces/) then you don't need to do anymore.
|
|
||||||
|
|
||||||
When calling an API endpoint bearer tokens are either presented either in the query string (e.g. `?access_token=abcdef`) or as an authorization header (e.g. `Authorization: Bearer abcdef`).
|
|
||||||
|
|
||||||
## MAC Tokens
|
|
||||||
|
|
||||||
A MAC (Message Authentication Code) is a short piece of information used to authenticate a message and to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message's origin.
|
|
||||||
|
|
||||||
When MAC tokens are enabled a _MAC key_ is presented with the access token. When a client makes an API request it computes a MAC signature that sent with the access token to provide cryptographic verification of the request. Because only the client who was presented with the access token has the mac key it can prevent sniffed access tokens from being used by unauthorized clients.
|
|
||||||
|
|
||||||
To enable support for MAC tokens you should implement the `League\OAuth2\Server\Storage\MacTokenInterface` storage interface so that the authorization server can save generated MAC keys and the resource server can find them.
|
|
||||||
|
|
||||||
Then set the MAC Storage object and set the token type to be MAC tokens.
|
|
||||||
|
|
||||||
~~~ php
|
|
||||||
$server->setMacStorage($macStorage);
|
|
||||||
$server->setTokenType(new League\OAuth2\Server\TokenType\MAC);
|
|
||||||
~~~
|
|
||||||
|
|
||||||
You're good to go!
|
|
||||||
|
|
||||||
When calling API endpoints that are secured by MAC tokens the client should send an authorization header like so:
|
|
||||||
|
|
||||||
~~~
|
|
||||||
Authorization: MAC id="the access token", ts="current unix timestamp", nonce="random string", mac="base64 encoded signature"
|
|
||||||
~~~
|
|
||||||
|
|
||||||
To calculate the signature concatenate the following parameters with newline characters:
|
|
||||||
|
|
||||||
1. The timestamp (as specified in the `ts` attribute in the authorization header)
|
|
||||||
2. The nonce (as specified in the `nonce` attribute in the authorization header)
|
|
||||||
3. The HTTP request method in uppercase
|
|
||||||
4. The full HTTP request URI (as specified in [RFC2616] section 5.1.2)
|
|
||||||
5. The hostname
|
|
||||||
6. The port
|
|
||||||
|
|
||||||
Assuming the request was:
|
|
||||||
|
|
||||||
~~~ http
|
|
||||||
POST /users HTTP/1.1
|
|
||||||
Host: api.example.com
|
|
||||||
~~~
|
|
||||||
|
|
||||||
The concatenated string would be:
|
|
||||||
|
|
||||||
~~~
|
|
||||||
1419723092
|
|
||||||
9s0df90s09d
|
|
||||||
POST
|
|
||||||
https://api.example.com/users
|
|
||||||
api.example.com
|
|
||||||
443
|
|
||||||
~~~
|
|
||||||
|
|
||||||
Then sign this string with the MAC key (use sha-256 algorithm) and base64 encode it - `hash_hmac` is the function to this in PHP.
|
|