Alex Bilbie 2014-11-08 16:26:22 +00:00
parent 6d57c99a66
commit 8131b71e26


@ -94,12 +94,12 @@ When `$server->isValidRequest()` is called the library will run the following ta
Assuming an exception isnt thrown you can then use the following functions in your API code:
* `getOwnerType()` - This will return the type of the owner of the access token. For example if a user has authorized another client to use their resources the owner type would be “user”.
* `getOwnerId()` - This will return the ID of the access token owner. You can use this to check if the owner has permission to do take some sort of action (such as retrieve a document or upload a file to a folder).
* `getClientId()` - Returns the ID of the client that was involved in creating the session that the access token is linked to.
* `getAccessToken()` - Returns the access token used in the request.
* `hasScope()` - You can use this function to see if a specific scope (or several scopes) has been associated with the access token. You can use this to limit the contents of an API response or prevent access to an API endpoint without the correct scope.
* `getScopes()` - Returns all scopes attached to the access token.
* `$server->getAccessToken()->getSession()->getOwnerType()` - This will return the type of the owner of the access token. For example if a user has authorized another client to use their resources the owner type would be “user”.
* `$server->getAccessToken()->getSession()->getOwnerId()` - This will return the ID of the access token owner. You can use this to check if the owner has permission to do take some sort of action (such as retrieve a document or upload a file to a folder).
* `$server->getAccessToken()->getSession()->getClient()->getId()` - Returns the ID of the client that was involved in creating the session that the access token is linked to.
* `$server->getAccessToken()` - Returns the access token used in the request.
* `$server->getAccessToken()->hasScope()` - You can use this function to see if a specific scope (or several scopes) has been associated with the access token. You can use this to limit the contents of an API response or prevent access to an API endpoint without the correct scope.
* `$server->getAccessToken()->getScopes()` - Returns all scopes attached to the access token.
## A simple example
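Review bot: The new `$server->getAccessToken()` bullet still reads "Returns the access token used in the request", but the other new bullets call `->getSession()`, `->hasScope()` and `->getScopes()` on its return value, so the description should say it returns the access token object rather than suggesting the raw token string. The new `getOwnerId()` bullet also carries over the typo "permission to do take some sort of action" (should be "permission to take"), and the `hasScope()` bullet would be clearer if it showed the scope argument, as in the later `hasScope('users.list')` example.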
@ -136,7 +136,7 @@ $router->get('/users/{username}', function (Request $request, $args) use ($serve
In this example, only a users access token is valid:
~~~ php
if ($server->getOwnerType() !== 'user') {
if ($server->getAccessToken()->getSession()->getOwnerType() !== 'user') {
throw new Exception\AccessDeniedException;
}
~~~
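Review bot: The replacement line `if ($server->getAccessToken()->getSession()->getOwnerType() !== 'user') {` repeats a three-call chain that the later examples use again. Consider assigning the session to a local variable once in the documentation examples so the authorization check itself stays easy to read. The context sentence "only a users access token is valid" also needs an apostrophe ("a user's") while this block is being touched.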
@ -146,7 +146,7 @@ if ($server->getOwnerType() !== 'user') {
In this example, the endpoint will only respond to access tokens that are owner by client applications and that have the scope `users.list`.
~~~ php
if ($server->getOwnerType() !== 'client' && $server->hasScope('users.list')) {
if ($server->getAccessToken()->getSession()->getOwnerType() !== 'client' && $server->getAccessToken()->hasScope('users.list')) {
throw new Exception\AccessDeniedException;
}
~~~
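Review bot: The condition in the updated line does not match the sentence above it. `getOwnerType() !== 'client' && ...->hasScope('users.list')` throws only when the owner is not a client and the token does have the scope, so a client token without `users.list`, or a non-client token without it, is let through. To respond only to client-owned tokens that carry the scope, the check should deny when either requirement fails: `getOwnerType() !== 'client' || !$server->getAccessToken()->hasScope('users.list')`. The bug is carried over from the removed line, but since this is the documented pattern for securing an endpoint it is worth fixing in the same change. The context line also has "owner by" where "owned by" is meant.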
@ -156,7 +156,7 @@ You might secure an endpoint in this way to only allow specific clients (such as
## Return resource based on access token owner
~~~ php
$photos = $model->getPhotos($server->getOwnerId());
$photos = $model->getPhotos($server->getAccessToken()->getSession()->getOwnerId());
~~~
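Review bot: The `getPhotos(...->getOwnerId())` example uses the owner ID without first checking the owner type. The earlier sections show that the owner can be either 'user' or 'client', so for a client-owned token this would pass a client ID where a user ID is expected. Suggest preceding the call with the `getOwnerType() !== 'user'` check from the earlier example, or stating in the text that the endpoint assumes a user-owned token.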