From fd55b78c052df0cbc3e380b7f5bea3ced856d8ad Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Wed, 23 Mar 2016 12:44:47 +0000 Subject: [PATCH] Updated client credentials grant --- auth-server-client-credentials.md | 36 ++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/auth-server-client-credentials.md b/auth-server-client-credentials.md index 12aa8845..c57845ce 100755 --- a/auth-server-client-credentials.md +++ b/auth-server-client-credentials.md @@ -6,25 +6,39 @@ permalink: /authorization-server/client-credentials-grant/ # Client credentials grant -This grant is similar to the resource owner credentials grant except only the client’s credentials are used to authenticate a request for an access token. Again this grant should only be allowed to be used by trusted clients. - This grant is suitable for machine-to-machine authentication, for example for use in a cron job which is performing maintenance tasks over an API. Another example would be a client making requests to an API that don’t require user’s permission. +## Flow + +The client sends a POST request with following body parameters to the authorization server: + +* `grant_type` with the value `client_credentials` +* `client_id` with the the client's ID +* `client_secret` with the client's secret +* `scope` with a space-delimited list of requested scope permissions. + +The authorization server will respond with a JSON object containing the following properties: + +* `token_type` with the value `Bearer` +* `expires_in` with an integer representing the TTL of the access token +* `access_token` a JWT signed with the authorization server's private key + ## Setup Wherever you initialize your objects, initialize a new instance of the authorization server and bind the storage interfaces and authorization code grant: {% highlight php %} -// Your implementation of the required repositories +// Init our repositories $clientRepository = new ClientRepository(); $accessTokenRepository = new AccessTokenRepository(); $scopeRepository = new ScopeRepository(); +// Path to public and private keys $privateKeyPath = 'file://path/to/private.key'; $publicKeyPath = 'file://path/to/public.key'; - + // Setup the authorization server -$server = new Server( +$server = new \League\OAuth2\Server\Server( $clientRepository, $accessTokenRepository, $scopeRepository, @@ -34,7 +48,7 @@ $server = new Server( // Enable the client credentials grant on the server with a token TTL of 1 hour $server->enableGrantType( - new ClientCredentialsGrant(), + new \League\OAuth2\Server\Grant\ClientCredentialsGrant(), new \DateInterval('PT1H') ); {% endhighlight %} @@ -46,19 +60,17 @@ The client will request an access token so create an `/access_token` endpoint. {% highlight php %} $app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) { - // Retrieve the authorization server from the DI container + /* @var \League\OAuth2\Server\Server $server */ $server = $app->getContainer()->get(Server::class); - + + // Try to respond to the request try { - // A successful response with an access token return $server->respondToRequest($request, $response); - } catch (OAuthServerException $exception) { - // A correctly formatted OAuth error response + } catch (\League\OAuth2\Server\Exception\OAuthServerException $exception) { return $exception->generateHttpResponse($response); } catch (\Exception $exception) { - // An unknown server error $body = new Stream('php://temp', 'r+'); $body->write($exception->getMessage()); return $response->withStatus(500)->withBody($body);