mirror of
https://github.com/elyby/oauth2-server.git
synced 2024-11-01 16:33:07 +05:30
46 lines
1.4 KiB
Markdown
Executable File
46 lines
1.4 KiB
Markdown
Executable File
---
|
|
layout: default
|
|
title: Securing your API
|
|
permalink: /resource-server/securing-your-api/
|
|
---
|
|
|
|
# Securing your API
|
|
|
|
This library provides a PSR-7 friendly resource server middleware that can validate access tokens.
|
|
|
|
## Setup
|
|
|
|
Wherever you intialize your objects, initialize a new instance of the resource server with the storage interfaces:
|
|
|
|
{% highlight php %}
|
|
// Init our repositories
|
|
$accessTokenRepository = new AccessTokenRepository(); // instance of AccessTokenRepositoryInterface
|
|
|
|
// Path to authorization server's public key
|
|
$publicKey = 'file://path/to/public.key';
|
|
|
|
// Setup the authorization server
|
|
$server = new \League\OAuth2\Server\ResourceServer(
|
|
$accessTokenRepository,
|
|
$publicKeyPath
|
|
);
|
|
{% endhighlight %}
|
|
|
|
Then add the middleware to your stack:
|
|
|
|
{% highlight php %}
|
|
new \League\OAuth2\Server\Middleware\ResourceServerMiddleware($server);
|
|
{% endhighlight %}
|
|
|
|
## Implementation
|
|
|
|
The authorization header on an incoming request will automatically be validated.
|
|
|
|
If the access token is valid the following attributes will be set on the ServerRequest:
|
|
|
|
* `oauth_access_token_id` - the access token identifier
|
|
* `oauth_client_id` - the client identifier
|
|
* `oauth_user_id` - the user identifier represented by the access token
|
|
* `oauth_scopes` - an array of string scope identifiers
|
|
|
|
If the authorization is invalid an instance of `OAuthServerException::accessDenied` will be thrown. |