Extension for Yii2 providing an OAuth 2 server
Forked from https://github.com/davidxu/yii2-oauth2-server
Uses parts of https://github.com/samdark/yii2-league-oauth2-server
Also inspired by https://github.com/chervand/yii2-oauth2-server
Install
Add this to your composer.json (pin a version constraint in production rather than `*`, so a new release cannot change your authorization server behind your back):
```json
"davidxu/yii2-oauth2-server": "*"
```
Usage
Step 1
You need a few things:
- A UserRepository for this module to get its users from. The easiest is to take your existing User class and make sure it also implements the following interfaces:
  - yii\web\IdentityInterface
  - League\OAuth2\Server\Entities\UserEntityInterface
  - League\OAuth2\Server\Repositories\UserRepositoryInterface
  Make sure to validate the user in UserRepositoryInterface::getUserEntityByUserCredentials(): check that the account exists and is active, verify the password with a constant-time hash comparison, and return null on any failure so the server answers with an invalid_grant error.
  Also make sure to implement findIdentityByAccessToken(); it is used by davidxu\oauth2\components\authMethods\HttpBearerAuth to authenticate the user by access token. Example:
```php
<?php
/**
 * {@inheritdoc}
 *
 * Maps a bearer token identifier to its active owner. This lookup only
 * resolves the identity; it does not itself check expiry or revocation,
 * so call it only from an auth method that has already validated the token.
 */
public static function findIdentityByAccessToken($token, $type = null)
{
    return static::find()
        ->where(['user.status' => static::STATUS_ACTIVE])
        ->leftJoin('{{%oauth_access_token}}', '`user`.`id` = `{{%oauth_access_token}}`.`user_id`')
        ->andWhere(['{{%oauth_access_token}}.identifier' => $token])
        ->one();
}
```
  Then pass the User class as the `userRepository` property in the configuration array shown below.
- An RSA key pair (plain PEM files generated with OpenSSL, not SSH keys). See https://oauth2.thephpleague.com/installation/
```bash
$ openssl genrsa -out private.key 2048
$ openssl rsa -in private.key -pubout -out public.key
```
  Make sure the permissions on the generated key files are 600 (or 660 if the web server process belongs to a separate group), and keep private.key outside the web root and out of version control.
- An encryption key (a random string; at least 32 bytes of output from a CSPRNG, for example `php -r 'echo base64_encode(random_bytes(32)), PHP_EOL;'`)
- The migrations
```bash
$ php yii migrate --migrationPath=@vendor/davidxu/yii2-oauth2-server/migrations
```
Step 2
Add it as a yii2 module:
```php
<?php
$config = [
    'modules' => [
        'oauth2' => [
            'class' => davidxu\oauth2\Module::class,
            'userRepository' => \app\models\User::class,
            'privateKey' => '@common/data/keys/private.key',
            'publicKey' => '@common/data/keys/public.key',
            'encryptionKey' => 'put-a-nice-random-string-here',
        ],
    ],
];
```
Also add the module to your application bootstrap:
```php
...
'bootstrap' => ['log', 'api.v1', ..., 'oauth2'],
...
```
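The User class that Step 1 asks for and Step 2 references as `userRepository`, written out as a complete model. This is an added example, not code shipped with the extension; it assumes a `user` table with columns `id`, `username`, `password_hash`, `auth_key` and `status`, the `oauth_access_token` table created by the migrations above, and the league/oauth2-server 8.x interface signatures (untyped parameters on `getUserEntityByUserCredentials()`).

```php
<?php
namespace app\models;

use Yii;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\UserEntityInterface;
use League\OAuth2\Server\Repositories\UserRepositoryInterface;

/**
 * Example User model (added here; not part of the extension).
 * Assumed schema: user(id, username, password_hash, auth_key, status).
 */
class User extends ActiveRecord implements IdentityInterface, UserEntityInterface, UserRepositoryInterface
{
    const STATUS_ACTIVE = 10;

    public static function tableName()
    {
        return '{{%user}}';
    }

    // --- yii\web\IdentityInterface ---

    public static function findIdentity($id)
    {
        return static::findOne(['id' => $id, 'status' => self::STATUS_ACTIVE]);
    }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        // Resolve a bearer token identifier to its active owner (see Step 1).
        return static::find()
            ->where(['user.status' => self::STATUS_ACTIVE])
            ->leftJoin('{{%oauth_access_token}}', '`user`.`id` = `{{%oauth_access_token}}`.`user_id`')
            ->andWhere(['{{%oauth_access_token}}.identifier' => $token])
            ->one();
    }

    public function getId()
    {
        return $this->id;
    }

    public function getAuthKey()
    {
        return $this->auth_key;
    }

    public function validateAuthKey($authKey)
    {
        // Constant-time comparison; the cookie-supplied value is attacker-controlled.
        return hash_equals((string) $this->auth_key, (string) $authKey);
    }

    // --- League\OAuth2\Server\Entities\UserEntityInterface ---

    public function getIdentifier()
    {
        // Becomes the subject (`sub`) of the issued access token.
        return $this->id;
    }

    // --- League\OAuth2\Server\Repositories\UserRepositoryInterface ---

    public function getUserEntityByUserCredentials($username, $password, $grantType, ClientEntityInterface $clientEntity)
    {
        $user = static::findOne(['username' => $username, 'status' => self::STATUS_ACTIVE]);

        // Yii's validatePassword() uses password_verify() under the hood, which is constant-time
        // for the hash comparison. Return null on *any* failure so the response is the same
        // for "unknown user" and "wrong password" and does not leak account existence.
        if ($user === null || !Yii::$app->security->validatePassword($password, $user->password_hash)) {
            return null;
        }

        return $user;
    }
}
```

Because the module is given the class name (`\app\models\User::class`) rather than an instance, the repository methods live on the same ActiveRecord class as the identity methods; the module instantiates it when the password grant needs to look up a user.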
Configuration
There's not a lot of configuration yet. Maybe the types of grants available will be dynamic someday.
Access control (Guarding API calls)
Check Client Credentials
Because the Client Credentials grant issues access tokens that are not linked to a specific user, there is no identity for HttpBearerAuth to log in, so a different filter is used to check the validity of the token.
Add davidxu\oauth2\components\filters\CheckClientCredentials to your behaviors to validate Client Credentials access tokens.
Other auth flows
Add davidxu\oauth2\components\authMethods\HttpBearerAuth to your behaviors, for example:
```php
<?php
use davidxu\oauth2\components\authMethods\HttpBearerAuth;
use yii\web\Response;

public function behaviors()
{
    $behaviors = parent::behaviors();
    // Validates the Authorization: Bearer <token> header and logs in the
    // identity returned by User::findIdentityByAccessToken().
    $behaviors['authenticator'] = [
        'class' => HttpBearerAuth::class,
    ];
    $behaviors['contentNegotiator'] = [
        'class' => 'yii\filters\ContentNegotiator',
        'formats' => [
            'application/json' => Response::FORMAT_JSON,
        ],
    ];
    return $behaviors;
}
```
Usage with yiisoft/yii2-authclient (or similar Authorization Code Grant clients)
Create a custom client with the following URLs:
- authorize URL: <domain>/oauth2/authorize
- token URL: <domain>/oauth2/token/create
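A yii2-authclient client class for this server, as an added example (not part of the extension or of yii2-authclient). It assumes the server is reachable at https://auth.example.com and that, besides the two endpoints listed above, the application exposes a bearer-protected `user/me` action returning the current user as JSON with an `id` field; that resource, the host name and the client credentials are assumptions.

```php
<?php
namespace app\components;

use yii\authclient\OAuth2;

/**
 * Authorization Code Grant client for the davidxu/yii2-oauth2-server module.
 * Assumed host: https://auth.example.com. Assumed resource: GET user/me.
 */
class LocalOAuth2Client extends OAuth2
{
    // The two endpoints the README documents for this module.
    public $authUrl = 'https://auth.example.com/oauth2/authorize';
    public $tokenUrl = 'https://auth.example.com/oauth2/token/create';

    // Base URL for api() calls made with the obtained access token.
    public $apiBaseUrl = 'https://auth.example.com';

    /**
     * Called once a token has been obtained. api() sends the bearer token
     * with the request; the returned array becomes getUserAttributes().
     */
    protected function initUserAttributes()
    {
        return $this->api('user/me', 'GET');
    }

    protected function defaultName()
    {
        return 'local-oauth2';
    }

    protected function defaultTitle()
    {
        return 'Local OAuth2 server';
    }
}
```

Register it in the client application under `components.authClientCollection.clients` with the `clientId` and `clientSecret` of a row from the module's client table, and keep `validateAuthState` at its default of true so the `state` parameter is checked on the callback, which is what protects the authorization-code flow against CSRF.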