OAuth2.0 Specification Implementation

AlloVince edited this page Apr 21, 2015 · 2 revisions

The OAuth 2.0 specification (RFC 6749) defines four roles, which map onto EvaOAuth as follows:

  • Resource Owner: Eva\EvaOAuth\User\UserInterface
  • Client: Eva\EvaOAuth\OAuth2\Client
  • Resource Server: Eva\EvaOAuth\OAuth2\ResourceServerInterface
  • Authorization Server: Eva\EvaOAuth\OAuth2\AuthorizationServerInterface

To keep the code simple, EvaOAuth merges the resource server and the authorization server into a single Provider (Eva\EvaOAuth\OAuth2\Providers\AbstractProvider).

OAuth 2.0 also defines four grant types for obtaining authorization (authorization code, implicit, resource owner password credentials, and client credentials). EvaOAuth currently supports only the authorization code grant.

Authorization Code Grant

The authorization code grant is the most common type for server-side web applications, since the client can keep its client_secret off the browser. The flow, taken from RFC 6749 section 4.1, is:

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)

Step (A): the client redirects the resource owner's user-agent to the authorization server's authorization endpoint. Parameters:

  • response_type : code
  • client_id
  • redirect_uri
  • state (a fresh, unguessable value that the client stores and checks again in step (C))
  • scope (optional)

use Eva\EvaOAuth\OAuth2\Client;
use Eva\EvaOAuth\OAuth2\Providers;

$client = new Client([
    'client_id' => 'client_id',
    'client_secret' => 'client_secret',
    'redirect_uri' => 'http://oauth.evaengine.com/EvaOAuth/examples/access.php?provider=facebook'
]);
$client->requestAuthorize(new Providers\Facebook());

The actual request is:

HTTP/1.1 302 Moved Temporarily
Location: https://www.facebook.com/dialog/oauth?
             response_type=code&
             client_id=369238949824623&
             redirect_uri=http%3A%2F%2Foauth.evaengine.com%2FEvaOAuth%2Fexamples%2Faccess.php%3Fprovider%3Dfacebook&
             state=GxNqzZFpC3

Step (B): the user authenticates to the authorization server and confirms or denies the client's request.

Step (C): the authorization server redirects the user-agent back to the client's redirect_uri, carrying the authorization code and the state. Before using the code, the client must check that the returned state equals the value it generated in step (A); a callback whose state does not match was not started by this user's session and must be discarded, otherwise an attacker can make a victim's browser complete a flow the attacker began (CSRF). Because the code travels in the query string, the redirect_uri should be an HTTPS URL in production; the http:// URI in this example is for the demo only.

HTTP/1.1 302 Found
Location: http://oauth.evaengine.com/EvaOAuth/examples/access.php?provider=facebook&
             code=somecode&
             state=GxNqzZFpC3

Step (D): the client requests an access token from the authorization server's token endpoint, presenting the authorization code received in the previous step. Parameters:

  • grant_type : authorization_code
  • code
  • client_id
  • client_secret
  • redirect_uri (must be identical to the value sent in step (A))
  • state (not a token-endpoint parameter in RFC 6749 section 4.1.3; EvaOAuth sends it anyway, and the server is free to ignore it)

$token = $client->getAccessToken(new Providers\Facebook());

The actual HTTP request is:

POST /oauth/access_token HTTP/1.1
Host: graph.facebook.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=somecode&
client_id=369238949824623&
client_secret=some_secret&
redirect_uri=http%3A%2F%2Foauth.evaengine.com%2FEvaOAuth%2Fexamples%2Faccess.php%3Fprovider%3Dfacebook&
state=GxNqzZFpC3

Step (E): the authorization server validates the request (the code is unexpired and was issued to this client_id, the client_secret is correct, and redirect_uri matches the one from step (A)) and, if valid, returns an access token. RFC 6749 section 5.1 specifies a JSON body with token_type; the form-encoded body below is what Facebook returned at the time this page was written.

Response:

HTTP/1.1 200 OK

access_token=tokenvalue&expires=5125751

The client can now access protected resources by presenting the access token as a Bearer credential in the Authorization header.

$httpClient = new Eva\EvaOAuth\AuthorizedHttpClient($token);
$response = $httpClient->get('https://graph.facebook.com/me');

The actual HTTP request:

GET /me HTTP/1.1
Host: graph.facebook.com
Authorization: Bearer tokenvalue

Response:

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8

{"id": ...}
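To show what steps (A) through (E) and the final resource call look like when written out by hand, here is a single-file client for the authorization code grant. It is an added example, not EvaOAuth's code, and uses only PHP's standard library: the Facebook endpoint URLs are the ones shown on this page, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders, and the function and session-key names are this example's own. It adds the two checks the page describes but does not show in code: the state comparison in step (C) and the redirect_uri being repeated in step (D). It omits state from the token request, since RFC 6749 does not define it there.

```php
<?php
// Added example (not EvaOAuth code): the client side of the authorization code
// grant with PHP's standard library only. Endpoint URLs are those shown on the
// page; CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and all names are placeholders.
declare(strict_types=1);

const AUTHORIZE_URL = 'https://www.facebook.com/dialog/oauth';
const TOKEN_URL     = 'https://graph.facebook.com/oauth/access_token';
const CLIENT_ID     = 'client_id';                       // placeholder
const CLIENT_SECRET = 'client_secret';                   // placeholder
const REDIRECT_URI  = 'https://example.com/access.php';  // placeholder, HTTPS on purpose

// Step (A): build the redirect target. state is 128 random bits kept in the
// session so the callback can later be tied to the request that started it.
function authorizeUrl(array &$session, string $scope = ''): string
{
    $session['oauth2_state'] = bin2hex(random_bytes(16));
    $params = [
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $session['oauth2_state'],
    ];
    if ($scope !== '') {
        $params['scope'] = $scope;
    }
    return AUTHORIZE_URL . '?' . http_build_query($params);
}

// Step (C): validate the callback before touching the code. A missing or
// mismatched state means this session did not start the flow (CSRF, or an
// attacker's code being injected); "error" means the user denied the request.
function codeFromCallback(array $query, array &$session): string
{
    $expected = (string) ($session['oauth2_state'] ?? '');
    unset($session['oauth2_state']);                     // state is single use
    $got = (string) ($query['state'] ?? '');
    if ($expected === '' || !hash_equals($expected, $got)) {
        throw new RuntimeException('state mismatch, callback discarded');
    }
    if (isset($query['error'])) {
        throw new RuntimeException('authorization denied: ' . $query['error']);
    }
    $code = (string) ($query['code'] ?? '');
    if ($code === '') {
        throw new RuntimeException('callback carried no authorization code');
    }
    return $code;
}

// Step (D): POST the code to the token endpoint. redirect_uri must repeat the
// value from step (A); the secret travels in the body over TLS, never in a URL.
function exchangeCode(string $code): array
{
    $ch = curl_init(TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'authorization_code',
            'code'          => $code,
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,
            'redirect_uri'  => REDIRECT_URI,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $type   = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("token endpoint returned HTTP $status");
    }
    return parseTokenResponse($type, $body);
}

// Step (E): RFC 6749 specifies a JSON body, while the page shows Facebook
// answering form-encoded (access_token=...&expires=...). Accept both.
function parseTokenResponse(string $contentType, string $body): array
{
    if (stripos($contentType, 'application/json') !== false) {
        $token = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    } else {
        parse_str($body, $token);
    }
    if (!isset($token['access_token']) || $token['access_token'] === '') {
        throw new RuntimeException('token response has no access_token');
    }
    return $token;
}

// access.php entry point: no code or error in the query means step (A),
// otherwise steps (C)-(E) followed by the protected-resource call.
session_start();
if (!isset($_GET['code']) && !isset($_GET['error'])) {
    header('Location: ' . authorizeUrl($_SESSION), true, 302);
    exit;
}
$token = exchangeCode(codeFromCallback($_GET, $_SESSION));
$ch = curl_init('https://graph.facebook.com/me');            // Bearer, as on the page
curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => ['Authorization: Bearer ' . $token['access_token']]]);
echo curl_exec($ch);
```

Deploy the file as the redirect_uri target and open it in a browser: the first visit issues the 302 of step (A), the callback visit runs steps (C) to (E). Two design points worth noting: hash_equals is used for the state comparison so a wrong guess takes the same time as a near miss, and the stored state is deleted before it is compared, so a replayed callback with a previously valid state fails the check.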