Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
A Symfony plugin to create the basis of a OAuth server
branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.

tiDoctrineOAuthServerPlugin (for Symfony 1.4)

The tiDoctrineOAuthServerPlugin provides the basis for making an OAuth server. It provides each requested URL in the OAuth protocol 1.0a (request token, user authorization and access token). It provides the pages to authorize/refuse the access to the connected sfDoctrineGuardUser. If the user is not connected, he is automatically redirected to a login page. The authorized consumer keys (that authorizes applications to request tokens) are defined in the database (they must be added manually for the moment).


  • Install the plugin (via a package, install version <= 0.0.4)

    symfony plugin:install tiDoctrineOAuthServerPlugin
  • Install the plugin (via a git checkout)

    git clone git:// plugins/tiDoctrineOAuthServerPlugin
  • Activate the plugin in the config/ProjectConfiguration.class.php

    class ProjectConfiguration extends sfProjectConfiguration
      public function setup()
  • Rebuild your model, update you database tables by starting from scratch and load the fixtures (it will delete all the existing tables, then re-create them)

    symfony doctrine:build --all --and-load --no-confirmation
  • Enable the tiOAuthServer module in your settings.yml

          enabled_modules:      [default, tiOAuthServer]
  • Clear your cache

    symfony cc

How to use

The tiDoctrineOAuthServerPlugin provides three routes, for each step of the OAuth connexion protocol :

  • ti_oauth_request_token: via /request_token, used to retrieve the request token

  • ti_oauth_authorize: via /authorize, used to allow the user to authorize (or not) the access to all the user data

  • ti_oauth_access_token: via /access_token, used to retrieve the access token, that must be stored in the client application.

You should override each of these templates to have nice pages.

Configure your client

First you have to generate an application key and secret to be used by the client. You can do that by simply rename data/fixtures/fixtures.yml to fixtures.yml.

You can use a plugin like sfDoctrineOAuthPlugin to manage the client-side connexion. Here is the PHP code you have to use to connect the client:

$server = "http://localhost/my_project";
// Application key and secret registered in our server
$oauth = new sfOAuth1("12345", "67890"));
// We can set a name to debug
// We set all the URLs
// We set a callback URL
$token = $oauth->getRequestToken();
$verifier = $oauth->requestAuth(array('oauth_callback' => $oauth->getCallback()));

You have to configure the callback action (called at the callback URL defined above):

$server = "http://localhost/my_project";
$verifier = $request->getParameter('oauth_verifier');
$key = $request->getParameter('oauth_token');
$request_token = Doctrine_Core::getTable('Token')->createQuery('a')
        ->where('a.token_key = ?', $key)
$oauth = new sfOAuth1("12345", "67890"));
$access_token = $oauth->getAccessToken($verifier);
if ($access_token->getTokenKey() && $access_token->getTokenSecret()) {
  // Here I store the token for the current user, to prevent doing the authentication each time 
  $this->getUser()->setAttribute('access_identifier', $access_token->getTokenKey());

Create your secured actions

Then, all you have to do is to create actions and protect them like that:

public function executeMyPostTicket(sfWebRequest $request)
  try {
    $req = OAuthRequest::from_request();
    list($consumer, $token) = tiOAuthServer::getInstance()->verify_request($req);
    $access_token = Doctrine_Core::getTable('OAuthServerAccessTokens')->createQuery('a')
            ->where(' = ?', $token)
    if (!$access_token)
      throw new OAuthException();
    // Write your code here
    echo $access_token->getIdUser();
    return sfView::NONE;
  } catch( OAuthException $e ) {
    // The request wasn't valid!
    header('WWW-Authenticate: OAuth realm="http://localhost/"');
    echo 'I\'m afraid I can\'t let you do that Dave.';


2013/03/26: 0.0.5

  • The README now has a better documentation
  • Add .md extension to the README file
Something went wrong with that request. Please try again.