index.html.twig
{% extends 'html.html.twig' %}
{% set head_title = 'Authorization Server | AuthBucket\\OAuth2' %}
{% block page %}
<div class="container">
<div class="row">
<div class="col-md-12">
<h1 id="authorization-server" class="page-header">Authorization Server</h1>
<blockquote>
<p>The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.</p>
<footer><a href="http://tools.ietf.org/html/rfc6749#section-1.1">1.1. Roles</a></footer>
</blockquote>
<p class="lead">The authorization server's endpoints usually have no GUI; they are exposed as a RESTful API. Read through <a href="https://github.com/authbucket/oauth2-php/blob/master/tests/AuthBucket/OAuth2/Tests/TestBundle/Resources/config/routing_oauth2.php">routing_oauth2.php</a> to see how we implement it.</p>
<h2 id="protocol-endpoints" class="page-header">Protocol Endpoints</h2>
<blockquote>
<p>The authorization process utilizes two authorization server endpoints (HTTP resources):</p>
<footer><a href="http://tools.ietf.org/html/rfc6749#section-3">3. Protocol Endpoints</a></footer>
</blockquote>
<h3 id="authorization-endpoint-oauth2authorize-and-oauth2authorizehttp">Authorization Endpoint <small>(<code>/api/oauth2/authorize</code> and <code>/demo/authorize</code>)</small></h3>
<blockquote>
<p>The authorization endpoint is used to interact with the resource owner and obtain an authorization grant.</p>
<footer><a href="http://tools.ietf.org/html/rfc6749#section-3.1">3.1. Authorization Endpoint</a></footer>
</blockquote>
<p class="lead">Both authorization endpoints (<a href="{{ path('api_oauth2_authorize') }}">HTTP Basic Authentication</a> and <a href="{{ path('demo_authorize') }}">Form-based Authentication</a>) are protected by Silex's <a href="http://silex.sensiolabs.org/doc/providers/security.html">SecurityServiceProvider</a> in this example. Read through <a href="https://github.com/authbucket/oauth2-php/blob/master/app/config/security.php">security.php</a> to see how we implement it.</p>
<p>The endpoint can be opened directly in a browser; this triggers an authentication request, which can be satisfied with the following test account:</p>
<ul>
<li>Username: <code>demousername1</code></li>
<li>Password: <code>demopassword1</code></li>
</ul>
<p>After a successful login, accessing this endpoint without the required query parameters (at minimum <code>response_type</code> and <code>client_id</code>, per RFC 6749 section 4.1.1) returns the error <code>{"error":"invalid_request"}</code> as JSON.</p>
<h3 id="token-endpoint-oauth2token">Token Endpoint <small>(<code>/api/oauth2/token</code>)</small></h3>
<blockquote>
<p>The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token.</p>
<footer><a href="http://tools.ietf.org/html/rfc6749#section-3.2">3.2. Token Endpoint</a></footer>
</blockquote>
<p class="lead">The <a href="{{ path('api_oauth2_token') }}">Token endpoint</a> is protected by OAuth2's <a href="https://github.com/authbucket/oauth2-php/blob/master/src/AuthBucket/OAuth2/Provider/AuthBucketOAuth2ServiceProvider.php">AuthBucketOAuth2ServiceProvider</a> in this example. Read through <a href="https://github.com/authbucket/oauth2-php/blob/master/app/config/security.php">security.php</a> to see how we implement it.</p>
<p>This endpoint is not meant to be opened in a browser with a plain GET (RFC 6749 section 3.2 requires clients to use POST); doing so returns the error <code>{"error":"invalid_request"}</code> as JSON.</p>
<p>For debugging, send a POST request to this endpoint with a tool such as <a href="https://addons.mozilla.org/en-US/firefox/addon/httprequester/">HttpRequester</a>.</p>
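<p>The two protocol endpoints above are easiest to understand from the client's side of the exchange. The following is an added example written for this page, not code from authbucket/oauth2-php: it builds the authorization request (with the <code>state</code> parameter that the server would otherwise let you omit, as the <code>invalid_request</code> behaviour above only covers the required fields), checks the redirect back for a CSRF mismatch or an <code>error</code> reply, and builds the form-encoded POST the token endpoint expects. The endpoint paths are the ones documented on this page; the host, <code>redirect_uri</code> and client secret are assumed demo values, and the network calls themselves are left to the caller so the code runs offline.</p>

```python
"""Client side of the authorization code grant (RFC 6749, sections 4.1.1-4.1.4).

Added example; not code from authbucket/oauth2-php.  Endpoint paths are the
ones documented on this page; the host, redirect_uri and client secret are
assumed demo values.  Network I/O is left to the caller so this runs offline.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SERVER = "https://server.example.com"            # assumed host
AUTHORIZE_URL = SERVER + "/api/oauth2/authorize"  # path from the page
TOKEN_URL = SERVER + "/api/oauth2/token"          # path from the page
CLIENT_ID = "authorization_code_grant"            # client_id seen in the page's debug output
REDIRECT_URI = "https://client.example.com/cb"    # assumed client callback


class OAuth2ClientError(Exception):
    pass


def new_state():
    """Per-authorization CSRF token; the client stores it in the user's session
    before redirecting and compares it on the way back (RFC 6749, 10.12)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state, scope=("demoscope1",)):
    """Step 1: the URL the resource owner's browser is sent to.  Without
    response_type and client_id the page's server answers invalid_request."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope),  # RFC 6749, 3.3: space-delimited list
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: the server redirects back to REDIRECT_URI with either
    code+state or error+state.  Returns the code, or raises."""
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    got_state = query.get("state", [""])[0]
    # Check state first, in constant time, before trusting anything else.
    if not secrets.compare_digest(got_state.encode(), expected_state.encode()):
        raise OAuth2ClientError("state mismatch: possible CSRF or session mix-up")
    if "error" in query:
        raise OAuth2ClientError("authorization refused: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise OAuth2ClientError("expected exactly one non-empty code")
    return codes[0]


def build_token_request(code, client_secret):
    """Step 3: the request the client sends to the token endpoint.  The page
    notes that a browser GET is answered with invalid_request; RFC 6749, 4.1.3
    requires POST with a form-encoded body, and a confidential client
    authenticates with HTTP Basic over client_id:client_secret (2.3.1)."""
    credentials = base64.b64encode(
        (CLIENT_ID + ":" + client_secret).encode()).decode()
    headers = {
        "Authorization": "Basic " + credentials,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value sent in step 1
    })
    return "POST", TOKEN_URL, headers, body


def parse_token_response(body):
    """Step 4: read the token endpoint's JSON answer.  Returns
    (access_token, expires_in, refresh_token); raises on an error object."""
    data = json.loads(body)
    if "error" in data:
        raise OAuth2ClientError("token request failed: " + str(data["error"]))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise OAuth2ClientError("unexpected token_type: " + str(data.get("token_type")))
    return data["access_token"], data.get("expires_in"), data.get("refresh_token")
```

<p>The <code>state</code> comparison runs before anything else in the callback is trusted, and an <code>error</code> parameter is surfaced rather than silently treated as a missing code; both are the checks most demo clients skip. The same four functions serve the <code>/demo/authorize</code> form-based endpoint, since only the way the resource owner authenticates differs.</p>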
<h2 id="additional-endpoints" class="page-header">Additional Endpoints</h2>
<p class="lead">The following endpoints are not part of <a href="http://tools.ietf.org/html/rfc6749">RFC 6749</a>, but a production implementation should consider providing them.</p>
<h3 id="form-based-authentication-demologin">Form-based Authentication <small>(<code>/demo/login</code>)</small></h3>
<p class="lead"><a href="{{ path('demo_login') }}">Form-based Authentication</a> is implemented by Silex's <a href="http://silex.sensiolabs.org/doc/providers/security.html">SecurityServiceProvider</a> in this example. Read through <a href="https://github.com/authbucket/oauth2-php/blob/master/tests/AuthBucket/OAuth2/Tests/TestBundle/Resources/config/routing_oauth2.php">routing_oauth2.php</a> and <a href="https://github.com/authbucket/oauth2-php/blob/master/tests/AuthBucket/OAuth2/Tests/TestBundle/Resources/views/demo/login.html.twig">login.html.twig</a> for more information.</p>
<p>It is used to protect the Authorization Endpoint above.</p>
<h3 id="debug-endpoint-oauth2debug">Debug Endpoint <small>(<code>/api/oauth2/debug</code>)</small></h3>
<p class="lead">The <a href="{{ path('api_oauth2_debug') }}">Debug Endpoint</a> borrows the idea of <a href="https://developers.facebook.com/docs/facebook-login/access-tokens#debug">Facebook's Debug API Endpoint</a>: it returns the raw information stored for the supplied <code>access_token</code>. Read through <a href="https://github.com/authbucket/oauth2-php/blob/master/app/config/security.php">security.php</a> and <a href="https://github.com/authbucket/oauth2-php/blob/master/tests/AuthBucket/OAuth2/Tests/TestBundle/Resources/config/routing_oauth2.php">routing_oauth2.php</a> for more information.</p>
<p>When working with an access token, you may need to check what information is associated with it, such as its user or expiry. To use this endpoint, issue a GET or POST request, e.g.:</p>
<pre><code class="http">GET /api/oauth2/debug?access_token={access_token} HTTP/1.1
Host: server.example.com</code></pre>
<ul>
<li><code>access_token</code>: the access token you want to get information about</li>
</ul>
<p>The response is a JSON object with the following fields (<code>expires</code> is a Unix timestamp). For example:</p>
<pre><code class="json">{
"access_token": "5dc0bdbb2f66a842cb46a02b6d559131",
"client_id": "authorization_code_grant",
"expires": 1404641243,
"scope": [
"demoscope1"
],
"token_type": "bearer",
"username": "demousername1"
}</code></pre>
<p>A remote <a href="{{ path('resource') }}">Resource Server</a> may also use this debug endpoint to verify an access token presented to it. It should not treat any well-formed response as proof of validity: it still has to check that <code>expires</code> lies in the future and that <code>scope</code> covers the resource being requested.</p>
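<p>What that verification looks like on the resource server, as an added example written for this page (not code from authbucket/oauth2-php): the bearer token is taken from the incoming request following RFC 6750 (header form preferred, the <code>access_token</code> query form the page's examples use also accepted, both at once rejected), the debug payload is checked for token match, type, expiry and scope, and a rejection is turned into the matching status and <code>WWW-Authenticate</code> challenge. The debug payload is the one shown above; the HTTPS GET to <code>/api/oauth2/debug</code> is passed in as a callable so the code runs offline, and the realm name is an assumption.</p>

```python
"""Resource-server side: accepting a bearer token only after checking what
the debug endpoint says about it.

Added example; not code from authbucket/oauth2-php.  The debug payload is the
one shown on this page; how the resource server fetches it (an HTTPS GET to
/api/oauth2/debug) is left to the caller so this runs offline.  Header and
error handling follow RFC 6750, sections 2 and 3.
"""
import json
import time

# Debug endpoint response copied from the page; `expires` is a Unix timestamp.
DEBUG_PAYLOAD = json.loads("""{
    "access_token": "5dc0bdbb2f66a842cb46a02b6d559131",
    "client_id": "authorization_code_grant",
    "expires": 1404641243,
    "scope": ["demoscope1"],
    "token_type": "bearer",
    "username": "demousername1"
}""")


class TokenRejected(Exception):
    """error is an RFC 6750 error code, or None when no token was presented."""
    def __init__(self, error, detail=""):
        super().__init__(detail or error or "no credentials")
        self.error = error


def extract_bearer_token(headers, query):
    """headers: dict with lower-cased names; query: dict of query parameters.
    The Authorization header form is preferred; the access_token query form
    (which the page's examples use) is allowed, but a request using both is
    rejected, as RFC 6750, 2 requires."""
    from_header = None
    auth = headers.get("authorization")
    if auth is not None:
        scheme, _, value = auth.strip().partition(" ")
        if scheme.lower() != "bearer" or not value.strip():
            raise TokenRejected("invalid_request", "malformed Authorization header")
        from_header = value.strip()
    from_query = query.get("access_token")
    if from_header and from_query:
        raise TokenRejected("invalid_request", "token sent by more than one method")
    token = from_header or from_query
    if not token:
        raise TokenRejected(None)
    return token


def validate_debug_info(info, presented_token, required_scope, now=None):
    """Decide from the debug endpoint's answer whether the token may be used
    for a resource needing `required_scope`.  Returns the username."""
    now = time.time() if now is None else now
    if info.get("access_token") != presented_token:
        raise TokenRejected("invalid_token", "debug info is for a different token")
    if str(info.get("token_type") or "").lower() != "bearer":
        raise TokenRejected("invalid_token", "not a bearer token")
    expires = info.get("expires")
    if not isinstance(expires, (int, float)) or expires <= now:
        raise TokenRejected("invalid_token", "token expired")
    if required_scope not in set(info.get("scope") or []):
        raise TokenRejected("insufficient_scope", "token lacks " + required_scope)
    if not info.get("username"):
        raise TokenRejected("invalid_token", "no resource owner bound to token")
    return info["username"]


def challenge(error, realm="api"):
    """HTTP status and WWW-Authenticate value for a rejection (RFC 6750, 3.1).
    A request with no credentials at all gets a bare challenge, no error code.
    The realm name is an assumption for this example."""
    status = {None: 401, "invalid_request": 400,
              "invalid_token": 401, "insufficient_scope": 403}[error]
    value = 'Bearer realm="%s"' % realm
    if error:
        value += ', error="%s"' % error
    return status, value


def authorize_request(headers, query, fetch_debug_info, required_scope, now=None):
    """Glue: returns (200, username) or (status, www_authenticate_value).
    fetch_debug_info(token) performs the GET to /api/oauth2/debug."""
    try:
        token = extract_bearer_token(headers, query)
        username = validate_debug_info(
            fetch_debug_info(token), token, required_scope, now)
    except TokenRejected as rejected:
        return challenge(rejected.error)
    return 200, username
```

<p>With the page's sample payload, the same token is accepted for <code>demoscope1</code> before <code>1404641243</code>, answered with <code>401</code> and <code>error="invalid_token"</code> from that instant on, and with <code>403</code> and <code>error="insufficient_scope"</code> for a scope it was never granted. Comparing the <code>access_token</code> field against the token actually presented guards against a debug lookup that answers for a different token than the one asked about.</p>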
<h3 id="crud-endpoints-apiv1.0authorize-apiv1.0client-and-apiv1.0scope">CRUD Endpoints <small>(<code>/api/authorize</code>, <code>/api/client</code> and <code>/api/scope</code>)</small></h3>
<p><a href="http://en.wikipedia.org/wiki/Create,_read,_update_and_delete">CRUD Endpoints</a> expose the raw data sets in <a href="http://en.wikipedia.org/wiki/Representational_state_transfer">RESTful API</a> style, with <a href="http://en.wikipedia.org/wiki/JSON">JSON</a> or <a href="http://en.wikipedia.org/wiki/XML">XML</a> request and response bodies, e.g.:</p>
<pre><code class="no-highlight">POST   /api/scope.json         create a new scope
GET    /api/scope[/:id].json   get the scope specified by id
PUT    /api/scope[/:id].json   update a scope
DELETE /api/scope[/:id].json   delete the scope specified by id
GET    /api/scope.json         get the entire list of scopes</code></pre>
<p>In this demo the CRUD endpoints are protected by our own <code>oauth2_resource</code> firewall rule, so fetching the first scope requires a valid access token, as below:</p>
<pre><code class="http">GET /api/scope/1.json?access_token={access_token} HTTP/1.1
Host: server.example.com</code></pre>
<p>The response is a JSON object, for example:</p>
<pre><code class="json">{
"id": 1,
"scope": "demoscope1"
}</code></pre>
</div>
</div>
</div>
{% endblock %}