OAuth2 routes for use within a Slim Framework API





OAuth2 Server route callbacks for use within a Slim 3 Framework API


Chadicus\Slim\OAuth2\Routes requires PHP 5.6 (or later).


To add the library as a local, per-project dependency, use Composer. Add a dependency on chadicus/slim-oauth2-routes to your project's composer.json file, for example by running:

composer require chadicus/slim-oauth2-routes


Developers may be contacted at:

Project Build

With a checkout of the code get Composer in your PATH and run:

./composer install

A Note on Using Views

The authorize and receive-code routes require view objects. The given view object must implement a render method such as the one found in slim/twig-view and slim/php-view. It would be best if there were a common ViewInterface which both implemented, but as of now such an interface does not exist.



Example Usage

use Chadicus\Slim\OAuth2\Routes;
use OAuth2;
use OAuth2\GrantType;
use OAuth2\Storage;
use Slim;
use Slim\Views;

// Build the OAuth2 server on top of PDO-backed storage.
// $dsn, $username and $password must already be defined; load them from the
// environment or a secret store rather than committing them with the code.
$storage = new Storage\Pdo(
    [
        'dsn' => $dsn,
        'username' => $username,
        'password' => $password,
    ]
);
$server = new OAuth2\Server($storage);

// Enable the grant types this example accepts: authorization code first, then client credentials.
$authorizationCodeGrant = new GrantType\AuthorizationCode($storage);
$server->addGrantType($authorizationCodeGrant);
$clientCredentialsGrant = new GrantType\ClientCredentials($storage);
$server->addGrantType($clientCredentialsGrant);

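//Set-up the Slim Application
// The constructor takes an array; the 'view' entry is the renderer that is
// read back below as $container['view'] and handed to the view-based routes.
$app = new Slim\App(
    [
        'view' => new Views\PhpRenderer('/path/to/chadicus/slim-oauth2-routes/templates'),
    ]
);

$container = $app->getContainer();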

// Register the four OAuth2 endpoints provided by the library. Each route class
// exposes its path as a ROUTE constant; the name set here is what the rest of
// the application uses to refer to the route.
// These endpoints exchange client credentials, codes and tokens, so expose them over TLS only.

// Authorization endpoint: renders through the view, so it answers both GET and POST.
$app->map(
    ['GET', 'POST'],
    Routes\Authorize::ROUTE,
    new Routes\Authorize($server, $container['view'])
)->setName('authorize');

// Token endpoint: POST only.
$app->post(
    Routes\Token::ROUTE,
    new Routes\Token($server)
)->setName('token');

// Receive-code endpoint: needs only the view, not the server.
$app->map(
    ['GET', 'POST'],
    Routes\ReceiveCode::ROUTE,
    new Routes\ReceiveCode($container['view'])
)->setName('receive-code');

// Revocation endpoint: POST only.
$app->post(
    Routes\Revoke::ROUTE,
    new Routes\Revoke($server)
)->setName('revoke');

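//Add custom routes
// Registered on $app, the application object created above.
$app->get('/foo', function ($request, $response, $args) {
    $authorization = $request->getHeaderLine('Authorization');

    // Fail closed: without a Bearer credential there is nothing to validate.
    if (strncasecmp($authorization, 'Bearer ', 7) !== 0) {
        return $response->withStatus(401)->withHeader('WWW-Authenticate', 'Bearer');
    }

    //validate access token against your storage
    // NOTE(review): this is a placeholder. Until the token is looked up and its
    // expiry and scope are checked here, any Bearer value reaches the 200 below,
    // so the route is not protected yet. Answer 401 on any validation failure.

    return $response->withStatus(200);
});

//run the app
$app->run();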

Authorize and The UserIdProvider

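Within the Authorization route, you can define a UserIdProviderInterface to extract the user_id from the incoming request. By default the route will look in the GET query params. A user_id read from the query string is supplied by the client, so rely on the default only when something in front of the route has already authenticated the user and confirmed that value; otherwise supply a provider backed by your own authentication, as in the example below.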

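/**
 * Supplies the user_id to the Authorize route from the route arguments
 * instead of reading it from the request.
 *
 * The value is only as trustworthy as whatever placed it in the route
 * arguments, so it should be set by code that has authenticated the user.
 */
class ArgumentUserIdProvider implements UserIdProviderInterface
{
    /**
     * Returns the 'user_id' route argument.
     *
     * @param ServerRequestInterface $request   The incoming request (not consulted by this provider).
     * @param array                  $arguments The route arguments.
     *
     * @return mixed|null The 'user_id' argument, or null when it is not set.
     */
    public function getUserId(ServerRequestInterface $request, array $arguments)
    {
        return isset($arguments['user_id']) ? $arguments['user_id'] : null;
    }
}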

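//middleware to add user_id to route parameters
$loginMiddelware = function ($request, $response, $next) {
    // Validate the user credentials
    // NOTE(review): the check below is strict, so only a literal false counts as
    // failure; confirm MyUserService never signals failure with null, 0 or ''.
    $userId = MyUserService::getUserIdIfValidCredentials($request);
    if ($userId === false) {
        // Stop here so the next callable never runs for an unauthenticated request.
        // NOTE(review): a 303 normally carries a Location header (your login page); none is set here.
        return $response->withStatus(303);
    }

    //Put user_id into the route parameters
    $route = $request->getAttribute('route');
    $route->setArgument('user_id', $userId);

    //Credentials are valid, continue so the authorization code can be sent to the clients callback_uri
    return $next($request, $response);
};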

$authorizeRoute = new Routes\Authorize($server, $view, 'authorize.phtml', new ArgumentUserIdProvider());
	['GET', 'POST'],