PSR-7 support

[peteraba]

Hi @davidbyoung,

Thought I'd kick off a discussion regarding PSR-7. Since I'm using the Oauth2 library, I'd benefit greatly from using PSR-7 compatible HTTP Request and Response objects.

I'm currently using a set of converters which really only covers my needs.

I know this would likely be a major change, but I'd definitely recommend you to consider this for Opulence 2.0 or any new framework(s) you might be building...

[davidbyoung]

I very much understand the desire for PSR-7, but I don't think it's something I plan on supporting. IMO, it was poorly implemented (eg semi-immutability that is prone to causing bugs, clunky syntax, etc), and didn't really gain traction with the largest frameworks. I do wish PHP provided native wrappers for HTTP requests and responses, but since it doesn't, I'm left with two choices - adopt another HTTP library, or write my own. I've been working on a project that attempts to provide a simpler, more feature-full REST API foundation. It contains an HTTP wrapper library that will be used by Aphiria libraries going forward. I wrote it in an attempt to improve on the short-comings of PSR-7, while introducing expanded functionality, eg content negotiation, header parsing and formatting, and a few other things.

[peteraba]

Sounds interesting and well thought out. I can't really argue with it pro or contra, nor is it a great pain to do the conversion.

What is your take on Oauth2 though? Are you going to provide an easy way to implement that or any other access delegation layers? If it's an API oriented framework, I'm sure you have something.

[davidbyoung]

A few years ago, I set out to implement a full OAuth 2.0 solution for authorization, which brought up having to do something like OpenID Connect for authentication. I becand disillusioned with the over complexity with implementing the entire spec, which is especially difficult to support without forcing some sort of front end implementation on developers. Even the original author of OAuth dropped out of the project because he felt it had become much too complicated to be implemented properly except for by "Enterprise" clients.

I'm hesitant to release my home grown solution for authentication and authorization only because I take on the responsibility for ensuring it is 100% secure, which is very difficult for a bespoke solution.

I do wish OAuth were simpler to implement in its entirety. If a better thing came around, I'd jump on implementing that.

[peteraba]

Well, I don't really have a problem at the moment so I will close this issue. However I expect that if my CMS or any other Opulence projects ever picks up traction, it will come up again, likely more pressing.