OneAuth Server

OneAuth server is a very simple OAuth2 server implementation with limited functionality, specifically designed for authenticating single page applications (SPAs) according to the workflow described below, and it issues reference tokens only.

If you need a fully-featured OAuth2 server implementation, see the official OAuth page at https://oauth.net/code/php/.

Features

At the moment, OneAuth server provides 2 controllers:

  • AuthorizeController - handles requests for obtaining the Authorization Code, a one-time-use, short-lived random code that the SPA uses to obtain the Access Token.
  • TokenController - handles requests for obtaining the Access Token.

The request data each controller requires, together with the response details, are described in the workflow below.

Since OneAuth server is designed for authenticating SPAs, all communication between OneAuth server and the client app passes through the user's browser and is visible to the user (either via URL search params or via form data sent in POST requests), meaning there is no back channel for exchanging data between these two entities.

Thus, there is no client secret in the workflow, as the SPA has no way to keep one hidden. Instead it relies on PKCE, which requires the client app to send a hash of a code verifier (a random string) in the initial request for the authorization code, and then to send the code verifier in plain text when exchanging that authorization code for the access token. The server recomputes the hash from the presented verifier and only issues the access token if it matches the hash bound to the code.
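The PKCE exchange described above, as an added example that is not part of the OneAuth code base (written in Python rather than the project's PHP, and assuming the S256 transform from RFC 7636, which the README does not name): the SPA side derives the challenge from a fresh verifier, and the server side binds that challenge to a short-lived, one-time-use authorization code and checks the plain-text verifier at the token endpoint.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """SPA side: 32 random bytes encode to 43 unreserved chars (RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """SPA side: the value sent with the initial authorization request (S256)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side: recompute the challenge and compare in constant time."""
    if not 43 <= len(presented_verifier) <= 128:  # RFC 7636 length bounds
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


class AuthCodeStore:
    """Constructed in-memory stand-in for the server's authorization-code
    storage: each code is bound to a client and a PKCE challenge, expires
    after ttl_seconds, and is consumed on first use whether or not the
    exchange succeeds. Time is passed in explicitly to keep this testable."""

    def __init__(self, ttl_seconds: int = 60):
        self._ttl = ttl_seconds
        self._codes = {}

    def issue(self, client_id: str, challenge: str, now: int) -> str:
        code = b64url(secrets.token_bytes(32))
        self._codes[code] = (client_id, challenge, now + self._ttl)
        return code

    def redeem(self, code: str, client_id: str, verifier: str, now: int) -> bool:
        entry = self._codes.pop(code, None)  # one-time use: removed on any attempt
        if entry is None:
            return False
        bound_client, challenge, expires_at = entry
        return bound_client == client_id and now < expires_at and verify_pkce(challenge, verifier)
```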

PSR-7 Request / Response

OneAuth server uses PSR-7 compatible request and response objects for handling requests to obtain authorization codes and/or access tokens. Thus, you will need to provide a PSR-7 implementation that best fits your application. A few options you can choose from:

To send the response to the client, you will also need to implement a response emitter, or use an existing one (for example, ResponseEmitter.php from the Slim framework).

SPA Workflow

SPA workflow diagram

TODOs

  • Add resource controller for protecting APIs
    • Recognize token in headers
    • Recognize token in GET
    • Recognize token in POST
  • Add endpoint to return user profile
  • Implement revoking tokens
    • Individual token
    • All for given user
  • Add functionality for refresh tokens
