Merge 8ce837d into 5234612

CHANGELOG.md

@@ -1,5 +1,24 @@
 OAuth 2.0 Google Provider Changelog
 
+## 3.0.0 - ???
+
+### Changed
+
+- Update to latest version of Google OAuth
+- Use only OpenID Connect for user details
+
+### Fixed
+
+- Correct handling of selecting from multiple user accounts, #45
+
+### Added
+
+- Support additional scopes at construction
+
+### Removed
+
+- Dropped support for Google+ user details, #34 and #63
+
 ## 2.2.0 - 2018-03-19
 
 ### Added

CONTRIBUTING.md

@@ -28,15 +28,15 @@ We accept contributions via Pull Requests on [Github](https://github.com/thephpl
 
 ## Running Tests
 
-``` bash
-$ ./vendor/bin/phpunit
+```sh
+composer test
 ```
 
 
 ## Running PHP Code Sniffer
 
-``` bash
-$ ./vendor/bin/phpcs src --standard=psr2 -sp
+```sh
+composer check
 ```
 
 **Happy coding**!

README.md

@@ -20,20 +20,28 @@ a patch via pull request.
 
 The following versions of PHP are supported.
 
-* PHP 5.6
 * PHP 7.0
 * PHP 7.1
-* HHVM
+* PHP 7.2
+* PHP 7.3
 
-[Google Sign In](https://developers.google.com/identity/sign-in/web/sign-in) will also need to be set up, which will provide you with the `{google-app-id}` and `{google-app-secret}` required (see [Usage](#usage) below).
+This package uses [OpenID Connect][openid-connect] to authenticate users with
+Google accounts.
 
-If you're using the default [scopes](#scopes) then you'll also need to enable the [Google+ API](https://developers.google.com/+/web/api/rest/) for your project.
+To use this package, it will be necessary to have a Google client ID and client
+secret. These are referred to as `{google-client-id}` and `{google-client-secret}`
+in the documentation.
+
+Please follow the [Google instructions][oauth-setup] to create the required credentials.
+
+[openid-connect]: https://developers.google.com/identity/protocols/OpenIDConnect
+[oauth-setup]: https://developers.google.com/identity/protocols/OpenIDConnect#registeringyourapp
 
 ## Installation
 
 To install, use composer:
 
-```
+```sh
 composer require league/oauth2-google
 ```
 
@@ -42,9 +50,11 @@ composer require league/oauth2-google
 ### Authorization Code Flow
 
 ```php
-$provider = new League\OAuth2\Client\Provider\Google([
-    'clientId'     => '{google-app-id}',
-    'clientSecret' => '{google-app-secret}',
+use League\OAuth2\Client\Provider\Google;
+
+$provider = new Google([
+    'clientId'     => '{google-client-id}',
+    'clientSecret' => '{google-client-secret}',
     'redirectUri'  => 'https://example.com/callback-url',
     'hostedDomain' => 'example.com', // optional; used to restrict access to users on your G Suite/Google Apps for Business accounts
 ]);
@@ -102,14 +112,48 @@ if (!empty($_GET['error'])) {
 }
 ```
 
+#### Available Options
+
+The `Google` provider has the following [options][auth-params]:
+
+- `accessType` to use online or offline access
+- `hostedDomain` to authenticate G Suite users
+- `prompt` to modify the prompt that the user will see
+- `scopes` to request access to additional user information
+
+[auth-params]: https://developers.google.com/identity/protocols/OpenIDConnect#authenticationuriparameters
+
+#### Accessing Token JWT
+
+Google provides a [JSON Web Token][jwt] (JWT) with all access tokens. This token
+[contains basic information][openid-jwt] about the authenticated user. The JWT
+can be accessed from the `id_token` value of the access token:
+
+```php
+/** @var League\OAuth2\Client\Token\AccessToken $token */
+$values = $token->getValues();
+
+/** @var string */
+$jwt = $values['id_token'];
+```
+
+Parsing the JWT will require a [JWT parser][jwt-parsers]. Refer to parser
+documentation for instructions.
+
+[jwt]: https://jwt.io/
+[openid-jwt]: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
+[jwt-parsers]: https://packagist.org/search/?q=jwt
+
 ### Refreshing a Token
 
 Refresh tokens are only provided to applications which request offline access. You can specify offline access by setting the `accessType` option in your provider:
 
 ```php
-$provider = new League\OAuth2\Client\Provider\Google([
-    'clientId'     => '{google-app-id}',
-    'clientSecret' => '{google-app-secret}',
+use League\OAuth2\Client\Provider\Google;
+
+$provider = new Google([
+    'clientId'     => '{google-client-id}',
+    'clientSecret' => '{google-client-secret}',
     'redirectUri'  => 'https://example.com/callback-url',
     'accessType'   => 'offline',
 ]);
@@ -135,43 +179,46 @@ $authUrl = $provider->getAuthorizationUrl(['approval_prompt' => 'force']);
 Now you have everything you need to refresh an access token using a refresh token:
 
 ```php
-$provider = new League\OAuth2\Client\Provider\Google([
-    'clientId'     => '{google-app-id}',
-    'clientSecret' => '{google-app-secret}',
+use League\OAuth2\Client\Provider\Google;
+use League\OAuth2\Client\Grant\RefreshToken;
+
+$provider = new Google([
+    'clientId'     => '{google-client-id}',
+    'clientSecret' => '{google-client-secret}',
     'redirectUri'  => 'https://example.com/callback-url',
 ]);
 
-$grant = new League\OAuth2\Client\Grant\RefreshToken();
+$grant = new RefreshToken();
 $token = $provider->getAccessToken($grant, ['refresh_token' => $refreshToken]);
 ```
-## Resource Owner Attributes
-
-By default the Google plus API is used to load profile information. If you want to use the OpenIDConnect
-user info endpoint to load profile information then add `useOidcMode => true` to your configuration.
-
-The two endpoints provide attributes with different names and structures. The `GoogleUser` class hides
-these differences for the most common attributes.
 
 ## Scopes
 
-If needed, you can include an array of scopes when getting the authorization url. Example:
+Additional [scopes][scopes] can be set by using the `scope` parameter when
+generating the authorization URL:
 
-```
+```php
 $authorizationUrl = $provider->getAuthorizationUrl([
     'scope' => [
-        'https://www.googleapis.com/auth/drive',
-    ]
+        'scope-url-here'
+    ],
 ]);
-header('Location: ' . $authorizationUrl);
-exit;
 ```
 
-Note that the default scopes include `email` and `profile`, which require that the [Google+ API](https://developers.google.com/+/web/api/rest/) is enabled for your project.
+[scopes]: https://developers.google.com/identity/protocols/googlescopes
 
 ## Testing
 
-``` bash
-$ ./vendor/bin/phpunit
+Tests can be run with:
+
+```sh
+composer test
+```
+
+Style checks can be run with:
+
+```sh
+composer check
 ```
 
 ## Contributing

examples/user.php

@@ -2,6 +2,10 @@
 
 $provider = require __DIR__ . '/provider.php';
 
+if (isset($_GET['logout']) && $_GET['logout'] = 1) {
+    unset($_SESSION['token']);
+}
+
 if (!empty($_SESSION['token'])) {
     $token = unserialize($_SESSION['token']);
 }
@@ -12,25 +16,24 @@
 }
 
 try {
-
     // We got an access token, let's now get the user's details
     $userDetails = $provider->getResourceOwner($token);
 
     // Use these details to create a new profile
     printf('Hello %s!<br/>', $userDetails->getFirstname());
-
 } catch (Exception $e) {
-
     // Failed to get user details
     exit('Something went wrong: ' . $e->getMessage());
-
 }
 
 // Use this to interact with an API on the users behalf
-echo $token->getToken()."<br/>";
+echo "Token is: <tt>", $token->getToken(), "</tt><br/>";
 
 // Use this to get a new access token if the old one expires
-echo $token->getRefreshToken()."<br/>";
+echo "Refresh token is: <tt>", $token->getRefreshToken(), "</tt><br/>";
 
 // Number of seconds until the access token will expire, and need refreshing
-echo $token->getExpires()."<br/>";
+echo "Expires in ", $token->getExpires(), " seconds <br/>";
+
+// Allow the user to logout
+echo '<a href="?logout=1">Logout</a><br/>';