OAuth 2.0 Client plugin for Craft CMS 3

This plugin provides developers with an easy centralized approach to managing and storing OAuth 2.0 clients and tokens.

It exposes an easy to use API and frontend for authorizing tokens for internal business logic. What it does not do is act as an authentication provider for users to login to the CMS.


  • Simple API for integrating League OAuth Providers
  • Lots of events for developers
  • CLI for refreshing tokens
  • Project config support
  • 1-line Twig helper for generating authentication UI in your module

Example Use Cases

  • Building a custom CRM integration
  • Reading from and writing to Google Sheets
  • Querying data on a business' Facebook page

Example Non-Use Cases

  • Logging-in users on the frontend
  • Allowing users to access the CP via social accounts
  • Keeping track of many CMS users' social accounts


This plugin should work on Craft CMS or later


To install the plugin, follow these instructions.

  1. Open your terminal and go to your Craft project:

     cd /path/to/project
  2. Then tell Composer to load the plugin:

     composer require venveo/craft-oauthclient
  3. In the Control Panel, go to Settings → Plugins and click the “Install” button for OAuth 2.0 Client.

  4. Configure on Craft settings page


A provider in this context is an OAuth 2.0 server that is exposing an API via token authorization. Out of the box, this plugin ships with the following providers:

  • Google
  • Facebook
  • GitHub

The plugin utilizes the widely used oauth2-client project by thephpleague in order to make adding providers as painless as possible. We add an additional layer to this abstraction in order to mix in requirements for Craft.

Creating a Provider

Assuming a League provider already exists for your service, you can easily create your own implementation. In your module or plugin, create a file for the provider and follow this outline:

use League\OAuth2\Client\Provider\YOUR_PROVIDER_CLASS as LeagueProvider;
use venveo\oauthclient\base\Provider;

class MyProvider extends Provider
{
    /**
     * @inheritDoc
     */
    public static function displayName(): string
    {
        // This is what is displayed in the CP when registering an App
        return 'My Provider';
    }

    public static function getProviderClass(): string
    {
        // Return the class name for the league provider
        return LeagueProvider::class;
    }
}

And now you need only register it in your plugin or module's init function:

use venveo\oauthclient\services\Providers;
use craft\events\RegisterComponentTypesEvent;
use yii\base\Event;
use MyProvider;
// [...]
Event::on(Providers::class, Providers::EVENT_REGISTER_PROVIDER_TYPES, function (RegisterComponentTypesEvent $event) {
    // Add the provider class to the list of available provider types
    $event->types[] = MyProvider::class;
});

Once you have registered the provider, it will appear in the provider dropdown list when you click "Register New App" in the Control Panel.

The example above is the bare minimum for registering a provider. Should you need to, there are many methods you can override and implement in order to customize the authorization flow of your provider.

See venveo\oauthclient\base\Provider for information on the possibilities here.


In this plugin, an App represents the implementation of a provider with a registered OAuth provider. Most people will probably only need one or two, but you can create as many as needed. To register an app, you'll need to start in the developer options on the provider's website and create an OAuth 2.0 application. At some point, you'll be asked for the redirect URI of the login flow. This URI is generated by the plugin once an app is registered. You'll need to set it to something temporary until you've saved the app, at which point you'll need to update it with the provider.

After an app is registered, you should be able to visit the OAuth Apps overview page and click the "+" button to the right of the app listing to create your first token.

API Usage

This plugin assumes you're performing your actual logic in your module or plugin.

The plugin has the following services available:

  • venveo\oauthclient\services\Apps - used for retrieving Apps and their configuration
  • venveo\oauthclient\services\Credentials - used for retrieving and managing tokens for apps
  • venveo\oauthclient\services\Providers - used for managing available providers
  • venveo\oauthclient\services\Tokens - used for managing tokens

Generally, you'll only find yourself using the Apps and Credentials services.

Controlling Authentication Flow

Often, you'll find yourself needing to tweak the parameters of a provider's authentication process depending on the situation. For example, in some cases, you may want to force Google to prompt for consent so you can acquire a refresh token for previously authenticated individuals. This may also be useful if you'd like to tweak the requested scopes as the user makes their way through the app.

Typically, this might mean writing a lot of repetitive code; however, we've approached this problem by introducing "contexts" to an authentication process. For example, I might use the Twig helper to render a connector in my module and want to ensure the user has offline access to Google. I would first render my connector with the context parameter set and then register an event handler in my module to tweak the authentication URL depending on the context.

See Example



    • venveo\oauthclient\events\AppEvent
    • venveo\oauthclient\events\AppEvent
    • venveo\oauthclient\events\AppEvent
    • venveo\oauthclient\events\AppEvent
    • venveo\oauthclient\events\AuthorizationUrlEvent


    • venveo\oauthclient\events\TokenEvent
    • venveo\oauthclient\events\TokenEvent


    • venveo\oauthclient\events\TokenEvent
    • venveo\oauthclient\events\TokenEvent
    • venveo\oauthclient\events\TokenEvent

Twig Variable

There's a helpful Twig variable, craft.oauth, exposed by the OAuth Client plugin to help you build your UI.

craft.oauth.getAppByHandle('handle') returns an App model if it exists

Command Line Interface (CLI)

If you would like to refresh all tokens, you can utilize the CLI to automate the process.

./craft oauthclient/apps/refresh-tokens <app handle>

Returns status code 1 if there were errors and 0 if successful
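
A cron-friendly wrapper built on the exit codes described above, as an added example that is not part of the plugin or its documentation. It refreshes several apps in one run, keeps going after a failure, and exits non-zero so a scheduler or monitor can alert on tokens that could not be refreshed. `CRAFT_BIN`, the function names and the script name in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the plugin): wrapper around the refresh-tokens
# command. Relies only on the documented exit codes:
# 0 = success, 1 = there were errors.
# Assumption: CRAFT_BIN points at your project's craft executable.
CRAFT_BIN="${CRAFT_BIN:-./craft}"
FAILED_HANDLES=""

# Refresh the tokens of one app; CLI output goes to stderr for the cron log.
refresh_app() {
    "$CRAFT_BIN" oauthclient/apps/refresh-tokens "$1" >&2
}

# Refresh every handle given as an argument. Keeps going after a failure so
# one broken app does not leave the others with stale tokens.
# Sets FAILED_HANDLES and returns 1 if any refresh failed, 0 otherwise.
refresh_all() {
    FAILED_HANDLES=""
    for handle in "$@"; do
        if refresh_app "$handle"; then
            echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) refresh ok: $handle" >&2
        else
            echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) refresh FAILED: $handle" >&2
            FAILED_HANDLES="${FAILED_HANDLES:+$FAILED_HANDLES }$handle"
        fi
    done
    [ -z "$FAILED_HANDLES" ]
}

# Run only when handles are passed on the command line, e.g. from cron:
#   refresh-oauth.sh google facebook
if [ "$#" -gt 0 ]; then
    refresh_all "$@" || {
        echo "token refresh failed for: $FAILED_HANDLES" >&2
        exit 1
    }
fi
```

A refresh that keeps failing for one handle usually means the grant needs to be re-authorized from the OAuth Apps overview page.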


Interact with Google Sheets

If you wanted to manage some data in your Google Sheets account, you could easily require the Google_Client composer package and make the necessary requests; however, token management adds a lot of overhead and complexity. That's where this plugin comes in. Assuming you've already required the Google_Client, you could utilize this plugin like so:

use venveo\oauthclient\Plugin;
// [...]

// Get the plugin instance. Note: make sure you do this after the application has been inited, such as in a route or
// event.
$plugin = Plugin::$plugin;
// Let's grab a valid token - we could pass the current user ID in here to limit it
$tokens = $plugin->credentials->getValidTokensForAppAndUser('google');
// Get the app from the apps service
$app = $plugin->apps->getAppByHandle('google');

// Show time! Note: you should add some error checking.
$client = new \Google_Client();

$service = new \Google_Service_Sheets($client);
$sheet = $service->spreadsheets->get('some-google-sheet');

Using the Twig variable to check if the current user is connected

{% set app = craft.oauth.getAppByHandle('google') %}
{% if app %}
    {{ }}
    {% set tokens = app.getValidTokensForUser() %}
    {% if tokens|length %}
    {% else %}
        {# This will render some boilerplate UI to connect the app #}
        {{ app.renderConnector() }}
    {% endif %}
{% else %}
    Could not find app
{% endif %}

Modifying the authentication flow conditionally

In this example, we'll render the connector with a context and register an event to modify the authorization parameters before the connection URL is rendered.

{% set app = craft.oauth.getAppByHandle('google') %}
{{ app.renderConnector('cp') }}

{# I can also just render the link URL #}
<a href="{{ app.getRedirectUrl('cp') }}">Login</a>

use venveo\oauthclient\events\AuthorizationUrlEvent;
use venveo\oauthclient\services\Apps;
use yii\base\Event;
// [...]
Event::on(Apps::class, Apps::EVENT_GET_URL_OPTIONS, function (AuthorizationUrlEvent $e) {
    // Only touch the Google app when the connector was rendered with the 'cp' context
    if ($e->context === 'cp' && $e->app->handle === 'google') {
        // Force re-consent during OAuth
        $e->options['prompt'] = 'consent';
        $e->options['access_type'] = 'offline';
        $e->options['approval_prompt'] = null;
    }
});

Brought to you by Venveo
