oauth2-php | standard compliant OAuth2.0 library | OAuth library

by authbucket | PHP | Version: Current | License: MIT

kandi X-RAY | oauth2-php Summary


oauth2-php is a PHP library typically used in Security, OAuth, and Symfony applications. kandi reports no bugs and no vulnerabilities for oauth2-php; it has a Permissive License and low support. You can download it from GitHub.

The standard compliant OAuth2.0 library based on the Symfony Components.

            Support

              oauth2-php has a low active ecosystem.
              It has 82 star(s) with 23 fork(s). There are 9 watchers for this library.
              It had no major release in the last 6 months.
              There are 2 open issues and 13 have been closed. On average issues are closed in 44 days. There are 12 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of oauth2-php is current.

            Quality

              oauth2-php has 0 bugs and 0 code smells.

            Security

              oauth2-php has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              oauth2-php code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            License

              oauth2-php is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            Reuse

              oauth2-php releases are not available. You will need to build from source code and install.
              Installation instructions, examples and code snippets are available.
              oauth2-php saves you 2973 person hours of effort in developing the same functionality from scratch.
              It has 7054 lines of code, 475 functions and 203 files.
              It has low code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi has reviewed oauth2-php and discovered the below as its top functions. This is intended to give you an instant insight into oauth2-php implemented functionality, and help decide if they suit your requirements.
            • Register the service provider.
            • Check the refresh token.
            • Handle an access token.
            • Check scope.
            • Check redirect_uri.
            • Handle exceptions.
            • Authenticates the given token.
            • Read models by criteria.
            • Get a JSON response.
            • Get the grant type handler.

            oauth2-php Key Features

            No Key Features are available at this moment for oauth2-php.

            oauth2-php Examples and Code Snippets

            No Code Snippets are available at this moment for oauth2-php.

            Community Discussions

            QUESTION

            OAuth 2: authorization_code Grant - Is client_secret param necessary?
            Asked 2018-Jul-31 at 17:58

            With regards to OAuth 2.0, my previous understanding is that client_secret should be used for authorization_code grant, which is supposed to be "more secure" (client_secret was required for some tutorial out here 1 2)

            However I saw a library when using authorization_code, didn't bother to check client_secret if not provided. Which makes me wonder the usage of client_secret and dig deeper into the spec of OAuth2.

            I then looked into the RFC for OAuth 2 (https://tools.ietf.org/html/rfc6749#section-4.1), and found that client_secret is not required at all for authorization_code grant flow.

            If you scroll down to the required param for authorization_code flow https://tools.ietf.org/html/rfc6749#section-4.1.1, you will see that client_secret is not even mentioned

            So my question is:

            • Is client_secret required for authorization_code grant type?
            • If it is suggested to have client_secret instead of required, will there be any official documentation that tell us that client_secret is suggested?

            Thanks!

            ...

            ANSWER

            Answered 2018-Jul-31 at 17:58

            Good question and one of the things I find most annoying about OAuth2.0 - understanding the security protocol around public clients.

            To answer your questions as best I can:-

            Is client_secret required for authorization_code grant type?

            No. If the client is a public client then it should be allowed to use this grant type without authenticating itself (providing it registers a redirection endpoint). The problem is that there seem to be several implementations of OAuth2.0 Servers that don't allow public clients for this grant type.

            If it is suggested to have client_secret instead of required, will there be any official documentation that tell us that client_secret is suggested?

            You probably need to look at the documentation of the actual OAuth2.0 provider you use, rather than the generic IETF specification as they may specify rules around public clients outside of the RFC.

            The 6749 RFC pretty much just says that the Auth Server SHOULD deal with the fact public clients are more insecure, without giving the exact details of how to.

            e.g. Section 10.1 says:

            Source https://stackoverflow.com/questions/51611294

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install oauth2-php

            Simply add a dependency on authbucket/oauth2-php to your project’s composer.json file if you use [Composer](http://getcomposer.org/) to manage the dependencies of your project.

            Support

            OAuth2’s documentation is built with [Sami](https://github.com/fabpot/Sami) and publicly hosted on [GitHub Pages](http://authbucket.github.io/oauth2-php).
            Find more information at:

            CLONE
          • HTTPS

            https://github.com/authbucket/oauth2-php.git

          • CLI

            gh repo clone authbucket/oauth2-php

          • sshUrl

            git@github.com:authbucket/oauth2-php.git


            Consider Popular OAuth Libraries

            satellizer

            by sahat

            cpprestsdk

            by microsoft

            oauth2-server

            by thephpleague

            scribejava

            by scribejava

            socialite

            by laravel

            Try Top Libraries by authbucket

            oauth2-symfony-bundle

            by authbucket PHP

            push-php

            by authbucket PHP

            push-symfony-bundle

            by authbucket PHP

            user

            by authbucket PHP

            user-bundle

            by authbucket PHP