oauth2-server-php | A library for implementing an OAuth2 Server in php | OAuth library
kandi X-RAY | oauth2-server-php Summary
A library for implementing an OAuth2 Server in php
Top functions reviewed by kandi - BETA
- Grant an access token
- Validate the request
- Get the SQL to create the database
- Get an access token parameter
- Get headers from server
- Add a storage
- Verify resource request
- Create the JWT payload
- Generate an access token
- Set a redirection
Community Discussions
Trending Discussions on oauth2-server-php
QUESTION
Recently I unignored composer.lock along with package-lock.json (likely unrelated), and I changed our gulp deploy script to use composer install instead of composer update. Before pushing new code to prod servers I updated the lock files to the latest using composer update and npm update to make sure there was nothing weird in there from branch merges.
However, the gulp deployment script hit various issues, the most problematic of which was: "Requirements could not be resolved to an installable set of packages"
gulp-tasks/deploy.js in its current state:
...ANSWER
Answered 2018-Oct-15 at 09:45
You should install and enable the php-soap extension.
QUESTION
I'm considering using the ID token instead of the access token for authorization, so that resource servers can validate its signature and extract the user id out of it. Is there any downside to this method which I'm not aware of?
I guess I cannot use the verify endpoint if I throw away the access token. For us, it doesn't matter which scope the user granted access to, since both the client app and the OIDC identity provider are owned by us.
I'm using this library to implement an OAuth2 and OpenID server. https://github.com/bshaffer/oauth2-server-php
...ANSWER
Answered 2018-Sep-07 at 09:38
Usage of the ID Token is intended for the client application. The client uses it to authenticate the end user. All this is made possible through the claims the ID Token transfers. And these claims are built into a JWT. In simple terms, the ID Token is a self-contained token.
Now, sharing the ID Token outside of the client is okay if you control all intended parties. Think about a scenario in which you leak sensitive user information through the ID Token. For example, the ID Token might contain a claim about gender which is only intended for the client to use. But when you share the ID Token with a third party, you expose that sensitive information. It could be a crime if there are legal barriers.
Another point is ID Token validation. Since the ID Token targets the client, important claims such as aud are set accordingly. When you pass the ID Token to a backend to be used, such validation could fail.
There are two solutions. The first is to use self-contained access tokens. These days it is common to use JWT-based access tokens. With them, you get the same solution. It will contain the end user identity, scope values as well as token validation information. Azure AD uses such an approach; check this link.
The second one is to use the ID Token. Given that you control both front end and backend, my opinion is you are okay to use it. But be mindful about future extensions. Especially, do not expose it to other parties.
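The audience check the answer above refers to, as an added example that is not part of the original answer and not code from oauth2-server-php. It is a self-contained HS256 verifier for a resource server: the issuer, audience values, shared key and the two tokens are constructed for the demo. An ID token minted for the client_id fails the aud check at the API, while a JWT access token minted for the API's own audience passes.

```php
<?php
// Added example (not from the original answer or the oauth2-server-php project):
// a resource server that verifies an HS256 JWT and enforces the "aud" claim.
// Issuer, audiences, key and tokens below are constructed for the demo.

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    return base64_decode(strtr($data, '-_', '+/'));
}

// Mint a token the way a demo issuer would; only used to build sample input.
function mint_hs256(array $claims, string $key): string
{
    $header  = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url_encode(json_encode($claims));
    $sig     = base64url_encode(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

/**
 * Verify signature, issuer, expiry and audience. Returns the claims array on
 * success, or a string describing why the token was rejected.
 */
function verify_for_resource(string $jwt, string $key, string $expectedAud, string $expectedIss)
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return 'malformed token';
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true);
    // Pin the algorithm: never let the token header choose it.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return 'unexpected alg';
    }
    $expected = hash_hmac('sha256', "$h.$p", $key, true);
    if (!hash_equals($expected, base64url_decode($s))) {
        return 'bad signature';
    }
    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims)) {
        return 'bad payload';
    }
    if (($claims['iss'] ?? null) !== $expectedIss) {
        return 'wrong issuer';
    }
    if (!isset($claims['exp']) || time() >= (int) $claims['exp']) {
        return 'expired';
    }
    // "aud" may be a single string or an array of strings (RFC 7519 section 4.1.3).
    $aud = (array) ($claims['aud'] ?? []);
    if (!in_array($expectedAud, $aud, true)) {
        return 'audience mismatch: token is for ' . implode(',', $aud);
    }
    return $claims;
}

$key = 'demo-shared-secret';   // assumed HMAC key shared by issuer and API
$now = time();

// An ID token: its audience is the client_id, as OpenID Connect requires.
$idToken = mint_hs256([
    'iss' => 'https://issuer.example', 'sub' => '2',
    'aud' => 'my-client-id', 'iat' => $now, 'exp' => $now + 3600,
], $key);

// A JWT access token minted for the API's own audience.
$accessToken = mint_hs256([
    'iss' => 'https://issuer.example', 'sub' => '2', 'scope' => 'read',
    'aud' => 'https://api.example', 'iat' => $now, 'exp' => $now + 3600,
], $key);

var_dump(verify_for_resource($idToken, $key, 'https://api.example', 'https://issuer.example'));
var_dump(verify_for_resource($accessToken, $key, 'https://api.example', 'https://issuer.example'));
```

The first call returns the audience-mismatch string and the second returns the claims array. If you do decide to accept ID tokens at the backend, as the answer allows when you control both sides, the aud check is the line you would have to relax deliberately, and the claims you then accept become the claims every future relying party can read.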
QUESTION
I want to protect my REST API by using an oauth2 authentication. I'm using bshaffer/oauth2-server-php in combination with zend 3.
I've the following config:
ANSWER
Answered 2018-Feb-07 at 08:14
There's no built-in system for this. You will create a listener which listens to MvcEvent::EVENT_ROUTE and place it after the router, then check if there's a RouteMatch. If there is one, check if it's a protected route. If it is, apply the authentication logic.
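The listener the answer describes, as an added example: this is not the answer's own code and not part of Zend Framework or oauth2-server-php. It attaches to MvcEvent::EVENT_ROUTE at a priority lower than the router's, checks the matched route name against a configured list (the route names and the protected-route config key are assumptions), and uses the library's Server::verifyResourceRequest(), Server::getResponse() and Server::getAccessTokenData() to enforce a bearer token.

```php
<?php
// Added example (not the original answer's code and not part of Zend or
// oauth2-server-php): a listener on MvcEvent::EVENT_ROUTE that runs after the
// router and requires a valid bearer token on a configurable set of routes.
// The route names passed in are assumptions.

namespace Application\Listener;

use OAuth2\Request as OAuth2Request;
use OAuth2\Server;
use Zend\EventManager\EventManagerInterface;
use Zend\EventManager\ListenerAggregateInterface;
use Zend\EventManager\ListenerAggregateTrait;
use Zend\Http\Response;
use Zend\Mvc\MvcEvent;

class OAuth2RouteGuard implements ListenerAggregateInterface
{
    use ListenerAggregateTrait;

    /** @var Server */
    private $server;

    /** @var string[] route names that require a valid access token */
    private $protectedRoutes;

    public function __construct(Server $server, array $protectedRoutes)
    {
        $this->server = $server;
        $this->protectedRoutes = $protectedRoutes;
    }

    public function attach(EventManagerInterface $events, $priority = 1)
    {
        // Zend's RouteListener runs at priority 1; a lower priority runs after
        // it, so the RouteMatch is already set when this listener fires.
        $this->listeners[] = $events->attach(MvcEvent::EVENT_ROUTE, [$this, 'onRoute'], -1000);
    }

    public function onRoute(MvcEvent $e)
    {
        $routeMatch = $e->getRouteMatch();
        if ($routeMatch === null) {
            return; // no match: let normal 404 handling proceed
        }
        if (!in_array($routeMatch->getMatchedRouteName(), $this->protectedRoutes, true)) {
            return; // public route, nothing to check
        }

        $request = OAuth2Request::createFromGlobals();
        if (!$this->server->verifyResourceRequest($request)) {
            // Returning a Response from an EVENT_ROUTE listener short-circuits
            // dispatch. The library's response already carries the RFC 6750
            // status, WWW-Authenticate header and JSON error body.
            $oauthResponse = $this->server->getResponse();
            $response = new Response();
            $response->setStatusCode($oauthResponse->getStatusCode() ?: 401);
            $response->getHeaders()->addHeaderLine(
                'WWW-Authenticate',
                $oauthResponse->getHttpHeader('WWW-Authenticate') ?: 'Bearer realm="api"'
            );
            $response->setContent($oauthResponse->getResponseBody());
            return $response;
        }

        // Make the token data (client_id, user_id, scope, expires) available
        // to controllers without a second storage lookup.
        $routeMatch->setParam('oauth2_token', $this->server->getAccessTokenData($request));
    }
}
```

Attach it once in Module::onBootstrap() with `(new OAuth2RouteGuard($server, ['api/users', 'api/orders']))->attach($e->getApplication()->getEventManager())`, building `$server` from your existing config. Keep the protected-route list explicit rather than matching on a URL prefix: a listener that guards by route name fails closed when a new route is added under a different name only if you treat unknown routes as protected, so decide which default you want and write it down in the config.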
QUESTION
I'm using the bshaffer/oauth2-server-php module to authenticate my rest api. Everything works fine but meanwhile I have over 20,000 access tokens in the database.
As I read, the framework will not delete expired tokens automatically or by a config parameter. So I'm trying to do the job on my own.
I know the tables which hold the tokens and I already built the delete statements. But I can't find the right place (the right class/method) to hook with my cleanup routine.
ANSWER
Answered 2017-Nov-28 at 13:37
I didn't read the complete source of the bshaffer oauth server.
But what you can try is to create your own class by extending the class Server,
and use the __destruct() function, which is executed when the customServer object is destroyed by PHP.
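A Server subclass with the __destruct() hook the answer suggests, as an added example that is not the answer's code and not part of oauth2-server-php. Table and column names follow the library's default Pdo storage schema (oauth_access_tokens, oauth_refresh_tokens and oauth_authorization_codes, each with an `expires` timestamp column); the PDO DSN and the sampling rate are assumptions.

```php
<?php
// Added example, not from the original answer or the oauth2-server-php project:
// a Server subclass that purges expired rows when the object is destroyed.
// Table/column names follow the library's default Pdo schema; the DSN and the
// sampling rate are assumptions for the demo.

use OAuth2\Server;
use OAuth2\Storage\Pdo as PdoStorage;

class CleanupServer extends Server
{
    /** @var \PDO */
    private $pdo;

    /** @var int purge on roughly one request in this many */
    private $sampleOneIn;

    public function __construct(\PDO $pdo, array $config = [], $sampleOneIn = 100)
    {
        $this->pdo = $pdo;
        $this->sampleOneIn = max(1, (int) $sampleOneIn);
        parent::__construct(new PdoStorage($pdo), $config);
    }

    /**
     * Delete rows whose expiry is in the past. Returns the number of rows
     * removed per table so a cron job can log it.
     */
    public function purgeExpired(): array
    {
        $removed = [];
        $now = date('Y-m-d H:i:s'); // the Pdo storage writes expires in this format
        foreach (['oauth_authorization_codes', 'oauth_access_tokens', 'oauth_refresh_tokens'] as $table) {
            $stmt = $this->pdo->prepare("DELETE FROM $table WHERE expires < :now");
            $stmt->execute([':now' => $now]);
            $removed[$table] = $stmt->rowCount();
        }
        return $removed;
    }

    public function __destruct()
    {
        // A DELETE on every request is wasteful and adds latency to the token
        // path, so only about one request in $sampleOneIn pays for the cleanup.
        if (random_int(1, $this->sampleOneIn) !== 1) {
            return;
        }
        try {
            $this->purgeExpired();
        } catch (\Throwable $e) {
            // Never let cleanup break the response that is already on its way out.
            error_log('oauth2 token cleanup failed: ' . $e->getMessage());
        }
    }
}

// Assumed connection; point this at the database that holds the oauth_* tables.
$pdo = new \PDO('mysql:host=localhost;dbname=oauth2', 'oauth', 'secret');
$server = new CleanupServer($pdo, ['access_lifetime' => 3600]);
// ... handle token / resource requests with $server as usual; the purge runs
// when $server goes out of scope at the end of the request.
```

purgeExpired() is public so the same class serves a scheduled job (`$server->purgeExpired()` from cron) which is the more predictable place for this work; the destructor only keeps the table from growing between runs. Expired refresh tokens are deleted too, which is safe because the library rejects them on use anyway, but if you also want an audit trail of revocations, archive rather than delete.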
QUESTION
oauth2 library:
https://github.com/Filsh/yii2-oauth2-server
https://github.com/bshaffer/oauth2-server-php
Please note that the user id in my system is an integer, not a string.
My purpose is just to hide the system user id.
The steps for the id token:
http://bshaffer.github.io/oauth2-server-php-docs/overview/openid-connect/
{
"iss": "localhost",
"sub": 2,
"aud": "-7IloKCawcvBwRijJeo7nsLxx1chC68L",
"iat": 1514518157,
"exp": 1514521757,
"auth_time": 1514518157,
"nonce": "dfsdsdsd"
}
md5('-7IloKCawcvBwRijJeo7nsLxx1chC68L' + 2) = 3C86CBBFF35AD3B6E609F5622D776531
I want to replace the subject with md5(client_id + subject)
{
"iss": "localhost",
"sub": "3C86CBBFF35AD3B6E609F5622D776531",
"aud": "-7IloKCawcvBwRijJeo7nsLxx1chC68L",
"iat": 1514516044,
"exp": 1514519644,
"auth_time": 1514516044,
"nonce": "dfsdsdsd"
}
ANSWER
Answered 2018-Jan-02 at 11:04
If I understand your desire, the OpenID Provider can provide anything for the Subject as long as it is unique at that OpenID Provider for a specific relying party.
The OpenID Connect Identity Token sub is a Subject Identifier: a locally unique and never re-assigned identifier within the Issuer for the Authenticated Entity, which is intended to be consumed by the OAuth Client.
Two Subject Identifier types (subject_types_supported) are defined by OpenID Connect and are required to be present in the OpenID Provider Metadata:
public - provides the same sub (subject) value to all OAuth Clients. It is the default if the provider has no subject_types_supported element in its discovery document.
pairwise - provides a different sub value to each OAuth Client, so as not to enable OAuth Clients to correlate the End-User's activities without permission.
The OpenID Connect Provider's OpenID Connect Discovery document SHOULD list its supported Subject Identifier types in the subject_types_supported element.
If there is more than one type listed in the array, the OAuth Client MAY elect to provide its preferred identifier type using the subject_type parameter during Registration.
sub MUST NOT exceed 255 ASCII characters in length.
The sub value is a case-sensitive string.
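A pairwise subject derivation for the case in the question, as an added example that is neither the answer's nor the library's code. It follows the shape OpenID Connect Core 1.0 section 8.1 describes for pairwise identifiers (sector identifier, local account id and a secret salt, hashed with SHA-256); the client_id from the question stands in for the sector identifier, and the salt is a placeholder. It also shows why the unsalted md5(client_id . user_id) from the question does not hide an integer user id: anyone who knows the client_id can recover it by enumeration. In PHP the string concatenation operator is `.`, not `+`.

```php
<?php
// Added example, not from the original answer and not the library's own code:
// a pairwise "sub" in the style of OpenID Connect Core 1.0 section 8.1, plus
// a demonstration that the unsalted md5 scheme is reversible by brute force.
// The salt, client ids and user id are constructed for the demo.

/**
 * Derive a pairwise sub for one client. The salt must be secret and stable;
 * rotate it and every sub changes, so treat it like a signing key.
 */
function pairwise_sub(string $sectorIdentifier, int $localAccountId, string $salt): string
{
    // Length-prefix the sector identifier so two different splits of the
    // input can never produce the same hash material.
    $material = strlen($sectorIdentifier) . ':' . $sectorIdentifier . '|' . $localAccountId . '|' . $salt;
    return hash('sha256', $material); // 64 hex chars, well under the 255-char limit
}

/**
 * What a party that knows the client_id can do against md5(client_id . user_id):
 * try ids in order until the hash matches. Returns the recovered id or null.
 */
function recover_unsalted_user_id(string $clientId, string $sub, int $maxId = 100000): ?int
{
    for ($id = 1; $id <= $maxId; $id++) {
        if (hash_equals(strtoupper(md5($clientId . $id)), strtoupper($sub))) {
            return $id;
        }
    }
    return null;
}

$salt    = 'replace-with-a-long-random-secret'; // assumed; never put it in a token
$clientA = '-7IloKCawcvBwRijJeo7nsLxx1chC68L';  // client_id from the question
$clientB = 'another-client';                    // constructed second client
$userId  = 2;

$subA = pairwise_sub($clientA, $userId, $salt);
$subB = pairwise_sub($clientB, $userId, $salt);

printf("client A sub: %s\n", $subA);
printf("client B sub: %s\n", $subB);
printf("stable for the same client: %s\n", $subA === pairwise_sub($clientA, $userId, $salt) ? 'yes' : 'no');
printf("differs across clients:     %s\n", $subA !== $subB ? 'yes' : 'no');

// The unsalted scheme from the question, and how quickly it gives the id back.
$weakSub = md5($clientA . $userId);
printf("recovered from unsalted md5: %s\n", var_export(recover_unsalted_user_id($clientA, $weakSub), true));
```

To wire this into oauth2-server-php you would compute the pairwise value from the authenticated user id and the requesting client before the ID token is built; where exactly depends on how you have the OpenID response types configured, so that hook is left as an exercise rather than guessed at here. The sub must also be unique per client, so the provider needs the reverse mapping (sub to local account) only if it ever has to act on a sub it receives back, for example at the UserInfo endpoint; a lookup table keyed by the hash, or simply recomputing the hash for the candidate user, covers that.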
QUESTION
I followed JWT tutorial https://bshaffer.github.io/oauth2-server-php-docs/overview/jwt-access-tokens/
I have created the access_token as follows:
...ANSWER
Answered 2017-Nov-07 at 10:01
I was able to achieve the desired functionality following this guide: https://bshaffer.github.io/oauth2-server-php-docs/grant-types/jwt-bearer/
QUESTION
Using this oauth2 library for PHP, I am validating a user via client_credentials like this:
server.php
...ANSWER
Answered 2017-Apr-01 at 23:17
You must specify accessType: 'offline' in the OAuth2 options to receive a refresh token. If the former does not work, try access_type: 'offline'.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported