You are here

Home » API reference » OAuth2 Client 7

README.txt in OAuth2 Client 7

Same filename and directory in other branches
  1. 8 README.txt
  2. 7.2 README.txt
This module is a a complement to the module oauth2_server.

*Note:* The modules oauth2_server and oauth2_client have conflicts
with the module oauth2, so they should not be installed at the same
time.

* How to use it

  Define oauth2 clients in your code like this:
  #+BEGIN_EXAMPLE
  /**
   * Implements hook_oauth2_clients().
   */
  function MYMODULE_oauth2_clients() {
    $server_url = 'https://oauth2_server.example.org';
    $client_url = 'https://oauth2_client.example.org';

    // user-password flow
    $oauth2_clients['test1'] = array(
      'token_endpoint' => $server_url . '/oauth2/token',
      'auth_flow' => 'user-password',
      'client_id' => 'test1',
      'client_secret' => 'test1',
      'username' => 'user1',
      'password' => 'user1',
    );

    // client-credentials flow
    $oauth2_clients['test2'] = array(
      'token_endpoint' => $server_url . '/oauth2/token',
      'auth_flow' => 'client-credentials',
      'client_id' => 'test2',
      'client_secret' => 'test2',
    );

    // server-side flow
    $oauth2_clients['test3'] = array(
      'token_endpoint' => $server_url . '/oauth2/token',
      'auth_flow' => 'server-side',
      'client_id' => 'test1',
      'client_secret' => 'test1',
      'authorization_endpoint' => $server_url . '/oauth2/authorize',
      'redirect_uri' => $client_url . '/oauth2/authorized',
    );

    return $oauth2_clients;
  }
  #+END_EXAMPLE

  Then use them like this:
  #+BEGIN_EXAMPLE
    try {
      $oauth2_client = oauth2_client_load('test1');
      $access_token = $oauth2_client->getAccessToken();
    }
    catch (Exception $e) {
      drupal_set_message($e->getMessage(), 'error');
    }
  #+END_EXAMPLE

  The only thing that oauth2_client does is to get an access_token
  from the oauth2_server, so that it can be used for accessing web
  services.


* More about using it

  Another form of usage is like this:
  #+BEGIN_EXAMPLE
    $oauth2_config = array(
      'token_endpoint' => $server_url . '/oauth2/token',
      'auth_flow' => 'user-password',
      'client_id' => 'test1',
      'client_secret' => '12345',
      'username' => $username,
      'password' => $password,
    );
    try {
      $oauth2_client = new OAuth2\Client($oauth2_config, $client_id);
      $access_token = $oauth2_client->getAccessToken();
    }
    catch (Exception $e) {
      drupal_set_message($e->getMessage(), 'error');
    }
  #+END_EXAMPLE

* Custom usage

  Sometimes (or rather often) oauth2 servers have special requirements
  that are different from the OAuth2 standard and different from other
  oauth2 implementations. This client cannot possibly cover all these
  special requirements. In such a case, a possible solution can be to
  extend the class *OAuth2\Client* like this:
  #+BEGIN_EXAMPLE
    <?php
    namespace OAuth2;

    class MyClient extends Client {
      protected function getToken($data) {
        // Implement the custom logic that is needed by the oauth2 server.
      }
    }
  #+END_EXAMPLE

  And then use it like this:
  #+BEGIN_EXAMPLE
    try {
      $oauth2_client = new OAuth2\MyClient($oauth2_config);
      $access_token = $oauth2_client->getAccessToken();
    }
    catch (Exception $e) {
      drupal_set_message($e->getMessage(), 'error');
    }
  #+END_EXAMPLE

* How it works

  An access token and its related data are stored on the session
  ($_SESSION['oauth2_client']['token'][$client_id]), so that it can be
  reused while it is not expired yet. The data that are stored for
  each token are: access_token, expires_in, token_type, scope,
  refresh_token and expiration_time. They are the values that come
  from the oauth2 server, except the last one, which is calculated as
  (REQUEST_TIME + expires_in).

  When the token has expired (expiration_time > time() + 10), a new
  token is requested from the oauth2 server, using the refresh_token.
  If the refresh token fails for some reason (maybe refresh_token
  expired or any other reason), then the whole process of
  authorization is performed from the beginning.

  For the client-credentials and user-password authorization flows
  this does not involve a user interaction with the oauth2 server.

  However, for the server-side flow the user has to authorize again
  the application. This is done in these steps, first the user is
  redirected to the oauth2 server to authorize the application again,
  from there it is redirected back to the application with an
  authorization code, then the application uses the authorization code
  to request a new access token.

  In order to remember the part of the client application that
  initiated the authorization request, a session variable is used:
  $_SESSION['oauth2_client']['redirect'][$state]['uri'].  Then,
  drupal_goto() is used to jump again to that path of the application.

* Integrating with other oauth2 clients

  Other oauth2 clients for Drupal can integrate with oauth2_client.
  This means that they can use the same client that is registered on
  the oauth2_server for the oauth2_client.

  The oauth2_server sends the authorization reply to the redirect_uri
  that is registered for the client. If this client has been
  registered for being used by the module oauth2_client, then its
  redirect_uri is like this:
  https://server.example.org/oauth2/authorized . A reply sent to this
  redirect_uri will be routed to the callback function supplied by
  oauth2_client. So, in general, the other oauth2 clients cannot use
  the same client_id and client_secret that are registered in the
  server. They will have to register their own client_id,
  client_secret and redirect_uri.

  However this is not very convenient. That's why oauth2_client allows
  the other oauth2 clients to use the same client_id and
  client_secret, but the reply has to pass through oauth2_client,
  since redirect_uri sends it there.

  It works like this: Suppose that another oauth2 client starts the
  authentication workflow.  On the parameters of the request it sets
  redirect_uri to the one belonging to oauth2_client (since this is
  the one that is reckognized and accepted by the server). However at
  the same time it notifies oauth2_client that the reply of this
  request should be forwarded to it. It does it by calling the
  function: oauth2_client_set_redirect($state, $redirect).

  The parameter $state is the random parameter that is used on the
  authentication url in order to mittigate CSRF attacks. In this case
  it is used as a key for identifying the authentication request.  The
  parameter $redirect is an associative array that contains the keys:
    - uri: the uri of the oauth2 client that is requesting a
      redirect
    - params: associative array of other parameters that should be
      appended to the uri, along with the $_REQUEST comming from the
      server

  Once another oauth2 client that has been successfully authenticated
  and has received an access_token, it can share it with the
  oauth2_client, so that oauth2_client does not have to repeat the
  authentication process again. It can be done by calling the
  function: oauth2_client_set_token($client_id, $token).

File

README.txt
View source 
  1. 

  2. This module is a a complement to the module oauth2_server.

  3. 

  4. *Note:* The modules oauth2_server and oauth2_client have conflicts

  5. with the module oauth2, so they should not be installed at the same

  6. time.

  7. 

  8. * How to use it

  9. 

  10.   Define oauth2 clients in your code like this:

  11.   #+BEGIN_EXAMPLE

  12.   /**

  13.    * Implements hook_oauth2_clients().

  14.    */

  15.   function MYMODULE_oauth2_clients() {

  16.     $server_url = 'https://oauth2_server.example.org';

  17.     $client_url = 'https://oauth2_client.example.org';

  18. 

  19.     // user-password flow

  20.     $oauth2_clients['test1'] = array(

  21.       'token_endpoint' => $server_url . '/oauth2/token',

  22.       'auth_flow' => 'user-password',

  23.       'client_id' => 'test1',

  24.       'client_secret' => 'test1',

  25.       'username' => 'user1',

  26.       'password' => 'user1',

  27.     );

  28. 

  29.     // client-credentials flow

  30.     $oauth2_clients['test2'] = array(

  31.       'token_endpoint' => $server_url . '/oauth2/token',

  32.       'auth_flow' => 'client-credentials',

  33.       'client_id' => 'test2',

  34.       'client_secret' => 'test2',

  35.     );

  36. 

  37.     // server-side flow

  38.     $oauth2_clients['test3'] = array(

  39.       'token_endpoint' => $server_url . '/oauth2/token',

  40.       'auth_flow' => 'server-side',

  41.       'client_id' => 'test1',

  42.       'client_secret' => 'test1',

  43.       'authorization_endpoint' => $server_url . '/oauth2/authorize',

  44.       'redirect_uri' => $client_url . '/oauth2/authorized',

  45.     );

  46. 

  47.     return $oauth2_clients;

  48.   }

  49.   #+END_EXAMPLE

  50. 

  51.   Then use them like this:

  52.   #+BEGIN_EXAMPLE

  53.     try {

  54.       $oauth2_client = oauth2_client_load('test1');

  55.       $access_token = $oauth2_client->getAccessToken();

  56.     }

  57.     catch (Exception $e) {

  58.       drupal_set_message($e->getMessage(), 'error');

  59.     }

  60.   #+END_EXAMPLE

  61. 

  62.   The only thing that oauth2_client does is to get an access_token

  63.   from the oauth2_server, so that it can be used for accessing web

  64.   services.

  65. 

  66. 

  67. * More about using it

  68. 

  69.   Another form of usage is like this:

  70.   #+BEGIN_EXAMPLE

  71.     $oauth2_config = array(

  72.       'token_endpoint' => $server_url . '/oauth2/token',

  73.       'auth_flow' => 'user-password',

  74.       'client_id' => 'test1',

  75.       'client_secret' => '12345',

  76.       'username' => $username,

  77.       'password' => $password,

  78.     );

  79.     try {

  80.       $oauth2_client = new OAuth2\Client($oauth2_config, $client_id);

  81.       $access_token = $oauth2_client->getAccessToken();

  82.     }

  83.     catch (Exception $e) {

  84.       drupal_set_message($e->getMessage(), 'error');

  85.     }

  86.   #+END_EXAMPLE

  87. 

  88. * Custom usage

  89. 

  90.   Sometimes (or rather often) oauth2 servers have special requirements

  91.   that are different from the OAuth2 standard and different from other

  92.   oauth2 implementations. This client cannot possibly cover all these

  93.   special requirements. In such a case, a possible solution can be to

  94.   extend the class *OAuth2\Client* like this:

  95.   #+BEGIN_EXAMPLE

  96.     
  97.     namespace OAuth2;

  98. 

  99.     class MyClient extends Client {

  100.       protected function getToken($data) {

  101.         // Implement the custom logic that is needed by the oauth2 server.

  102.       }

  103.     }

  104.   #+END_EXAMPLE

  105. 

  106.   And then use it like this:

  107.   #+BEGIN_EXAMPLE

  108.     try {

  109.       $oauth2_client = new OAuth2\MyClient($oauth2_config);

  110.       $access_token = $oauth2_client->getAccessToken();

  111.     }

  112.     catch (Exception $e) {

  113.       drupal_set_message($e->getMessage(), 'error');

  114.     }

  115.   #+END_EXAMPLE

  116. 

  117. * How it works

  118. 

  119.   An access token and its related data are stored on the session

  120.   ($_SESSION['oauth2_client']['token'][$client_id]), so that it can be

  121.   reused while it is not expired yet. The data that are stored for

  122.   each token are: access_token, expires_in, token_type, scope,

  123.   refresh_token and expiration_time. They are the values that come

  124.   from the oauth2 server, except the last one, which is calculated as

  125.   (REQUEST_TIME + expires_in).

  126. 

  127.   When the token has expired (expiration_time > time() + 10), a new

  128.   token is requested from the oauth2 server, using the refresh_token.

  129.   If the refresh token fails for some reason (maybe refresh_token

  130.   expired or any other reason), then the whole process of

  131.   authorization is performed from the beginning.

  132. 

  133.   For the client-credentials and user-password authorization flows

  134.   this does not involve a user interaction with the oauth2 server.

  135. 

  136.   However, for the server-side flow the user has to authorize again

  137.   the application. This is done in these steps, first the user is

  138.   redirected to the oauth2 server to authorize the application again,

  139.   from there it is redirected back to the application with an

  140.   authorization code, then the application uses the authorization code

  141.   to request a new access token.

  142. 

  143.   In order to remember the part of the client application that

  144.   initiated the authorization request, a session variable is used:

  145.   $_SESSION['oauth2_client']['redirect'][$state]['uri'].  Then,

  146.   drupal_goto() is used to jump again to that path of the application.

  147. 

  148. * Integrating with other oauth2 clients

  149. 

  150.   Other oauth2 clients for Drupal can integrate with oauth2_client.

  151.   This means that they can use the same client that is registered on

  152.   the oauth2_server for the oauth2_client.

  153. 

  154.   The oauth2_server sends the authorization reply to the redirect_uri

  155.   that is registered for the client. If this client has been

  156.   registered for being used by the module oauth2_client, then its

  157.   redirect_uri is like this:

  158.   https://server.example.org/oauth2/authorized . A reply sent to this

  159.   redirect_uri will be routed to the callback function supplied by

  160.   oauth2_client. So, in general, the other oauth2 clients cannot use

  161.   the same client_id and client_secret that are registered in the

  162.   server. They will have to register their own client_id,

  163.   client_secret and redirect_uri.

  164. 

  165.   However this is not very convenient. That's why oauth2_client allows

  166.   the other oauth2 clients to use the same client_id and

  167.   client_secret, but the reply has to pass through oauth2_client,

  168.   since redirect_uri sends it there.

  169. 

  170.   It works like this: Suppose that another oauth2 client starts the

  171.   authentication workflow.  On the parameters of the request it sets

  172.   redirect_uri to the one belonging to oauth2_client (since this is

  173.   the one that is reckognized and accepted by the server). However at

  174.   the same time it notifies oauth2_client that the reply of this

  175.   request should be forwarded to it. It does it by calling the

  176.   function: oauth2_client_set_redirect($state, $redirect).

  177. 

  178.   The parameter $state is the random parameter that is used on the

  179.   authentication url in order to mittigate CSRF attacks. In this case

  180.   it is used as a key for identifying the authentication request.  The

  181.   parameter $redirect is an associative array that contains the keys:

  182.     - uri: the uri of the oauth2 client that is requesting a

  183.       redirect

  184.     - params: associative array of other parameters that should be

  185.       appended to the uri, along with the $_REQUEST comming from the

  186.       server

  187. 

  188.   Once another oauth2 client that has been successfully authenticated

  189.   and has received an access_token, it can share it with the

  190.   oauth2_client, so that oauth2_client does not have to repeat the

  191.   authentication process again. It can be done by calling the

  192.   function: oauth2_client_set_token($client_id, $token).