protected function Client::getTokenServerSide in OAuth2 Client 7

Same name and namespace in other branches

1. 7.2 src/Client.php \OAuth2\Client::getTokenServerSide()

Get an access_token using the server-side (authorization code) flow.

This is done in two steps:

• First, a redirection is done to the authentication endpoint, in order to request an authorization code.
• Second, using this code, an access_token is requested.

There are lots of redirects in this case and this part is the most tricky and difficult to understand of the oauth2_client, so let me try to explain how it is done.

Suppose that in the controller of the path 'test/xyz' we try to get an access_token: $client = oauth2_client_load('server-side-test'); $access_token = $client->getAccessToken(); or: $client = new OAuth2\Client(array( 'token_endpoint' => 'https://oauth2_server/oauth2/token', 'client_id' => 'client1', 'client_secret' => 'secret1', 'auth_flow' => 'server-side', 'authorization_endpoint' => 'https://oauth2_server/oauth2/authorize', 'redirect_uri' => 'https://oauth2_client/oauth2/authorized', )); $access_token = $client->getAccessToken();

From getAccessToken() we come to this function, getTokenServerSide(), and since there is no $_GET['code'], we redirect to the authentication url, but first we save the current path in the session: $_SESSION['oauth2_client']['redirect'][$state]['uri'] = 'test/xyz';

Once the authentication and authorization is done on the server, we are redirected by the server to the redirect uri: 'oauth2/authorized'. In the controller of this path we redirect to the saved path 'test/xyz' (since $_SESSION['oauth2_client']['redirect'][$state] exists), passing along the query parameters sent by the server (which include 'code', 'state', and maybe other parameters as well.)

Now the code: $access_token = $client->getAccessToken(); is called again and we come back for a second time to the function getTokenServerSide(). However this time we do have a $_GET['code'], so we get a token from the server and return it.

Inside the function getAccessToken() we save the returned token in session and then, since $_SESSION['oauth2_client']['redirect'][$state] exists, we delete it and make another redirect to 'test/xyz'. This third redirect is in order to have in browser the original url, because from the last redirect we have something like this: 'test/xyz?code=8557&state=3d7dh3&....'

We come again for a third time to the code $access_token = $client->getAccessToken(); But this time we have a valid token already saved in session, so the $client can find and return it without having to redirect etc.

1 call to Client::getTokenServerSide()

Client::getAccessToken in ./oauth2_client.inc

Get and return an access token.

File

./oauth2_client.inc, line 325

Class OAuth2\Client

Class

Client

The class OAuth2\Client is used to get authorization from an oauth2 server. Its only goal is to get an access_token from the oauth2 server, so the only public function (besides the constructor) is getAccessToken().

Namespace

OAuth2

Code

protected function getTokenServerSide() {
  if (!isset($_GET['code'])) {
    $url = $this
      ->getAuthenticationUrl();
    header('Location: ' . $url, TRUE, 302);
    drupal_exit($url);
  }

  // Check the query parameter 'state'.
  if (!isset($_GET['state']) || !isset($_SESSION['oauth2_client']['redirect'][$_GET['state']])) {
    throw new \Exception(t("Wrong query parameter 'state'."));
  }

  // Get and return a token.
  return $this
    ->getToken(array(
    'grant_type' => 'authorization_code',
    'code' => $_GET['code'],
    'redirect_uri' => $this->params['redirect_uri'],
  ));
}