A demo application for running an OAuth2 server

Last update: Jun 5, 2022

OAuth2 Demo PHP

This application is designed to demo the workflow between OAuth2.0 Clients and Servers.

If this is your first time here, try experimenting with the live demo to get a better feel for OAuth2.0 flows.

This application runs on the OAuth2 Server PHP library.

Installation

Use Composer to install this application:

$ git clone https://github.com/bshaffer/oauth2-demo-php.git
$ cd oauth2-demo-php
$ curl -s https://getcomposer.org/installer | php
$ ./composer.phar install

WebHost Configuration

Configure a Web Server

Silex requires you to configure your web server to run it.

Be sure to run the command $ chmod -R 777 data/ in the project root so that the web server can create the sqlite file.

Using PHP's built-in Web Server

You can use PHP's built-in web server. However, because it is single-threaded, a single instance deadlocks as soon as the client issues a request to the server. To prevent this, spin up two instances and specify one of them in data/parameters.json:

$ cd oauth2-demo-php
$ cp data/parameters.json.dist data/parameters.json
$ sed -i '' 's?"grant"?"http://localhost:8081/lockdin/token"?g' data/parameters.json
$ sed -i '' 's?"access"?"http://localhost:8081/lockdin/resource"?g' data/parameters.json

Now all you have to do is spin up two separate web servers in the web directory:

$ cd web
$ php -S localhost:8080 & php -S localhost:8081

Browse to http://localhost:8080 in your browser and you're all set!

What Does This App Do??

This application simulates the interaction between an OAuth2 Client (Demo App) and OAuth2 Server (Lock'd In). To get started, access the Demo App homepage:

Demo Application Homepage

Clicking Authorize will send you to Lock'd In, which mimics a data provider (such as Twitter, Facebook, etc.). Lock'd In assumes you are already signed in, and asks if you'd like to grant the Demo App access to your information:

Lock'd In Authorization Request

Once you click Yes, I Authorize this Request, you will be redirected back to Demo App with an authorization code, which the client then exchanges for an Access Token. Demo App then makes another call to the Lock'd In APIs and uses the Access Token to retrieve the data on your behalf.

If all is successful, your data from Lock'd In will be displayed on the final page:

Demo Application Granted

The OAuth2 Client can be used to test ANY OAuth2.0 server, and can be configured to do so using the configuration file defined below.

The OAuth2 Server

The OAuth2 Server is created (see the setup method) and then used in the Controller Classes, which implement the following endpoints:

  • /authorize - endpoint which grants the Demo App an authorization code
  • /token - endpoint which grants the Demo App an access_token when supplied with the authorization code above
  • /resource - endpoint which grants the Demo App access to your protected resources (in this case, your friends) when supplied the access token above

These are the three main functions of the OAuth2 server (authorize the user, grant the user tokens, and validate API calls). When you write your OAuth2-compatible servers, your interface will be similar.

Note: the above URLs are prefixed with /server to namespace the application.
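
The flow described above, seen from the client's side, as an added example (not code from the demo or from the OAuth2 Server PHP library). The parameter names match the authorize and token requests quoted in the comments further down this page; the localhost routes, the Bearer header and the function names are assumptions, and no request is actually sent.

```python
# Added example: client side of the authorization-code flow, no network I/O.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: routes follow the /lockdin/... layout of the local setup.
AUTHORIZE_ROUTE = "http://localhost:8081/lockdin/authorize"
REDIRECT_URI = "http://localhost:8080/client/receive_authcode"
CLIENT_ID, CLIENT_SECRET = "demoapp", "demopass"


class CallbackError(Exception):
    """Raised when the redirect back to the client must not be trusted."""


def build_authorize_url(authorize_route, client_id, redirect_uri):
    """Step 1: send the browser to /authorize with a fresh, unguessable state."""
    state = secrets.token_hex(16)
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    })
    return f"{authorize_route}?{query}", state


def read_callback(callback_url, expected_state):
    """Step 2: accept the authorization code only if state matches the session."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise CallbackError(f"authorization denied: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: response is not for this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise CallbackError("expected exactly one code parameter")
    return codes[0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 3: form body POSTed to /token to swap the code for an access token."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must equal the value sent in step 1
    }


def build_resource_headers(access_token):
    """Step 4: present the token to /resource as a Bearer credential (RFC 6750)."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    url, state = build_authorize_url(AUTHORIZE_ROUTE, CLIENT_ID, REDIRECT_URI)
    print(url)
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    code = read_callback(callback, state)
    print(build_token_request(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI))
    print(build_resource_headers("constructed-access-token"))
```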

Test Your Own OAuth2 Server!

You can test this application against your own OAuth application with ease. Just copy over the parameters.json.dist file to parameters.json:

$ cd /path/to/oauth2-demo-php
$ cp data/parameters.json.dist data/parameters.json

Open the parameters.json file, and notice the default configuration:

{
  "client_id": "demoapp",
  "client_secret": "demopass",
  "token_route": "grant",
  "authorize_route": "authorize",
  "resource_route": "access",
  "resource_method": "GET",
  "resource_params": {},
  "curl_options": {}
}

This is the configuration for the default Lock'd In OAuth2 server. To test against your own, change those parameters to fit the api server you want to test against:

{
  "client_id": "OAuth Demo Application",
  "client_secret": "a3b4b74330724a927bec",
  "token_route": "https://api.myapp.com/token",
  "authorize_route": "https://myapp.com/authorize",
  "resource_route": "https://api.myapp.com/profile",
  "resource_method": "POST",
  "resource_params": { "debug": true },
  "curl_options": { "http_port": 443, "verifyssl": false }
}

The above example uses a new client to authenticate against a fictional OAuth server at myapp.com. This is very useful when testing your application in production.

Note: The curl options are set to skip SSL certificate verification ("verifyssl": false), and the resource_params define a fictional debug parameter. These are not required for your APIs, but are meant as an example of what can be done with the configuration.

Test in multiple environments

In addition, you can create multiple environments using the parameters.json file, and switch between them:

{
    "LockdIn": {
      "client_id": "demoapp",
      "client_secret": "demopass",
      "token_route": "grant",
      "authorize_route": "authorize",
      "resource_route": "access",
      "resource_method": "GET",
      "resource_params": {},
      "curl_options": {}
    },
    "My App": {
      "client_id": "OAuth Demo Application",
      "client_secret": "a3b4b74330724a927bec",
      "token_route": "https://api.myapp.com/token",
      "authorize_route": "https://myapp.com/authorize",
      "resource_route": "https://api.myapp.com/profile",
      "resource_method": "POST",
      "resource_params": { "debug": true },
      "curl_options": { "http_port": 443, "verifyssl": false }
    }
}

This will provide a dropdown at the top which will allow you to switch environments and test multiple OAuth servers.

Demo Application With Environment Select
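
A check worth running before pointing the client at a real server, as an added example (not part of the demo application): it reads either parameters.json layout shown above and reports environments that turn off certificate verification or use a cleartext http route to a non-loopback host, where the client_secret, authorization code and access token would be exposed in transit. The "Staging" environment and the function names are constructed for illustration.

```python
# Added example: audit a parameters.json (single- or multi-environment form).
import json
from urllib.parse import urlsplit

ROUTE_KEYS = ("token_route", "authorize_route", "resource_route")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# The first two environments are the README's; "Staging" is constructed.
SAMPLE = """
{
  "LockdIn": {
    "client_id": "demoapp", "client_secret": "demopass",
    "token_route": "grant", "authorize_route": "authorize",
    "resource_route": "access", "resource_method": "GET",
    "resource_params": {}, "curl_options": {}
  },
  "My App": {
    "client_id": "OAuth Demo Application",
    "client_secret": "a3b4b74330724a927bec",
    "token_route": "https://api.myapp.com/token",
    "authorize_route": "https://myapp.com/authorize",
    "resource_route": "https://api.myapp.com/profile",
    "resource_method": "POST", "resource_params": {"debug": true},
    "curl_options": {"http_port": 443, "verifyssl": false}
  },
  "Staging": {
    "client_id": "constructed-client", "client_secret": "constructed-secret",
    "token_route": "http://staging.example.test/token",
    "authorize_route": "https://staging.example.test/authorize",
    "resource_route": "https://staging.example.test/profile",
    "resource_method": "GET", "resource_params": {}, "curl_options": {}
  }
}
"""


def environments(config):
    """Yield (name, settings) for both layouts the README shows."""
    if "client_id" in config:          # flat, single-environment file
        yield "default", config
    else:                              # one object per named environment
        yield from config.items()


def audit(config):
    """Return a sorted list of (environment, finding) tuples."""
    findings = []
    for name, env in environments(config):
        if env.get("curl_options", {}).get("verifyssl") is False:
            findings.append((name, "verifyssl=false: server certificate is not checked"))
        for key in ROUTE_KEYS:
            url = urlsplit(env.get(key, ""))
            # Relative routes ("grant", "access") resolve against the demo itself.
            if url.scheme == "http" and url.hostname not in LOOPBACK:
                findings.append((name, f"{key} is cleartext http to {url.hostname}"))
    return sorted(findings)


if __name__ == "__main__":
    for env_name, finding in audit(json.loads(SAMPLE)):
        print(f"[{env_name}] {finding}")
```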

Contact

Please contact Brent Shaffer (bshafs <at> gmail <dot> com) for more information

GitHub

https://github.com/bshaffer/oauth2-demo-php
Comments
  • 1. Add example usage of refresh token.

    Support for the refresh token grant type is added to the client controllers and the views. It is presented to the user with the ability to renew the access token via the refresh token.

    Reviewed by hkdobrev at 2014-08-24 16:17
  • 2. Problem creating token

    I downloaded your OAuth 2 API server a little while ago. When I try to your user client and server, I get to the first page, click the authorize button. I get to the next page, click the “Yes…” button. I then get to the next page and click the “make a token request” button, and this is where things go wrong. On the next page, I get the following error: Catchable fatal error: Argument 2 passed to GuzzleHttp\Client::post() must be of the type array, null given, called in F:\Work\Programming\PHP\Front End\oauth_server\src\OAuth2Demo\Client\Controllers\RequestToken.php on line 56 and defined in F:\Work\Programming\PHP\Back End\lib\composer\vendor\guzzlehttp\guzzle\src\Client.php on line 148

    I traced the problem to a line of code in the request token script: $response = $http->post($endpoint, null, $query, $config['http_options'])->send(); I also printed out the variable to see if I could figure out what is happening, and the values for the above call are string(41) "http://www.oauth_server.loc/lockdin/token"

    array(5) { ["grant_type"]=> string(18) "authorization_code" ["code"]=> string(40) "c2d57abd35492642016e4a14b0252578bb95a173" ["client_id"]=> string(7) "demoapp" ["client_secret"]=> string(8) "demopass" ["redirect_uri"]=> string(51) "http://www.oauth_server.loc/client/receive_authcode" }

    array(1) { ["exceptions"]=> bool(false) }

    After trying your client, I tried to create my own client, and get to the same point again. I’ve tried all sorts of things, but as soon as I create a post request to the /lockdin/token page, I get the following error message: Fatal error: Uncaught exception 'GuzzleHttp\Exception\ClientException' with message 'Client error response [url] http://www.oauth_server.loc/lockdin/token [status code] 400 [reason phrase] Bad Request' in F:\Work\Programming\PHP\Back End\lib\composer\vendor\guzzlehttp\guzzle\src\Exception\RequestException.php:89 Stack trace: #0 F:\Work\Programming\PHP\Back End\lib\composer\vendor\guzzlehttp\guzzle\src\Subscriber\HttpError.php(33): GuzzleHttp\Exception\RequestException::create(Object(GuzzleHttp\Message\Request), Object(GuzzleHttp\Message\Response)) #1 F:\Work\Programming\PHP\Back End\lib\composer\vendor\guzzlehttp\guzzle\src\Event\Emitter.php(109): GuzzleHttp\Subscriber\HttpError->onComplete(Object(GuzzleHttp\Event\CompleteEvent), 'complete') #2 F:\Work\Programming\PHP\Back End\lib\composer\vendor\guzzlehttp\guzzle\src\RequestFsm.php(91): GuzzleHttp\Event\Emitter->emit('complete', Object(GuzzleHttp\Event\CompleteEvent)) #3 F:\Work\Programming\PHP\Back End\lib\composer\vendor\guzzlehttp\guzzle\src\RequestFsm.php(132): Guzzl in F:\Work\Programming\PHP\Back End\lib\composer\vendor\guzzlehttp\guzzle\src\Exception\RequestException.php on line 89 Basically, bad request. This is the most basic request that I tried: $o_request = $o_client -> post('http://www.oauth_server.loc/lockdin/token');

    Any chance you can help me here? Do you know how I can fix this?

    Regards Daniel

    Reviewed by Daniel290499 at 2016-01-25 07:23
  • 3. Missing Implementation in Storage Classes

    I have noticed that all of the demonstration Storage classes leave out the implementation of 4 methods which are required by the various interfaces that they implement:

    1. AuthorizationCodeInterface::enforceRedirect
    2. AuthorizationCodeInterface::createAuthorizationCode
    3. AccessTokenInterface::createAccessToken
    4. ResponseTypeInterface::getAuthorizeResponse (also redefined in AuthorizationCodeInterface)

    Am I missing something? There's no mention of this in the otherwise very verbose and high quality documentation.

    Reviewed by yankeeinlondon at 2013-07-03 08:54
  • 4. Setup improvements

    We've been trying to get this code running and here are a few improvements up front.

    We are also in the process of trying to figure out why the final request to /grant times out - no luck yet and probably also a PR for bshaffer/oauth2-server-php.


    Changelog

    Switch to dev-master (since dev-develop contains bugs).

    rebuild_db.php

    • move rebuild_db.php to a bin directory and adjust the path to the database
    • make it executable and add a shebang

    Fixes by @dazz:

    • Add missing table to rebuild_db.php script.
    • Add some sample data (note: the code requires to run on port 80 - somewhere.)

    The piece about port 80 may or may not be a bug. It took me a while to debug this with the custom curl code in there and it just said that it timed out while trying to request something on localhost:80 and I had the code running on localhost:8002 (through PHP's internal web server).

    Reviewed by till at 2012-12-20 20:11
  • 5. cookbook misses id_token column

    Following http://bshaffer.github.io/oauth2-server-php-docs/cookbook/ the step at Create_an_Authorize_Controller fails, until you run ALTER TABLE oauth_authorization_codes ADD COLUMN id_token VARCHAR(80); [not sure about 80 as size] Be sure to update the CREATE TABLE at the start of the cookbook. Note that you must display errors in php.ini, to see the problem (or view log).

    Reviewed by bingalls at 2014-03-31 17:04
  • 6. Replace hard-coded port 80 by $_SERVER['SERVER_PORT']

    In order for the demo to work out of the box on a test server (often on a port different from 80 such as 8080), here is a suggestion to default to $_SERVER['SERVER_PORT'] instead of a hard-coded port 80. Of course, the explicit configuration in parameters.json still has precedence.

    Reviewed by Alkarex at 2013-10-15 08:23
  • 7. Missing column in examples

    I am going through the Step-By-Step Walkthrough and the default_scope column is missing in the oauth_clients table. I got this error:

    File:
        C:\wamp\www\oauth2.local\vendor\bshaffer\oauth2-server-php\src\OAuth2\Storage\Pdo.php:252
    
    Message:
        SQLSTATE[42S22]: Column not found: 1054 Unknown column 'default_scope' in 'field list'
    

    I think that this https://github.com/bshaffer/oauth2-server-php/pull/217 pull request caused this.

    Reviewed by svycka at 2013-08-26 14:49
  • 8. Need warning: SQLite database directory must be writeable

    SQLite database directory must be writeable. Otherwise the oauth2-server-demo/web/demo/authorized fails with obscure error:

    SQLSTATE[HY000]: General error: 14 unable to open database file
    

    Please add checks for file and folder permission and issue a bold warning if they are insufficient.

    The best place I see for this is in index.php before

    return new OAuth2_Storage_Pdo(array('dsn' => 'sqlite:'.$sqliteDir));
    

    Sadly I do not know Silex enough to implement this in a graceful manner ;(

    This error is quite nasty and non-obvious and surely robbed many people like me of their precious man-hours, summing up to man-months across all potential user base.

    Reviewed by mcd-php at 2013-04-24 13:01
  • 9. Username as a primary key?

    Was curious why the username field is being used as a primary key instead of an integer UID. What if a user is updating their username, is there logic to make said change across all of the tables utilizing that key (user_id) ?

    Thanks!

    Reviewed by joshtronic at 2014-10-15 17:46
  • 10. How Can I change the expire value for the access token

    Hello all,

    I want to change the expire value when the new access token is created. Can someone tell me how I can change the default value to a new one?

    Reviewed by Deep21 at 2014-09-04 17:42
  • 11. Issue with Windows and Apache Wampserver

    from Marcel Dupont:

    Hi Brent,

    I'm trying to install and use your OAuth2 Demo PHP from GitHub. You did great work!

    I would like to implement the OAuth protocol for a project, and I use the demo to learn this protocol.

    I work on Windows Vista with Wampserver (Apache, PHP and MySQL) on it.

    The demo is installed and I can access the home page "Demo App". But when I click on the button Authorize, an error occurs:

    "The requested URL /oauth2/src/OAuth2Demo/Server/Controllers/authorize was not found on this server."

    The authorize.php file exists but it's not correctly processed...

    I've made a lot of changes but nothing works (I'm not a great specialist of PHP)...

    Maybe you have an idea about what is wrong?

    Thank you in advance.

    Reviewed by bshaffer at 2013-12-31 04:00
  • 12. Library very poorly supported, a personal opinion

    I'm trying to implement an OAuth2 server, and I have to say that I'm having a lot of difficulties, the various officially provided libraries are badly documented, the examples are explained really badly and the Step-By-Step https://bshaffer.github.io/oauth2-server-php-docs/cookbook/ is anything but a Step-By-Step. Am I the only one who thinks so?

    Regards GMG

    Reviewed by gmgunderground at 2019-02-17 21:28
  • 13. failed to open stream auto-load error

    PS C:\xampp-5\htdocs\myoauth> curl -u testclient:testpass http://localhost/myoauth/token.php -d 'grant_type=client_credentials'
    <br />
    <b>Warning</b>:  require_once(oauth2-server-php/src/OAuth2/Autoloader.php): failed to open stream: No such file or directory in <b>C:\xampp-5\htdocs\myoauth\server.php</b> on line <b>12</b><br />
    <br />
    <b>Fatal error</b>:  require_once(): Failed opening required 'oauth2-server-php/src/OAuth2/Autoloader.php' (include_path='C:\xampp-5\php\PEAR') in <b>C:\xampp-5\htdocs\myoauth\server.php</b> on line <b>12</b><br />
    PS C:\xampp-5\htdocs\myoauth>
    

    This error has persisted since 2013 and now it's 2018. How to fix it? Is this a deprecated library? This issue (require autoload.php #18) is closed but the problem still exists.

    Reviewed by freddy-daniel at 2019-01-21 10:04
  • 14. getting `Parameter must be an array or an object that implements Countable`

    When clicking Yes, I Authorize This Request I get Warning: count(): Parameter must be an array or an object that implements Countable in /srv/vendor/bshaffer/oauth2-server-php/src/OAuth2/Server.php on line 478

    https://brentertainment.com/oauth2/lockdin/authorize?client_id=demoapp&redirect_uri=http%3A%2F%2Fbrentertainment.com%2Foauth2%2Fclient%2Freceive_authcode&response_type=code&state=b43d72aa5fb8d4c70635ee1e9cce29e7

    Reviewed by rrubiorr81 at 2018-02-20 04:40
  • 15. SQLSTATE[HY000]: General error: 8 attempt to write a readonly database

    Hey you have an error in your demo app, when I tried the implicit authorization this happened.

    P.S. The docs on your site are amazing, thanks for all the good work.


    Reviewed by sasa-b at 2018-02-03 14:52
  • 16. How to integrate with backend and pass custom OAuth claims back to the client

    While I am comfortable with PHP in general, I am not familiar with the PHP framework your code uses.

    I would like to customize the OpenID connect sample implementation on the server side to authenticate against our own backend system and to provide custom Oauth claims back to the client in the output Token.

    Where do I go about doing this?

    I can see references to $params['scope'] as possibly referring to custom data to be added but I cannot see where this ever gets set. Perhaps it is totally unrelated.

    It would be useful to add high level instructions for the integration points in the readme referring to the modules to modify, and to add some commented out pseudo code where the integration should be done, and in what format the data should be returned by the backend so as to be usable by the library.

    Are there flags/settings that determine whether the Token is Signed and/or Encrypted?

    Thanks in advance. And apologies if these are basic questions.

    Reviewed by vjs-xx at 2017-05-09 08:40