delboy1978uk / bone-oauth2
OAuth2 functionality for Bone Framework
Requires
- php: ^8.2
- ext-curl: *
- ext-json: *
- boneframework/bone: ^3.11
- delboy1978uk/bone-doctrine: ^2.0
- delboy1978uk/bone-user: ^2.4
- laminas/laminas-diactoros: ^3.3
- laminas/laminas-uri: ^2.11
- league/oauth2-server: ^8.5
Requires (Dev)
- delboy1978uk/dev-tools: ^1.0
- roave/security-advisories: dev-master
Suggests
- delboy1978uk/bone-open-api: Open API documentation
- dev-master
- v1.8.8
- v1.8.7
- v1.8.6
- v1.8.5
- v1.8.4
- v1.8.3
- v1.8.2
- v1.8.1
- v1.8.0
- v1.7.8
- v1.7.7
- v1.7.6
- v1.7.5
- v1.7.4
- v1.7.3
- v1.7.2
- v1.7.1
- v1.7.0
- v1.6.2
- v1.6.1
- v1.6.0
- v1.5.3
- v1.5.2
- v1.5.1
- v1.5.0
- v1.4.12
- v1.4.11
- v1.4.5
- v1.4.4
- v1.4.3
- v1.4.2
- v1.4.1
- v1.4.0
- v1.3.5
- v1.3.4
- v1.3.3
- v1.3.2
- v1.3.1
- v1.3.0
- v1.2.6
- v1.2.5
- v1.2.4
- v1.2.3
- v1.2.2
- v1.2.1
- v1.2.0
- v1.1.2
- v1.1.1
- v1.1.0
- v1.0.9
- v1.0.7
- v1.0.6
- v1.0.5
- v1.0.4
- v1.0.3
- v1.0.2
- v1.0.1
- v1.0.0
- v0.7.0
- v0.6.0
- v0.5.0
- v0.4.0
- v0.3.0
- v0.2.0
- v0.1.3
- v0.1.2
- v0.1.1
- v0.1.0
- v0.0.3
- v0.0.2
- v0.0.1
- dev-7-v2-use-attributes
This package is auto-updated.
Last update: 2024-12-13 16:10:38 UTC
README
OAuth2 Authorization and Resource Server functionality for Bone MVC Framework
installation
Install via composer from the root of your Bone Framework project
composer require delboy1978uk/bone-oauth2
configuration
Simply add the Package to Bone's packages config
<?php // use statements here use Bone\OAuth2\BoneOAuth2Package; use Bone\User\BoneUserPackage; return [ 'packages' => [ // packages here (order is important)..., BoneUserPackage::class, BoneOAuth2Package::class, ], // ... ];
generate a public and private key
Firstly go into the data/keys
directory.
cd data/keys
Use openssl to generate a private key, then extract the public key from the private key:
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key
chmod 660 public.key
chmod 660 private.key
If you want to provide a passphrase for your private key run these commands instead:
openssl genrsa -passout pass:_passphrase_ -out private.key 2048
openssl rsa -in private.key -passin pass:_passphrase_ -pubout -out public.key
chmod 660 public.key
chmod 660 private.key
If a passphrase has been used to generate private key it must be provided to the authorization server.
The public key should be distributed to any services (for example resource servers) that validate access tokens.
generate an encryption key
Go back to the project root.
cd ../..
Run this command and add to your config.
vendor/bin/generate-defuse-key
Run database migrations to generate the tables
vendor/bin/bone migrant:diff
vendor/bin/bone migrant:migrate
vendor/bin/bone migrant:generate-proxies
required config values
Keys can be stored out of the config array and fetched as an environment variable for better security, but these are the config settings you need.
<?php return [ 'oauth2' => [ 'clientCredentialsTokenTTL' => 'PT1H', // 1hour 'authCodeTTL' => 'PT1M', // 1 minute 'accessTokenTTL' => 'PT5M', // 5 minutes 'refreshTokenTTL' => 'P1M', // 1 month 'privateKeyPath' => '/path/to/private.key', 'publicKeyPath' => '/path/to/private.key', 'encryptionKey' => 'generatedKeyString', ], ];
usage
server side
You can create a client using the vendor/bin/bone
command. You can also create scopes, and grant scopes to clients.
To lock down an endpoint to require an access token, simply add the ResourceServerMiddleware
to the route or route
group in your Bone Framework Package class
$router->map('GET', '/ping', [ExampleController::class, 'pingAction'])->middleware($c->get(ResourceServerMiddleware::class));
In your controller, you will have access to the user, which is now an instance of OAuthUser
. You can also get the
scopes granted for the request.
/** * @param $request * @param array $args * @return ResponseInterface * @throws \Exception */ public function someAction(ServerRequestInterface $request, array $args) : ResponseInterface { /** @var \Bone\OAuth2\Entity\OAuthUser $user */ $user = $request->getAttribute('user'); if (!in_array('email', $request->getAttribute('oauth_scopes'))) { throw new Exception('How dare you!', 403); } return new JsonResponse(['random' => 'data']); }
client side
Clients connect using the standard OAuth2 flow described in RFC6749, the two endpoints in your Bone App are
- /oauth2/authorize
- /oauth2/token
site users
Logged in users now have an additional end point which they can go to, /user/api-keys
, where they can get a new API key, or delete existing ones.
console
You also have access to more bone
command options:
bone client:create
bone client:create
bone scope:create
bone scope:list