chillerlan / php-oauth Goto Github PK
View Code? Open in Web Editor NEWA fully transparent, framework agnostic PSR-18 OAuth client.
License: MIT License
A fully transparent, framework agnostic PSR-18 OAuth client.
License: MIT License
To get the User Access Token from Garmin Connect Api, I've used the public method getAccessToken in OAuth1Provider.php. In the public method getRequestAuthorization I've added oauth_verifier in the params:
public function getRequestAuthorization(RequestInterface $request, AccessToken|null $token = null):RequestInterface{
$token ??= $this->storage->getAccessToken($this->name);
if($token->isExpired()){
throw new InvalidAccessTokenException;
}
$params = [
'oauth_consumer_key' => $this->options->key,
'oauth_nonce' => $this->nonce(),
'oauth_signature_method' => 'HMAC-SHA1',
'oauth_timestamp' => time(),
'oauth_token' => $token->accessToken,
'oauth_version' => '1.0',
'oauth_verifier' => $verifier,
];
$params['oauth_signature'] = $this->getSignature(
$request->getUri(),
$params,
$request->getMethod(),
$token->accessTokenSecret,
);
return $request->withHeader('Authorization', sprintf('OAuth %s', QueryUtil::build($params, null, ', ', '"')));
}
Because without oauth_verifier I got an error in the response from Guzzle.
Describe the feature
The feature is documented in RFC-9449.
Right now I don't see the need to implement abstract support for this, as there are currently no major services out in the wild that support it (as it is a relatively new proposal).
Further, the underlying protocol has a lot of dependencies (RFCs 7515, 7516, 7517, 7518, 7519, 7520, 7521, 7523) that translate into one or more additional libraries, such as firebase/php-jwt
or web-token/jwt-framework
for example, which is not justifiable at this point.
Bluesky's upcoming OAuth2 support might be the first implementation that makes use of it, and once it is rolled out, I'll figure out implementation details and whether to depend on external libraries or just roll a minimum JWT implementation for this specific provider.
Code sample (if applicable)
DPoP introduces the concept of a DPoP proof, which is a JWT created by the client and sent with an HTTP request using the DPoP header field. Each HTTP request requires a unique DPoP proof.
The DPoP proof is sent with the access token request, hence it should be created once the authorization code is received, so in OAuth2Provider::getAccessToken()
. Ideal is probably OAuth2Provider::sendAccessTokenRequest()
which is called in the aforementioned method and which has direct access to the PSR-7 RequestInterface
instance:
protected function sendAccessTokenRequest(string $url, array $body):ResponseInterface{
$request = $this->requestFactory
->createRequest('POST', $url)
->withHeader('Accept', 'application/json')
->withHeader('Accept-Encoding', 'identity')
->withHeader('Content-Type', 'application/x-www-form-urlencoded')
->withBody($this->streamFactory->createStream(QueryUtil::build($body, PHP_QUERY_RFC1738)))
;
foreach($this::HEADERS_AUTH as $header => $value){
$request = $request->withHeader($header, $value);
}
if($this::USES_BASIC_AUTH_IN_ACCESS_TOKEN_REQUEST){
$request = $this->addBasicAuthHeader($request);
}
// as with all additional features, an interface will be added
if($this instanceof DPoP){
$dpopProof = $this->createDpopProof(/* ... */);
$request = $request->withHeader('DPoP', $dpopProof);
}
return $this->http->sendRequest($request);
}
During creation of the proof, the generated private key should be saved for the current user, which requires additional methods in the storage interface as the key is required for subsequent proofs:
OAuthStorageInterface::storeDpopPrivateKey(string $key, string $provider):static
No changes are required to the token response parser or the AccessToken
class as the only difference here is that the access token is a JWT that contains data instead of a random string.
The request authorization boils down to:
public function getRequestAuthorization(RequestInterface $request, AccessToken|null $token = null):RequestInterface{
$token ??= $this->storage->getAccessToken($this->name);
if($token->isExpired()){
if(!$this instanceof TokenRefresh || $this->options->tokenAutoRefresh !== true){
throw new InvalidAccessTokenException;
}
$token = $this->refreshAccessToken($token);
}
return $request
// the "Bearer" changes to "DPoP" as per spec (or whatever the service doc says)
->withHeader('Authorization', 'DPoP '.$token->accessToken)
// additionally, a DPoP proof is attached
->withHeader('DPoP', $this->createDpopProof(/* ... */))
;
}
Are you (the requester) willing to submit a pull request for that feature?
[YES] (I guess I'll have to!?)
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.