README

This Flow package provides an OAuth 2.0 server, based on The PHP League OAuth Server.

Setup

Installation

The installation is done with composer:

composer require punktde/oauth2-server

Run the doctrine migrations

./flow doctrine:migrate

Optional: Define position of routes

Routes are per default included without any position parameter. If routes are positioned wrong adjust the position accordig to the [Flow Route documentation](https://flowframework.readthedocs.io/en/stable/TheDefinitiveGuide/PartIII/Routing.html#subroutes-from-settings)

Configuration

Enable the required grant types within your settings:

PunktDe:
  OAuth2:
    Server:
      grantTypes:
        client_credentials:
          enabled: false
        authorization_code:
          enabled: false

Have a look at Settings.PunktDe.yaml for further configuration values.

Generate server keys:

./flow oauthserver:generateserverkeys

Create client credentials:

./flow oauthserver:createclientcredentials <identifier> <name> <grant-type>

Implemented Grants

There is a good listing at thephpleague.com of all grant types of OAuth2 which should help you to find the type that fits to your application.

The following OAuth 2.0 grant types are implemented:

Client credentials Grant

If you are authorizing a machine to access resources and you don’t require the permission of a user to access said resources you should implement the client credential grant.

Authorization code grant

If the client is a web application that has a server side component then you should implement the authorization code grant.

The urls to use are:

• Access Token URL: <YourDomain>/oauth/token
• Authorization URL: <YourDomain>/oauth/authorize
• Authorization approval URL: oauth/approveauthorization

The Authorization code grant is currently implemented with an implicit authorization of the requesting application.

Authenticating users during authorization process

If /oauth/authorize is called without an authenticated Flow account, the user is automatically redirected to a configurable URL. After authentication, the user should be forwarded to /oauth/approveauthorization to approve the previously started authorization session.

Custom authorization request approval

Authentication request approval can be extended to fit your projects needs. You can put your custom logic into a class implementing the ApprovalStrategyInterface.