This is a plugin for implementing an OAuth Server/Provider in CakePHP, built on quizlets oauth2-php library
- A lovely OAuth component that allows cakey access to the oauth library
- The required models with super safe automatic beforeSave token hashing
- AuthComponent'ish interface for action allow/deny's
- Convenience functions for retrieving the current user and adding clients
- An example controller with authorize and token end points
A clone of oauth2-php in your Vendors folder
$ git clone git://github.com/quizlet/oauth2-php.git Vendor/oauth2-php
Or via submodule:
$ git submodule add git://github.com/quizlet/oauth2-php.git Vendor/oauth2-php
First we need to populate the database with the right tables.
Two ways: use schema.sql or Migrations using Migrations Plugin from CakeDC
Go to Config/Schema/schema.sql to grab the tables
OR
$ cake Migrations.migration all --plugin OAuth
Then clone this repo into a "OAuth" folder in your Plugins folder:
$ git clone git://github.com/thomseddon/cakephp-oauth-server.git Plugin/OAuth
Or via submodule:
$ git submodule add git://github.com/thomseddon/cakephp-oauth-server.git Plugin/OAuth
Load the plugin
CakePlugin::loadAll(); // Loads all plugins at once
CakePlugin::load('OAuth'); //Just load OAuth
And include the component in your controller:
$components = array('OAuth.OAuth');
A good understanding of the OAuth protocol should be considered a prerequisite of using this plugin. Good documentation explaining various OAuth2 flows is provided by Google, Facebook and in the official spec. For reference, this plugin currently supports the following grant types:
- Authorization Code Grant
- Refresh Token Grant
- Resource Owner Password Credentials Grant (requires setup, see below)
If you need any others please build them into the base oauth2-php library and let me know :)
It should be noted here that most OAuth methods support both GET and POST, so you can test your setup straight from the browser.
To use the "Resource Owner Password Credentials Grant" you need to configure the plugin so it knows where to look for your users username/password combinations. By default it will try a "Users" model with "username" and "password" fields, you can change this in your controllers beforeFilter like so:
$this->OAuth->authenticate = array(
'userModel' => 'Members',
'fields' => array(
'username' => 'email'
)
);
You can control what actions can be accessed using an OAuth access token in the same way you control access with the AuthComponent, so for example placing this in a controller's beforeFilter:
$this->OAuth->allow(array('userinfo', 'example'));
Would allow access to the "userinfo" and "example" actions.
An OAuth client is an application that can access resources on behalf of resource owner, i.e. someone who can use your API.
This plugin ships with all required models, including the "Clients" model for adding and accessing OAuth clients. You may wish to handle adding clients yourself, see the tables.sql for the schema, or you can use the convenience method included in the model, like so:
$client = $this->OAuth->Client->add('http://www.return_url.com')
Which will generate then client_id and client_secret and return something like:
Array(
[client_id] => NGYcZDRjODcxYzFkY2Rk
[client_secret] => 8e7ff3208eed06d101bf3da2473fc92ac1c6d2e7
[redirect_uri] => http://www.return_url.com
)
The method includes various schemes for generating client id's, pick your favourite.
NOTE: This convenience method will generate a random client secret
and encrypt it for security before storage using Security::rijndael()
method. The default behavior is to use Security.salt
as encryption key.
Thus, it's important to treat it as extremely sensitive data.
Use OAuthUtility::decrypt()
to obtain the client_secret.
This plugin ships with an example controller that provides the necessary endpoints to generate access tokens. Routes are also included to give you sexy URL's like: "/oauth/token", you can fire them up by placing this in your bootstrap.php:
CakePlugin::loadAll(array(
'OAuth' => array('routes' => true)
));
As an example, once you have registered a client, you could then use the Authorization Code Grant like so:
- Get an Authorization code
/oauth/authorize?response_type=code&client_id=xxxx&redirect_url=http%3a%2f%2flocalhost
- (note the URL encoding on the redirect_uri)
- Swap code for access token
/oauth/token?grant_type=authorization_code&code=from_above&client_id=xxxx&client_secret=xxxx
- Use access token
/oauth/userinfo?access_token=from_above
There is quite a bit of documentation through the code, so dive in, get your hands dirty and submit any issues here!