Documentation

OAuth2
in package
implements FetchAuthTokenInterface

OAuth2 supports authentication by OAuth2 2-legged flows.

It primarily supports

  • service account authorization
  • authorization where a user already has an access token

Table of Contents

Interfaces

FetchAuthTokenInterface
An interface implemented by objects that can fetch auth tokens.

Constants

DEFAULT_EXPIRY_SECONDS  = 3600
DEFAULT_SKEW_SECONDS  = 60
JWT_URN  = 'urn:ietf:params:oauth:grant-type:jwt-bearer'

Properties

$knownGrantTypes  : array<string|int, mixed>
The well known grant types.
$knownSigningAlgorithms  : mixed
TODO: determine known methods from the keys of JWT::methods.
$accessToken  : string
The current access token.
$additionalClaims  : mixed
When using the toJwt function, these claims will be added to the JWT payload.
$audience  : string
The target audience for assertions.
$authorizationUri  : UriInterface
The authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
$clientId  : string
A unique identifier issued to the client to identify itself to the authorization server.
$clientSecret  : string
A shared symmetric secret issued by the authorization server, which is used to authenticate the client.
$code  : string
The authorization code issued to this client.
$expiresAt  : int
The expiration time of the access token as a number of seconds since the unix epoch.
$expiresIn  : int
The lifetime in seconds of the current access token.
$expiry  : int
The number of seconds assertions are valid for.
$extensionParams  : mixed
When using an extension grant type, this is the set of parameters used by that extension.
$grantType  : string
The current grant type.
$idToken  : string
The current ID token.
$issuedAt  : int
The issue time of the access token as a number of seconds since the unix epoch.
$issuer  : string
The issuer ID when using assertion profile.
$password  : string
The resource owner's password.
$redirectUri  : string
The redirection URI used in the initial request.
$refreshToken  : string
The refresh token associated with the access token to be refreshed.
$scope  : array<string|int, mixed>
The scope of the access request, expressed either as an Array or as a space-delimited string.
$signingAlgorithm  : string
The signing algorithm when using an assertion profile.
$signingKey  : string
The signing key when using assertion profile.
$signingKeyId  : string
The signing key ID when using an assertion profile. It is sent as the kid parameter in the JWT header.
$state  : string
An arbitrary string designed to allow the client to maintain state.
$sub  : string
The target sub when issuing assertions.
$tokenCredentialUri  : UriInterface
The authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
$username  : string
The resource owner's username.

Methods

__construct()  : mixed
Create a new OAuthCredentials.
buildFullAuthorizationUri()  : UriInterface
Builds the authorization Uri that the user should be redirected to.
fetchAuthToken()  : array<string|int, mixed>
Fetches the auth tokens based on the current state.
generateCredentialsRequest()  : RequestInterface
Generates a request for token credentials.
getAccessToken()  : mixed
Gets the current access token.
getAdditionalClaims()  : array<string|int, mixed>
Gets the additional claims to be included in the JWT token.
getAudience()  : mixed
Gets the target audience when issuing assertions.
getAuthorizationUri()  : UriInterface
Gets the authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
getCacheKey()  : string
Obtains a key that can be used to cache the results of #fetchAuthToken.
getClientId()  : mixed
Gets a unique identifier issued to the client to identify itself to the authorization server.
getClientName()  : string
Get the client ID.
getClientSecret()  : mixed
Gets a shared symmetric secret issued by the authorization server, which is used to authenticate the client.
getCode()  : mixed
Gets the authorization code issued to this client.
getExpiresAt()  : int
Gets the time the current access token expires at.
getExpiresIn()  : mixed
Gets the lifetime of the access token in seconds.
getExpiry()  : mixed
Gets the number of seconds assertions are valid for.
getExtensionParams()  : mixed
Gets the set of parameters used by extension when using an extension grant type.
getGrantType()  : string
Gets the current grant type.
getIdToken()  : mixed
Gets the current ID token.
getIssuedAt()  : mixed
Gets the time the current access token was issued at.
getIssuer()  : mixed
Gets the Issuer ID when using assertion profile.
getLastReceivedToken()  : array<string|int, mixed>|null
The expiration of the last received token.
getPassword()  : mixed
Gets the resource owner's password.
getRedirectUri()  : string
Gets the redirection URI used in the initial request.
getRefreshToken()  : mixed
Gets the refresh token associated with the current access token.
getScope()  : string
Gets the scope of the access requests as a space-delimited String.
getSigningAlgorithm()  : string
Gets the signing algorithm when using an assertion profile.
getSigningKey()  : mixed
Gets the signing key when using an assertion profile.
getSigningKeyId()  : string
Gets the signing key id when using an assertion profile.
getState()  : string
Gets an arbitrary string designed to allow the client to maintain state.
getSub()  : mixed
Gets the target sub when issuing assertions.
getTokenCredentialUri()  : string
Gets the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
getUsername()  : mixed
Gets the resource owner's username.
isExpired()  : bool
Returns true if the access token has expired.
parseTokenResponse()  : array<string|int, mixed>
Parses the fetched tokens.
setAccessToken()  : mixed
Sets the current access token.
setAdditionalClaims()  : mixed
Sets additional claims to be included in the JWT token.
setAudience()  : mixed
Sets the target audience when issuing assertions.
setAuthorizationUri()  : mixed
Sets the authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
setClientId()  : mixed
Sets a unique identifier issued to the client to identify itself to the authorization server.
setClientSecret()  : mixed
Sets a shared symmetric secret issued by the authorization server, which is used to authenticate the client.
setCode()  : mixed
Sets the authorization code issued to this client.
setExpiresAt()  : mixed
Sets the time the current access token expires at.
setExpiresIn()  : mixed
Sets the lifetime of the access token in seconds.
setExpiry()  : mixed
Sets the number of seconds assertions are valid for.
setExtensionParams()  : mixed
Sets the set of parameters used by extension when using an extension grant type.
setGrantType()  : mixed
Sets the current grant type.
setIdToken()  : mixed
Sets the current ID token.
setIssuedAt()  : mixed
Sets the time the current access token was issued at.
setIssuer()  : mixed
Sets the Issuer ID when using assertion profile.
setPassword()  : mixed
Sets the resource owner's password.
setRedirectUri()  : mixed
Sets the redirection URI used in the initial request.
setRefreshToken()  : mixed
Sets the refresh token associated with the current access token.
setScope()  : mixed
Sets the scope of the access request, expressed either as an Array or as a space-delimited String.
setSigningAlgorithm()  : mixed
Sets the signing algorithm when using an assertion profile.
setSigningKey()  : mixed
Sets the signing key when using an assertion profile.
setSigningKeyId()  : mixed
Sets the signing key id when using an assertion profile.
setState()  : mixed
Sets an arbitrary string designed to allow the client to maintain state.
setSub()  : mixed
Sets the target sub when issuing assertions.
setTokenCredentialUri()  : mixed
Sets the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
setUsername()  : mixed
Sets the resource owner's username.
toJwt()  : string
Obtains the encoded jwt from the instance data.
updateToken()  : mixed
Updates an OAuth 2.0 client.
verifyIdToken()  : null|object
Verifies the idToken if present.
addClientCredentials()  : array<string|int, mixed>
coerceUri()  : null|UriInterface
isAbsoluteUri()  : bool
Determines if the URI is absolute based on its scheme and host or path (RFC 3986).
jwtDecode()  : object
jwtEncode()  : mixed

Constants

DEFAULT_EXPIRY_SECONDS

public mixed DEFAULT_EXPIRY_SECONDS = 3600

DEFAULT_SKEW_SECONDS

public mixed DEFAULT_SKEW_SECONDS = 60

JWT_URN

public mixed JWT_URN = 'urn:ietf:params:oauth:grant-type:jwt-bearer'

Properties

$knownGrantTypes

The well known grant types.

public static array<string|int, mixed> $knownGrantTypes = array('authorization_code', 'refresh_token', 'password', 'client_credentials')

$knownSigningAlgorithms

TODO: determine known methods from the keys of JWT::methods.

public static mixed $knownSigningAlgorithms = array('HS256', 'HS512', 'HS384', 'RS256')

$accessToken

The current access token.

private string $accessToken

$additionalClaims

When using the toJwt function, these claims will be added to the JWT payload.

private mixed $additionalClaims

$audience

The target audience for assertions.

private string $audience

$authorizationUri

The authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.

private UriInterface $authorizationUri

$clientId

A unique identifier issued to the client to identify itself to the authorization server.

private string $clientId

$clientSecret

A shared symmetric secret issued by the authorization server, which is used to authenticate the client.

private string $clientSecret

$code

The authorization code issued to this client.

private string $code

Only used by the authorization code access grant type.

$expiresAt

The expiration time of the access token as a number of seconds since the unix epoch.

private int $expiresAt

$expiresIn

The lifetime in seconds of the current access token.

private int $expiresIn

$expiry

The number of seconds assertions are valid for.

private int $expiry

$extensionParams

When using an extension grant type, this is the set of parameters used by that extension.

private mixed $extensionParams

$grantType

The current grant type.

private string $grantType

$idToken

The current ID token.

private string $idToken

$issuedAt

The issue time of the access token as a number of seconds since the unix epoch.

private int $issuedAt

$issuer

The issuer ID when using assertion profile.

private string $issuer

$password

The resource owner's password.

private string $password

$redirectUri

The redirection URI used in the initial request.

private string $redirectUri

$refreshToken

The refresh token associated with the access token to be refreshed.

private string $refreshToken

$scope

The scope of the access request, expressed either as an Array or as a space-delimited string.

private array<string|int, mixed> $scope

$signingAlgorithm

The signing algorithm when using an assertion profile.

private string $signingAlgorithm

$signingKey

The signing key when using assertion profile.

private string $signingKey

$signingKeyId

The signing key ID when using an assertion profile. It is sent as the kid parameter in the JWT header.

private string $signingKeyId

$state

An arbitrary string designed to allow the client to maintain state.

private string $state

$sub

The target sub when issuing assertions.

private string $sub

$tokenCredentialUri

The authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.

private UriInterface $tokenCredentialUri

$username

The resource owner's username.

private string $username

Methods

__construct()

Create a new OAuthCredentials.

public __construct(array<string|int, mixed> $config) : mixed

The configuration array accepts various options

  • authorizationUri The authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.

  • tokenCredentialUri The authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.

  • clientId A unique identifier issued to the client to identify itself to the authorization server.

  • clientSecret A shared symmetric secret issued by the authorization server, which is used to authenticate the client.

  • scope The scope of the access request, expressed either as an Array or as a space-delimited String.

  • state An arbitrary string designed to allow the client to maintain state.

  • redirectUri The redirection URI used in the initial request.

  • username The resource owner's username.

  • password The resource owner's password.

  • issuer Issuer ID when using assertion profile

  • audience Target audience for assertions

  • expiry Number of seconds assertions are valid for

  • signingKey Signing key when using assertion profile

  • signingKeyId Signing key id when using assertion profile

  • refreshToken The refresh token associated with the access token to be refreshed.

  • accessToken The current access token for this client.

  • idToken The current ID token for this client.

  • extensionParams When using an extension grant type, this is the set of parameters used by that extension.

Parameters
$config : array<string|int, mixed>

Configuration array

buildFullAuthorizationUri()

Builds the authorization Uri that the user should be redirected to.

public buildFullAuthorizationUri([array<string|int, mixed> $config = [] ]) : UriInterface
Parameters
$config : array<string|int, mixed> = []

configuration options that customize the return url

Tags
throws
InvalidArgumentException
Return values
UriInterface

the authorization Url.

fetchAuthToken()

Fetches the auth tokens based on the current state.

public fetchAuthToken([callable $httpHandler = null ]) : array<string|int, mixed>
Parameters
$httpHandler : callable = null

callback which delivers psr7 request

Return values
array<string|int, mixed>

the response

getAccessToken()

Gets the current access token.

public getAccessToken() : mixed

getAdditionalClaims()

Gets the additional claims to be included in the JWT token.

public getAdditionalClaims() : array<string|int, mixed>
Return values
array<string|int, mixed>

getAudience()

Gets the target audience when issuing assertions.

public getAudience() : mixed

getAuthorizationUri()

Gets the authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.

public getAuthorizationUri() : UriInterface
Return values
UriInterface

getCacheKey()

Obtains a key that can be used to cache the results of #fetchAuthToken.

public getCacheKey() : string

The key is derived from the scopes.

Return values
string

a key that may be used to cache the auth token.

getClientId()

Gets a unique identifier issued to the client to identify itself to the authorization server.

public getClientId() : mixed

getClientName()

Get the client ID.

public getClientName([callable $httpHandler = null ]) : string

Alias of OAuth2::getClientId().

Parameters
$httpHandler : callable = null
Tags
access

private

Return values
string

getClientSecret()

Gets a shared symmetric secret issued by the authorization server, which is used to authenticate the client.

public getClientSecret() : mixed

getCode()

Gets the authorization code issued to this client.

public getCode() : mixed

getExpiresAt()

Gets the time the current access token expires at.

public getExpiresAt() : int
Return values
int

getExpiresIn()

Gets the lifetime of the access token in seconds.

public getExpiresIn() : mixed

getExpiry()

Gets the number of seconds assertions are valid for.

public getExpiry() : mixed

getExtensionParams()

Gets the set of parameters used by extension when using an extension grant type.

public getExtensionParams() : mixed

getGrantType()

Gets the current grant type.

public getGrantType() : string
Return values
string

getIdToken()

Gets the current ID token.

public getIdToken() : mixed

getIssuedAt()

Gets the time the current access token was issued at.

public getIssuedAt() : mixed

getIssuer()

Gets the Issuer ID when using assertion profile.

public getIssuer() : mixed

getLastReceivedToken()

The expiration of the last received token.

public getLastReceivedToken() : array<string|int, mixed>|null
Return values
array<string|int, mixed>|null

getPassword()

Gets the resource owner's password.

public getPassword() : mixed

getRedirectUri()

Gets the redirection URI used in the initial request.

public getRedirectUri() : string
Return values
string

getRefreshToken()

Gets the refresh token associated with the current access token.

public getRefreshToken() : mixed

getScope()

Gets the scope of the access requests as a space-delimited String.

public getScope() : string
Return values
string

getSigningAlgorithm()

Gets the signing algorithm when using an assertion profile.

public getSigningAlgorithm() : string
Return values
string

getSigningKey()

Gets the signing key when using an assertion profile.

public getSigningKey() : mixed

getSigningKeyId()

Gets the signing key id when using an assertion profile.

public getSigningKeyId() : string
Return values
string

getState()

Gets an arbitrary string designed to allow the client to maintain state.

public getState() : string
Return values
string

getSub()

Gets the target sub when issuing assertions.

public getSub() : mixed

getTokenCredentialUri()

Gets the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.

public getTokenCredentialUri() : string
Return values
string

getUsername()

Gets the resource owner's username.

public getUsername() : mixed

isExpired()

Returns true if the access token has expired.

public isExpired() : bool
Return values
bool

parseTokenResponse()

Parses the fetched tokens.

public parseTokenResponse(ResponseInterface $resp) : array<string|int, mixed>
Parameters
$resp : ResponseInterface

the response.

Tags
throws
Exception
Return values
array<string|int, mixed>

the tokens parsed from the response body.

setAccessToken()

Sets the current access token.

public setAccessToken(string $accessToken) : mixed
Parameters
$accessToken : string

setAdditionalClaims()

Sets additional claims to be included in the JWT token.

public setAdditionalClaims(array<string|int, mixed> $additionalClaims) : mixed
Parameters
$additionalClaims : array<string|int, mixed>

setAudience()

Sets the target audience when issuing assertions.

public setAudience(string $audience) : mixed
Parameters
$audience : string

setAuthorizationUri()

Sets the authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.

public setAuthorizationUri(string $uri) : mixed
Parameters
$uri : string

setClientId()

Sets a unique identifier issued to the client to identify itself to the authorization server.

public setClientId(mixed $clientId) : mixed
Parameters
$clientId : mixed

setClientSecret()

Sets a shared symmetric secret issued by the authorization server, which is used to authenticate the client.

public setClientSecret(mixed $clientSecret) : mixed
Parameters
$clientSecret : mixed

setCode()

Sets the authorization code issued to this client.

public setCode(string $code) : mixed
Parameters
$code : string

setExpiresAt()

Sets the time the current access token expires at.

public setExpiresAt(int $expiresAt) : mixed
Parameters
$expiresAt : int

setExpiresIn()

Sets the lifetime of the access token in seconds.

public setExpiresIn(int $expiresIn) : mixed
Parameters
$expiresIn : int

setExpiry()

Sets the number of seconds assertions are valid for.

public setExpiry(int $expiry) : mixed
Parameters
$expiry : int

setExtensionParams()

Sets the set of parameters used by extension when using an extension grant type.

public setExtensionParams(mixed $extensionParams) : mixed
Parameters
$extensionParams : mixed

setGrantType()

Sets the current grant type.

public setGrantType(mixed $grantType) : mixed
Parameters
$grantType : mixed
Tags
throws
InvalidArgumentException

setIdToken()

Sets the current ID token.

public setIdToken(mixed $idToken) : mixed
Parameters
$idToken : mixed

setIssuedAt()

Sets the time the current access token was issued at.

public setIssuedAt(int $issuedAt) : mixed
Parameters
$issuedAt : int

setIssuer()

Sets the Issuer ID when using assertion profile.

public setIssuer(string $issuer) : mixed
Parameters
$issuer : string

setPassword()

Sets the resource owner's password.

public setPassword(mixed $password) : mixed
Parameters
$password : mixed

setRedirectUri()

Sets the redirection URI used in the initial request.

public setRedirectUri(string $uri) : mixed
Parameters
$uri : string

setRefreshToken()

Sets the refresh token associated with the current access token.

public setRefreshToken(mixed $refreshToken) : mixed
Parameters
$refreshToken : mixed

setScope()

Sets the scope of the access request, expressed either as an Array or as a space-delimited String.

public setScope(string|array<string|int, mixed> $scope) : mixed
Parameters
$scope : string|array<string|int, mixed>
Tags
throws
InvalidArgumentException

setSigningAlgorithm()

Sets the signing algorithm when using an assertion profile.

public setSigningAlgorithm(string $signingAlgorithm) : mixed
Parameters
$signingAlgorithm : string

setSigningKey()

Sets the signing key when using an assertion profile.

public setSigningKey(string $signingKey) : mixed
Parameters
$signingKey : string

setSigningKeyId()

Sets the signing key id when using an assertion profile.

public setSigningKeyId(string $signingKeyId) : mixed
Parameters
$signingKeyId : string

setState()

Sets an arbitrary string designed to allow the client to maintain state.

public setState(string $state) : mixed
Parameters
$state : string

setSub()

Sets the target sub when issuing assertions.

public setSub(string $sub) : mixed
Parameters
$sub : string

setTokenCredentialUri()

Sets the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.

public setTokenCredentialUri(string $uri) : mixed
Parameters
$uri : string

setUsername()

Sets the resource owner's username.

public setUsername(string $username) : mixed
Parameters
$username : string

toJwt()

Obtains the encoded jwt from the instance data.

public toJwt([array<string|int, mixed> $config = [] ]) : string
Parameters
$config : array<string|int, mixed> = []

Optional configuration parameters.

Return values
string

updateToken()

Updates an OAuth 2.0 client.

public updateToken(array<string|int, mixed> $config) : mixed

Example:

$oauth->updateToken([
    'refresh_token' => 'n4E9O119d',
    'access_token' => 'FJQbwq9',
    'expires_in' => 3600
]);
Parameters
$config : array<string|int, mixed>

The configuration parameters related to the token.

  • refresh_token The refresh token associated with the access token to be refreshed.

  • access_token The current access token for this client.

  • id_token The current ID token for this client.

  • expires_in The time in seconds until access token expiration.

  • expires_at The time as an integer number of seconds since the Epoch

  • issued_at The timestamp that the token was issued at.

verifyIdToken()

Verifies the idToken if present.

public verifyIdToken([string $publicKey = null ][, array<string|int, mixed> $allowed_algs = array() ]) : null|object
  • if none is present, return null
  • if present, but invalid, raises DomainException.
  • otherwise returns the payload in the idtoken as a PHP object.

The behavior of this method varies depending on the version of firebase/php-jwt you are using. In versions lower than 3.0.0, if $publicKey is null, the token is decoded without being verified. In newer versions, if a public key is not given, this method will throw an \InvalidArgumentException.

Parameters
$publicKey : string = null

The public key to use to authenticate the token

$allowed_algs : array<string|int, mixed> = array()

List of supported verification algorithms

Tags
throws
DomainException

if the token is missing an audience.

throws
DomainException

if the audience does not match the one set in the OAuth2 class instance.

throws
UnexpectedValueException

If the token is invalid

throws
SignatureInvalidException

If the signature is invalid.

throws
BeforeValidException

If the token is not yet valid.

throws
ExpiredException

If the token has expired.

Return values
null|object
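
Because a null $publicKey is handled differently across firebase/php-jwt versions, callers can fail closed before reaching verifyIdToken(). The wrapper below is an added example, not code from the library: verifyIdTokenStrict() is a hypothetical helper, the Google\Auth\OAuth2 and Firebase\JWT\JWT class names assume the library is installed through Composer, and the key pair, audience values and token are constructed sample data.

```php
<?php
// Added example, not part of the library. Assumes google/auth and its
// firebase/php-jwt dependency are installed through Composer.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Google\Auth\OAuth2;

/**
 * Hypothetical helper: verify the ID token held by $oauth and fail closed.
 * Returns the payload object, or null when no token is set or it is rejected.
 */
function verifyIdTokenStrict(OAuth2 $oauth, ?string $publicKeyPem, array $allowedAlgs = ['RS256']): ?object
{
    // Never depend on the null-key behaviour: old php-jwt versions skip
    // verification, newer ones throw. Require a key in every case.
    if ($publicKeyPem === null || trim($publicKeyPem) === '') {
        throw new InvalidArgumentException('A public key is required to verify an ID token.');
    }

    // A PEM public key only makes sense with an asymmetric algorithm, so the
    // HS* entries of $knownSigningAlgorithms are never accepted here.
    $algs = array_values(array_intersect($allowedAlgs, ['RS256']));
    if ($algs === []) {
        throw new InvalidArgumentException('No acceptable asymmetric algorithm was given.');
    }

    try {
        // Checks the signature, the time claims and the audience set on $oauth.
        return $oauth->verifyIdToken($publicKeyPem, $algs);
    } catch (DomainException | UnexpectedValueException $e) {
        // Covers the audience errors and the php-jwt signature, not-yet-valid
        // and expiry exceptions listed for verifyIdToken().
        error_log('ID token rejected: ' . get_class($e) . ': ' . $e->getMessage());
        return null;
    }
}

// Constructed sample data: a throwaway RSA key pair and a token signed with it.
$keyPair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
openssl_pkey_export($keyPair, $privatePem);
$publicPem = openssl_pkey_get_details($keyPair)['key'];

$audience = 'example-client-id'; // placeholder audience
$token = JWT::encode(
    ['aud' => $audience, 'iat' => time(), 'exp' => time() + 300],
    $privatePem,
    'RS256'
);

$oauth = new OAuth2(['audience' => $audience]);
$oauth->setIdToken($token);

// Case 1: valid signature and matching audience.
var_dump(verifyIdTokenStrict($oauth, $publicPem) !== null);

// Case 2: same token, but the instance now expects a different audience.
$oauth->setAudience('some-other-client');
var_dump(verifyIdTokenStrict($oauth, $publicPem));

// Case 3: a missing key is refused before the library is called.
try {
    verifyIdTokenStrict($oauth, null);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```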

addClientCredentials()

private addClientCredentials(array<string|int, mixed> &$params) : array<string|int, mixed>
Parameters
$params : array<string|int, mixed>
Return values
array<string|int, mixed>

coerceUri()

private coerceUri(string $uri) : null|UriInterface
Parameters
$uri : string
Tags
todo

handle uri as array

Return values
null|UriInterface

isAbsoluteUri()

Determines if the URI is absolute based on its scheme and host or path (RFC 3986).

private isAbsoluteUri(string $uri) : bool
Parameters
$uri : string
Return values
bool

jwtDecode()

private jwtDecode(string $idToken, string|array<string|int, mixed>|null $publicKey, array<string|int, mixed> $allowedAlgs) : object
Parameters
$idToken : string
$publicKey : string|array<string|int, mixed>|null
$allowedAlgs : array<string|int, mixed>
Return values
object

jwtEncode()

private jwtEncode(mixed $assertion, mixed $signingKey, mixed $signingAlgorithm[, mixed $signingKeyId = null ]) : mixed
Parameters
$assertion : mixed
$signingKey : mixed
$signingAlgorithm : mixed
$signingKeyId : mixed = null