OAuth2 in PHP Practice

Source: Internet
Author: User
Tags: oauth
This article is about putting OAuth2 into practice in PHP. It is shared here for anyone who needs a reference; let's have a look.


Problems OAuth2 solves:

    1. When a third party needs access to a service, handing it the user's account and password directly makes leakage easy.

    2. How long an authorization should last, and how wide its scope should be, need to be controlled.

    3. Third-party applications that hold the user's credentials themselves break as soon as the user changes the password.

OAuth2's four authorization methods:

The client must obtain the user's authorization (authorization grant) before it can get a token (access token). OAuth 2.0 defines four ways of authorizing:

    • Authorization code mode (authorization code)

    • Simplified mode (implicit)

    • Password mode (resource owner password credentials), the one used here

    • Client mode (client credentials)

The OAuth2 process

    1. The user accesses the client, and the client requests authorization from the user.

    2. The user agrees to authorize.

    3. With the authorization obtained in the previous step, the client requests a token from the server.

    4. Once the server confirms there is no error, it issues the token to the client.

    5. With the token, the client can request the corresponding resource from the server.

    6. The server checks that the token is correct and opens the resource to the client.

Summary: Step 2 above is where the four authorization methods differ. With password authorization, which requires a very high level of trust in the client, the client takes the user's account and password to the server to apply for a token; if they are correct, the server returns the token to the client.

Problems encountered:

1. Client credentials invalid

{"error": "invalid_client", "error_description": "The client credentials are invalid"}

Workaround:

    1. There are two parameters, client_id and client_secret, stored in the database.

    2. Send the values of these two parameters in the request body.

2. Method to prevent invalidation caused by concurrent requests from the front-end app

1. Set the configuration of the RefreshToken grant class:

    $grantType = new OAuth2\GrantType\RefreshToken($storage, array(
        'always_issue_new_refresh_token' => false, // prevents a new refresh_token from being generated on every refresh
    ));
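The following is an added example, not the article's own code, showing how the password grant, the refresh-token setting above and the protected-resource check (steps 3 to 6 of the process) fit together on bshaffer/oauth2-server-php, the library the RefreshToken snippet comes from. It assumes the library is installed via Composer and that its standard PDO tables exist in the database named by the placeholder $dsn.

```php
<?php
// Added example (not from the article): token endpoint plus a protected resource
// built on bshaffer/oauth2-server-php. Assumes `composer require bshaffer/oauth2-server-php`
// and the library's oauth_clients/oauth_users/oauth_access_tokens/oauth_refresh_tokens tables.
require_once __DIR__ . '/vendor/autoload.php';

$dsn     = 'mysql:dbname=oauth2;host=127.0.0.1';      // constructed placeholder DSN
$storage = new OAuth2\Storage\Pdo(array(
    'dsn' => $dsn, 'username' => 'oauth', 'password' => 'CHANGE-ME',   // placeholders
));

$server = new OAuth2\Server($storage, array(
    'access_lifetime'        => 3600,      // access tokens expire after one hour
    'refresh_token_lifetime' => 1209600,   // refresh tokens live for 14 days
));

// Password grant: the client POSTs the user's username/password together with its
// own client_id/client_secret in the request body (the article's workaround for
// the "invalid_client" error). The library looks the client up in the database.
$server->addGrantType(new OAuth2\GrantType\UserCredentials($storage));

// Refresh grant with the article's setting: keep the same refresh_token across
// refreshes, so two concurrent refresh calls from one front-end app do not
// invalidate each other's stored token.
$server->addGrantType(new OAuth2\GrantType\RefreshToken($storage, array(
    'always_issue_new_refresh_token' => false,
)));

$request  = OAuth2\Request::createFromGlobals();
$response = new OAuth2\Response();
$path     = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);

if ($path === '/token') {
    // Steps 3-4: verify client and user credentials, then issue the token.
    // A wrong client_id/client_secret pair produces the article's
    // {"error":"invalid_client", ...} body with HTTP status 400.
    $server->handleTokenRequest($request, $response)->send();
    exit;
}

// Steps 5-6: every other route requires a valid, unexpired bearer token.
if (!$server->verifyResourceRequest($request, $response)) {
    $response->send();   // 401 with the error reason for the client
    exit;
}
$token = $server->getAccessTokenData($request);
header('Content-Type: application/json');
echo json_encode(array('user_id' => $token['user_id'], 'scope' => $token['scope']));
```

The client obtains a token with a POST to /token whose form body carries grant_type=password, client_id, client_secret, username and password, and later renews it with grant_type=refresh_token plus the refresh_token value.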

Reference resources:

Official documents

GitHub Web site

Implementation logic of OAuth
