This article shares practical notes on using OAuth2 in PHP (with the oauth2-server-php library), written for anyone who needs a reference. Let's take a look.
Problems OAuth2 solves:
If a third party accesses a service by holding the user's account and password, those credentials are easily leaked.
How long should an authorization last, and how wide should its scope be? Handing over a password gives no way to limit either.
Once several third-party applications have each been given the password, changing it breaks all of them at once.
The four OAuth2 authorization grants:
The client must obtain an authorization grant from the user before it can get an access token. OAuth 2.0 defines four grant types:
Authorization code mode (authorization code)
Simplified mode (implicit)
Password mode (resource owner password credentials) - this is the one we use
Client mode (client credentials)
The OAuth2 flow
1. The user accesses the client, and the client asks the user for authorization.
2. The user agrees to authorize.
3. Using the grant obtained in the previous step, the client requests a token from the authorization server.
4. The server verifies the grant and, if it is valid, issues the token to the client.
5. Once the client holds the token, it presents it when requesting the corresponding resource from the server.
6. The server verifies the token and, if it is valid, releases the resource to the client.
Summary: step 2 above is where the four grant types differ. With the password grant, the client takes the user's account and password straight to the server to apply for a token, and if they are correct the server returns the token to the client. Because the client sees the raw password, this grant requires a very high level of trust in the client and is only suitable for first-party applications.
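The following is an added example, not code from the original article or from the oauth2-server-php project: a minimal token endpoint and protected resource built on that library, wired for the password grant used here plus the refresh_token grant, so that steps 3 to 6 of the flow can be exercised. It assumes the library is installed via Composer and that the database follows the library's default table schema; the DSN, database credentials and the `/token` and `/resource` paths are placeholders.

```php
<?php
// Added example (not from the original article): token endpoint + protected
// resource on bshaffer/oauth2-server-php.  Assumed: Composer autoloader present,
// default schema (oauth_clients, oauth_users, oauth_access_tokens,
// oauth_refresh_tokens); DSN/credentials below are placeholders.
require_once __DIR__ . '/vendor/autoload.php';

function buildServer(): OAuth2\Server
{
    $storage = new OAuth2\Storage\Pdo(array(
        'dsn'      => 'mysql:dbname=oauth2;host=127.0.0.1', // placeholder
        'username' => 'oauth_user',                          // placeholder
        'password' => 'change-me',                           // placeholder
    ));

    $server = new OAuth2\Server($storage, array(
        'access_lifetime'        => 3600,    // access tokens live one hour
        'refresh_token_lifetime' => 1209600, // refresh tokens live 14 days
        // Library default: client_id/client_secret may be sent in the POST body
        // (the fix for the invalid_client error); HTTP Basic auth also works.
        'allow_credentials_in_request_body' => true,
    ));

    // Step 2 of the flow: the user hands username/password to this trusted client,
    // which forwards them to /token with its own client credentials.
    $server->addGrantType(new OAuth2\GrantType\UserCredentials($storage));

    // Refresh grant with rotation ON: each refresh returns a new refresh_token and
    // the presented one is revoked, so a replayed (stolen) refresh token is refused.
    $server->addGrantType(new OAuth2\GrantType\RefreshToken($storage, array(
        'always_issue_new_refresh_token' => true,
    )));

    return $server;
}

// Steps 3-4: the client POSTs grant_type=password&username=..&password=..
// plus client_id/client_secret; the library validates both sets of credentials
// and answers with {"access_token":..,"expires_in":..,"refresh_token":..}
// or {"error":"invalid_client",...} / {"error":"invalid_grant",...}.
function tokenEndpoint(OAuth2\Server $server): void
{
    $server->handleTokenRequest(OAuth2\Request::createFromGlobals())->send();
}

// Steps 5-6: the client sends "Authorization: Bearer <access_token>"; the server
// checks that the token exists and has not expired before releasing the resource.
function resourceEndpoint(OAuth2\Server $server): void
{
    $request = OAuth2\Request::createFromGlobals();
    if (!$server->verifyResourceRequest($request)) {
        // 401 with a WWW-Authenticate header and an invalid_token error body
        $server->getResponse()->send();
        return;
    }
    $token = $server->getAccessTokenData($request);
    header('Content-Type: application/json');
    echo json_encode(array('user_id' => $token['user_id'], 'scope' => $token['scope']));
}

$server = buildServer();
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
if ($path === '/token') {
    tokenEndpoint($server);
} elseif ($path === '/resource') {
    resourceEndpoint($server);
} else {
    http_response_code(404);
}
```

Run it with the PHP built-in server as a router script (`php -S 127.0.0.1:8080 server.php`), insert a row in `oauth_clients` and one in `oauth_users`, and POST `grant_type=password` to `/token`; the `access_token` in the reply is then accepted by `/resource` as a Bearer token, and a second refresh with an already-used `refresh_token` is rejected because rotation is on.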
Problems encountered:
1. Invalid client credentials
{"error":"invalid_client","error_description":"The client credentials are invalid"}
Fix:
The server validates two parameters against the database, client_id and client_secret.
Send both values in the request body (the library also accepts them as HTTP Basic authentication) and make sure they match the stored client row exactly.
2. Preventing failures when the front-end app sends concurrent requests
Set the configuration of the RefreshToken grant type:
$grantType = new OAuth2\GrantType\RefreshToken($storage, array('always_issue_new_refresh_token' => false)); // stops a new refresh_token being generated on every refresh
Caveat: with rotation switched off, a refresh token is never replaced, so a leaked one stays usable until it expires and replay cannot be detected. The alternative is to keep rotation on and make the client serialise its refresh calls so that only one is in flight at a time.
Reference resources:
Official documents
GitHub Web site
Implementation logic of OAuth