PHPackages

Abandoned, Archived, Library

codewiser/oauth2-resource-server
================================

OAuth 2.0 Resource Server

Version 0.4 (5y ago), MIT, PHP

Since Sep 17, pushed 5y ago, 2 watchers

[Source](https://github.com/C0deWiser/oauth2-resource-server) | [Packagist](https://packagist.org/packages/codewiser/oauth2-resource-server)

Description
===========


An OAuth authorization server issues and validates tokens. It is the best solution for building a distributed API infrastructure.

Such an infrastructure may consist of many API servers, called Resource Servers. Every request those servers accept must carry authorization information: an `access_token` issued by the authorization server.

Every resource server is also an OAuth client: it has a `client_id` and `client_secret` and may obtain its own `access_token` through the `client credentials` grant. Alternatively, the token may be a personal `access_token` issued to a user in the traditional way. Once it holds an `access_token`, the server uses it to make requests to its neighbours (other resource servers in the same infrastructure) or to grant access to its local resources.

When a server receives a request carrying authorization information, it introspects (see [rfc7662](https://tools.ietf.org/html/rfc7662)) the `access_token` from that request: the API server calls the OAuth server and receives from it information about the given `access_token`.

If the token is valid and has the appropriate scopes, the server handles the request. If it is not, the server replies with an error.

RFC
---


- Token Introspection ([rfc7662](https://tools.ietf.org/html/rfc7662))

- Bearer Token Usage ([rfc6750](https://tools.ietf.org/html/rfc6750))

The package is based on [league/oauth2-client](https://packagist.org/packages/league/oauth2-client).

Prerequisite
------------

Your OAuth server must implement [rfc7662](https://tools.ietf.org/html/rfc7662) (a token introspection endpoint). Take a look at [ipunkt/laravel-oauth-introspection](https://packagist.org/packages/ipunkt/laravel-oauth-introspection).

Installation
------------

```
composer require codewiser/oauth2-resource-server
```

Publish the package config.

```
php artisan vendor:publish --provider="Codewiser\ResourceServer\Providers\ResourceServerServiceProvider"
```

Setup
-----

Your environment must define the standard OAuth client properties.

```
OAUTH_SERVER=https://oauth.example.com
CLIENT_ID=123
CLIENT_SECRET=***
SCOPE="read write"
```

`SCOPE` sets the default scopes requested for access tokens.

The following settings are optional and have default values.

```
REDIRECT_URI=oauth/callback
AUTHORIZE_ENDPOINT=oauth/authorize
TOKEN_ENDPOINT=oauth/token
RESOURCE_OWNER_ENDPOINT=api/user
INTROSPECTION_ENDPOINT=oauth/introspect
```

You may provide full URLs or only paths.

Facades and Middlewares
-----------------------


### ResourceServer

`ResourceServer` is the OAuth-client layer responsible for keeping the `Client Credentials Access Token` and for protecting API resources.

```
$accessToken = ResourceServer::getAccessToken();
```

This returns the cached (or newly issued) Client Access Token. Use it to call other API servers.

The token may be sent as an `Authorization` header (see [rfc6750#section-2.1](https://tools.ietf.org/html/rfc6750#section-2.1)),
as an `access_token` body parameter (see [rfc6750#section-2.2](https://tools.ietf.org/html/rfc6750#section-2.2)) or
as an `access_token` query parameter (see [rfc6750#section-2.3](https://tools.ietf.org/html/rfc6750#section-2.3)).

When your server receives an API request with a Bearer token, it should introspect the token on the OAuth server.

```
$introspected = ResourceServer::getIntrospectedToken($request->bearerToken());
```

The simplest way to protect routes is with `ResourceServerMiddleware`. Register it in `app/Http/Kernel.php` under whatever alias you like.

```
protected $routeMiddleware = [
    'scope' => \Codewiser\ResourceServer\Http\Middleware\ResourceServerMiddleware::class,
];
```

Then protect your route.

```
use Illuminate\Http\Request;

// The middleware introspects the Bearer token and requires the "read" scope.
Route::get('resource', 'ApiController@list')->middleware('scope:read');

class ApiController extends Controller
{
    public function list(Request $request)
    {
        // Get the user profile from the OAuth server
        $owner = ResourceServer::getTokenOwner($request);

        // Your code here
    }
}
```

Alternatively, you may protect a group of routes with the middleware and validate the scope in the controllers.

```
use Illuminate\Http\Request;

// Without a scope argument the middleware only checks that the token is valid.
Route::get('resource', 'ApiController@list')->middleware('scope');

class ApiController extends Controller
{
    public function list(Request $request)
    {
        // Introspect the token and require the "read" scope here instead.
        ResourceServer::introspect($request)
            ->validateScope('read');

        // Your code here
    }
}
```

If the request fails validation, the thrown exception renders a proper response (according to [rfc6750](https://tools.ietf.org/html/rfc6750)).
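To show what the middleware does behind the facades, here is an added example (not code from codewiser/oauth2-resource-server) of an rfc7662 introspection check that answers failures with rfc6750 `WWW-Authenticate` challenges. The transport callable `$http`, the `introspect`/`requireScope` helpers and the token values are assumptions so the example runs offline against constructed introspection replies.

```php
<?php
// Added example (not code from codewiser/oauth2-resource-server): an RFC 7662 introspection check with RFC 6750 error challenges.
// $http is a hypothetical transport callable (POST form + headers -> decoded JSON reply) so this runs offline on constructed replies.
final class BearerError extends RuntimeException
{
    public function __construct(public readonly int $status, public readonly string $error, string $description)
    {
        parent::__construct($description);
    }
    // RFC 6750 section 3: the error is reported in the WWW-Authenticate challenge.
    public function challenge(string $realm = 'api'): string
    {
        return sprintf('Bearer realm="%s", error="%s", error_description="%s"',
            $realm, $this->error, addcslashes($this->getMessage(), '"\\'));
    }
}

function introspect(callable $http, string $endpoint, string $clientId, string $clientSecret, string $token): array
{
    // RFC 7662 section 2.1: the resource server authenticates itself (here with its
    // client credentials) and posts the token as a form parameter.
    $claims = $http($endpoint, ['token' => $token, 'token_type_hint' => 'access_token'],
        ['Authorization' => 'Basic ' . base64_encode("$clientId:$clientSecret")]);
    // "active" is the only mandatory reply field; anything but true means revoked, expired or unknown.
    if (($claims['active'] ?? false) !== true) {
        throw new BearerError(401, 'invalid_token', 'The access token is not active');
    }
    return $claims;
}

function requireScope(array $claims, string $required): void
{
    // "scope" is a space-separated list (RFC 6749 section 3.3); compare whole tokens, not substrings.
    $granted = preg_split('/\s+/', trim($claims['scope'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    if (!in_array($required, $granted, true)) {
        throw new BearerError(403, 'insufficient_scope', "The \"$required\" scope is required");
    }
}

// Constructed stand-in for the OAuth server: one active token carrying only the "read" scope.
$fakeHttp = fn (string $url, array $form, array $headers): array =>
    $form['token'] === 'tok-read' ? ['active' => true, 'scope' => 'read', 'client_id' => '123'] : ['active' => false];

foreach ([['tok-read', 'read'], ['tok-read', 'write'], ['revoked', 'read']] as [$token, $scope]) {
    try {
        requireScope(introspect($fakeHttp, 'https://oauth.example.com/oauth/introspect', '123', 'secret', $token), $scope);
        echo "$token / $scope: allowed\n";
    } catch (BearerError $e) {
        echo "$token / $scope: HTTP {$e->status}, WWW-Authenticate: {$e->challenge()}\n";
    }
}
```

A missing or wrong scope yields 403 `insufficient_scope`, while an inactive token yields 401 `invalid_token`; the client must not learn anything more than the challenge carries.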

### OAuthClient

`OAuthClient` is the OAuth-client layer responsible for authorizing users and keeping their `Personal Access Token`.

```
if (!OAuthClient::hasAccessToken()) {

    // Remember the current page so the user can be sent back here afterwards.
    OAuthClient::setReturnUrl($request->fullUrl());

    // Set the required scopes
    OAuthClient::setScope('read write email etc');

    // Send the user to the authorization server
    return redirect(OAuthClient::getAuthorizationUrl());
}
```

The authorization server will return the user to `CallbackController`. You may use the built-in one or define your own.

```
try {

    // The callback exchanges the authorization_code for an access_token and stores it in the session.
    OAuthClient::callback($request);

    // Then return the user to the page we stored previously.
    return redirect(OAuthClient::getReturnUrl('/'));
} catch (\Throwable $e) {

    // Never swallow a failed exchange silently: record it and refuse access.
    report($e);
    abort(403);
}
```

Once we hold a `Personal Access Token`, we can serve the requested information to the user.

```
if (OAuthClient::hasAccessToken()) {

    ResourceServer::getIntrospectedToken(OAuthClient::getAccessToken())
        ->validateScope('read');

    // Your code here
}
```

The simplest way to protect routes is with `PersonalAccessMiddleware`. Register it in `app/Http/Kernel.php` under whatever alias you like.

```
protected $routeMiddleware = [
    'private' => \Codewiser\ResourceServer\Http\Middleware\PersonalAccessMiddleware::class,
];
```

Then protect your route.

```
Route::get('profile', 'PersonalController@show')->middleware('private:read');
```

If the user has no `Personal Access Token`, he or she will be redirected to the Authorization Server.

Cache
-----


All tokens are cached locally for a limited time.


### Community

Maintainer and top contributor: [Cellard](https://github.com/Cellard) (13 commits)

Tags: laravel, oauth 2.0, oauth-client, resource server, rfc-6750, RFC 7662
