PHPackages deadmantfa/yii2-oauth2-server - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. deadmantfa/yii2-oauth2-server ActiveLibrary[Authentication & Authorization](/categories/authentication) deadmantfa/yii2-oauth2-server ============================= OAuth 2.0 server for Yii 2.0 with MAC tokens support. 1.0.2(1y ago)0443—0%MITPHPPHP >=8.1 Since Jan 3Pushed 1y agoCompare [ Source](https://github.com/deadmantfa/yii2-oauth2-server)[ Packagist](https://packagist.org/packages/deadmantfa/yii2-oauth2-server)[ RSS](/packages/deadmantfa-yii2-oauth2-server/feed)WikiDiscussions master Synced 1mo ago READMEChangelogDependencies (5)Versions (4)Used By (0) Yii2 OAuth2 Server (PHP 8+ & League v9 Ready) ================================================= [](#yii2-oauth2-server-php-8--league-v9-ready) This is a fork of the original [`chervand/yii2-oauth2-server`](https://github.com/chervand/yii2-oauth2-server) plugin, updated for **PHP 8+**, **league/oauth2-server ^9.1**, and additional custom grants (including optional support for MAC tokens, token revocation, and more). It provides: - A **standards-compliant** [OAuth2.0 Server](https://tools.ietf.org/html/rfc6749) for Yii2 - **Refresh token** support (RFC6749 / [RFC7009](https://tools.ietf.org/html/rfc7009)) - **MAC token** support (experimental, [draft-ietf-oauth-v2-http-mac-05](https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05)) - **Token revocation** endpoints - **Flexible** DB-based migrations for storing OAuth2 clients, tokens, scopes, etc. - Easy integration with your **Yii2 `user` component** so you can unify login states and roles. 1. Installation --------------- [](#1-installation) Add this package to your project: ``` composer require deadmantfa/yii2-oauth2-server ``` ### 1.1 Apply DB Migrations [](#11-apply-db-migrations) Run: ``` ./yii migrate --migrationPath="@vendor/deadmantfa/yii2-oauth2-server/migrations" ``` This creates the default OAuth2-related tables (clients, tokens, scopes, etc.). ### 1.2 Generate Public & Private Keys [](#12-generate-public--private-keys) Follow [League’s official](https://oauth2.thephpleague.com/installation/) instructions for generating private/public keys. Typically: ``` openssl genrsa -out private.key 2048 openssl rsa -in private.key -pubout -out public.key ``` Store them somewhere safe (e.g. @app/oauth2/private.key, @app/oauth2/public.key). 2. Basic Configuration ---------------------- [](#2-basic-configuration) Below is a simple example of how to configure the module in your config/main.php (or similar file). ``` return [ // ... 'bootstrap' => [ 'oauth2', // ensures module is bootstrapped // ... ], 'modules' => [ 'oauth2' => [ 'class' => \deadmantfa\yii2\oauth2\server\Module::class, // Your key file paths: 'privateKey' => __DIR__ . '/../oauth2/private.key', 'publicKey' => __DIR__ . '/../oauth2/public.key', // Encryption key used for JWT, typically 32+ bytes 'encryptionKey' => 'some-random-binary-string', // Example: define any custom Repositories or model classes 'components' => [ 'accessTokenRepository' => [ 'class' => \deadmantfa\yii2\oauth2\server\components\Repositories\AccessTokenRepository::class, ], 'refreshTokenRepository' => [ 'class' => \deadmantfa\yii2\oauth2\server\components\Repositories\RefreshTokenRepository::class, ], 'clientRepository' => [ 'class' => \deadmantfa\yii2\oauth2\server\components\Repositories\ClientRepository::class, ], 'scopeRepository' => [ 'class' => \deadmantfa\yii2\oauth2\server\components\Repositories\ScopeRepository::class, ], // ... ], // Optional caching logic for repositories 'cache' => [ \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface::class => [ 'cacheDuration' => 3600, 'cacheDependency' => new \yii\caching\FileDependency(['fileName' => 'AccessTokenRepoCache.txt']), ], // ... ], // Register the grant types you want 'enableGrantTypes' => static function (\deadmantfa\yii2\oauth2\server\Module $module) { $server = $module->authorizationServer; // Password + Refresh Token Grant $passwordGrant = new \League\OAuth2\Server\Grant\PasswordGrant( $module->getComponent('userRepository'), $module->getComponent('refreshTokenRepository') ); $passwordGrant->setRefreshTokenTTL(new \DateInterval('P1M')); $server->enableGrantType($passwordGrant, new \DateInterval('PT1H')); // Client Credentials $server->enableGrantType(new \League\OAuth2\Server\Grant\ClientCredentialsGrant()); // Refresh Token $refreshGrant = new \League\OAuth2\Server\Grant\RefreshTokenGrant( $module->getComponent('refreshTokenRepository') ); $refreshGrant->setRefreshTokenTTL(new \DateInterval('P1M')); $server->enableGrantType($refreshGrant, new \DateInterval('PT1H')); // (Optional) Revoke Grant $server->enableGrantType(new \deadmantfa\yii2\oauth2\server\components\Grant\RevokeGrant( $module->getComponent('refreshTokenRepository'), $module->publicKey )); }, ], ], // ... ]; ``` That’s enough to spin up the Authorization Server portion. You’ll have endpoints like: - `POST /oauth2/token` (to exchange credentials for tokens) - `POST /oauth2/revoke` (to revoke a token, if you enabled RevokeGrant) 3. Integrating with Your user Component --------------------------------------- [](#3-integrating-with-your-user-component) ### 3.1 Provide a `UserRepositoryInterface` [](#31-provide-a-userrepositoryinterface) In League OAuth2, you need a repository that implements `UserRepositoryInterface`. Typically, you can have your user model implement `UserEntityInterface` and provide a `getUserEntityByUserCredentials()` method: ``` class MyUserRepository implements UserRepositoryInterface { public function getUserEntityByUserCredentials($username, $password, $grantType, ClientEntityInterface $clientEntity) { $user = User::findOne(['username' => $username]); if (!$user || !Yii::$app->security->validatePassword($password, $user->password_hash)) { return null; } return $user; // which implements UserEntityInterface } } ``` ### 3.2 Linking to Your `Identity` in Yii2 [](#32-linking-to-your-identity-in-yii2) If you want to unify your “OAuth2 user ID” with your standard Yii user identity: 1. In `config/main.php`, set `'identityClass' => MyUser::class` in your user component. 2. Ensure your model has `getId()` returning the correct user identifier. 3. Make sure the above repository uses that same model. 4. Resource Server (Protecting Your API) ---------------------------------------- [](#4-resource-server-protecting-your-api) To validate tokens in your controllers, attach an authenticator that checks the `Authorization: Bearer ` header. For example: ``` class MyApiController extends \yii\rest\ActiveController { public function behaviors() { $behaviors = parent::behaviors(); unset($behaviors['authenticator']); unset($behaviors['rateLimiter']); /** @var \deadmantfa\yii2\oauth2\server\Module $auth */ $auth = Yii::$app->getModule('oauth2'); $behaviors['authenticator'] = [ 'class' => \yii\filters\auth\CompositeAuth::class, 'authMethods' => [ [ 'class' => \deadmantfa\yii2\oauth2\server\components\AuthMethods\HttpBearerAuth::class, 'publicKey' => $auth->publicKey, 'cache' => $auth->cache, ], // or add Mac tokens: // [ // 'class' => \deadmantfa\yii2\oauth2\server\components\AuthMethods\HttpMacAuth::class, // ], ], ]; $behaviors['rateLimiter'] = [ 'class' => \yii\filters\RateLimiter::class, ]; return $behaviors; } } ``` Any requests with an invalid or no token get a 401 response. 5. MAC Tokens (Optional) ------------------------ [](#5-mac-tokens-optional) If you want [MAC tokens](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-http-mac-05) (still a draft), you can enable them by adding: ``` use \deadmantfa\yii2\oauth2\server\components\AuthMethods\HttpMacAuth; $behaviors['authenticator'] = [ 'class' => \yii\filters\auth\CompositeAuth::class, 'authMethods' => [ [ 'class' => HttpMacAuth::class, 'publicKey' => $auth->publicKey, 'cache' => $auth->cache, ], ], ]; ``` And in your module’s `enableGrantTypes`, you can enable a `MacTokenResponse` instead of `BearerTokenResponse`. 6. Revoke Tokens (RFC7009) -------------------------- [](#6-revoke-tokens-rfc7009) Add the `RevokeGrant` in `enableGrantTypes`: ``` $server->enableGrantType( new \deadmantfa\yii2\oauth2\server\components\Grant\RevokeGrant( $module->refreshTokenRepository, $module->publicKey ) ); ``` Then request: ``` POST /oauth2/revoke Authorization: Basic Content-Type: application/json { "token": "" } ``` The plugin revokes tokens in the DB. The next time the resource server checks that token, it’s marked invalid. 7. Optional CORS Support ------------------------ [](#7-optional-cors-support) If you want to handle CORS within this plugin (e.g. for /oauth2/token calls in front-end apps), you can either: - (A) Configure CORS globally in your Yii2 app (recommended for most setups), or - (B) Enable a built-in CORS filter inside this module’s controllers. ### 7.1 Sample Global CORS [](#71-sample-global-cors) In your main `config/main.php`: ``` 'on beforeRequest' => function ($event) { Yii::$app->attachBehavior('globalCors', [ 'class' => \yii\filters\Cors::class, 'cors' => [ 'Origin' => ['https://yourfrontend.com'], 'Access-Control-Allow-Credentials' => true, 'Access-Control-Allow-Headers' => ['Authorization', 'Content-Type', 'X-Requested-With', 'Accept', 'Origin', 'Cache-Control', 'Pragma'], 'Access-Control-Allow-Methods' => ['GET','POST','OPTIONS','PUT','DELETE'], 'Access-Control-Max-Age' => 3600, ], ]); }, ``` ### 7.2 Built-in CORS in Module [](#72-built-in-cors-in-module) If you want the plugin to handle it internally, you can define a property like: ``` 'modules' => [ 'oauth2' => [ 'class' => \deadmantfa\yii2\oauth2\server\Module::class, 'enableCors' => true, 'corsConfig' => [ 'class' => \yii\filters\Cors::class, 'cors' => [ 'Origin' => ['*'], 'Access-Control-Allow-Credentials' => true, 'Access-Control-Allow-Methods' => ['POST','OPTIONS'], 'Access-Control-Allow-Headers' => ['Authorization','Content-Type','X-Requested-With','Accept','Origin','Cache-Control','Pragma'], 'Access-Control-Max-Age' => 3600, ], ], // ... ], ], ``` 8. Additional Notes ------------------- [](#8-additional-notes) - For custom grants (like a `FirebaseGrant` or a `PasswordlessGrant`), implement `GrantTypeInterface` or extend `AbstractGrant` and register it in `enableGrantTypes`. - You can store user IDs as UUID strings or integers. Just ensure your `UserEntityInterface::getIdentifier()` returns a string that the library can embed in the token. - The library handles JWT signing/verification, so you just need to provide your private/public RSA keys. ### Health Score 31 — LowBetter than 68% of packages Maintenance42 Moderate activity, may be stable Popularity15 Limited adoption so far Community9 Small or concentrated contributor base Maturity49 Maturing project, gaining track record Bus Factor1 Top contributor holds 58.1% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~6 days Total 3 Last Release 483d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/273b16723bec678f1ab9863eb3de2b31f2aa2390b5d872e547fda0dcfc427e61?d=identicon)[deadmantfa](/maintainers/deadmantfa) --- Top Contributors [![deadmantfa](https://avatars.githubusercontent.com/u/1812611?v=4)](https://github.com/deadmantfa "deadmantfa (79 commits)")[![chervand](https://avatars.githubusercontent.com/u/450972?v=4)](https://github.com/chervand "chervand (56 commits)")[![bu4ak](https://avatars.githubusercontent.com/u/17143820?v=4)](https://github.com/bu4ak "bu4ak (1 commits)") --- Tags apileagueauthAuthenticationserveroauthoauth2authorizationoauth 2.0secureresourceprotectauthorisationoauth 2hmacMACthephpleague ### Code Quality Static AnalysisRector ### Embed Badge ![Health badge](/badges/deadmantfa-yii2-oauth2-server/health.svg) ``` [![Health](https://phpackages.com/badges/deadmantfa-yii2-oauth2-server/health.svg)](https://phpackages.com/packages/deadmantfa-yii2-oauth2-server) ``` ### Alternatives [chervand/yii2-oauth2-server OAuth 2.0 server for Yii 2.0 with MAC tokens support. 1524.2k1](/packages/chervand-yii2-oauth2-server)[league/oauth2-server A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API. 6.6k136.0M248](/packages/league-oauth2-server)[ezralazuardy/heimdall Painless OAuth 2.0 Server for CodeIgniter 4 454.2k](/packages/ezralazuardy-heimdall)[auth0/auth0-php PHP SDK for Auth0 Authentication and Management APIs. 40820.2M68](/packages/auth0-auth0-php)[auth0/login Auth0 Laravel SDK. Straight-forward and tested methods for implementing authentication, and accessing Auth0's Management API endpoints. 2745.0M3](/packages/auth0-login)[auth0/symfony Symfony SDK for Auth0 Authentication and Management APIs. 128738.1k](/packages/auth0-symfony) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)