PHPackages isigar/oauth2 - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [DevOps & Deployment](/categories/devops) 4. / 5. isigar/oauth2 ActiveLibrary[DevOps & Deployment](/categories/devops) isigar/oauth2 ============= Nette OAuth2 Provider bundle 1.1(7y ago)0673BSD-3-ClausePHPPHP >= 5.3.0 Since May 18Pushed 7y ago1 watchersCompare [ Source](https://github.com/Isigar/OAuth2)[ Packagist](https://packagist.org/packages/isigar/oauth2)[ Docs](http://www.drahak.eu)[ RSS](/packages/isigar-oauth2/feed)WikiDiscussions master Synced 2mo ago READMEChangelog (2)Dependencies (3)Versions (3)Used By (0) OAuth2 Provider =============== [](#oauth2-provider) This repository is being developed and it's highly unstable. Requirements ------------ [](#requirements) Drahak/OAuth2 requires PHP version 5.3.0 or higher. The only production dependency is [Nette framework 2.0.x](http://www.nette.org). Installation & setup ------------------------ [](#installation--setup) The easist way is to use [Composer](http://doc.nette.org/en/composer) ``` $ composer require drahak/oauth2:@dev ``` Then add following code to your app bootstrap file before creating container: ``` Drahak\OAuth2\DI\Extension::install($configurator); ``` or register it in config.neon: ``` extensions: restful: Drahak\Restful\DI\RestfulExtension ``` Neon configuration ------------------ [](#neon-configuration) ``` oauth2: accessTokenLifetime: 3600 # 1 hour refreshTokenLifetime: 36000 # 10 hours authorizationCodeLifetime: 360 # 6 minutes storage: 'ndb' # allowed values: 'ndb', 'dibi' accessTokenStorage: 'Drahak\OAuth2\Storage\NDB\AccessTokenStorage' authorizationCodeStorage: 'Drahak\OAuth2\Storage\NDB\AuthorizationCodeStorage' clientStorage: 'Drahak\OAuth2\Storage\NDB\ClientStorage' refreshTokenStorage: 'Drahak\OAuth2\Storage\NDB\RefreshTokenStorage' ``` - `accessTokenLifetime` - access token life time in seconds - `refreshTokenLifetime` - refresh token life time in seconds - `authorizationCodeLifetime` - authorization code life time in seconds - `storage` - storage will switch between default NDB and dibi storage. You can use your storage for each storage part. OAuth2 ------ [](#oauth2) #### [Abstract protocol flow](http://tools.ietf.org/html/rfc6749#section-1.2) [](#abstract-protocol-flow) ``` +--------+ +---------------+ | |------ Authorization Request ->| Resource | | | | Owner | | || Authorization | | Client | | Server | | || Resource | | | | Server | | |user->isLoggedIn()) { $this->redirect('AnyUser:login', array('backlink' => $this->storeRequest())); } if ($response_type == 'code') { $this->issueAuthorizationCode($response_type, $redirect_uri, $scope); } else if ($response_type == 'token') { $this->issueAccessToken(IGrant::IMPLICIT, $redirect_uri); } } /** * Access token provider */ public function actionToken() { try { $this->issueAccessToken(); } catch (OAuthException $e) { $this->oauthError($e); } } } ``` Method `issueAccessToken` determines correct grant type from `grant_type` parameter. In case of error throws some `OAuthException` which can be handled by `oauthError` method in default implementation. Action `authorize` is more complex. This is used for generating Authorization code (see below - [Authorization code](#authorization-code)) but for Implicit grant type it's necessary to generate access token here. In case if user is not logged in, redirect user to some login page and then restore authorization request using backlink. Grant types ----------- [](#grant-types) Are determined by `grant_type` parameter. There is support of base grant types as defined in OAuth2 specification: Authorization Code, Implicit, Password, Client Credentials and Refresh token. 1. Authorization code --- This grant type is great for third-party applications which can secure client secret code. To generate access token, you'll need to get authorization code first. You can obtain it from `IOAuthPresenter` by calling `issueAuthorizationCode` ##### Request for authorization code: [](#request-for-authorization-code) ``` GET //oauth.presenter.url/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email ``` - \[REQUIRED\] **response\_type** - you want to generate authorization `code` - \[REQUIRED\] **client\_id** - client ID (e.g. application) that requests for access token - \[REQUIRED\] **redirect\_uri** - URL address whereto redirect in case of success or error - \[OPTIONAL\] **scope** - specify the scope of access request ##### Authorization code response: [](#authorization-code-response) In any case (error or success) Resource owner redirects back to the client using `redirect_uri` with authorization code as a query parameter: ``` //redirect_uri/?code=AnlSCIWYbchsCc5sdc5ac4caca8a2 ``` Or ``` //redirect_uri/?error=unauthorized_client&error_description=Client+is+not+found ``` Since you have authorization code you can make access token request (data provided as `application/x-www-form-urlencoded`) ##### Request for access token: [](#request-for-access-token) ``` POST //oauth.presenter.url/token grant_type=authorization_code &code=AUTHORIZATION_CODE &client_id=CLIENT_ID &client_secret=CLIENT_SECRET ``` - \[REQUIRED\] **grant\_type** - this parameter says OAuth to use Authorization code - \[REQUIRED\] **code** - authorization code which you got from Resource owner - \[REQUIRED\] **client\_id** - client ID (e.g. application) that requests for access token - \[REQUIRED\] **client\_secret** - client (e.g. application) secret key that requests for access token ##### Access token response [](#access-token-response) ``` { "access_token": "AnlSCIWYbchsCc5sdc5ac4caca8a2", "token_type": "bearer", "expires_in": 3600, "refresh_token": "DS6SA512ADCVa51adc54VDS51VD5" } ``` In case or error, provides JSON response: ``` { "error": "invalid_request", "error_description": "Invalid authorization code" } ``` 2. Implicit --- Is used for browser-based (web) or mobile applications, where you can't secure client secret so yopu can't use it to obtain access token. ##### Request for access token: [](#request-for-access-token-1) ``` GET //oauth.presenter.url/authorization?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email ``` - \[REQUIRED\] **response\_type** - since you request access token from Resource owner, you must tell you want an access token (not authorization code) - \[REQUIRED\] **client\_id** - client ID (e.g. application) that requests for access token - \[REQUIRED\] **redirect\_uri** - URL where to redirect in case of success or error - \[OPTIONAL\] **scope** - specify the scope of access request ##### Access token response [](#access-token-response-1) Redirect to `redirect_uri` ``` //redirect_uri/#access_token=AnlSCIWYbchsCc5sdc5ac4caca8a2&expires_in=3600&token_type=bearer ``` In case or error, redirects to: ``` //redirect_uri/#error=unauthorized_client&error_description=Client+is+not+found ``` 3. Password --- Is used for trusted (usually first-party) applications, where you completely trust client because you generate access token from real user credentials (username, password) ##### Request for access token: [](#request-for-access-token-2) ``` POST //oauth.presenter.url/token grant_type=password &username=USERNAME &password=PASSWORD &client_id=CLIENT_ID ``` - \[REQUIRED\] **grant\_type** - Password grant type uses identifier (so unexpectedly) `password` - \[REQUIRED\] **client\_id** - client ID (e.g. application) that requests for access token - \[REQUIRED\] **username** - real user's username - \[OPTIONAL\] **password** - real user's password ##### Access token response [](#access-token-response-2) ``` { "access_token": "AnlSCIWYbchsCc5sdc5ac4caca8a2", "token_type": "bearer", "expires_in": 3600, "refresh_token": "DS6SA512ADCVa51adc54VDS51VD5" } ``` In case or error: ``` { "error": "invalid_request", "error_description": "Invalid authorization code" } ``` 4. Client credentials --- If application needs to get access token for their own account outside the context of any specific user this is probably the best way. ##### Request for access token: [](#request-for-access-token-3) ``` POST //oauth.presenter.url/token grant_type=client_credentials &client_id=CLIENT_ID &client_SECRET=CLIENT_SECRET ``` - \[REQUIRED\] **grant\_type** - Password grant type uses identifier (so unexpectedly) `password` - \[REQUIRED\] **client\_id** - client ID (e.g. application) that requests for access token - \[REQUIRED\] **client\_secret** - client (e.g. application) secret key that requests for access token ##### Access token response [](#access-token-response-3) ``` { "access_token": "AnlSCIWYbchsCc5sdc5ac4caca8a2", "token_type": "bearer", "expires_in": 3600, "refresh_token": "DS6SA512ADCVa51adc54VDS51VD5" } ``` In case or error: ``` { "error": "invalid_request", "error_description": "Invalid authorization code" } ``` 5. Refresh token --- Is used to restore (actually re-generate) access token without authentication process. Refresh token is provided with almost every grant type (excluding Implicit). ##### Request for refresh token: [](#request-for-refresh-token) ``` POST //oauth.presenter.url/token grant_type=refresh_token &refresh_token=DS6SA512ADCVa51adc54VDS51VD5 &client_id=CLIENT_ID ``` - \[REQUIRED\] **grant\_type** - Refresh token identifier - \[REQUIRED\] **refresh\_token** - refresh token itself, that you got from almost any access token - \[REQUIRED\] **client\_id** - client ID (e.g. application) that requests for access token ##### Access token response [](#access-token-response-4) ``` { "access_token": "AnlSCIWYbchsCc5sdc5ac4caca8a2", "token_type": "bearer", "expires_in": 3600, "refresh_token": "DS6SA512ADCVa51adc54VDS51VD5" } ``` In case or error: ``` { "error": "invalid_request", "error_description": "Invalid refresh token" } ``` ### Health Score 28 — LowBetter than 54% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity13 Limited adoption so far Community11 Small or concentrated contributor base Maturity59 Maturing project, gaining track record Bus Factor1 Top contributor holds 70% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~0 days Total 2 Last Release 2918d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/37aaf75bfe348f2d3cc231f68c5447f7f1c7038cada926a11e4859450363eb6a?d=identicon)[Isigar](/maintainers/Isigar) --- Top Contributors [![drahak](https://avatars.githubusercontent.com/u/1215810?v=4)](https://github.com/drahak "drahak (35 commits)")[![marten-cz](https://avatars.githubusercontent.com/u/582397?v=4)](https://github.com/marten-cz "marten-cz (8 commits)")[![jspetrak](https://avatars.githubusercontent.com/u/146057?v=4)](https://github.com/jspetrak "jspetrak (4 commits)")[![Isigar](https://avatars.githubusercontent.com/u/7609408?v=4)](https://github.com/Isigar "Isigar (3 commits)") --- Tags netteserverprovideroauth2drahak ### Embed Badge ![Health badge](/badges/isigar-oauth2/health.svg) ``` [![Health](https://phpackages.com/badges/isigar-oauth2/health.svg)](https://phpackages.com/packages/isigar-oauth2) ``` PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)