OAuth2
class OAuth2 implements FetchAuthTokenInterface
OAuth2 supports authentication by OAuth2 2-legged flows.
It primarily supports:
- service account authorization
 - authorization where a user already has an access token
 
Constants
- DEFAULT_EXPIRY_SECONDS
- DEFAULT_SKEW_SECONDS
- JWT_URN
- STS_URN
- private STS_REQUESTED_TOKEN_TYPE

Properties
| static string[] | $knownSigningAlgorithms | TODO: determine known methods from the keys of JWT::methods. |
| static string[] | $knownGrantTypes | The well known grant types. |

Methods
Create a new OAuthCredentials.
Verifies the idToken if present.
Obtains the encoded jwt from the instance data.
Generates a request for token credentials.
Fetches the auth tokens based on the current state.
Obtains a key that can be used to cache the results of #fetchAuthToken.
Parses the fetched tokens.
Updates an OAuth 2.0 client.
Builds the authorization Uri that the user should be redirected to.
No description
A cryptographically random string that is used to correlate the authorization request to the token request.
Generates a random 128-character string for the "code_verifier" parameter in PKCE for OAuth 2.0. This is a cryptographically random string that is determined using random_int, hashed using "hash" and sha256, and base64 encoded.
Sets the authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
Gets the authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
Gets the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
Sets the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
Gets the redirection URI used in the initial request.
Sets the redirection URI used in the initial request.
Gets the scope of the access requests as a space-delimited String.
Sets the scope of the access request, expressed either as an Array or as a space-delimited String.
Gets the current grant type.
Sets the current grant type.
Gets an arbitrary string designed to allow the client to maintain state.
Sets an arbitrary string designed to allow the client to maintain state.
Gets the authorization code issued to this client.
Sets the authorization code issued to this client.
Gets the resource owner's username.
Sets the resource owner's username.
Gets the resource owner's password.
Sets the resource owner's password.
Gets a unique identifier issued to the client to identify itself to the authorization server.
Sets a unique identifier issued to the client to identify itself to the authorization server.
Gets a shared symmetric secret issued by the authorization server, which is used to authenticate the client.
Sets a shared symmetric secret issued by the authorization server, which is used to authenticate the client.
Gets the Issuer ID when using assertion profile.
Sets the Issuer ID when using assertion profile.
Gets the target sub when issuing assertions.
Sets the target sub when issuing assertions.
Gets the target audience when issuing assertions.
Sets the target audience when issuing assertions.
Gets the signing key when using an assertion profile.
Sets the signing key when using an assertion profile.
Gets the signing key id when using an assertion profile.
Sets the signing key id when using an assertion profile.
Gets the signing algorithm when using an assertion profile.
Sets the signing algorithm when using an assertion profile.
Gets the set of parameters used by extension when using an extension grant type.
Sets the set of parameters used by extension when using an extension grant type.
Gets the number of seconds assertions are valid for.
Sets the number of seconds assertions are valid for.
Gets the lifetime of the access token in seconds.
Sets the lifetime of the access token in seconds.
Gets the time the current access token expires at.
Returns true if the access token has expired.
Sets the time the current access token expires at.
Gets the time the current access token was issued at.
Sets the time the current access token was issued at.
Gets the current access token.
Sets the current access token.
Gets the current ID token.
Sets the current ID token.
Get the granted space-separated scopes (if they exist) for the last fetched token.
Sets the granted space-separated scopes for the last fetched token.
Gets the refresh token associated with the current access token.
Sets the refresh token associated with the current access token.
Sets additional claims to be included in the JWT token.
Gets the additional claims to be included in the JWT token.
Gets the issued token type.
The expiration of the last received token.
Details
        
        
    __construct(array $config)
        
    
    Create a new OAuthCredentials.
The configuration array accepts the following options:
- authorizationUri: The authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
- tokenCredentialUri: The authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
- clientId: A unique identifier issued to the client to identify itself to the authorization server.
- clientSecret: A shared symmetric secret issued by the authorization server, which is used to authenticate the client.
- scope: The scope of the access request, expressed either as an Array or as a space-delimited String.
- state: An arbitrary string designed to allow the client to maintain state.
- redirectUri: The redirection URI used in the initial request.
- username: The resource owner's username.
- password: The resource owner's password.
- issuer: Issuer ID when using assertion profile.
- audience: Target audience for assertions.
- expiry: Number of seconds assertions are valid for.
- signingKey: Signing key when using assertion profile.
- signingKeyId: Signing key id when using assertion profile.
- refreshToken: The refresh token associated with the access token to be refreshed.
- accessToken: The current access token for this client.
- idToken: The current ID token for this client.
- extensionParams: When using an extension grant type, this is the set of parameters used by that extension.
- codeVerifier: The code verifier for PKCE for OAuth 2.0.
- resource: The target service or resource where the client intends to use the requested security token.
- subjectTokenFetcher: A fetcher for the "subject_token", which is a security token that represents the identity of the party on behalf of whom the request is being made.
- subjectTokenType: An identifier that indicates the type of the security token in the subjectToken parameter.
- actorToken: A security token that represents the identity of the acting party.
- actorTokenType: An identifier for the representation of the issued security token.

        
                            null|object
    verifyIdToken(string|Key|Key[] $publicKey = null, string|string[] $allowed_algs = [])
        
    
    Verifies the idToken if present.
- if none is present, returns null.
- if present, but invalid, raises DomainException.
- otherwise returns the payload in the ID token as a PHP object.
 
The behavior of this method varies depending on the version of
firebase/php-jwt you are using. In versions 6.0 and above, you cannot
provide multiple $allowed_algs, and instead must provide an array of Key
objects as the $publicKey.
        
                            string
    toJwt(array $config = [])
        
    
    Obtains the encoded jwt from the instance data.
        
                            RequestInterface
    generateCredentialsRequest(callable $httpHandler = null, array $headers = [])
        
    
    Generates a request for token credentials.
        
                            array
    fetchAuthToken(callable $httpHandler = null, array $headers = [])
        
    
    Fetches the auth tokens based on the current state.
        
                            string
    getCacheKey()
        
    
    Obtains a key that can be used to cache the results of #fetchAuthToken.
The key is derived from the scopes.
        
                            array
    parseTokenResponse(ResponseInterface $resp)
        
    
    Parses the fetched tokens.
        
                            void
    updateToken(array $config)
        
    
    Updates an OAuth 2.0 client.
Example:
$oauth->updateToken([
    'refresh_token' => 'n4E9O119d',
    'access_token' => 'FJQbwq9',
    'expires_in' => 3600
]);
        
        
                            UriInterface
    buildFullAuthorizationUri(array $config = [])
        
    
    Builds the authorization Uri that the user should be redirected to.
        
                            string|null
    getCodeVerifier()
        
    
    No description
        
                            void
    setCodeVerifier(string|null $codeVerifier)
        
    
    A cryptographically random string that is used to correlate the authorization request to the token request.
The code verifier for PKCE for OAuth 2.0. When set, the authorization URI will contain the Code Challenge and Code Challenge Method querystring parameters, and the token URI will contain the Code Verifier parameter.
        
                            string
    generateCodeVerifier()
        
    
    Generates a random 128-character string for the "code_verifier" parameter in PKCE for OAuth 2.0. This is a cryptographically random string that is determined using random_int, hashed using "hash" and sha256, and base64 encoded.
When this method is called, the code verifier is set on the object.
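
How the PKCE and state setters documented here fit into an authorization-code flow, as an added example that is not part of the library's documentation or code. It assumes the class is autoloaded as Google\Auth\OAuth2 through Composer; the endpoints, client ID, redirect URI and the helper function names are placeholders chosen for illustration.

```php
<?php
// Added example; not the library's own code. All URIs and the client ID are
// placeholders, and $session stands in for server-side session storage.
require 'vendor/autoload.php';

use Google\Auth\OAuth2;

function newClient(): OAuth2
{
    return new OAuth2([
        'authorizationUri'   => 'https://auth.example.test/authorize',
        'tokenCredentialUri' => 'https://auth.example.test/token',
        'clientId'           => 'example-client-id',
        'redirectUri'        => 'https://app.example.test/callback',
        'scope'              => ['openid', 'email'],
    ]);
}

// Step 1: build the redirect. The code verifier stays on the server; only
// the derived challenge and the state travel in the URI.
function startAuthorization(array &$session): string
{
    $oauth = newClient();
    $session['pkce_verifier'] = $oauth->generateCodeVerifier();
    $session['oauth_state']   = bin2hex(random_bytes(16));
    $oauth->setState($session['oauth_state']);

    return (string) $oauth->buildFullAuthorizationUri();
}

// Step 2: handle the callback. Both stored values are single use, and the
// state is compared in constant time before the code is accepted.
function finishAuthorization(array &$session, array $query): array
{
    $state    = $session['oauth_state'] ?? '';
    $verifier = $session['pkce_verifier'] ?? '';
    unset($session['oauth_state'], $session['pkce_verifier']);

    $returned = $query['state'] ?? '';
    if ($state === '' || !is_string($returned) || !hash_equals($state, $returned)) {
        throw new RuntimeException('OAuth state mismatch');
    }
    if ($verifier === '' || !is_string($query['code'] ?? null)) {
        throw new RuntimeException('missing code or code verifier');
    }

    $oauth = newClient();
    $oauth->setCodeVerifier($verifier);
    $oauth->setCode($query['code']);

    return $oauth->fetchAuthToken(); // POSTs to tokenCredentialUri
}
```

In a web handler, pass `$_SESSION` and `$_GET` as the two arrays.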
        
                            void
    setAuthorizationUri(string $uri)
        
    
    Sets the authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
        
                            UriInterface
    getAuthorizationUri()
        
    
    Gets the authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
        
                            UriInterface
    getTokenCredentialUri()
        
    
    Gets the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
        
                            void
    setTokenCredentialUri(string $uri)
        
    
    Sets the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
        
                            ?string
    getRedirectUri()
        
    
    Gets the redirection URI used in the initial request.
        
                            void
    setRedirectUri(?string $uri)
        
    
    Sets the redirection URI used in the initial request.
        
                            ?string
    getScope()
        
    
    Gets the scope of the access requests as a space-delimited String.
        
                            void
    setScope(string|string[]|null $scope)
        
    
    Sets the scope of the access request, expressed either as an Array or as a space-delimited String.
        
                            ?string
    getGrantType()
        
    
    Gets the current grant type.
        
                            void
    setGrantType(string $grantType)
        
    
    Sets the current grant type.
        
                            string
    getState()
        
    
    Gets an arbitrary string designed to allow the client to maintain state.
        
                            void
    setState(string $state)
        
    
    Sets an arbitrary string designed to allow the client to maintain state.
        
                            string
    getCode()
        
    
    Gets the authorization code issued to this client.
        
                            void
    setCode(string $code)
        
    
    Sets the authorization code issued to this client.
        
                            string
    getUsername()
        
    
    Gets the resource owner's username.
        
                            void
    setUsername(string $username)
        
    
    Sets the resource owner's username.
        
                            string
    getPassword()
        
    
    Gets the resource owner's password.
        
                            void
    setPassword(string $password)
        
    
    Sets the resource owner's password.
        
                            string
    getClientId()
        
    
    Gets a unique identifier issued to the client to identify itself to the authorization server.
        
                            void
    setClientId(string $clientId)
        
    
    Sets a unique identifier issued to the client to identify itself to the authorization server.
        
                            string
    getClientSecret()
        
    
    Gets a shared symmetric secret issued by the authorization server, which is used to authenticate the client.
        
                            void
    setClientSecret(string $clientSecret)
        
    
    Sets a shared symmetric secret issued by the authorization server, which is used to authenticate the client.
        
                            ?string
    getIssuer()
        
    
    Gets the Issuer ID when using assertion profile.
        
                            void
    setIssuer(string $issuer)
        
    
    Sets the Issuer ID when using assertion profile.
        
                            ?string
    getSub()
        
    
    Gets the target sub when issuing assertions.
        
                            void
    setSub(string $sub)
        
    
    Sets the target sub when issuing assertions.
        
                            ?string
    getAudience()
        
    
    Gets the target audience when issuing assertions.
        
                            void
    setAudience(string $audience)
        
    
    Sets the target audience when issuing assertions.
        
                            ?string
    getSigningKey()
        
    
    Gets the signing key when using an assertion profile.
        
                            void
    setSigningKey(string $signingKey)
        
    
    Sets the signing key when using an assertion profile.
        
                            ?string
    getSigningKeyId()
        
    
    Gets the signing key id when using an assertion profile.
        
                            void
    setSigningKeyId(string $signingKeyId)
        
    
    Sets the signing key id when using an assertion profile.
        
                            ?string
    getSigningAlgorithm()
        
    
    Gets the signing algorithm when using an assertion profile.
        
                            void
    setSigningAlgorithm(?string $signingAlgorithm)
        
    
    Sets the signing algorithm when using an assertion profile.
        
                            array
    getExtensionParams()
        
    
    Gets the set of parameters used by extension when using an extension grant type.
        
                            void
    setExtensionParams(array $extensionParams)
        
    
    Sets the set of parameters used by extension when using an extension grant type.
        
                            int
    getExpiry()
        
    
    Gets the number of seconds assertions are valid for.
        
                            void
    setExpiry(int $expiry)
        
    
    Sets the number of seconds assertions are valid for.
        
                            int
    getExpiresIn()
        
    
    Gets the lifetime of the access token in seconds.
        
                            void
    setExpiresIn(?int $expiresIn)
        
    
    Sets the lifetime of the access token in seconds.
        
                            ?int
    getExpiresAt()
        
    
    Gets the time the current access token expires at.
        
                            bool
    isExpired()
        
    
    Returns true if the access token has expired.
        
                            void
    setExpiresAt(int $expiresAt)
        
    
    Sets the time the current access token expires at.
        
                            ?int
    getIssuedAt()
        
    
    Gets the time the current access token was issued at.
        
                            void
    setIssuedAt(int $issuedAt)
        
    
    Sets the time the current access token was issued at.
        
                            ?string
    getAccessToken()
        
    
    Gets the current access token.
        
                            void
    setAccessToken(string $accessToken)
        
    
    Sets the current access token.
        
                            ?string
    getIdToken()
        
    
    Gets the current ID token.
        
                            void
    setIdToken(string $idToken)
        
    
    Sets the current ID token.
        
                            string|null
    getGrantedScope()
        
    
    Get the granted space-separated scopes (if they exist) for the last fetched token.
        
                            void
    setGrantedScope(string $grantedScope)
        
    
    Sets the granted space-separated scopes for the last fetched token.
        
                            ?string
    getRefreshToken()
        
    
    Gets the refresh token associated with the current access token.
        
                            void
    setRefreshToken(string $refreshToken)
        
    
    Sets the refresh token associated with the current access token.
        
                            void
    setAdditionalClaims(array $additionalClaims)
        
    
    Sets additional claims to be included in the JWT token.
        
                            array
    getAdditionalClaims()
        
    
    Gets the additional claims to be included in the JWT token.
        
                            ?string
    getIssuedTokenType()
        
    
    Gets the issued token type.
        
                            null|array
    getLastReceivedToken()
        
    
    The expiration of the last received token.