Guide me implementing Oauth2 PHP server using thephpleague library

风格不统一 submitted on 2019-12-04 09:07:56

OAuth 2.0 is very challenging to understand and use correctly. In fact, the lead of OAuth 2.0 famously walked away from the protocol after years of developing for it. According to Eran Hammer (the aforementioned lead developer):

When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure.

To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result in a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations.

So needless to say, there is some contention about OAuth 2.0. Alex Bilbie, the lead developer of the PHP League's OAuth 2.0-Server framework, appears to be one of the more knowledgeable developers for OAuth 2.0, although there are undoubtedly more. Still, keeping in mind one of Hammer's larger complaints - the lack of interoperability and completeness - you probably want to look for the following in an OAuth 2.0 implementation:

  • Active development
  • Full compliance with OAuth 2.0

I personally use and recommend Alex Bilbie's OAuth 2.0-Server, which now includes MAC bearer tokens and aims to be fully compliant. It is also under active development.

So, what does this mean for your project? Read up on the specifications. The package we are using claims to be fully compliant, which means that your best resource is OAuth 2.0's specification itself. There is also decent documentation under the PHP League website that can help you with this particular implementation.

That being said, you may be missing the Scope for your client/user combination. The way OAuth2.0 is structured, your user needs to accept scopes that the client requests. That means that your "scopes" need to be linked in your other tables. If "OK" is not approved by a user (in the DB) then it will not be approved.

Edit

Sounds like scopes are not the issue for you. This venue is not well suited for troubleshooting so I advise that you ensure you have the most current version of whatever framework you choose to use and report any bugs to the developer (with PHPLeague, it is via Github).
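To make the scope point in this answer concrete, here is an added example of a scope repository that only finalizes the scopes a user has actually approved for a client. It is not code from the question, from this answer, or from the league/oauth2-server project. It assumes PHP 8, the ScopeRepositoryInterface and ScopeEntityInterface shipped with league/oauth2-server 8.x (the 9.x interface adds an extra parameter to finalizeScopes), a PDO connection, and two tables (oauth_scopes and oauth_user_client_scopes) whose names and columns are my own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question, the answer, or league/oauth2-server.
// Assumes the repository interfaces of league/oauth2-server 8.x; the PDO wiring
// and the two table names below are assumptions.
//
// Assumed schema:
//   oauth_scopes(id VARCHAR PRIMARY KEY)
//   oauth_user_client_scopes(user_id VARCHAR, client_id VARCHAR, scope_id VARCHAR)
//     -- one row per scope the user approved for that client; written by your
//     -- authorize/consent page when the user accepts the client's request.

use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Entities\Traits\ScopeTrait;
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;

// The library only needs an identifier and JSON serialisation from a scope
// entity; the two traits supply both.
final class ScopeEntity implements ScopeEntityInterface
{
    use EntityTrait;
    use ScopeTrait;
}

final class ScopeRepository implements ScopeRepositoryInterface
{
    public function __construct(private PDO $db)
    {
    }

    // Called for every scope name in the request. Returning null makes the
    // server answer with an invalid_scope error, so a scope that is not in
    // oauth_scopes never reaches a token.
    public function getScopeEntityByIdentifier($identifier): ?ScopeEntityInterface
    {
        $stmt = $this->db->prepare('SELECT id FROM oauth_scopes WHERE id = :id');
        $stmt->execute(['id' => (string) $identifier]);
        if ($stmt->fetchColumn() === false) {
            return null;
        }
        $scope = new ScopeEntity();
        $scope->setIdentifier((string) $identifier);
        return $scope;
    }

    // Called once the client and, for user-bound grants, the user are known.
    // This is where the user/client/scope link is enforced: only the requested
    // scopes the user has approved for this client are returned, so the token
    // carries the intersection rather than whatever the client asked for.
    public function finalizeScopes(
        array $scopes,
        $grantType,
        ClientEntityInterface $clientEntity,
        $userIdentifier = null
    ): array {
        if ($userIdentifier === null) {
            // No user in the picture (for example client_credentials), so there is
            // no consent row to consult. The scopes were already validated above;
            // restrict them per client here if you keep a client-to-scope table.
            return $scopes;
        }

        $stmt = $this->db->prepare(
            'SELECT scope_id FROM oauth_user_client_scopes WHERE user_id = :u AND client_id = :c'
        );
        $stmt->execute([
            'u' => (string) $userIdentifier,
            'c' => $clientEntity->getIdentifier(),
        ]);
        $approved = array_flip($stmt->fetchAll(PDO::FETCH_COLUMN));

        return array_values(array_filter(
            $scopes,
            static fn (ScopeEntityInterface $s): bool => isset($approved[$s->getIdentifier()])
        ));
    }
}
```

Register the repository on the AuthorizationServer in place of the library's stub, and make sure the consent page inserts a row into the link table for each scope the user accepts; a scope that the client requests but the user never approved is silently dropped from the issued token rather than granted.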

It's been quite a few years since this question was asked, but here are links to OAuth2 libraries for Slim 3:
