CakePHP OAuth Server/Provider

OAuth2 Server Plugin for CakePHP

View the Project on GitHub thomseddon/cakephp-oauth-server

CakePHP OAuth2 Server Plugin

This is a plugin for implementing an OAuth Server/Provider in CakePHP, built on quizlets oauth2-php library

What's inside?

Requirements

CakePHP 2.x

A clone of oauth2-php in your Vendors folder

Installation

First grab the tables.sql and get your tables going.

Then clone this repo into a "OAuth" folder in your Plugins folder:

$ git clone git://github.com/seddonmedia/cakephp-oauth-server.git Plugin/OAuth

Or via submodule:

$ git submodule add git://github.com/seddonmedia/cakephp-oauth-server.git Plugin/OAuth

Load the plugin

CakePlugin::loadAll(); // Loads all plugins at once
CakePlugin::load('OAuth'); //Just load OAuth

And include the component in your controller:

$components = array('OAuth.OAuth');

Getting Started

OAuth

A good understanding of the OAuth protocol should be considered a prerequisite of using this plugin. Good documentation explaining various OAuth2 flows is provided by Google, Facebook and in the official spec. For reference, this plugin currently supports the following grant types:

If you need any others please build them into the base oauth2-php library and let me know :)

It should be noted here that most OAuth methods support both GET and POST, so you can test your setup straight from the browser.

Controller Setup

To use the "Resource Owner Password Credentials Grant" you need to configure the plugin so it knows where to look for your users username/password combinations. By default it will try a "Users" model with "username" and "password" fields, you can change this in your controllers beforeFilter like so:

$this->OAuth->authenticate = array(
    'userModel' => 'Members',
    'fields' => array(
        'username' => 'email'
    )
);

You can control what actions can be accessed using an OAuth access token in the same way you control access with the AuthComponent, so for example placing this in a controller's beforeFilter:

$this->OAuth->allow(array('userinfo', 'example'));

Would allow access to the "userinfo" and "example" actions.

Adding OAuth Clients

An OAuth client is an application that can access resources on behalf of resource owner, i.e. someone who can use your API.

This plugin ships with all required models, including the "Clients" model for adding and accessing OAuth clients. You may wish to handle adding clients yourself, see the tables.sql for the schema, or you can use the convenience method included in the model, like so:

$client = $this->OAuth->Client->add('http://www.return_url.com')

Which will generate then client_id and client_secret and return something like:

Array(
    [client_id] => NGYcZDRjODcxYzFkY2Rk
    [client_secret] => 8e7ff3208eed06d101bf3da2473fc92ac1c6d2e7
    [redirect_uri] => http://www.return_url.com
)

The method includes various schemes for generating client id's, pick your favourite.

NOTE: This convenience method will generate a random client secret and hash it for security before storage. Although it will pass back the actual raw client secret when you first add a new client, it is not possible to ever determine this from the hash stored in the database. So if the client forgets their secret, a new one will have to be issued.

Included Endpoints

This plugin ships with an example controller that provides the necessary endpoints to generate access tokens. Routes are also included to give you sexy URL's like: "/oauth/token", you can fire them up by placing this in your bootstrap.php:

CakePlugin::loadAll(array(
    'OAuth' => array('routes' => true)
));

As an example, once you have registered a client, you could then use the Authorization Code Grant like so:

  1. Get an Authorization code
    • /oauth/authorize?response_type=code&client_id=xxxx&redirect_url=http%3a%2f%2flocalhost
    • (note the URL encoding on the redirect_uri)
  2. Swap code for access token
    • /oauth/token?grant_type=authorization_code&code=from_above&client_id=xxxx&client_secret=xxxx
  3. Use access token
    • /oauth/userinfo?access_token=from_above

There is quite a bit of documentation through the code, so dive in, get your hands dirty and submit any issues here!