oauth2 practice in php

This article introduces the practical content of oauth2 in PHP. It is shared here with everyone and also for reference by those in need. Now let’s take a look together

oauth2 solves the problem:

1. For example, if the third party obtains some services through the user account and password, it will easily lead to leakage

2. It is necessary to solve the problem of how long the authorization time range is and how big the scope of this authorization is

3. Also, it has authorized other third-party applications. If the user changes the password, the third-party function will become invalid

oauth2 four authorization methods:

The client must obtain the user's authorization (authorization grant) to obtain the token (access token) . OAuth 2.0 defines four authorization methods.

• Authorization code mode

• Simplified mode (implicit)

• Password mode (resource owner password credentials) We use this

• Client mode (client credentials)

oauht2 process

1. The user accesses the client, and the client applies for authorization from the user

2. The user agrees to authorize

3. obtained in the previous step Authorization, the client applies for a token from the server

4. After the server confirms that it is correct, it issues the token to the client

5. The client gets the token After that, you can apply for the corresponding resources from the server

6. After the server determines whether the token is confirmed, it opens the resources to the client for access

Summary: In fact, the second step above is the 4 authorization methods, and password authorization is used. This authorization requires a high level of trust from the client. In fact, it means taking the user account and password to the server to apply for a token, and returning the token after it is correct. to the client.

Problems occur:

1. The client certificate is invalid

{"error":"invalid_client","error_description":"The client credentials are invalid"}

Solution:

1. is required in the database There are two parameters, client_id and client_screct

2. When making a request, the body must bring the values ​​​​of these two parameters

2. Prevent front-end apps Concurrent request invalidation method

1. Set the configuration of the RefreshToken class:

 $grantType1 = new RefreshToken($storage, array(            'always_issue_new_refresh_token' => false  #这个可以防止每次生成新的refresh_token
        ));

Reference resources:

Official document

github URL

The implementation logic of oauth

oauth2 solves the problem:

1. For example, if the third party obtains some services through the user account and password, it will easily lead to leakage

2. Need to figure out how long the authorization time range is and how big the scope of authorization is

3. Also, it has authorized other third-party applications. If the user changes the password, the third-party application will be affected. The three-party function is invalid

oauth2 four authorization methods:

The client must obtain the user's authorization (authorization grant) to obtain the token (access token). OAuth 2.0 defines four authorization methods.

• Authorization code mode

• Simplified mode (implicit)

• Password mode (resource owner password credentials) We use this

• Client mode (client credentials)

oauht2 process

1. The user accesses the client, and the client applies for authorization from the user

2. The user agrees to authorize

3. obtained in the previous step Authorization, the client applies for a token from the server

4. After the server confirms that it is correct, it issues the token to the client

5. The client gets the token After that, you can apply for the corresponding resources from the server

6. After the server determines whether the token is confirmed, it opens the resources to the client for access

Summary: In fact, the second step above is the 4 authorization methods, and password authorization is used. This authorization requires a high level of trust from the client. In fact, it means taking the user account and password to the server to apply for a token, and returning the token after it is correct. to the client.

Problems occur:

1. The client certificate is invalid

{"error":"invalid_client","error_description":"The client credentials are invalid"}

Solution:

1. is required in the database There are two parameters, client_id and client_screct

2. When making a request, the body must bring the values ​​​​of these two parameters

2. Prevent front-end apps Concurrent request invalidation method

1. Set the configuration of the RefreshToken class:

 $grantType1 = new RefreshToken($storage, array(            'always_issue_new_refresh_token' => false  #这个可以防止每次生成新的refresh_token
        ));

Reference resources:

Official document

github URL

oauth implementation logic

Related recommendations:

PHP access QQ and log in to OAuth2.0 Problems encountered

The above is the detailed content of oauth2 practice in php. For more information, please follow other related articles on the PHP Chinese website!