Setting up a PHP OAuth Client

Setting up a PHP OAuth Client


Our firm usually recommends PHPLeague’s OAuth2 client for PHP integrations. There’s is sample code in the README.md, but basically

  • Include the relevant Client Key and Secret in the $Provider element, i.e.
  $provider = new \League\OAuth2\Client\Provider\GenericProvider([
  'clientId'                => 'fake-id-741648bdf4e3ffc8e1e3607898e16870',
  'clientSecret'            => 'fake-secret-548755e9e3717974f7a378cd25b24e85',
  'redirectUri'             => 'https://app.example.com/callback.php',
  'urlAuthorize'            => 'https://oauth.server.com/oauth2/authz/',
  'urlAccessToken'          => 'https://oauth.server.com/oauth2/access/',
  'urlResourceOwnerDetails' => 'https://oauth.server.com/userinfo/',
]);
  • Make the call to getAuthorizationURL() with the $Provider, which will redirect the user to the login page, and return back to your code with ?code=[stuff]. To include OIDC support, make sure you specify the OIDC scope (as well as any others that you care about):
$options = [
  'scope' => ['openid profile email']
];

and call getAuthorizationUrl with the $options array, like:

$authorizationUrl = $provider->getAuthorizationUrl($options);
  • You can then use the value in $_GET['code'] to get an access token from the identity provider, like:
$accessToken = $provider->getAccessToken('authorization_code', [
  'code' => $_GET['code']
]);
  • using that token you’ll be able to use getAuthenticatedRequest‘s along with the $accessToken as needed if you need to pull something from a secured API on the identity server:
$request = $provider->getAuthenticatedRequest(
  'GET',
  'https://oauth.server.com/some-api-endpoint',
  $accessToken
);
$entitlementResponse = $provider->getParsedResponse($request);
  • you can also just user information about the $resourceOwner that is returned (because of the scopes that we chose:
$resourceOwner = $provider->getResourceOwner($accessToken)->toArray();

The access token has expiry information, etc. and there are functions for refreshing the token as needed. All in all it’s really simple to do with PHP.

I avoid JS for OAuth, but I’m pretty sure that’s just a personal preference. There are good javascript libraries as well.

Note: Loosely based off of this StackOverflow answer from the author.