Uses parts of https://github.com/samdark/yii2-league-oauth2-server
Also inspired by https://github.com/chervand/yii2-oauth2-server
Add this to the `require` section of your composer.json:

```json
"niolab/yii2-oauth2-server": "~1.0"
```
You need a few things:

- A UserRepository for this module to get its users from. The easiest is to take your existing `User` class and make sure it also implements the following interfaces:
  - `yii\web\IdentityInterface`
  - `League\OAuth2\Server\Entities\UserEntityInterface`
  - `League\OAuth2\Server\Repositories\UserRepositoryInterface`

  Make sure to validate the user in `UserRepositoryInterface::getUserEntityByUserCredentials()`.

  Also make sure to implement `findIdentityByAccessToken()`; it is used by `NIOLAB\oauth2\components\authMethods\HttpBearerAuth` to authenticate the user by access token. Example:

  ```php
  <?php
  /**
   * {@inheritdoc}
   */
  public static function findIdentityByAccessToken($token, $type = null)
  {
      // $token is the access token identifier; only active users holding that token are returned.
      return static::find()
          ->where(['user.status' => static::STATUS_ACTIVE])
          ->leftJoin('oauth_access_token', '`user`.`id` = `oauth_access_token`.`user_id`')
          ->andWhere(['oauth_access_token.identifier' => $token])
          ->one();
  }
  ```

  Then pass the User class as the `$userRepository` property in the configuration array as below.

- An RSA key pair (the openssl commands below generate one). See https://oauth2.thephpleague.com/installation/

  ```sh
  $ openssl genrsa -out private.key 2048
  $ openssl rsa -in private.key -pubout -out public.key
  ```

  Make sure the file rights are 600 or 660 for the generated key files.

- An encryption key (just a random string).

- The migrations:

  ```sh
  $ php yii migrate --migrationPath=@vendor/niolab/yii2-oauth2-server/migrations
  ```
Add it as a yii2 module:

```php
<?php
$config = [
    'modules' => [
        'oauth2' => [
            'class' => NIOLAB\oauth2\Module::class,
            'userRepository' => \app\models\User::class,
            'privateKey' => '@common/data/keys/private.key',
            'publicKey' => '@common/data/keys/public.key',
            'encryptionKey' => 'put-a-nice-random-string-here',
        ],
    ],
];
```

Also add the module to your application bootstrap:

```php
...
'bootstrap' => ['log', 'api.v1', ..., 'oauth2'],
...
```
There's not a lot of configuration yet. Maybe the types of grants available will be dynamic someday.
Because the Client Credentials grant creates access tokens that are not linked to a specific user, it uses a different filter to check the validity of the token. Add `NIOLAB\oauth2\components\filters\CheckClientCredentials` to your behaviors to validate Client Credentials access tokens.

For access tokens linked to a user, add `NIOLAB\oauth2\components\authMethods\HttpBearerAuth` to your behaviors, for example:
```php
<?php
use NIOLAB\oauth2\components\authMethods\HttpBearerAuth;
use yii\web\Response;

// In your API controller:
public function behaviors()
{
    $behaviors = parent::behaviors();
    $behaviors['authenticator'] = [
        'class' => HttpBearerAuth::class,
    ];
    $behaviors['contentNegotiator'] = [
        'class' => 'yii\filters\ContentNegotiator',
        'formats' => [
            'application/json' => Response::FORMAT_JSON,
        ],
    ];
    return $behaviors;
}
```
Create a custom client with the following URLs:

- authorize URL: `<domain>/oauth2/authorize`
- token URL: `<domain>/oauth2/token/create`