WARNING: This repository is no longer maintained ⚠️

This repository will not be updated. The repository will be kept available in read-only mode.

ProcessWire Oauth2Server

Integration of Brent Shaffer's oauth2-server-php into ProcessWire 3.

Work in progress! Do not use in production!


  1. Install the module; it will create some tables.
  2. Fill in the module settings.
  3. Add the client directly to the database (table oauth_clients).
  4. Add necessary templates
    • settings:
      • set Content-Type to application/json
      • disable automatic prepend and append file (tab Files)
    • templates:
      • token
      • validate
      • authorize (optional)
  5. Create a page for each template.

Template content

Receive an access token (token.php)


Validate an access token (validate.php)

echo $modules->get('Oauth2Server')->validateAccessToken();

Get authorization code (authorize.php)

echo $modules->get('Oauth2Server')->generateAuthorizationCode();

This method redirects back to the client (redirect_uri from oauth_client), sending the generated authorization code together with the submitted state, which the client should compare against the state it originally submitted.

If you want to test it server-side, create a page (and a corresponding template) to which the user is redirected.

For example, receive.php:

echo $modules->get('Oauth2Server')->receiveAuthorizationCode();
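
An added example (not part of this module or the original README) of the client-side state check described above, in plain PHP: the client generates the state, keeps it, and accepts the returned code only when the echoed state matches. The function names and the $store array standing in for the client's session are hypothetical; the base URL and client id are this README's test values.

```php
<?php
declare(strict_types=1);

// Added example: client-side handling of the `state` value.
// Plain PHP, no ProcessWire API; $store stands in for the client's session.

/** Create an unguessable state, remember it, and build the authorize URL. */
function buildAuthorizeUrl(array &$store, string $baseUrl, string $clientId): string
{
    $store['oauth_state'] = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    return rtrim($baseUrl, '/') . '/authorize/?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'state'         => $store['oauth_state'],
    ]);
}

/** Check the redirect parameters; return the code only if the state matches. */
function acceptCallback(array &$store, array $query): ?string
{
    $expected = $store['oauth_state'] ?? null;
    unset($store['oauth_state']);              // single use, even on failure
    $received = $query['state'] ?? null;
    if (!is_string($expected) || !is_string($received)) {
        return null;                           // nothing pending, or state missing
    }
    if (!hash_equals($expected, $received)) {  // constant-time comparison
        return null;
    }
    $code = $query['code'] ?? null;
    return (is_string($code) && $code !== '') ? $code : null;
}

// Constructed demo values; 'constructed-code' is not a real authorization code.
$session = [];
buildAuthorizeUrl($session, 'http://pw.local', 'testclient');

// A callback carrying a state the client never issued is rejected.
var_dump(acceptCallback($session, ['code' => 'constructed-code', 'state' => 'test']));

// A new round trip in which the state comes back unchanged is accepted.
$url = buildAuthorizeUrl($session, 'http://pw.local', 'testclient');
parse_str((string) parse_url($url, PHP_URL_QUERY), $sent);
var_dump(acceptCallback($session, ['code' => 'constructed-code', 'state' => $sent['state']]));
```

The stored state is discarded on every callback, so a failed attempt cannot be retried against the same value.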


@see: Cookbook


key            value
base-url       http://pw.local
client_id      testclient
client_secret  testpass
state          xyz

– get access token using client credentials


curl -u testclient:testpass http://pw.local/token/ -d 'grant_type=client_credentials'


– get access token using user credentials


curl -u testclient:testpass http://pw.local/token/ -d 'grant_type=password&username={username}&password={password}'


If your client is public, you can omit the client_secret value in the request (by default, this is true when no secret is associated with the client in storage).

curl http://pw.local/token/ -d 'grant_type=password&client_id=testclient2&username={username}&password={password}'


– use refresh token


curl -u testclient:testpass http://pw.local/token/ -d 'grant_type=refresh_token&refresh_token={insert-refresh_token}'


– validate access token


curl http://pw.local/validate/ -d 'access_token={your-token}'

{"success":true,"message":"You accessed my APIs!"}
{"error":"invalid_token","error_description":"The access token provided has expired"}
{"error":"invalid_token","error_description":"The access token provided is invalid"}


curl 'http://pw.local/validate/?access_token={your-token}'

{"success":true,"message":"You accessed my APIs!"}
{"error":"invalid_token","error_description":"The access token provided has expired"}
{"error":"invalid_token","error_description":"The access token provided is invalid"}

– get authorization code


curl 'http://pw.local/authorize/?response_type=code&client_id=testclient&state={state}'

// redirect back to the client

– receive authorization code (only for testing purposes!)


curl 'http://pw.local/receive/?code=10b0f51c6ae43e31226e01043cac1f257f058df4&state=test'

{"success":false,"error_description":"Invalid state."}

– get access token using authorization code


curl -u testclient:testpass http://pw.local/token/ -d 'grant_type=authorization_code&code={insert-code}'
