The OAuthServiceProvider integrates the lusitanian/oauth library with the Security component to provide social logins for the Silex microframework.
This library only provides the authentication system. You would have to supply your own user provider, or you can make use of the in-memory provider for testing.
- Supports most popular providers such as Facebook, Twitter, Google and GitHub
- Extensible via event hooks so you can plug in your own listeners and user providers
- Supports default CSRF protection mechanism
Use Composer to install the atphp/silex-oauth library by adding it to your composer.json
.
{
"require": {
"silex/silex": "~1.0",
"symfony/form": "~2.3",
"symfony/security": "~2.3",
"atphp/silex-oauth": "~2.0"
}
}
First, you need to register the service provider and configure it with the application keys, secrets, scopes and user API endpoints for each OAuth provider you wish to support. Some examples are shown below:
$app->register(new atphp\silex\oauth\OAuthServiceProvider(), array(
'oauth.services' => array(
'facebook' => array(
'key' => FACEBOOK_API_KEY,
'secret' => FACEBOOK_API_SECRET,
'scope' => array('email'),
'user_endpoint' => 'https://graph.facebook.com/me'
),
'twitter' => array(
'key' => TWITTER_API_KEY,
'secret' => TWITTER_API_SECRET,
'scope' => array(),
'user_endpoint' => 'https://api.twitter.com/1.1/account/verify_credentials.json'
),
'google' => array(
'key' => GOOGLE_API_KEY,
'secret' => GOOGLE_API_SECRET,
'scope' => array(
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile'
),
'user_endpoint' => 'https://www.googleapis.com/oauth2/v1/userinfo'
),
'github' => array(
'key' => GITHUB_API_KEY,
'secret' => GITHUB_API_SECRET,
'scope' => array('user:email'),
'user_endpoint' => 'https://api.github.com/user',
'class' => 'OAuth\OAuth2\Service\GitHub'
)
)
));
Next, register the oauth
authentication provider in your firewall.
// Provides URL generation
$app->register(new Silex\Provider\UrlGeneratorServiceProvider());
// Provides CSRF token generation
$app->register(new Silex\Provider\FormServiceProvider());
// Provides session storage
$app->register(new Silex\Provider\SessionServiceProvider(), array(
'session.storage.save_path' => '/path/to/sessions'
))
$app->register(new Silex\Provider\SecurityServiceProvider(), array(
'security.firewalls' => array(
'default' => array(
'pattern' => '^/',
'anonymous' => true,
'oauth' => array(
//'login_path' => '/auth/{service}',
//'callback_path' => '/auth/{service}/callback',
//'check_path' => '/auth/{service}/check',
'failure_path' => '/login',
'with_csrf' => true
),
'logout' => array(
'logout_path' => '/logout',
'with_csrf' => true
),
'users' => new Gigablah\Silex\OAuth\Security\User\Provider\OAuthInMemoryUserProvider()
)
),
'security.access_rules' => array(
array('^/auth', 'ROLE_USER')
)
));
Note that the library assumes the default login, callback and check paths to be prefixed with /auth
, so this path needs to be secured. You can uncomment the path options and change the defaults.
You will need to configure each of your OAuth providers with the correct absolute callback_path
. For example, the default callback for Facebook would be http://your.domain/auth/facebook/callback
.
Finally, you can provide a login/logout interface. This example assumes usage of the Twig templating engine:
// Provides Twig template engine
$app->register(new Silex\Provider\TwigServiceProvider(), array(
'twig.path' => '/path/to/templates'
));
$app->before(function (Symfony\Component\HttpFoundation\Request $request) use ($app) {
$token = $app['security']->getToken();
$app['user'] = null;
if ($token && !$app['security.trust_resolver']->isAnonymous($token)) {
$app['user'] = $token->getUser();
}
});
$app->get('/login', function () use ($app) {
$services = array_keys($app['oauth.services']);
return $app['twig']->render('index.twig', array(
'login_paths' => array_map(function ($service) use ($app) {
return $app['url_generator']->generate('_auth_service', array(
'service' => $service,
'_csrf_token' => $app['form.csrf_provider']->generateCsrfToken('oauth')
));
}, array_combine($services, $services)),
'logout_path' => $app['url_generator']->generate('logout', array(
'_csrf_token' => $app['form.csrf_provider']->generateCsrfToken('logout')
))
));
});
$app->match('/logout', function () {})->bind('logout');
The template itself:
<div>
{% if app.user %}
<p>Hello {{ app.user.username }}! Your email is {{ app.user.email }}</p>
<a href="{{ logout_path }}">Logout</a>
{% else %}
<ul>
<li><a href="{{ login_paths.facebook }}">Login with Facebook</a></li>
<li><a href="{{ login_paths.twitter }}">Login with Twitter</a></li>
<li><a href="{{ login_paths.google }}">Login with Google</a></li>
<li><a href="{{ login_paths.github }}">Login with GitHub</a></li>
</ul>
{% endif %}
</div>
Two default event listeners are registered by default:
UserInfoListener
executes right after an OAuth access token is successfully generated. The security token is then populated with user profile information from the configured API endpoint.UserProviderListener
executes at the point where the authentication provider queries for a user object from the user provider.
Depending on your application, you might want to automatically register OAuth users who do not already have an existing user account. This can be done by overriding UserProviderListener
and placing your registration code in the listener function, or by simply registering a separate listener in the chain.
You can register your own services or override existing ones by manually specifying the class to instantiate:
$app->register(new atphp\silex\oauth\OAuthServiceProvider(), array(
'oauth.services' => array(
'my_service' => array(
'class' => 'My\\Custom\\Namespace\\MyOAuthService',
'key' => MY_API_KEY,
'secret' => MY_API_SECRET,
'scope' => array(),
'user_endpoint' => 'https://my.domain/userinfo'
),
// ...
)
));
Released under the MIT license. See the LICENSE file for details.