This project aims at providing a stand-alone OAuth v2 Authorization Server that is easy to integrate with your existing REST services, written in any language, without requiring extensive changes.
Licensed under the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
https://www.gnu.org/licenses/agpl.html
This rougly means that if you use this software in your service you need to make the source code available to the users of your service (if you modify it). Refer to the license for the exact details.
- PDO (database abstraction layer for various databases) storage backend for OAuth tokens
- OAuth v2 (authorization code and implicit grant) support
- SimpleAuth authentication support (php-simple-auth)
- SAML authentication support (simpleSAMLphp)
- Mozilla Persona authentication support using (php-browserid)
- Token introspection for resource servers
Below are some screenshots of the OAuth consent dialog, the first one is the default view, the second is the view when one clicks the "Details" button.
The installation requirements on Fedora/CentOS can be installed like this:
$ su -c 'yum install git php-pdo php httpd'
On Debian/Ubuntu:
$ sudo apt-get install git sqlite3 php5 php5-sqlite
NOTE: in the chown
line you need to use your own user account name!
NOTE: On Ubuntu (Debian) you would typically install in /var/www/php-oauth
and not
in /var/www/html/php-oauth
and you use sudo
instead of su -c
.
$ cd /var/www/html
$ su -c 'mkdir php-oauth'
$ su -c 'chown fkooman:fkooman php-oauth'
$ git clone git://github.com/fkooman/php-oauth.git
$ cd php-oauth
Install the external dependencies:
$ sh docs/install_dependencies.sh
Now you can create the default configuration files, the paths will be automatically set, permissions set and a sample Apache configuration file will be generated and shown on the screen (see below for more information on Apache configuration).
$ docs/configure.sh
Next make sure to configure the database settings in config/oauth.ini
, and
possibly other settings. If you want to keep using SQlite you are good to go
without fiddling with the database settings. Now to initialize the database,
i.e. to install the tables, run:
$ php docs/initOAuthDatabase.php
It is also possible to already preregister some clients which makes sense if
you want to use the management clients mentioned below. The sample registrations
are listed in docs/registration.json
. By default they point to
http://localhost
, but if you run this software on a "real" domain you need to
modify the docs/registration.json
file to point to your domain name and
full path where the management clients will be installed.
To modify the domain of where the clients will be located in one go, you can run the following command:
$ sed 's|http://localhost|https://www.example.org|g' docs/registration.json > docs/myregistration.json
You can still modify the docs/myregistration.json
by hand if you desire, and
then load them in the database:
$ php docs/registerClients.php docs/myregistration.json
This should take care of the initial setup and you can now move to installing the management clients, see below.
There are two reference management clients available:
These clients are written in HTML, CSS and JavaScript only and can be hosted on
any (static) web server. See the accompanying READMEs for more information. If
you followed the client registration in the previous section they should start
working immediately if you install the applications at the correct URL. Do not
forget to enable the management API in config/oauth.ini
.
The install script already takes care of setting the file permissions of the
data/
directory to allow Apache to write to the directory. If you want to use
the Mozilla Persona authentication plugin you also need to give Apache permission
to access the network. These permissions can be given by using setsebool
as
root:
$ sudo setsebool -P httpd_can_network_connect=on
If you want the logger to send out email, you need the following as well:
$ sudo setsebool -P httpd_can_sendmail=on
This is only for Red Hat based Linux distributions like RHEL, CentOS and Fedora.
If you want the labeling of the data/
directory to survive file system
relabeling you have to update the policy as well.
FIXME: add how to update the policy...
There is an example configuration file in docs/apache.conf
.
On Red Hat based distributions the file can be placed in
/etc/httpd/conf.d/php-oauth.conf
. On Debian based distributions the file can
be placed in /etc/apache2/conf.d/php-oauth
. Be sure to modify it to suit your
environment and do not forget to restart Apache.
The docs/configure.sh
script from the previous section outputs a config for
your system which replaces the /PATH/TO/APP
with the actual install directory.
There are thee plugins provided to authenticate users:
DummyResourceOwner
- one static account configured inconfig/oauth.ini
SimpleAuthResourceOwner
- very simple username/password authentication
librarySspResourceOwner
- simpleSAMLphp plugin for SAML authenticationPersonaResourceOwner
- Mozilla Persona plugin
You can configure which plugin to use by modifying the authenticationMechanism
setting in config/oauth.ini
.
A more complex part of the authentication and authorization is the use of entitlements. This is a bit similar to scope in OAuth, only entitlements are for a specific resource owner, while scope is only for an OAuth client.
The entitlements are for example used by the php-oauth
API. It is possible to
write a client application that uses the php-oauth
API to manage OAuth client
registrations. The problem now is how to decide who is allowed to manage
OAuth client registrations. Clearly not all users who can successfully
authenticate, but only a subset. The way now to determine who gets to do what
is accomplished through entitlements.
In the [Api]
section the management API can be enabled:
[Api]
enableApi = TRUE
In particular, the authenticated user (resource owner) needs to have the
urn:x-oauth:entitlement:applications
entitlement in order to be able to modify
application registrations. The entitlements are part of the resource owner's
attributes. This maps perfectly to SAML attributes obtained through the
simpleSAMLphp integration.
For instance in the DummyResourceOwner
section, the user has this entitlement
as shown in the snippet below:
; Dummy Configuration
[DummyResourceOwner]
resourceOwnerId = "1234-5678-9999"
[DummyResourceOwnerAttributes]
uid[] = "fkooman"
displayName[] = "François Kooman"
eduPersonEntitlement[] = "urn:x-oauth:entitlement:applications"
eduPersonEntitlement[] = "foo"
eduPersonEntitlement[] = "bar"
Here you can see that the resource owner will be granted the
urn:x-oauth:entitlement:applications
, foo
and bar
entitlements. As there is only
one account in the DummyResourceOwner
configuration it is quite boring.
The entitlements for the SimpleAuthResourceOwner
are configured in the
attributes file, located in config/simpleAuthAttributes.json
. An example is
also available. The listed attributes there also contain an
eduPersonEntitlement
attribute for the users admin
and teacher
. These
users match the default example set from php-simple-auth
. You can copy
the example file to config/simpleAuthAttributes.json
and modify it for your
needs. This authentication backend is not meant for production use as it will
require a lot of manual configuration per user. Better use the
SspResourceOwner
authentication library for serious deployments.
For this authentication source you also need to install and configure (php-simple-auth).
Now, for the SspResourceOwner
configuration it is a little bit more complex.
Dealing with this is left to the simpleSAMLphp configuration and we just
expect a certain configuration.
In the configuration file config/oauth.ini
only a few aspects can be
configured. To configure the SAML integration, make sure the following settings
are at least correct.
authenticationMechanism = "SspResourceOwner"
; simpleSAMLphp configuration
[SspResourceOwner]
sspPath = "/var/simplesamlphp"
authSource = "default-sp"
Now on to the simpleSAMLphp configuration. You configure simpleSAMLphp according to the manual. The snippets below will help you with the configuration to get the entitlements right.
First the metadata/saml20-idp-remote.php
to configure the IdP that is used
by the simpleSAMLphp as SP:
$metadata['http://localhost/simplesaml/saml2/idp/metadata.php'] = array(
'SingleSignOnService' => 'http://localhost/simplesaml/saml2/idp/SSOService.php',
'SingleLogoutService' => 'http://localhost/simplesaml/saml2/idp/SingleLogoutService.php',
'certFingerprint' => '4bff319a0fa4903e4f6ed52956fb02e1ebec5166',
// clean up the attributes received from the IdP and modify them to use
// our naming convention
'authproc' => array(
50 => array(
'class' => 'core:AttributeMap',
'urn2name',
),
),
);
You need to modify this (the URLs and the certificate fingerprint) to work with your IdP and possibly the attribute mapping rules.
Rule 50
changes the attributes to their base name. For example, if your
IdP provides the urn:mace:dir:attribute-def:eduPersonEntitlement
attribute,
this is now reduced to just eduPersonEntitlement
, the same for all the
other urn:mace
prefixed attributes.
If you are writing a resource server (RS) an API is available to verify the
Bearer
token you receive from the client. Currently a draft specification
(draft-richer-oauth-introspection-04) is implemented to support this.
An example, the RS gets the following Authorization
header from the client:
Authorization: Bearer eeae9c3366af8cb7acb74dd5635c44e6
Now in order to verify it, the RS can send a request to the OAuth service:
$ curl http://localhost/php-oauth/introspect.php?token=eeae9c3366af8cb7acb74dd5635c44e6
If the token is valid, a response (formatted here for display purposes) will be given back to the RS:
{
"active": true,
"client_id": "testclient",
"exp": 2366377846,
"iat": 1366376612,
"scope": "foo bar",
"sub": "fkooman",
"x-entitlement": "urn:x-foo:service:access urn:x-bar:privilege:admin"
}
The RS can now figure out more about the resource owner. If you provide an invalid access token, the following response is returned:
{
"active": false
}
If your service needs to provision a user, the field sub
SHOULD to be used
for that. The scope
field can be used to determine the scope the client was
granted by the resource owner.
There are two proprietary extensions to this format: x-entitlement
and
x-attributes
. The former one shows the entitlement values space separated,
similar to the scope
field. The x-attributes
provides additional
"raw" information obtained through the authentication framework. For instance
all SAML attributes released are placed in this x-attributes
field. They
can contain for instance an email address or display name.
A library written in PHP to access the introspection endpoint is available here.
Whenever a resource owner successfully authenticates using some of the supported authentication mechanisms, the attributes belonging to that user are stored in the database. This is done to give the information to registered clients and to resource servers that have a valid access token.
Care should be taken in making sure that only the attributes that are needed for a correct service operation are provided as attributes. Also, this data, which may be privacy sensitive SHOULD be removed from the database after a certain amount of time expired when the user did not login to the service.