CI框架下oauth2开发


实现oauth2采用了OAuth 2.0 Server PHP

github上排名比较高的有两个,这个看上去相对比较简单,就使用了这个

Github地址:https://github.com/bshaffer/oauth2-server-php

官方文档:https://bshaffer.github.io/oauth2-server-php-docs/cookbook/

具体流程该文档中已经说的很详细。

具体步骤

  • 下载oauth2-server-php,放至 application/libraries中
  • 根据文档中提供的DDL建立数据库
  • 在application/libraries中建立一个类库,用于初始化
<?php
// Block direct HTTP access to this library file; CodeIgniter defines BASEPATH on bootstrap.
if (!defined('BASEPATH')) {
    exit('No direct script access allowed');
}
// Bring in the oauth2-server-php autoloader shipped under application/libraries/OAuth2.
require_once 'OAuth2/Autoloader.php';

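class Oauth2_server
{
    /** @var OAuth2\Server The configured authorization server shared by the controllers. */
    public $server;

    /**
     * Builds the OAuth2 server on top of PDO storage and registers the
     * authorization_code, refresh_token and password (UserCredentials) grants.
     *
     * NOTE(review): the DSN and database credentials are placeholders here; in a
     * deployment keep them out of this library file (a config file that is not
     * committed to version control) rather than hard-coding them.
     */
    public function __construct()
    {
        $dsn = 'mysql:dbname=oauth2;host=×××.×××.×××.×××';
        $username = 'oauth2';
        $password = '×××××××××××××××';

        OAuth2\Autoloader::register();
        $storage = new OAuth2\Storage\Pdo(array('dsn' => $dsn, 'username' => $username, 'password' => $password));

        // Issue a fresh refresh token on every refresh_token grant (token rotation).
        $grantConfig = array('always_issue_new_refresh_token' => true);

        $this->server = new OAuth2\Server($storage, $grantConfig);
        $this->server->addGrantType(new OAuth2\GrantType\AuthorizationCode($storage));
        // The second argument of addGrantType() is the grant identifier string, not a config
        // array, so options passed there are ignored. The refresh-token options must be given
        // to the RefreshToken constructor itself, otherwise always_issue_new_refresh_token has
        // no effect for an explicitly added grant.
        $this->server->addGrantType(new OAuth2\GrantType\RefreshToken($storage, $grantConfig));
        $this->server->addGrantType(new OAuth2\GrantType\UserCredentials($storage));
    }
}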

注意最后一个 UserCredentials 类型即密码模式(password grant)。

允许请求的 GrantType 首先取决于这里注册的类型,其次取决于数据表 oauth_clients 中该 client 的 grant_types 字段(多个 GrantType 之间用空格分隔);若该字段为 null,则允许上面代码中注册的所有类型。

  • 创建一个控制器(授权)
<?php
// Block direct HTTP access to this controller file; CodeIgniter defines BASEPATH on bootstrap.
if (!defined('BASEPATH')) {
    exit('No direct script access allowed');
}

class Oauth extends CI_Controller
{
    /**
     * Loads the OAuth2 server library and the client model used by the consent page.
     */
    public function __construct()
    {
        parent::__construct();
        $this->load->library("oauth2_server");
        $this->load->model("client_model");
    }

    /**
     * Authorization endpoint (/oauth/authorize).
     *
     * Validates the request, requires a logged-in user, renders the consent
     * page on GET, and on POST passes the user's decision to the server,
     * which redirects back to the client with a code or an error.
     */
    public function authorize()
    {
        $server = $this->oauth2_server->server;
        $request = OAuth2\Request::createFromGlobals();
        $response = new OAuth2\Response();

        // Reject malformed requests (unknown client, bad redirect_uri, ...) before anything else.
        if (!$server->validateAuthorizeRequest($request, $response)) {
            $response->send();
            exit;
        }

        // Path to return to after login, keeping the original query string.
        $returnTo = '/' . $this->uri->uri_string();
        if (isset($_SERVER['QUERY_STRING'])) {
            $returnTo .= '?' . $_SERVER['QUERY_STRING'];
        }
        if (!isset($_SESSION['user'])) {
            redirect("/user/loginpage?redirect=" . urlencode($returnTo));
        }

        // GET: render the consent page for the (already validated) client.
        if (empty($_POST)) {
            $clientStorage = $server->getStorage('client');
            $clientId = $clientStorage->getClientDetails($this->input->get("client_id"))['client_id'];
            $viewData = array(
                "client" => $this->client_model->get_by_client_id($clientId),
                "user" => $_SESSION['user'],
                "redirect" => $returnTo,
            );
            $this->load->view('authorize', $viewData);
            return;
        }

        // POST: the consent decision. NOTE(review): the consent form must carry CI's CSRF token
        // (form_open() with csrf_protection enabled); without it a forged cross-site POST of
        // authorized=yes could issue a code on the logged-in user's behalf — confirm in config.
        $granted = $this->input->post('authorized') === 'yes';
        $server->handleAuthorizeRequest($request, $response, $granted, $_SESSION['user']->user_id);
        $response->send();
    }

    /**
     * Token endpoint (/oauth/token): exchanges a code, refresh token or user
     * credentials for an access token and sends the library's response.
     */
    public function token()
    {
        $request = OAuth2\Request::createFromGlobals();
        $this->oauth2_server->server->handleTokenRequest($request)->send();
    }

}

oauth/authorize用于用户授权

oauth/token用于client获取token

需要注意:authorization_code 有效期默认 30 秒,access_token 有效期默认 3600 秒,refresh_token 有效期默认 1209600 秒。

  • 创建一个控制器(获取资源)

类似于下面

    /**
     * Example protected resource: verifies the access token on the request and
     * echoes the user id bound to it. If the token is missing or invalid the
     * library's error response is sent and the script stops.
     */
    public function me()
    {
        $server = $this->oauth2_server->server;
        $request = OAuth2\Request::createFromGlobals();

        // Let the library build the error response for a missing/invalid token.
        if (!$server->verifyResourceRequest($request)) {
            $server->getResponse()->send();
            exit;
        }

        $token = $server->getAccessTokenData($request);
        echo "User ID associated with this token is {$token['user_id']}";
    }
  • scope还没有写,写完期末作业再研究= =
