This package is a lightweight proxy for implementing the OAuth2 flow in Single Page Applications using PHP.
## Installation

Composer reads package sources from `composer.json` (not `package.json`), so add the repository there:

```json
"repositories": [
    {
        "type": "vcs",
        "url": "git@github.com:Wiselyst/oauth2-php-proxy.git"
    }
],
```
then require the package using Composer:

```shell
composer require wiselyst/oauth2-php-proxy
```
## Usage

```php
<?php
require_once __DIR__ . "/../vendor/autoload.php";

use Wiselyst\OAuth2Proxy\OAuth2Proxy;

try {
    // Initialize the proxy
    $proxy = new OAuth2Proxy();

    // Enable grant types
    $proxy->enableGrantType('password');
    $proxy->enableGrantType('refresh_token');

    // Enable CSRF Protection (optional)
    $proxy->csrfProtection(true);

    // OAuth remote server. The client secret below is sent to this host on
    // every token request, so a plain-http URL is only acceptable for local
    // development; use https in production.
    $proxy->setApiHost('http://localhost:8000/myapp');
    $proxy->setClientCredentials('clientid', 'clientsecret');
    $proxy->setScope('read write');

    // Single Page Application directory
    $proxy->setSpaDir(__DIR__ . '/static');

    // Run!
    $proxy->run();
} catch (Exception $e) {
    // Do something with your exception...
}
```
## Grant types

The following grant types are supported: `authorization_code`, `refresh_token`, `client_credentials` and `password`.

It is possible to require the client to be authenticated in order to process Single Page Application requests:

```php
$proxy->requireAuthentication();
```
## CSRF protection

If enabled, cross-site request forgery protection sets a cookie named `XSRF-TOKEN` containing a token. The token must be sent back in the `X-XSRF-TOKEN` request header on each `/api` or `/token` request.

Example (jQuery; `Cookies` is the global exported by js-cookie):

```js
$.ajax({ // or use $.ajaxSetup to apply the header to every request
    // ...
    headers: {
        'X-XSRF-TOKEN': Cookies.get('XSRF-TOKEN') // See js-cookie
    }
    // ...
});
```

Angular's `HttpClient` and Axios include the `XSRF-TOKEN` cookie value in the `X-XSRF-TOKEN` header automatically, as long as the SPA is served by the proxy and calls it with relative (same-origin) URLs.

By default only `POST`, `PUT`, `DELETE`, `PATCH` and `OPTIONS` requests are validated; `GET` requests are not. The assignment below replaces the list rather than extending it:

```php
OAuth2Proxy::$CSRF_SUPPORTED_METHODS = ['GET', 'POST'];
```
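The SPA side of the flow described in the Usage and CSRF sections (a `/token` request for the `password` and `refresh_token` grants, `/api` calls, and the `X-XSRF-TOKEN` header) as an added, plain-`fetch` example. This is not code from the oauth2-php-proxy project. It assumes, because the page does not say, that the proxy's `/token` route accepts the standard RFC 6749 form-encoded token request body, that the SPA is served from the same origin as the proxy, and that `init.headers` is a plain object; the cookie string, the function names and the `/users` path are constructed for the example.

```javascript
// Added example, not part of the oauth2-php-proxy project.
// Assumed (not stated on the page): /token takes the RFC 6749 form-encoded
// body, the SPA is served by the proxy (same origin), init.headers is a plain object.

// Methods the proxy validates by default; GET is deliberately not in the list.
const CSRF_METHODS = ['POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'];

// Read one cookie out of a document.cookie-style string. The value is
// URL-decoded, as js-cookie, Angular and Axios do for XSRF-TOKEN.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Return a fetch init with X-XSRF-TOKEN set for the methods the proxy checks.
// A missing cookie on such a request is reported here, where it is debuggable,
// instead of surfacing as a rejected request from the proxy.
function withXsrf(init, cookieString) {
  const method = (init.method || 'GET').toUpperCase();
  const headers = { ...(init.headers || {}) };
  if (CSRF_METHODS.includes(method)) {
    const token = readCookie(cookieString, 'XSRF-TOKEN');
    if (token === null) {
      throw new Error('XSRF-TOKEN cookie missing; load the SPA through the proxy first');
    }
    headers['X-XSRF-TOKEN'] = token;
  }
  return { ...init, method, headers, credentials: 'same-origin' };
}

// Build a /token request. Only the grant parameters leave the browser; the
// client id and secret are held by the proxy (setClientCredentials).
function buildTokenRequest(grantType, params, cookieString) {
  const body = new URLSearchParams({ grant_type: grantType, ...params }).toString();
  const init = withXsrf({
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json' },
    body,
  }, cookieString);
  return { url: '/token', init };
}

// Build a request for the proxied API; path is relative to /api.
function buildApiRequest(path, init, cookieString) {
  return { url: '/api' + path, init: withXsrf(init || {}, cookieString) };
}

// Thin client. fetchImpl and cookieSource are injected so the same code runs
// in the browser (fetch, () => document.cookie) and in tests with fakes.
function createProxyClient(fetchImpl, cookieSource) {
  async function send({ url, init }) {
    const res = await fetchImpl(url, init);
    if (!res.ok) throw new Error(`${init.method} ${url} failed: ${res.status}`);
    return res.json();
  }
  return {
    // What /token returns (tokens, or only a session) is not specified on the
    // page, so the parsed JSON body is handed back unchanged.
    login: (username, password) =>
      send(buildTokenRequest('password', { username, password }, cookieSource())),
    refresh: (refreshToken) =>
      send(buildTokenRequest('refresh_token', { refresh_token: refreshToken }, cookieSource())),
    api: (path, init) => send(buildApiRequest(path, init, cookieSource())),
  };
}

// Constructed sample cookie string, as the browser would expose it after the
// proxy served the SPA with csrfProtection(true).
const SAMPLE_COOKIES = 'session=abc123; XSRF-TOKEN=t0k3n%2Bvalue';

// Show the two requests side by side: the POST carries the header, the GET does not.
function demo() {
  const login = buildTokenRequest('password', { username: 'alice', password: 'p w' }, SAMPLE_COOKIES);
  const list = buildApiRequest('/users', { method: 'GET' }, SAMPLE_COOKIES);
  return {
    loginHeader: login.init.headers['X-XSRF-TOKEN'],
    loginBody: login.init.body,
    listHasHeader: 'X-XSRF-TOKEN' in list.init.headers,
  };
}
```

In the browser, `createProxyClient(fetch, () => document.cookie)` gives a client whose `login`, `refresh` and `api` calls all go through `withXsrf`, so the header is only ever attached for the methods the proxy validates by default; if `$CSRF_SUPPORTED_METHODS` is changed on the PHP side, `CSRF_METHODS` has to be changed to match.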
## Endpoints

The proxy serves the following routes:

- `/callback` - Authorization code callback
- `/redirect` - Redirect for authorization code request
- `/token` - Token request
- `/api/` - Proxy API to remote server

Everything else is rewritten to the Single Page Application.

The default OAuth2 endpoints can be overridden as follows (`REMOTE_*` are paths on the API host given to `setApiHost()`, `PROXY_*` are the routes served by the proxy itself):

```php
OAuth2Proxy::$REMOTE_TOKEN_ENDPOINT = '/token';
OAuth2Proxy::$REMOTE_AUTHORIZE_ENDPOINT = '/authorize';
OAuth2Proxy::$PROXY_TOKEN_ENDPOINT = '/token';
OAuth2Proxy::$PROXY_CALLBACK_ENDPOINT = '/callback';
OAuth2Proxy::$PROXY_REDIRECT_ENDPOINT = '/redirect';
OAuth2Proxy::$PROXY_API_ENDPOINT = '/api';
```
## Proxied headers

By default only the following request headers are forwarded to the remote server; any other header the browser sends, such as `Cookie` or `Authorization`, is dropped. The allowlist can be overridden as follows:

```php
OAuth2Proxy::$ALLOWED_HEADERS = ['content-type', 'accept-language', 'user-agent', 'accept'];
```
## Server configuration

The web server should be configured to rewrite every request that does not match an existing file or directory to your proxy script.

Apache (`.htaccess`):

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [NC,L]
</IfModule>
```

nginx (`try_files` already checks whether the file or directory exists and is not permitted inside an `if` block, and `location ~*` requires a pattern, so the rewrite goes directly in the `location`; a separate `location ~ \.php$` block passing PHP files to PHP-FPM is assumed and not shown here):

```nginx
location / {
    try_files $uri $uri/ /index.php?$query_string;
}
```
## Directory structure

```text
- public (Document root)
  --- .htaccess (Apache only)
  --- index.php
- static (SPA dir)
- vendor
- package.json
```
## TODO

- Support CORS policy