The authorization code grant should be very familiar if you’ve ever signed into an application using your Facebook or Google account.
The flow is quite simple: the application redirects the user to the authorization server, the user is asked to log in there and to approve access to his data, and if he approves, the authorization server redirects him back to the application.
So let’s start preparing the authorization code grant example.
We are using PHP v5.6.32 with the cURL extension enabled on a Windows localhost machine. If you are using XAMPP you normally just have to uncomment this line to enable cURL:

```ini
;extension=php_curl.dll
```

You can find it in xampp\apache\bin\php.ini or xampp\php\php.ini, depending on your XAMPP version; then restart the Apache service.
So first you will need to collect your data and prepare some vars:

```php
define("CALLBACK_URL", "http://localhost/oauth2client.php");
define("AUTH_URL", "https://example.com/oauth2/authorize");
define("ACCESS_TOKEN_URL", "https://example.com/oauth2/token");
define("CLIENT_ID", "1yLCsmAfDF49nGmJLgDbHvB6bSca");
define("CLIENT_SECRET", "g2OKQ9isj2pcaextQdjx5xW3KoAa");
define("SCOPE", ""); // optional
```
Now build your first URL to call. Normally you will want to open this URL in a popup window, like in the old school days. You can also try a modern modal and use an iFrame but that didn’t work for me.

```php
$url = AUTH_URL . "?"
     . "response_type=code"
     . "&client_id=" . urlencode(CLIENT_ID)
     . "&scope=" . urlencode(SCOPE)
     . "&redirect_uri=" . urlencode(CALLBACK_URL);
```
After the user enters his credentials and grants the application access, the identity provider will redirect to the CALLBACK_URL with a “code” parameter.
You will see the code in the URL, because it is passed as a GET parameter:

```
http://localhost/oauth2client.php?code=be0d0cb3-63ac-394a-a2a7-7365ddbbab7d&session_state=59de172acce92f220baff0433ebe629ea4981e544e406ba718ad76ea122bbb69.fPJIegSopJKfshsjNrxq9A
```

So just read the code from the GET parameters, like this: $code = $_GET['code'];
This code is only valid for a short period of time, and you have to exchange it for a token before you can make API calls. Here is the cURL POST that exchanges the code for the token:
```php
function getToken($code) {
    $curl = curl_init();
    $params = array(
        CURLOPT_URL            => ACCESS_TOKEN_URL,
        // send the parameters as a form-encoded POST body, not in the query string
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(array(
            "code"          => $code,
            "grant_type"    => "authorization_code",
            "client_id"     => CLIENT_ID,
            "client_secret" => CLIENT_SECRET,
            "redirect_uri"  => CALLBACK_URL,
        )),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_MAXREDIRS      => 10,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_ENCODING       => "", // let cURL negotiate and decode gzip/deflate itself
        CURLOPT_HTTPHEADER     => array(
            "cache-control: no-cache",
            "content-type: application/x-www-form-urlencoded",
            "accept: application/json",
        ),
    );
    curl_setopt_array($curl, $params);
    $response = curl_exec($curl);
    $err = curl_error($curl);
    curl_close($curl);

    if ($err) {
        echo "cURL Error #01: " . $err;
        return null;
    }
    $response = json_decode($response, true);
    if (is_array($response) && array_key_exists("access_token", $response)) {
        return $response;
    }
    if (is_array($response) && array_key_exists("error", $response)) {
        echo isset($response["error_description"]) ? $response["error_description"] : $response["error"];
        return null;
    }
    echo "cURL Error #02: Something went wrong! Please contact admin.";
    return null;
}
```
If everything goes fine, you should get a JSON response similar to this one:
```json
{
    "access_token": "bd9abc28-f91c-313f-a953-32eba3db159x",
    "refresh_token": "730785c3-447b-31c2-9280-129dee19f789",
    "scope": "openid",
    "id_token": "very-long-id-token-here",
    "token_type": "Bearer",
    "expires_in": 35159
}
```
You can now use this token to make API calls and retrieve the info you’re after. You normally send a request to your endpoint with the token in the Authorization header, like this:

```php
// TOKEN holds the access_token value from the JSON response above
CURLOPT_HTTPHEADER => array(
    "authorization: Bearer " . TOKEN,
    "cache-control: no-cache",
)
```
Just a small note here: the access token is normally valid for a short-to-medium period of time. When it expires you can use the refresh token to request a new one. The refresh token should always be kept secret on the server side, but that is the subject of another tutorial.
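Putting the pieces together, here is an added example (not the tutorial’s own code) of a complete oauth2client.php that also covers what the snippets above skip: it sends a random state value with the authorize request and refuses any callback whose state does not match the one stored in the session, and it posts the code exchange in the request body rather than in the URL. CLIENT_ID and CLIENT_SECRET are placeholders, and the endpoints are the example.com ones from the vars above.

```php
<?php
// Added example, not the tutorial's code. CLIENT_ID/CLIENT_SECRET are placeholders.
define("CALLBACK_URL", "http://localhost/oauth2client.php");
define("AUTH_URL", "https://example.com/oauth2/authorize");
define("ACCESS_TOKEN_URL", "https://example.com/oauth2/token");
define("CLIENT_ID", "placeholder-client-id");
define("CLIENT_SECRET", "placeholder-client-secret");
define("SCOPE", "openid");
session_start();
// Step 1: unguessable `state`, kept in the session and sent with the request
// (openssl_random_pseudo_bytes suits the tutorial's PHP 5.6; use random_bytes on 7+).
function buildAuthorizeUrl() {
    $_SESSION['oauth2_state'] = bin2hex(openssl_random_pseudo_bytes(16));
    return AUTH_URL . "?" . http_build_query(array(
        "response_type" => "code", "client_id" => CLIENT_ID, "scope" => SCOPE,
        "redirect_uri" => CALLBACK_URL, "state" => $_SESSION['oauth2_state']));
}
// Step 2: accept the returned code only if `state` round-trips unchanged. The stored
// value is cleared first, so a replayed or forged callback finds nothing to match.
function validatedCodeFromCallback(array $get) {
    $expected = isset($_SESSION['oauth2_state']) ? $_SESSION['oauth2_state'] : '';
    unset($_SESSION['oauth2_state']);
    if ($expected === '' || !isset($get['state']) || !hash_equals($expected, (string) $get['state'])) {
        return null;
    }
    return (isset($get['code']) && !isset($get['error'])) ? $get['code'] : null;
}
// Step 3: exchange the code. Credentials travel in the POST body, not the query string,
// and the reply counts as a token only on HTTP 200 with an access_token present.
function exchangeCode($code) {
    $curl = curl_init(ACCESS_TOKEN_URL);
    curl_setopt_array($curl, array(
        CURLOPT_POST => true, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 30,
        CURLOPT_POSTFIELDS => http_build_query(array(
            "grant_type" => "authorization_code", "code" => $code,
            "redirect_uri" => CALLBACK_URL, "client_id" => CLIENT_ID,
            "client_secret" => CLIENT_SECRET))));
    $body = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    $json = json_decode($body, true);
    return ($status === 200 && is_array($json) && !empty($json['access_token'])) ? $json : null;
}
if (isset($_GET['code']) || isset($_GET['error'])) {      // callback leg
    $code = validatedCodeFromCallback($_GET);
    $token = ($code === null) ? null : exchangeCode($code);
    echo ($token === null) ? "Login failed" : "Access token received";
} else {
    header("Location: " . buildAuthorizeUrl());           // start the flow
}
```

The state check is what stops a third party from tricking a logged-in user into finishing a login with a code the attacker obtained, so it should not be dropped even when the provider adds its own session_state parameter.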
Still here?? Let me know your experience and maybe I can help you out there.