oauth2.0服务端与客户端搭建
oauth2.0服务端与客户端搭建 - 推酷
今天搭建了oauth2.0服务端与客户端。把搭建的过程记录一下。具体实现的功能是:client.ruanwenwu.cn的用户能够通过 server.ruanwenwu.cn的用户名和密码登陆client.ruanwenwu.cn。并且登陆 后,client.ruanwenwu.cn的用户能获取server.ruanwenwu.cn哪里的一些资源。
我的个人博客原文地址: http://www.ruanwenwu.cn/2015/12/oauth-server-and-client-install.html
一、oauth2.0的作用
1、搭建第三方登录平台(就像你用很多网站支持qq登录。其实是qq提供的oauth2.0服务端支持。网站作为第三方,只要用oauth2.0标准请求服务端,求能得到用户信息,并实现登录)。
2、公共资源管理。
就 像你(Y)想通过一个打印照片的网站(A)来打印你存放在google(B)的照片。你就要通过这个A来获取B的照片。B肯定要验证是否是他的用户Y的请 求,验证通过才把照片传递给A实现打印。问题是Y不想把账号密码直接给A。用oauth2.0就是来解决这个问题的:
A先 把Y导向B的站点进行授权。授权通过,B向A发送oauth_code。A拿到这个oauth_code,连同A的client_id和 oauth_secrete发送给B,如果数据正确,B就会给A发送oauth_token。有了这个token,A就可以获取B的相关资源的。
基本的流程是这样。下面是具体的实现过程。
二、oauth2.0服务端的搭建。
oauth2.0的服务端分为验证服务器和资源服务器。这两个服务器也可以是同一个服务器(只不过把这两个功能用一个 服务器来完成罢了)。
说明:我的实现都在Thinkphp3.2.3框架下实现。
1、下载thinkphp3.2.3。
2、配置虚拟机server.ruanwenwu.cn
3、在Thinkphp的Home应用下修改配置文件(server.ruanwenwu.cn/Application/Home/Conf/config.php)如下所示:
<?phpreturn array(//'配置项'=>'配置值'//数据库设置'DB_TYPE' => 'mysql','DB_HOST' => '127.0.0.1',//localhost'DB_NAME' => 'oauth','DB_USER' => 'root','DB_PWD' => 'root','DB_PORT' => '3306','SCOPE_INFO' => array( //这是授权选项。根据你自己的项目来array('name' => '个人信息','value' => 'basicinfo'),array('name' => '论坛发帖回帖','value' => 'bbsinfo'),),'OAUTH2_CODES_TABLE' =>'oauth_code', //这里是oauth项目需要用的三个基础表'OAUTH2_CLIENTS_TABLE' =>'oauth_client','OAUTH2_TOKEN_TABLE' =>'oauth_token','SECRETKYE' => 'Mumayi!@#', //下面是一些网站自定义的项目。可以根据自己的情况来写或者不写//session 有效期'SESSION_EXPIRES' => 1200,//key 有效期'PASS_KEY_EXPIRES' => 86400,//key 有效期'PHONE_KEY_EXPIRES' => 300,//key 加密 整型 数字 必须为 int'PASS_KEY_CALC' => 1314,);
4、建oauth表。
SET FOREIGN_KEY_CHECKS=0;-- ------------------------------ Table structure for oauth_client-- ----------------------------DROP TABLE IF EXISTS `oauth_client`;CREATE TABLE `oauth_client` (`id` bigint(20) NOT NULL AUTO_INCREMENT,`client_id` varchar(32) NOT NULL,`client_secret` varchar(32) NOT NULL,`redirect_uri` varchar(200) NOT NULL,`create_time` int(11) NOT NULL,PRIMARY KEY (`id`)) ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;-- ------------------------------ Table structure for oauth_code-- ----------------------------DROP TABLE IF EXISTS `oauth_code`;CREATE TABLE `oauth_code` (`id` bigint(20) NOT NULL AUTO_INCREMENT,`client_id` varchar(32) NOT NULL,`user_id` int(11) NOT NULL DEFAULT '1',`code` varchar(40) NOT NULL,`redirect_uri` varchar(200) NOT NULL,`expires` int(11) NOT NULL,`scope` varchar(250) DEFAULT NULL,PRIMARY KEY (`id`)) ENGINE=MyISAM AUTO_INCREMENT=57 DEFAULT CHARSET=utf8;-- ------------------------------ Table structure for oauth_token-- ----------------------------DROP TABLE IF EXISTS `oauth_token`;CREATE TABLE `oauth_token` (`id` bigint(20) NOT NULL AUTO_INCREMENT,`client_id` varchar(32) NOT NULL,`user_id` int(11) NOT NULL,`access_token` varchar(40) NOT NULL,`refresh_token` varchar(40) NOT NULL,`expires_in` int(11) NOT NULL,`scope` varchar(200) DEFAULT NULL,PRIMARY KEY (`id`)) ENGINE=MyISAM AUTO_INCREMENT=26 DEFAULT CHARSET=utf8;
5、引入oauth2.0服务端类文件。
5-1、在\server.ruanwenwu.cn\ThinkPHP\Library\Vendor\目录下建立oauth目录。
5-2、引入oauth2.0服务端PHP脚本。
在刚建立的oauth目录下引入OAuth2.class.php这个文件基本不用做修改。我们的操作都在继承这个类的子类上完成。类的代码如下:
<?php/*** @mainpage* OAuth 2.0 server in PHP, originally written for* <a href="http://www.opendining.net/"> Open Dining</a>. Supports* <a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-10">IETF draft v10</a>.** Source repo has sample servers implementations for* <a href="http://php.net/manual/en/book.pdo.php"> PHP Data Objects</a> and* <a href="http://www.mongodb.org/">MongoDB</a>. Easily adaptable to other* storage engines.** PHP Data Objects supports a variety of databases, including MySQL,* Microsoft SQL Server, SQLite, and Oracle, so you can try out the sample* to see how it all works.** We're expanding the wiki to include more helpful documentation, but for* now, your best bet is to view the oauth.php source - it has lots of* comments.** @author Tim Ridgely <tim.ridgely@gmail.com>* @author Aaron Parecki <aaron@parecki.com>* @author Edison Wong <hswong3i@pantarei-design.com>** @see http://code.google.com/p/oauth2-php/*//*** The default duration in seconds of the access token lifetime.*/define("OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME", 3600);/*** The default duration in seconds of the authorization code lifetime.*/define("OAUTH2_DEFAULT_AUTH_CODE_LIFETIME", 30);/*** The default duration in seconds of the refresh token lifetime.*/define("OAUTH2_DEFAULT_REFRESH_TOKEN_LIFETIME", 1209600);/*** @defgroup oauth2_section_2 Client Credentials* @{** When interacting with the authorization server, the client identifies* itself using a client identifier and authenticates using a set of* client credentials. This specification provides one mechanism for* authenticating the client using password credentials.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2*//*** Regex to filter out the client identifier (described in Section 2 of IETF draft).** IETF draft does not prescribe a format for these, however I've arbitrarily* chosen alphanumeric strings with hyphens and underscores, 3-32 characters* long.** Feel free to change.*/define("OAUTH2_CLIENT_ID_REGEXP", "/^[a-z0-9-_]{3,32}$/i");/*** @}*//*** @defgroup oauth2_section_3 Obtaining End-User Authorization* @{** When the client interacts with an end-user, the end-user MUST first* grant the client authorization to access its protected resources.* Once obtained, the end-user access grant is expressed as an* authorization code which the client uses to obtain an access token.* To obtain an end-user authorization, the client sends the end-user to* the end-user authorization endpoint.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3*//*** Denotes "token" authorization response type.*/define("OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN", "token");/*** Denotes "code" authorization response type.*/define("OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE", "code");/*** Denotes "code-and-token" authorization response type.*/define("OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN", "code-and-token");/*** Regex to filter out the authorization response type.*/define("OAUTH2_AUTH_RESPONSE_TYPE_REGEXP", "/^(token|code|code-and-token)$/");/*** @}*//*** @defgroup oauth2_section_4 Obtaining an Access Token* @{** The client obtains an access token by authenticating with the* authorization server and presenting its access grant (in the form of* an authorization code, resource owner credentials, an assertion, or a* refresh token).** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4*//*** Denotes "authorization_code" grant types (for token obtaining).*/define("OAUTH2_GRANT_TYPE_AUTH_CODE", "authorization_code");/*** Denotes "password" grant types (for token obtaining).*/define("OAUTH2_GRANT_TYPE_USER_CREDENTIALS", "password");/*** Denotes "assertion" grant types (for token obtaining).*/define("OAUTH2_GRANT_TYPE_ASSERTION", "assertion");/*** Denotes "refresh_token" grant types (for token obtaining).*/define("OAUTH2_GRANT_TYPE_REFRESH_TOKEN", "refresh_token");/*** Denotes "none" grant types (for token obtaining).*/define("OAUTH2_GRANT_TYPE_NONE", "none");/*** Regex to filter out the grant type.*/define("OAUTH2_GRANT_TYPE_REGEXP", "/^(authorization_code|password|assertion|refresh_token|none)$/");/*** @}*//*** @defgroup oauth2_section_5 Accessing a Protected Resource* @{** Clients access protected resources by presenting an access token to* the resource server. Access tokens act as bearer tokens, where the* token string acts as a shared symmetric secret. This requires* treating the access token with the same care as other secrets (e.g.* end-user passwords). Access tokens SHOULD NOT be sent in the clear* over an insecure channel.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5*//*** Used to define the name of the OAuth access token parameter (POST/GET/etc.).** IETF Draft sections 5.1.2 and 5.1.3 specify that it should be called* "oauth_token" but other implementations use things like "access_token".** I won't be heartbroken if you change it, but it might be better to adhere* to the spec.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1.2* @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1.3*/define("OAUTH2_TOKEN_PARAM_NAME", "oauth_token");/*** @}*//*** @defgroup oauth2_http_status HTTP status code* @{*//*** "Found" HTTP status code.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3*/define("OAUTH2_HTTP_FOUND", "302 Found");/*** "Bad Request" HTTP status code.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3* @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1*/define("OAUTH2_HTTP_BAD_REQUEST", "400 Bad Request");/*** "Unauthorized" HTTP status code.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3* @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1*/define("OAUTH2_HTTP_UNAUTHORIZED", "401 Unauthorized");/*** "Forbidden" HTTP status code.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1*/define("OAUTH2_HTTP_FORBIDDEN", "403 Forbidden");/*** @}*//*** @defgroup oauth2_error Error handling* @{** @todo Extend for i18n.*//*** The request is missing a required parameter, includes an unsupported* parameter or parameter value, or is otherwise malformed.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1* @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1* @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1*/define("OAUTH2_ERROR_INVALID_REQUEST", "invalid_request");/*** The client identifier provided is invalid.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1* @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1*/define("OAUTH2_ERROR_INVALID_CLIENT", "invalid_client");/*** The client is not authorized to use the requested response type.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1* @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1*/define("OAUTH2_ERROR_UNAUTHORIZED_CLIENT", "unauthorized_client");/*** The redirection URI provided does not match a pre-registered value.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1*/define("OAUTH2_ERROR_REDIRECT_URI_MISMATCH", "redirect_uri_mismatch");/*** The end-user or authorization server denied the request.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1*/define("OAUTH2_ERROR_USER_DENIED", "access_denied");/*** The requested response type is not supported by the authorization server.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1*/define("OAUTH2_ERROR_UNSUPPORTED_RESPONSE_TYPE", "unsupported_response_type");/*** The requested scope is invalid, unknown, or malformed.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1* @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1*/define("OAUTH2_ERROR_INVALID_SCOPE", "invalid_scope");/*** The provided access grant is invalid, expired, or revoked (e.g. invalid* assertion, expired authorization token, bad end-user password credentials,* or mismatching authorization code and redirection URI).** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1*/define("OAUTH2_ERROR_INVALID_GRANT", "invalid_grant");/*** The access grant included - its type or another attribute - is not* supported by the authorization server.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1*/define("OAUTH2_ERROR_UNSUPPORTED_GRANT_TYPE", "unsupported_grant_type");/*** The access token provided is invalid. Resource servers SHOULD use this* error code when receiving an expired token which cannot be refreshed to* indicate to the client that a new authorization is necessary. The resource* server MUST respond with the HTTP 401 (Unauthorized) status code.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1*/define("OAUTH2_ERROR_INVALID_TOKEN", "invalid_token");/*** The access token provided has expired. Resource servers SHOULD only use* this error code when the client is expected to be able to handle the* response and request a new access token using the refresh token issued* with the expired access token. The resource server MUST respond with the* HTTP 401 (Unauthorized) status code.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1*/define("OAUTH2_ERROR_EXPIRED_TOKEN", "expired_token");/*** The request requires higher privileges than provided by the access token.* The resource server SHOULD respond with the HTTP 403 (Forbidden) status* code and MAY include the "scope" attribute with the scope necessary to* access the protected resource.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1*/define("OAUTH2_ERROR_INSUFFICIENT_SCOPE", "insufficient_scope");/*** @}*//*** OAuth2.0 draft v10 server-side implementation.** @author Originally written by Tim Ridgely <tim.ridgely@gmail.com>.* @author Updated to draft v10 by Aaron Parecki <aaron@parecki.com>.* @author Debug, coding style clean up and documented by Edison Wong <hswong3i@pantarei-design.com>.*/abstract class OAuth2 {/*** Array of persistent variables stored.*/protected $conf = array();/*** Returns a persistent variable.** To avoid problems, always use lower case for persistent variable names.** @param $name* The name of the variable to return.* @param $default* The default value to use if this variable has never been set.** @return* The value of the variable.*/public function getVariable($name, $default = NULL) {return isset($this->conf[$name]) ? $this->conf[$name] : $default;}/*** Sets a persistent variable.** To avoid problems, always use lower case for persistent variable names.** @param $name* The name of the variable to set.* @param $value* The value to set.*/public function setVariable($name, $value) {$this->conf[$name] = $value;return $this;}// Subclasses must implement the following functions./*** Make sure that the client credentials is valid.** @param $client_id* Client identifier to be check with.* @param $client_secret* (optional) If a secret is required, check that they've given the right one.** @return* TRUE if client credentials are valid, and MUST return FALSE if invalid.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2.1** @ingroup oauth2_section_2*/abstract protected function checkClientCredentials($client_id, $client_secret = NULL);/*** Get the registered redirect URI of corresponding client_id.** OAuth says we should store request URIs for each registered client.* Implement this function to grab the stored URI for a given client id.** @param $client_id* Client identifier to be check with.** @return* Registered redirect URI of corresponding client identifier, and MUST* return FALSE if the given client does not exist or is invalid.** @ingroup oauth2_section_3*/abstract protected function getRedirectUri($client_id);/*** Look up the supplied oauth_token from storage.** We need to retrieve access token data as we create and verify tokens.** @param $oauth_token* oauth_token to be check with.** @return* An associative array as below, and return NULL if the supplied oauth_token* is invalid:* - client_id: Stored client identifier.* - expires: Stored expiration in unix timestamp.* - scope: (optional) Stored scope values in space-separated string.** @ingroup oauth2_section_5*/abstract protected function getAccessToken($oauth_token);/*** Store the supplied access token values to storage.** We need to store access token data as we create and verify tokens.** @param $oauth_token* oauth_token to be stored.* @param $client_id* Client identifier to be stored.* @param $expires* Expiration to be stored.* @param $user_id* User ID* @param $scope* (optional) Scopes to be stored in space-separated string.** @ingroup oauth2_section_4*/abstract protected function setAccessToken($oauth_token, $client_id, $expires, $user_id, $scope=NULL, $refresh_token='');// Stuff that should get overridden by subclasses.//// I don't want to make these abstract, because then subclasses would have// to implement all of them, which is too much work.//// So they're just stubs. Override the ones you need./*** Return supported grant types.** You should override this function with something, or else your OAuth* provider won't support any grant types!** @return* A list as below. If you support all grant types, then you'd do:* @code* return array(* OAUTH2_GRANT_TYPE_AUTH_CODE,* OAUTH2_GRANT_TYPE_USER_CREDENTIALS,* OAUTH2_GRANT_TYPE_ASSERTION,* OAUTH2_GRANT_TYPE_REFRESH_TOKEN,* OAUTH2_GRANT_TYPE_NONE,* );* @endcode** @ingroup oauth2_section_4*/protected function getSupportedGrantTypes() {return array();}/*** Return supported authorization response types.** You should override this function with your supported response types.** @return* A list as below. If you support all authorization response types,* then you'd do:* @code* return array(* OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE,* OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN,* OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN,* );* @endcode** @ingroup oauth2_section_3*/protected function getSupportedAuthResponseTypes() {return array(OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE,OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN,OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN);}/*** Return supported scopes.** If you want to support scope use, then have this function return a list* of all acceptable scopes (used to throw the invalid-scope error).** @return* A list as below, for example:* @code* return array(* 'my-friends',* 'photos',* 'whatever-else',* );* @endcode** @ingroup oauth2_section_3*/protected function getSupportedScopes() {return array();}/*** Check restricted authorization response types of corresponding Client* identifier.** If you want to restrict clients to certain authorization response types,* override this function.** @param $client_id* Client identifier to be check with.* @param $response_type* Authorization response type to be check with, would be one of the* values contained in OAUTH2_AUTH_RESPONSE_TYPE_REGEXP.** @return* TRUE if the authorization response type is supported by this* client identifier, and FALSE if it isn't.** @ingroup oauth2_section_3*/protected function checkRestrictedAuthResponseType($client_id, $response_type) {return TRUE;}/*** Check restricted grant types of corresponding client identifier.** If you want to restrict clients to certain grant types, override this* function.** @param $client_id* Client identifier to be check with.* @param $grant_type* Grant type to be check with, would be one of the values contained in* OAUTH2_GRANT_TYPE_REGEXP.** @return* TRUE if the grant type is supported by this client identifier, and* FALSE if it isn't.** @ingroup oauth2_section_4*/protected function checkRestrictedGrantType($client_id, $grant_type) {return TRUE;}// Functions that help grant access tokens for various grant types./*** Fetch authorization code data (probably the most common grant type).** Retrieve the stored data for the given authorization code.** Required for OAUTH2_GRANT_TYPE_AUTH_CODE.** @param $code* Authorization code to be check with.** @return* An associative array as below, and NULL if the code is invalid:* - client_id: Stored client identifier.* - redirect_uri: Stored redirect URI.* - expires: Stored expiration in unix timestamp.* - scope: (optional) Stored scope values in space-separated string.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.1** @ingroup oauth2_section_4*/protected function getAuthCode($code) {return NULL;}/*** Take the provided authorization code values and store them somewhere.** This function should be the storage counterpart to getAuthCode().** If storage fails for some reason, we're not currently checking for* any sort of success/failure, so you should bail out of the script* and provide a descriptive fail message.** Required for OAUTH2_GRANT_TYPE_AUTH_CODE.** @param $code* Authorization code to be stored.* @param $client_id* Client identifier to be stored.* @param $redirect_uri* Redirect URI to be stored.* @param $expires* Expiration to be stored.* @param $scope* (optional) Scopes to be stored in space-separated string.** @ingroup oauth2_section_4*/protected function setAuthCode($code, $client_id, $redirect_uri, $expires, $userId, $scope = NULL) {}/*** Grant access tokens for basic user credentials.** Check the supplied username and password for validity.** You can also use the $client_id param to do any checks required based* on a client, if you need that.** Required for OAUTH2_GRANT_TYPE_USER_CREDENTIALS.** @param $client_id* Client identifier to be check with.* @param $username* Username to be check with.* @param $password* Password to be check with.** @return* TRUE if the username and password are valid, and FALSE if it isn't.* Moreover, if the username and password are valid, and you want to* verify the scope of a user's access, return an associative array* with the scope values as below. We'll check the scope you provide* against the requested scope before providing an access token:* @code* return array(* 'scope' => <stored scope values (space-separated string)>,* );* @endcode** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.2** @ingroup oauth2_section_4*/protected function checkUserCredentials($client_id, $username, $password) {return FALSE;}/*** Grant access tokens for assertions.** Check the supplied assertion for validity.** You can also use the $client_id param to do any checks required based* on a client, if you need that.** Required for OAUTH2_GRANT_TYPE_ASSERTION.** @param $client_id* Client identifier to be check with.* @param $assertion_type* The format of the assertion as defined by the authorization server.* @param $assertion* The assertion.** @return* TRUE if the assertion is valid, and FALSE if it isn't. Moreover, if* the assertion is valid, and you want to verify the scope of an access* request, return an associative array with the scope values as below.* We'll check the scope you provide against the requested scope before* providing an access token:* @code* return array(* 'scope' => <stored scope values (space-separated string)>,* );* @endcode** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.3** @ingroup oauth2_section_4*/protected function checkAssertion($client_id, $assertion_type, $assertion) {return FALSE;}/*** Grant refresh access tokens.** Retrieve the stored data for the given refresh token.** Required for OAUTH2_GRANT_TYPE_REFRESH_TOKEN.** @param $refresh_token* Refresh token to be check with.** @return* An associative array as below, and NULL if the refresh_token is* invalid:* - client_id: Stored client identifier.* - expires: Stored expiration unix timestamp.* - scope: (optional) Stored scope values in space-separated string.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.4** @ingroup oauth2_section_4*/protected function getRefreshToken($refresh_token) {return NULL;}/*** Take the provided refresh token values and store them somewhere.** This function should be the storage counterpart to getRefreshToken().** If storage fails for some reason, we're not currently checking for* any sort of success/failure, so you should bail out of the script* and provide a descriptive fail message.** Required for OAUTH2_GRANT_TYPE_REFRESH_TOKEN.** @param $refresh_token* Refresh token to be stored.* @param $client_id* Client identifier to be stored.* @param $expires* expires to be stored.* @param $scope* (optional) Scopes to be stored in space-separated string.** @ingroup oauth2_section_4*/protected function setRefreshToken($refresh_token, $client_id, $expires, $scope = NULL) {return;}/*** Expire a used refresh token.** This is not explicitly required in the spec, but is almost implied.* After granting a new refresh token, the old one is no longer useful and* so should be forcibly expired in the data store so it can't be used again.** If storage fails for some reason, we're not currently checking for* any sort of success/failure, so you should bail out of the script* and provide a descriptive fail message.** @param $refresh_token* Refresh token to be expirse.** @ingroup oauth2_section_4*/protected function unsetRefreshToken($refresh_token) {return;}/*** Grant access tokens for the "none" grant type.** Not really described in the IETF Draft, so I just left a method* stub... Do whatever you want!** Required for OAUTH2_GRANT_TYPE_NONE.** @ingroup oauth2_section_4*/protected function checkNoneAccess($client_id) {return FALSE;}/*** Get default authentication realm for WWW-Authenticate header.** Change this to whatever authentication realm you want to send in a* WWW-Authenticate header.** @return* A string that you want to send in a WWW-Authenticate header.** @ingroup oauth2_error*/protected function getDefaultAuthenticationRealm() {return "Service";}// End stuff that should get overridden./*** Creates an OAuth2.0 server-side instance.** @param $config* An associative array as below:* - access_token_lifetime: (optional) The lifetime of access token in* seconds.* - auth_code_lifetime: (optional) The lifetime of authorization code in* seconds.* - refresh_token_lifetime: (optional) The lifetime of refresh token in* seconds.* - display_error: (optional) Whether to show verbose error messages in* the response.*/public function __construct($config = array()) {foreach ($config as $name => $value) {$this->setVariable($name, $value);}}// Resource protecting (Section 5)./*** Check that a valid access token has been provided.** The scope parameter defines any required scope that the token must have.* If a scope param is provided and the token does not have the required* scope, we bounce the request.** Some implementations may choose to return a subset of the protected* resource (i.e. "public" data) if the user has not provided an access* token or if the access token is invalid or expired.** The IETF spec says that we should send a 401 Unauthorized header and* bail immediately so that's what the defaults are set to.** @param $scope* A space-separated string of required scope(s), if you want to check* for scope.* @param $exit_not_present* If TRUE and no access token is provided, send a 401 header and exit,* otherwise return FALSE.* @param $exit_invalid* If TRUE and the implementation of getAccessToken() returns NULL, exit,* otherwise return FALSE.* @param $exit_expired* If TRUE and the access token has expired, exit, otherwise return FALSE.* @param $exit_scope* If TRUE the access token does not have the required scope(s), exit,* otherwise return FALSE.* @param $realm* If you want to specify a particular realm for the WWW-Authenticate* header, supply it here.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5** @ingroup oauth2_section_5*/public function verifyAccessToken($scope = NULL, $exit_not_present = TRUE, $exit_invalid = TRUE, $exit_expired = TRUE, $exit_scope = TRUE, $realm = NULL) {$token_param = $this->getAccessTokenParams();if ($token_param === FALSE) // Access token was not providedreturn $exit_not_present ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_BAD_REQUEST, $realm, OAUTH2_ERROR_INVALID_REQUEST, 'The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.', NULL, $scope) : FALSE;// Get the stored token data (from the implementing subclass)$token = $this->getAccessToken($token_param);if ($token === NULL)return $exit_invalid ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_UNAUTHORIZED, $realm, OAUTH2_ERROR_INVALID_TOKEN, 'The access token provided is invalid.', NULL, $scope) : FALSE;// Check token expiration (I'm leaving this check separated, later we'll fill in better error messages)if (isset($token["expires"]) && time() > $token["expires"])return $exit_expired ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_UNAUTHORIZED, $realm, OAUTH2_ERROR_EXPIRED_TOKEN, 'The access token provided has expired.', NULL, $scope) : FALSE;// Check scope, if provided// If token doesn't have a scope, it's NULL/empty, or it's insufficient, then throw an errorif ($scope && (!isset($token["scope"]) || !$token["scope"] || !$this->checkScope($scope, $token["scope"])))return $exit_scope ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_FORBIDDEN, $realm, OAUTH2_ERROR_INSUFFICIENT_SCOPE, 'The request requires higher privileges than provided by the access token.', NULL, $scope) : FALSE;return TRUE;}/*** Check if everything in required scope is contained in available scope.** @param $required_scope* Required scope to be check with.* @param $available_scope* Available scope to be compare with.** @return* TRUE if everything in required scope is contained in available scope,* and False if it isn't.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5** @ingroup oauth2_section_5*/private function checkScope($required_scope, $available_scope) {// The required scope should match or be a subset of the available scopeif (!is_array($required_scope))$required_scope = explode(" ", $required_scope);if (!is_array($available_scope))$available_scope = explode(" ", $available_scope);return (count(array_diff($required_scope, $available_scope)) == 0);}/*** Pulls the access token out of the HTTP request.** Either from the Authorization header or GET/POST/etc.** @return* Access token value if present, and FALSE if it isn't.** @todo Support PUT or DELETE.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1** @ingroup oauth2_section_5*/private function getAccessTokenParams() {$auth_header = $this->getAuthorizationHeader();if ($auth_header !== FALSE) {// Make sure only the auth header is setif (isset($_GET[OAUTH2_TOKEN_PARAM_NAME]) || isset($_POST[OAUTH2_TOKEN_PARAM_NAME]))$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Auth token found in GET or POST when token present in header');$auth_header = trim($auth_header);// Make sure it's Token authorizationif (strcmp(substr($auth_header, 0, 5), "OAuth ") !== 0)$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Auth header found that doesn\'t start with "OAuth"');// Parse the rest of the headerif (preg_match('/\s*OAuth\s*="(.+)"/', substr($auth_header, 5), $matches) == 0 || count($matches) < 2)$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Malformed auth header');return $matches[1];}if (isset($_GET[OAUTH2_TOKEN_PARAM_NAME])) {if (isset($_POST[OAUTH2_TOKEN_PARAM_NAME])) // Both GET and POST are not allowed$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Only send the token in GET or POST, not both');return $_GET[OAUTH2_TOKEN_PARAM_NAME];}if (isset($_POST[OAUTH2_TOKEN_PARAM_NAME]))return $_POST[OAUTH2_TOKEN_PARAM_NAME];return FALSE;}// Access token granting (Section 4)./*** Grant or deny a requested access token.** This would be called from the "/token" endpoint as defined in the spec.* Obviously, you can call your endpoint whatever you want.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4** @ingroup oauth2_section_4*/public function grantAccessToken() {$filters = array("grant_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_GRANT_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),"scope" => array("flags" => FILTER_REQUIRE_SCALAR),"code" => array("flags" => FILTER_REQUIRE_SCALAR),"redirect_uri" => array("filter" => FILTER_SANITIZE_URL),"username" => array("flags" => FILTER_REQUIRE_SCALAR),"password" => array("flags" => FILTER_REQUIRE_SCALAR),"assertion_type" => array("flags" => FILTER_REQUIRE_SCALAR),"assertion" => array("flags" => FILTER_REQUIRE_SCALAR),"refresh_token" => array("flags" => FILTER_REQUIRE_SCALAR),);$input = filter_input_array(INPUT_POST, $filters);// Grant Type must be specified.if (!$input["grant_type"])$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Invalid grant_type parameter or parameter missing');// Make sure we've implemented the requested grant typeif (!in_array($input["grant_type"], $this->getSupportedGrantTypes()))$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_UNSUPPORTED_GRANT_TYPE);// Authorize the client$client = $this->getClientCredentials();if ($this->checkClientCredentials($client[0], $client[1]) === FALSE)$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);if (!$this->checkRestrictedGrantType($client[0], $input["grant_type"]))$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_UNAUTHORIZED_CLIENT);// Do the grantingswitch ($input["grant_type"]) {case OAUTH2_GRANT_TYPE_AUTH_CODE:if (!$input["code"] || !$input["redirect_uri"])$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST);$stored = $this->getAuthCode($input["code"]);// Ensure that the input uri starts with the stored uriif ($stored === NULL || (strcasecmp(substr($input["redirect_uri"], 0, strlen($stored["redirect_uri"])), $stored["redirect_uri"]) !== 0) || $client[0] != $stored["client_id"])$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT);if ($stored["expires"] < time())$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_EXPIRED_TOKEN);break;case OAUTH2_GRANT_TYPE_USER_CREDENTIALS:if (!$input["username"] || !$input["password"])$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Missing parameters. "username" and "password" required');$stored = $this->checkUserCredentials($client[0], $input["username"], $input["password"]);if ($stored === FALSE)$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT);break;case OAUTH2_GRANT_TYPE_ASSERTION:if (!$input["assertion_type"] || !$input["assertion"])$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST);$stored = $this->checkAssertion($client[0], $input["assertion_type"], $input["assertion"]);if ($stored === FALSE)$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT);break;case OAUTH2_GRANT_TYPE_REFRESH_TOKEN:if (!$input["refresh_token"])$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'No "refresh_token" parameter found');$stored = $this->getRefreshToken($input["refresh_token"]);if ($stored === NULL || $client[0] != $stored["client_id"])$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT);if ($stored["expires"] < time())$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_EXPIRED_TOKEN);// store the refresh token locally so we can delete it when a new refresh token is generated$this->setVariable('_old_refresh_token', $stored["token"]);break;case OAUTH2_GRANT_TYPE_NONE:$stored = $this->checkNoneAccess($client[0]);if ($stored === FALSE)$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST);}// Check scope, if providedif ($input["scope"] && (!is_array($stored) || !isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"])))$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_SCOPE);if (!$input["scope"])$input["scope"] = NULL;$token = $this->createAccessToken($client[0], $input["scope"], $stored["user_id"]);//TOKEN 为 数组 (包括 TOKEN 值, 有效时间, 权限)// $this->sendJsonHeaders();echo json_encode($token);}/*** Internal function used to get the client credentials from HTTP basic* auth or POST data.** @return* A list containing the client identifier and password, for example* @code* return array(* $_POST["client_id"],* $_POST["client_secret"],* );* @endcode** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2** @ingroup oauth2_section_2*/protected function getClientCredentials() {if (isset($_SERVER["PHP_AUTH_USER"]) && $_POST && isset($_POST["client_id"]))$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);// Try basic authif (isset($_SERVER["PHP_AUTH_USER"]))return array($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]);// Try POSTif ($_POST && isset($_POST["client_id"])) {if (isset($_POST["client_secret"]))return array($_POST["client_id"], $_POST["client_secret"]);return array($_POST["client_id"], NULL);}// No credentials were specified$this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);}// End-user/client Authorization (Section 3 of IETF Draft)./*** Pull the authorization request data out of the HTTP request.** @return* The authorization parameters so the authorization server can prompt* the user for approval if valid.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3** @ingroup oauth2_section_3*/public function getAuthorizeParams() {$filters = array("client_id" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_CLIENT_ID_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),"response_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_AUTH_RESPONSE_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),"redirect_uri" => array("filter" => FILTER_SANITIZE_URL),"state" => array("flags" => FILTER_REQUIRE_SCALAR),"scope" => array("flags" => FILTER_REQUIRE_SCALAR),);$input = filter_input_array(INPUT_GET, $filters);// Make sure a valid client id was suppliedif (!$input["client_id"]) {if ($input["redirect_uri"])$this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_CLIENT, NULL, NULL, $input["state"]);$this->errorJsonResponse(OAUTH2_HTTP_FOUND, OAUTH2_ERROR_INVALID_CLIENT); // We don't have a good URI to use}// redirect_uri is not required if already established via other channels// check an existing redirect URI against the one supplied$redirect_uri = $this->getRedirectUri($input["client_id"]);// At least one of: existing redirect URI or input redirect URI must be specifiedif (!$redirect_uri && !$input["redirect_uri"])$this->errorJsonResponse(OAUTH2_HTTP_FOUND, OAUTH2_ERROR_INVALID_REQUEST);// getRedirectUri() should return FALSE if the given client ID is invalid// this probably saves us from making a separate db call, and simplifies the method setif ($redirect_uri === FALSE)$this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_CLIENT, NULL, NULL, $input["state"]);// If there's an existing uri and one from input, verify that they matchif ($redirect_uri && $input["redirect_uri"]) {// Ensure that the input uri starts with the stored uriif (strcasecmp(substr($input["redirect_uri"], 0, strlen($redirect_uri)), $redirect_uri) !== 0)$this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_REDIRECT_URI_MISMATCH, NULL, NULL, $input["state"]);}elseif ($redirect_uri) { // They did not provide a uri from input, so use the stored one$input["redirect_uri"] = $redirect_uri;}// type and client_id are requiredif (!$input["response_type"])$this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_REQUEST, 'Invalid response type.', NULL, $input["state"]);// Check requested auth response type against the list of supported typesif (array_search($input["response_type"], $this->getSupportedAuthResponseTypes()) === FALSE)$this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_UNSUPPORTED_RESPONSE_TYPE, NULL, NULL, $input["state"]);// Restrict clients to certain authorization response typesif ($this->checkRestrictedAuthResponseType($input["client_id"], $input["response_type"]) === FALSE)$this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_UNAUTHORIZED_CLIENT, NULL, NULL, $input["state"]);// Validate that the requested scope is supportedif ($input["scope"] && !$this->checkScope($input["scope"], $this->getSupportedScopes()))$this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_SCOPE, NULL, NULL, $input["state"]);return $input;}/*** Redirect the user appropriately after approval.** After the user has approved or denied the access request the* authorization server should call this function to redirect the user* appropriately.** @param $is_authorized* TRUE or FALSE depending on whether the user authorized the access.* @param $params* An associative array as below:* - response_type: The requested response: an access token, an* authorization code, or both.* - client_id: The client identifier as described in Section 2.* - redirect_uri: An absolute URI to which the authorization server* will redirect the user-agent to when the end-user authorization* step is completed.* - scope: (optional) The scope of the access request expressed as a* list of space-delimited strings.* - state: (optional) An opaque value used by the client to maintain* state between the request and callback.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3** @ingroup oauth2_section_3*/public function finishClientAuthorization($is_authorized, $params = array()) {$params += array(// 'scope' => NULL,'state' => NULL,);extract($params);if ($state !== NULL)$result["query"]["state"] = $state;if ($is_authorized === FALSE) {$result["query"]["error"] = OAUTH2_ERROR_USER_DENIED;}else {if ($response_type == OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE || $response_type == OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN)$result["query"]["code"] = $this->createAuthCode($client_id, $redirect_uri, $user_id, $scope);if ($response_type == OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN || $response_type == OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN)$result["fragment"] = $this->createAccessToken($client_id, $scope, $user_id);}$result['display'] = !empty($display) ? $display : '';$this->doRedirectUriCallback($redirect_uri, $result);}// Other/utility functions./*** Redirect the user agent.** Handle both redirect for success or error response.** @param $redirect_uri* An absolute URI to which the authorization server will redirect* the user-agent to when the end-user authorization step is completed.* @param $params* Parameters to be pass though buildUri().** @ingroup oauth2_section_3*/private function doRedirectUriCallback($redirect_uri, $params) {header("HTTP/1.1 ". OAUTH2_HTTP_FOUND);if($params['display'] == 'frame') {echo '<script>window.top.location.href="'.$this->buildUri($redirect_uri, $params).'";</script>';} else {header("Location: " . $this->buildUri($redirect_uri, $params));}exit;}/*** Build the absolute URI based on supplied URI and parameters.** @param $uri* An absolute URI.* @param $params* Parameters to be append as GET.** @return* An absolute URI with supplied parameters.** @ingroup oauth2_section_3*/private function buildUri($uri, $params) {session_start();$parse_url = parse_url($uri);// Add our params to the parsed uriforeach ($params as $k => $v) {if (isset($parse_url[$k]))$parse_url[$k] .= "&" . http_build_query($v);else$parse_url[$k] = http_build_query($v);}// Put humpty dumpty back together$return =((isset($parse_url["scheme"])) ? $parse_url["scheme"] . "://" : ""). ((isset($parse_url["user"])) ? $parse_url["user"] . ((isset($parse_url["pass"])) ? ":" . $parse_url["pass"] : "") . "@" : ""). ((isset($parse_url["host"])) ? $parse_url["host"] : ""). ((isset($parse_url["port"])) ? ":" . $parse_url["port"] : ""). ((isset($parse_url["path"])) ? $parse_url["path"] : ""). ((isset($parse_url["query"])) ? "?" . $parse_url["query"] : ""). ((isset($parse_url["fragment"])) ? "#" . $parse_url["fragment"] : "") . "&ssid=".base64_encode('2egc83'.session_id());return $return;}/*** Handle the creation of access token, also issue refresh token if support.** This belongs in a separate factory, but to keep it simple, I'm just* keeping it here.** @param $client_id* Client identifier related to the access token.* @param $scope* (optional) Scopes to be stored in space-separated string.** @ingroup oauth2_section_4*/protected function createAccessToken($client_id, $scope = NULL, $user_id = 10) {$token = array("access_token" => $this->genAccessToken(),"expires_in" => $this->getVariable('access_token_lifetime', OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME),"user_id" => $user_id,"scope" => $scope);$refresh_token = '';// Issue a refresh token also, if we support themif (in_array(OAUTH2_GRANT_TYPE_REFRESH_TOKEN, $this->getSupportedGrantTypes())) {$refresh_token = $this->genAccessToken();// $this->setRefreshToken($token["refresh_token"], $client_id, time() + $this->getVariable('refresh_token_lifetime', OAUTH2_DEFAULT_REFRESH_TOKEN_LIFETIME), $user_id, $scope);$token["refresh_token"] = $refresh_token;// If we've granted a new refresh token, expire the old oneif ($this->getVariable('_old_refresh_token'))$this->unsetRefreshToken($this->getVariable('_old_refresh_token'));}$access_token = $token['access_token'];$this->setAccessToken($access_token, $client_id, time() + $this->getVariable('access_token_lifetime', OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME), $token['user_id'], $scope, $refresh_token);return $token;}/*** Handle the creation of auth code.** This belongs in a separate factory, but to keep it simple, I'm just* keeping it here.** @param $client_id* Client identifier related to the access token.* @param $redirect_uri* An absolute URI to which the authorization server will redirect the* user-agent to when the end-user authorization step is completed.* @param $scope* (optional) Scopes to be stored in space-separated string.** @ingroup oauth2_section_3*/private function createAuthCode($client_id, $redirect_uri, $userId, $scope = NULL) {$code = $this->genAuthCode();$this->setAuthCode($code, $client_id, $redirect_uri, time() + $this->getVariable('auth_code_lifetime', OAUTH2_DEFAULT_AUTH_CODE_LIFETIME), $userId, $scope);return $code;}/*** Generate unique access token.** Implementing classes may want to override these function to implement* other access token or auth code generation schemes.** @return* An unique access token.** @ingroup oauth2_section_4*/protected function genAccessToken() {return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid())));}/*** Generate unique auth code.** Implementing classes may want to override these function to implement* other access token or auth code generation schemes.** @return* An unique auth code.** @ingroup oauth2_section_3*/protected function genAuthCode() {return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid())));}/*** Pull out the Authorization HTTP header and return it.** Implementing classes may need to override this function for use on* non-Apache web servers.** @return* The Authorization HTTP header, and FALSE if does not exist.** @todo Handle Authorization HTTP header for non-Apache web servers.** @ingroup oauth2_section_5*/private function getAuthorizationHeader() {if (array_key_exists("HTTP_AUTHORIZATION", $_SERVER))return $_SERVER["HTTP_AUTHORIZATION"];if (function_exists("apache_request_headers")) {$headers = apache_request_headers();if (array_key_exists("Authorization", $headers))return $headers["Authorization"];}return FALSE;}/*** Send out HTTP headers for JSON.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.2* @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3** @ingroup oauth2_section_4*/private function sendJsonHeaders() {header("Content-Type: application/json");header("Cache-Control: no-store");}/*** Redirect the end-user's user agent with error message.** @param $redirect_uri* An absolute URI to which the authorization server will redirect the* user-agent to when the end-user authorization step is completed.* @param $error* A single error code as described in Section 3.2.1.* @param $error_description* (optional) A human-readable text providing additional information,* used to assist in the understanding and resolution of the error* occurred.* @param $error_uri* (optional) A URI identifying a human-readable web page with* information about the error, used to provide the end-user with* additional information about the error.* @param $state* (optional) REQUIRED if the "state" parameter was present in the client* authorization request. Set to the exact value received from the client.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2** @ingroup oauth2_error*/private function errorDoRedirectUriCallback($redirect_uri, $error, $error_description = NULL, $error_uri = NULL, $state = NULL) {$result["query"]["error"] = $error;if ($state)$result["query"]["state"] = $state;if ($this->getVariable('display_error') && $error_description)$result["query"]["error_description"] = $error_description;if ($this->getVariable('display_error') && $error_uri)$result["query"]["error_uri"] = $error_uri;$this->doRedirectUriCallback($redirect_uri, $result);}/*** Send out error message in JSON.** @param $http_status_code* HTTP status code message as predefined.* @param $error* A single error code.* @param $error_description* (optional) A human-readable text providing additional information,* used to assist in the understanding and resolution of the error* occurred.* @param $error_uri* (optional) A URI identifying a human-readable web page with* information about the error, used to provide the end-user with* additional information about the error.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3** @ingroup oauth2_error*/private function errorJsonResponse($http_status_code, $error, $error_description = NULL, $error_uri = NULL) {$result['error'] = $error;if ($this->getVariable('display_error') && $error_description)$result["error_description"] = $error_description;if ($this->getVariable('display_error') && $error_uri)$result["error_uri"] = $error_uri;header("HTTP/1.1 " . $http_status_code);$this->sendJsonHeaders();echo json_encode($result);exit;}/*** Send a 401 unauthorized header with the given realm and an error, if* provided.** @param $http_status_code* HTTP status code message as predefined.* @param $realm* The "realm" attribute is used to provide the protected resources* partition as defined by [RFC2617].* @param $scope* A space-delimited list of scope values indicating the required scope* of the access token for accessing the requested resource.* @param $error* The "error" attribute is used to provide the client with the reason* why the access request was declined.* @param $error_description* (optional) The "error_description" attribute provides a human-readable text* containing additional information, used to assist in the understanding* and resolution of the error occurred.* @param $error_uri* (optional) The "error_uri" attribute provides a URI identifying a human-readable* web page with information about the error, used to offer the end-user* with additional information about the error. If the value is not an* absolute URI, it is relative to the URI of the requested protected* resource.** @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2** @ingroup oauth2_error*/private function errorWWWAuthenticateResponseHeader($http_status_code, $realm, $error, $error_description = NULL, $error_uri = NULL, $scope = NULL) {$realm = $realm === NULL ? $this->getDefaultAuthenticationRealm() : $realm;$result = "WWW-Authenticate: OAuth realm='" . $realm . "'";if ($error)$result .= ", error='" . $error . "'";if ($this->getVariable('display_error') && $error_description)$result .= ", error_description='" . $error_description . "'";if ($this->getVariable('display_error') && $error_uri)$result .= ", error_uri='" . $error_uri . "'";if ($scope)$result .= ", scope='" . $scope . "'";header("HTTP/1.1 ". $http_status_code);header($result);exit;}}
代码比较多。有兴趣的可以细看。
由于采用Vendor方法引入,所以这里的文件都没有采用命名空间。
5-3、在同目录下,建ThinkOAuth2.php文件,这个文件里的类继承上面那个基类:
<?phprequire "oauth2.class.php";class ThinkOAuth2 extends OAuth2{private $db;private $table;/*** 构造*/public function __construct() {parent::__construct();$this -> db = M();$this -> table = array('auth_codes'=>C('OAUTH2_CODES_TABLE'),'clients'=>C('OAUTH2_CLIENTS_TABLE'),'tokens'=>C('OAUTH2_TOKEN_TABLE'));}/*** 析构*/function __destruct() {$this->db = NULL; // Release db connection}private function handleException($e) {echo "Database error: " . $e->getMessage();exit;}/**** 增加client* @param string $client_id* @param string $client_secret* @param string $redirect_uri*/public function addClient($client_id, $client_secret, $redirect_uri) {$time = time();$sql = "INSERT INTO {$this -> table['clients']} (client_id, client_secret, redirect_uri,create_time) VALUES ('{$client_id}', '{$client_secret}', '{$redirect_uri}','{$time}')";$res = $this -> db -> execute($sql);return res;}/*** Implements OAuth2::checkClientCredentials()* @see OAuth2::checkClientCredentials()*/protected function checkClientCredentials($client_id, $client_secret = NULL) {$sql = "SELECT client_secret FROM {$this -> table['clients']} WHERE client_id = {$client_id}";$result = $this -> db -> query($sql);if ($client_secret === NULL) {return $result !== FALSE;}//Log::write("checkClientCredentials : ".$result);//Log::write("checkClientCredentials : ".$result[0]);//Log::write("checkClientCredentials : ".$result[0]["client_secret"]);return $result[0]["client_secret"] == $client_secret;}/*** Implements OAuth2::getRedirectUri().* @see OAuth2::getRedirectUri()*/protected function getRedirectUri($client_id) {$sql = "SELECT redirect_uri FROM {$this -> table['clients']} WHERE client_id = {$client_id}";$result = $this -> db -> query($sql);if ($result === FALSE) {return FALSE;}//Log::write("getRedirectUri : ".$result);//Log::write("getRedirectUri : ".$result[0]);//Log::write("getRedirectUri : ".$result[0]["redirect_uri"]);return isset($result[0]["redirect_uri"]) && $result[0]["redirect_uri"] ? $result[0]["redirect_uri"] : NULL;}/*** Implements OAuth2::getAccessToken().* @see OAuth2::getAccessToken()*/protected function getAccessToken($access_token) {$sql = "SELECT client_id, expires_in, scope FROM {$this -> table['tokens']} WHERE access_token = '{$access_token}'";$result = $this -> db -> query($sql);//Log::write("getAccessToken : ".$result);//Log::write("getAccessToken : ".$result[0]);return $result !== FALSE ? $result : NULL;}/*** Implements OAuth2::setAccessToken().* @see OAuth2::setAccessToken()*/protected function setAccessToken($access_token, $client_id, $expires, $user_id, $scope=NULL, $refresh_token='') {$sql = "INSERT INTO {$this -> table['tokens']} (access_token, client_id, expires_in, scope,user_id,refresh_token) VALUES ('{$access_token}', '{$client_id}', '{$expires}', '{$scope}',{$user_id},'{$refresh_token}')";$this -> db -> execute($sql);}/*** Overrides OAuth2::getSupportedGrantTypes().* @see OAuth2::getSupportedGrantTypes()*/protected function getSupportedGrantTypes() {return array(OAUTH2_GRANT_TYPE_AUTH_CODE);}/*** Overrides OAuth2::getAuthCode().* @see OAuth2::getAuthCode()*/protected function getAuthCode($code) {$sql = "SELECT user_id, code, client_id, redirect_uri, expires, scope FROM {$this -> table['auth_codes']} WHERE code = '{$code}'";$result = $this -> db -> query($sql);//Log::write("getAuthcode : ".$result);//Log::write("getAuthcode : ".$result[0]);//Log::write("getAuthcode : ".$result[0]["code"]);return $result !== FALSE ? $result[0] : NULL;}/*** Overrides OAuth2::setAuthCode().* @see OAuth2::setAuthCode()*/protected function setAuthCode($code, $client_id, $redirect_uri, $expires, $scope = NULL) {$time = time();$sql = "INSERT INTO {$this -> table['auth_codes']} (code, client_id, redirect_uri, expires, scope) VALUES ('{$code}', '{$client_id}', '{$redirect_uri}', '{$expires}', '{$scope}')";$result = $this -> db -> execute($sql);}/*** Overrides OAuth2::checkUserCredentials().* @see OAuth2::checkUserCredentials()*/protected function checkUserCredentials($client_id, $username, $password){return TRUE;}}
这里涉及到一些数据库的操作。继承出来操作,还是比较一目了然的。
5-4、准备好类了。我们就可以实现控制器里的功能代码。动手之前先搞清楚我们的意图。
首先,我们需要分配一个oauth_client和一个oauth_secrete给第三方网站(也就是client.ruanwenwu.cn)来获取oauth服务。
其次,client.ruanwenwu.cn会把用户导入到server.ruanwenwu.cn来进行授权。所以我们我们还需要准备授权页面。
因为涉及到服务端和客户端的数据交互,所以可能服务端和客户端的相关介绍我会交叉进行。
5-4-1、创建oauth_client。
5-4-2、获取oauth_cliest列表。
5-4-3、准备获取用户授权的页面和逻辑。(授权服务器)
5-4-4、准备提供用户数据的逻辑。(资源服务器)
这些逻辑我都写在一个控制器OauthController.class.php里。代码如下:
<?phpnamespace Home\Controller;use Think\Controller;class OauthController extends Controller{private $oauth = NULL;function _initialize(){header("Content-Type: application/json");Vendor("oauth.ThinkOAuth2");$this -> oauth = new \ThinkOAuth2();}public function index(){header("Content-Type:application/json; charset=utf-8");$this -> ajaxReturn(null, 'oauth-server-start', 1, 'json');}public function access_token() {$this -> oauth -> grantAccessToken();}//权限验证public function authorize() {if (IS_POST) {if(true){//这个地方验证成功后要把用户的uid加进来$_POST['user_id'] = 1;$this -> oauth -> finishClientAuthorization(true, $_POST); //第一个参数很重要,是用户是否授权}return;}///表单准备$auth_params = $this -> oauth -> getAuthorizeParams();$this->assign("auth_params",$auth_params);$this->display();}public function addclient() {echo 'jack';if (IS_POST) {echo 'pd';$res = $this -> oauth -> addClient($_POST["client_id"], $_POST["client_secret"], $_POST["redirect_uri"]);if($res){$this->redirect("/home/Oauth/clientlist");die;}}$this->display();}public function clientlist(){$res = M()->table("oauth_client")->select();$this->assign("clients",$res);var_dump($res);$this->display();}}
顺便我将用到的模板文件(server.ruanwenwu.cn\Application\Home\View\oauth目录下)也贴出来给大家参考一下:
addclient.html
<!doctype html><head><meta charset="utf-8" /><title>这里是添加客户端界面</title></head><body><h1>添加客户端</h1><form action="" method="post" >clientId:<input type="text" name="client_id" /><br />client_secrete:<input type="text" name="client_secret" /><br />callbackUrl:<input type="text" name="redirect_uri" /><br /><input type="submit" value="submit" /></form></body></html>
authorize.html
<!doctype html><html><form action="" method="post">用户名:<input type="text" name="username" /><br />密码:<input type="text" name="pwd" /><input type="hidden" name="response_type" value="code" /><input type="hidden" name="client_id" value="{$auth_params['client_id']}" /><input type="hidden" name="redirect_uri" value="{$auth_params['redirect_uri']}" /><input type="submit" value="submit" /></form></html>
注意:我这里用到了几个隐藏域。这个是必须的,在post提交验证时会用到。
5-4-5、创建oauth2.0用户。
打 开server.ruanwenwu.cn/index.php/home/oauth/addcient,输入client_id和 client_secrete还有redirect_uri创建一个oauth2.0用户。其中redirect_uri是用户授权后需要跳转的地方。
到这里服务端的部署就差不多结束了。现在开始部署客户端。
三、oauth2.0客户端搭建。
1、同服务端一样搭建client.ruanwenwu.cn。(也是用thinkphp)。
2、能正常访问后。在类库中加入oauth2.0客户端类。
在\client.ruanwenwu.cn\ThinkPHP\Library\Org\Util目录下建立Oauth2.class.php,代码如下:
<?phpnamespace Org\Util;/*** 与 OAuth2 服务器 通讯验证 核心类 (PHP版)** @description OAuth2 说明请大家参考 木蚂蚁接口文档*** @author Mumayi-Team (zhaopan赵攀)* @version 1.0* @datetime 2013-12-31*/class Oauth2{/** 以下几个参数 具体作用和用法 详见 木蚂蚁接口文档*///分配的客户端 IDpublic $client_id;//分配的客户端 密匙public $client_secret;//获得的 用户授权 访问令牌public $access_token;//刷新 访问令牌 (过期时使用)public $refresh_token;// 最后一个收到的HTTP代码 (用于调试,忽略)public $http_code;//预留字段 (忽略)public $url;//设置 基础链接public $host = "http://server.ruanwenwu.cn/index.php/home/oauth/";//请求超时时间public $timeout = 30;//链接超时时间public $connecttimeout = 30;//是否验证 SSL 证书public $ssl_verifypeer = FALSE;//请求结果处理格式public $format = 'json';//以 JSON_DECODE 方式解析public $decode_json = TRUE;//预留字段 (忽略)public $http_info;//CURL 函数使用 (验证使用, 忽略)public $useragent = 'Mumayi Team OAuth2 v1.0';//是否 开启 请求调试 (开启时 将输出 详细的请求结果)public $debug = FALSE;//边界 (CURL使用 写入在Header的分界线, 忽略)public static $boundary = '';//返回 OAuth 令牌 请求地址function accessTokenURL() { return $this->host.'access_token'; }//返回 OAuth 自动授权 请求地址function authorizeURL() { return $this->host.'authorize'; }//构造函数 赋值 一些必要参数function __construct($client_id, $client_secret, $access_token = NULL, $refresh_token = NULL) {$this->client_id = $client_id;$this->client_secret = $client_secret;$this->access_token = $access_token;$this->refresh_token = $refresh_token;// $this->debug = true;}/*** authorize接口** 对应API:{@link http://u.mumayi.com/oauth/authorize Oauth2/authorize}** @param string $url 授权后的回调地址,站外应用需与回调地址一致,站内应用需要填写canvas page的地址* @param string $response_type 支持的值包括 code 和token 默认值为code* @param string $state 用于保持请求和回调的状态。在回调时,会在Query Parameter中回传该参数* @param string $display 授权页面类型 可选范围:* - default 默认授权页面* - mobile 支持html5的手机* - popup 弹窗授权页* - wap1.2 wap1.2页面* - wap2.0 wap2.0页面* - js js-sdk 专用 授权页面是弹窗,返回结果为js-sdk回掉函数* - apponweibo 站内应用专用,站内应用不传display参数,并且response_type为token时,默认使用改display.授权后不会返回access_token,只是输出js刷新站内应用父框架* @return array*/function getAuthorizeURL( $url, $response_type = 'code', $state = NULL, $display = NULL ) {$params = array();$params['client_id'] = $this->client_id;$params['redirect_uri'] = $url;$params['response_type'] = $response_type;$params['state'] = $state;$params['display'] = $display;return $this->authorizeURL() . "&" . http_build_query($params);}/*** access_token接口** 对应API:{@link http://open.weibo.com/wiki/OAuth2/access_token OAuth2/access_token}** @param string $type 请求的类型,可以为:code, password, token* @param array $keys 其他参数:* - 当$type为code时: array('code'=>..., 'redirect_uri'=>...)* - 当$type为password时: array('username'=>..., 'password'=>...)* - 当$type为token时: array('refresh_token'=>...)* @return array*/function getAccessToken( $type = 'code', $keys ) {$params = array();$params['client_id'] = $this->client_id;$params['client_secret'] = $this->client_secret;if ( $type === 'token' ) {$params['grant_type'] = 'refresh_token';$params['refresh_token'] = $keys['refresh_token'];} elseif ( $type === 'code' ) {$params['grant_type'] = 'authorization_code';$params['code'] = $keys['code'];$params['redirect_uri'] = $keys['redirect_uri'];} elseif ( $type === 'password' ) {$params['grant_type'] = 'password';$params['username'] = $keys['username'];$params['password'] = $keys['password'];} else {echo json_encode(array('error' => '错误的授权类型['.$type.'(token, code)]'));die;}$response = $this->oAuthRequest($this->accessTokenURL(), 'POST', $params);//var_dump($response);die;$token = json_decode($response, true);if ( is_array($token) && !isset($token['error']) ) {$this->access_token = $token['access_token'];//$this->refresh_token = $token['refresh_token'];} else {echo json_encode(array('error' => '获取访问令牌失败。['.$token['error'].']'));die;}return $token;}/*** 解析 signed_request** @param string $signed_request 应用框架在加载iframe时会通过向Canvas URL post的参数signed_request** @return array*/function parseSignedRequest($signed_request) {list($encoded_sig, $payload) = explode('.', $signed_request, 2);$sig = self::base64decode($encoded_sig) ;$data = json_decode(self::base64decode($payload), true);if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') return '-1';$expected_sig = hash_hmac('sha256', $payload, $this->client_secret, true);return ($sig !== $expected_sig)? '-2':$data;}/*** @ignore*/function base64decode($str) {return base64_decode(strtr($str.str_repeat('=', (4 - strlen($str) % 4)), '-_', '+/'));}/*** 读取jssdk授权信息,用于和jssdk的同步登录** @return array 成功返回array('access_token'=>'value', 'refresh_token'=>'value'); 失败返回false*/function getTokenFromJSSDK() {$key = "mumayijs_" . $this->client_id;if ( isset($_COOKIE[$key]) && $cookie = $_COOKIE[$key] ) {parse_str($cookie, $token);if ( isset($token['access_token']) && isset($token['refresh_token']) ) {$this->access_token = $token['access_token'];$this->refresh_token = $token['refresh_token'];return $token;} else {return false;}} else {return false;}}/*** 从数组中读取access_token和refresh_token* 常用于从Session或Cookie中读取token,或通过Session/Cookie中是否存有token判断登录状态。** @param array $arr 存有access_token和secret_token的数组* @return array 成功返回array('access_token'=>'value', 'refresh_token'=>'value'); 失败返回false*/function getTokenFromArray( $arr ) {if (isset($arr['access_token']) && $arr['access_token']) {$token = array();$this->access_token = $token['access_token'] = $arr['access_token'];if (isset($arr['refresh_token']) && $arr['refresh_token']) {$this->refresh_token = $token['refresh_token'] = $arr['refresh_token'];}return $token;} else {return false;}}/*** 以 GET 请求方式 请求 OAuth 验证服务器** @return mixed*/function get($url, $parameters = array()) {$response = $this->oAuthRequest($url, 'GET', $parameters);if ($this->format === 'json' && $this->decode_json) {return json_decode($response, true);}return $response;}/*** 以 POST 请求方式 请求 OAuth 验证服务器** @return mixed*/function post($url, $parameters = array(), $multi = false) {$response = $this->oAuthRequest($url, 'POST', $parameters, $multi );if ($this->format === 'json' && $this->decode_json) {return json_decode($response, true);}return $response;}/*** 请求 OAuth 验证服务器 进行验证** @return string*/function oAuthRequest($url, $method, $parameters, $multi = false) {if (strrpos($url, 'http://') !== 0 && strrpos($url, 'https://') !== 0) {$url = "{$this->host}{$url}.{$this->format}";}switch ($method) {case 'GET':if(!empty($parameters))$url = $url . '&' . http_build_query($parameters);return $this->http($url, 'GET');default:$headers = array();if (!$multi && (is_array($parameters) || is_object($parameters)) ) {$body = http_build_query($parameters);} else {$body = self::build_http_query_multi($parameters);$headers[] = "Content-Type: multipart/form-data; boundary=" . self::$boundary;}//return $this->http($url, $method, $body, $headers);return $this->http($url, $method, $body, $headers);}}/*** 使用 CURL 模拟一个 HTTP 请求** @description (需要开启 CURL 扩展)** @return string API results**/function http($url, $method, $postfields = NULL, $headers = array()) {$this->http_info = array();$ci = curl_init();/* Curl settings */curl_setopt($ci, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);curl_setopt($ci, CURLOPT_USERAGENT, $this->useragent);curl_setopt($ci, CURLOPT_CONNECTTIMEOUT, $this->connecttimeout);curl_setopt($ci, CURLOPT_TIMEOUT, $this->timeout);curl_setopt($ci, CURLOPT_RETURNTRANSFER, TRUE);curl_setopt($ci, CURLOPT_ENCODING, "");curl_setopt($ci, CURLOPT_SSL_VERIFYPEER, $this->ssl_verifypeer);curl_setopt($ci, CURLOPT_SSL_VERIFYHOST, 1);curl_setopt($ci, CURLOPT_HEADERFUNCTION, array($this, 'getHeader'));curl_setopt($ci, CURLOPT_HEADER, FALSE);switch ($method) {case 'POST':curl_setopt($ci, CURLOPT_POST, TRUE);if (!empty($postfields)) {curl_setopt($ci, CURLOPT_POSTFIELDS, $postfields);$this->postdata = $postfields;}break;case 'DELETE':curl_setopt($ci, CURLOPT_CUSTOMREQUEST, 'DELETE');if (!empty($postfields)) {$url = "{$url}?{$postfields}";}}if ( isset($this->access_token) && $this->access_token )$headers[] = "Authorization: OAuth2 ".$this->access_token;if ( !empty($this->remote_ip) ) {if ( defined('SAE_ACCESSKEY') ) {$headers[] = "SaeRemoteIP: " . $this->remote_ip;} else {$headers[] = "API-RemoteIP: " . $this->remote_ip;}} else {if ( !defined('SAE_ACCESSKEY') ) {$headers[] = "API-RemoteIP: " . $_SERVER['REMOTE_ADDR'];}}curl_setopt($ci, CURLOPT_URL, $url );curl_setopt($ci, CURLOPT_HTTPHEADER, $headers );curl_setopt($ci, CURLINFO_HEADER_OUT, TRUE );$response = curl_exec($ci);$this->http_code = curl_getinfo($ci, CURLINFO_HTTP_CODE);$this->http_info = array_merge($this->http_info, curl_getinfo($ci));$this->url = $url;if ($this->debug) {echo "=====post data======\r\n";var_dump($postfields);echo "=====headers======\r\n";print_r($headers);echo '=====request info====='."\r\n";print_r( curl_getinfo($ci) );echo '=====response====='."\r\n";print_r( $response );}curl_close ($ci);return $response;}/*** 从结果中 获取 header 参数 (CURL 使用)** @return int** @ignore (忽略)*/function getHeader($ch, $header) {$i = strpos($header, ':');if (!empty($i)) {$key = str_replace('-', '_', strtolower(substr($header, 0, $i)));$value = trim(substr($header, $i + 2));$this->http_header[$key] = $value;}return strlen($header);}/*** 把要传递的参数 重新构造一下 (多维数组)** @ignore (忽略)*/public static function build_http_query_multi($params) {if (!$params) return '';uksort($params, 'strcmp');$pairs = array();self::$boundary = $boundary = uniqid('------------------');$MPboundary = '--'.$boundary;$endMPboundary = $MPboundary. '--';$multipartbody = '';foreach ($params as $parameter => $value) {if( in_array($parameter, array('pic', 'image')) && $value{0} == '@' ) {$url = ltrim( $value, '@' );$content = file_get_contents( $url );$array = explode( '?', basename( $url ) );$filename = $array[0];$multipartbody .= $MPboundary . "\r\n";$multipartbody .= 'Content-Disposition: form-data; name="' . $parameter . '"; filename="' . $filename . '"'. "\r\n";$multipartbody .= "Content-Type: image/unknown\r\n\r\n";$multipartbody .= $content. "\r\n";} else {$multipartbody .= $MPboundary . "\r\n";$multipartbody .= 'content-disposition: form-data; name="' . $parameter . "\"\r\n\r\n";$multipartbody .= $value."\r\n";}}$multipartbody .= $endMPboundary;return $multipartbody;}public function get_uid() {$hostUrl = 'http://server.ruanwenwu.cn/index.php/home/resource/userinfo?type=mumayi';$params = array('access_token' => $this->access_token,);return $this->get( $hostUrl, $params );}}
注意:这个类的加载跟服务端采用的不同的方式。这里用了命名空间。服务端用的vendor。
3、准备访问链接。
我们通过这个url将用户导向server.ruanwenwu.cn进行授权,发送accesss_code操作。
我在client.ruanwenwu.cn的index控制器中实现的这个url。控制器里没有逻辑,我只贴index.html了:
<!doctype html><html><head></head><body><a href="http://server.ruanwenwu.cn/index.php/home/oauth/authorize?redirect_uri=http://client.ruanwenwu.cn/index.php/home/login&response_type=code&client_id=10009174&type=123456">登陆</a></body></html>
注 意:这个url中redirect_uri,response_type为必选参数。而且这个redirect_uri必须包含我们在服务端添加 oauth服务时写的那个redirect_uri。否则不能通过验证。(也就是说:在我们这个例子里,这个redirect_uri必须包含:
http://client.ruanwenwu.cn/index.php/home/login
4、点击链接,跳转到服务端对应的url。实际上就是server.ruanwenwu.cn的authorize操作。在这里会对用户进行验证,并判断是否授权。
//权限验证public function authorize() {if (IS_POST) {if(true){//这个地方验证成功后要把用户的uid加进来$_POST['user_id'] = 1; //这里是写死的,实际上是从数据库读出来$this -> oauth -> finishClientAuthorization(true, $_POST); //第一个参数很重要,是用户是否授权}return;}///表单准备$auth_params = $this -> oauth -> getAuthorizeParams();$this->assign("auth_params",$auth_params);$this->display();}
注意看我在这个操作里写的注释。
验证成功后,页面又跳回到我们之前写的redirect_uri,并带上了code参数,这就是验证服务器向客户端发送的access_code。
5、客户端拿到access_code,向验证服务器请求access_token。
在我的client.ruanwenwu.cn的loginController.class.php中进行:
<?phpnamespace Home\Controller;use Think\Controller;use Org\Util\Oauth2;class LoginController extends Controller{public function _initialize(){}public function index(){$this->oauth = new Oauth2('10009174','123456');$keys = array();//keys 数组 赋值 code 值 (换取token, 必须参数)$keys['code'] = $_GET['code'];//keys 数组 赋值 回调地址信息 (换取token, 必须参数)$keys['redirect_uri'] = 'http://client.ruanwenwu.cn/index.php/home/login?type=mumayidev';//根据 code 获取 token//var_dump( $token = $this->oauth->getAccessToken( 'code', $keys )) ;$token = $this->oauth->getAccessToken( 'code', $keys ) ;//现在已经得到token,并且将access_token写到对象里了。就可以请求资源了var_dump( $this->oauth->get_uid());die;}}
$token = $this->oauth->getAccessToken( 'code', $keys ) ; //这就是请求代码。code是验证方式。$keys数组里要code和redirect_uri。在服务器端需要验证
服务端的响应是这样的:
验证client.ruanwenwu.cn的client_id和secrete是否合法,还要判读access_code是否过期
public function access_token() {$this -> oauth -> grantAccessToken(); //这个方法里有所有的验证及生成access_token的操作。(会有数据库的写入)}
服务端生成access_token之后,会返回给客户端。
客户端拿到access_token之后,向资源服务器请求用户资源:
在这里我的验证服务器和资源服务器都是server.ruanwenwu.cn。我用resourceController.class.php来做资源控制:
<?phpnamespace Home\Controller;use Think\Controller;class ResourceController extends Controller{protected $db;public function _initialize(){$this->db = M();}public function userinfo(){// $arr = array("username"=>"阮文武","sex"=>1,"img"=>"http://weewrerfdf");// echo json_encode($arr);// die;if(isset($_GET['access_token']) && $_GET['access_token']){$res = $this->db->table("oauth_token")->where("access_token = '".$_GET['access_token']."'")->find();if($res && count($res) > 0){if($res['expires_in'] > time()){$arr = array("username"=>"阮文武d","sex"=>1,"img"=>"http://weewrerfdf");echo json_encode($arr);die;}}};}}
如果access_token有效,就查到用户id,取出用户的信息。我这里只是做测试,所以就直接自己返回了数据。原本写的很详细,后来因为内容字段是text,没保存完整,这会时间比较赶,就写的简单一点。
再抽时间补充吧。
欢迎大家与我讨论哦。
http://www.tuicool.com/articles/u6beUju
oauth2.0服务端与客户端搭建的更多相关文章
- Java的oauth2.0 服务端与客户端的实现
oauth原理简述 oauth本身不是技术,而是一项资源授权协议,重点是协议!Apache基金会提供了针对Java的oauth封装.我们做Java web项目想要实现oauth协议进行资源授权访问,直 ...
- 创建自己的OAuth2.0服务端(一)
如果对OAuth2.0有任何的疑问,请先熟悉OAuth2.0基础的文章:http://www.cnblogs.com/alunchen/p/6956016.html 1. 前言 本篇文章时对 客户端的 ...
- Oracle服务端及客户端搭建帮助文档
Oracle服务端及客户端搭建帮助文档 目录 简介 Oracle服务端安装 Oracle客户端安装 PLSQL安装 登录测试 系统配置修改 用户操作 解锁账户.密码 创建账户及密码 配置监听文件 监听 ...
- Apache Oltu 实现 OAuth2.0 服务端【授权码模式(Authorization Code)】
要实现OAuth服务端,就得先理解客户端的调用流程,服务提供商实现可能也有些区别,实现OAuth服务端的方式很多,具体可能看 http://oauth.net/code/ 各语言的实现有(我使用了Ap ...
- rsync的服务端和客户端搭建
首先要看看有没有rsync,没有就按装一个rsync 1配置文件 然后创建rsyncd.conf文件,并添加如下内容(文件默认不存在) [root@chensiqi2 backup]# cat /et ...
- 写个OAuth2.0的请求端来测试自己的OAuth2.0服务端(二)
在上一篇文章中,我们介绍了怎么创建自己的服务器,现在我们开始写个client端,来测试. 我们创建一个MVC项目,叫TestOAuthClient 1. 代码开始 1)第一步,我们创建一个MainCo ...
- SVN服务端和客户端的安装与搭建
版权声明:本文为博主原创文章,转载请注明原文出处. https://blog.csdn.net/zzfenglin/article/details/50931462 SVN简介 SVN全名Subver ...
- Centos6.9 搭建rsync服务端与客户端 案例:全网备份项目
rsync的企业工作场景说明 1)定时备份 1.1生产场景集群架构服务器备份方案项目 借助cron+rsync把所有客户服务器数据同步到备份服务器 2)实时复制 本地数据传输模式(local-only ...
- eureka服务端和客户端的简单搭建
本篇博客简单记录一下,eureka 服务端和 客户端的简单搭建. 目标: 1.完成单机 eureka server 和 eureka client 的搭建. 2.完成eureka server 的添加 ...
随机推荐
- sql server中调用c#写的dll里的方法
最近有一项目: 一超市管理系统单机版,运行在WIN2003+SQL2005上,每天超市关门都都会关电脑,现客户要新加功能,每天关门下班后回家可以上网查看超市管理系统的数据库里的相关数据,然后再做一些原 ...
- ios页面间跳转方式总结
转自:http://www.cnblogs.com/anywherego/p/3542202.html 下面以OldViewController(oldC)的按钮btn点击后跳转到NewViewCon ...
- 通过反射实现圆角ImageView
private void init(){ paint = new Paint(Paint.ANTI_ALIAS_FLAG); roundRect = , , getWidth() , getHeigh ...
- Django使用manage.py备份与恢复数据
Django dumpdata and loaddata django database model dumpdata dumpdata command It is a django manageme ...
- zabbix server 与数据库不在同一台服务器上面
16312:20170527:095215.225 database is down: reconnecting in 10 seconds 16312:20170527:095225.225 [Z3 ...
- Vmware虚拟硬盘合并多个分割文件
有时,当我们创建虚拟机vmware里面的应用程序,我们可能会选择创建分割的虚拟磁盘中的多个文件2 GB的文件,这是为了提高复制过程,主要用于存储虚拟机文件系统不支持创建更大的文件. 如果我们需要将它转 ...
- 在javascript中获取一个对象内属性的个数
var foo = {a1:'1',a2:'2',a3:'3'}; //获得对象所有属性的数组 Object.getOwnPropertyNames(foo); > [ 'a1', 'a2', ...
- elementui常用知识点总结
1.淡入淡出效果: <transition name="el-fade-in-linear"> <div v-show="show" clas ...
- Ubuntu 系统下卸载 IntelliJ IDEA
参考:http://blog.csdn.net/csdnones/article/details/50449947 卸载只需要删除解压出来的目录就行了,然后删除/home/你用登录名/IntelliJ ...
- python - hadoop,mapreduce demo
Hadoop,mapreduce 介绍 59888745@qq.com 大数据工程师是在Linux系统下搭建Hadoop生态系统(cloudera是最大的输出者类似于Linux的红帽), 把用户的交易 ...