conquer/oauth2

The Oauth2 Server extension for the Yii2 framework

Maintainers

👁 borodulin

Package info

github.com/borodulin/yii2-oauth2-server

Type:yii2-extension

pkg:composer/conquer/oauth2

Statistics

Installs: 118 679

Dependents: 3

Suggesters: 0

Stars: 76

Open Issues: 6

1.7.1 2018-12-05 13:00 UTC

Requires

Suggests

None

Provides

None

Conflicts

None

Replaces

None

MIT 28be1ea3caabdd0387349f3176aa91b8d68ffa99

  • Andrey Borodulin <borodulin.woop@gmail.com>

oauth2yii2oauth2-server

This package is auto-updated.

Last update: 2026-06-24 03:08:17 UTC

README

👁 Build Status

Description

This extension provides simple implementation of Oauth 2.0 specification using Yii2 framework.

Installation

The preferred way to install this extension is through composer.

To install, either run

$ php composer.phar require conquer/oauth2 "*"

or add

"conquer/oauth2": "*"

to the require section of your composer.json file.

Migrations are available from migrations folder.

To add migrations to your application, edit the console config file to configure a namespaced migration:

'controllerMap' => [
 // ...
 'migrate' => [
 'class' => 'yii\console\controllers\MigrateController',
 'migrationPath' => null,
 'migrationNamespaces' => [
 // ...
 'conquer\oauth2\migrations',
 ],
 ],
],

Then issue the migrate/up command:

yii migrate/up

You also need to specify message translation source for this package:

'components' => [
 'i18n' => [
 'translations' => [
 'conquer/oauth2' => [
 'class' => \yii\i18n\PhpMessageSource::class,
 'basePath' => '@conquer/oauth2/messages',
 ],
 ],
 ]
],

Usage

OAuth 2.0 Authorization usage

namespace app\controllers;

use app\models\LoginForm;

class AuthController extends \yii\web\Controller
{
 public function behaviors()
 {
 return [
 /** 
 * Checks oauth2 credentions and try to perform OAuth2 authorization on logged user.
 * AuthorizeFilter uses session to store incoming oauth2 request, so 
 * you can do additional steps, such as third party oauth authorization (Facebook, Google ...) 
 */
 'oauth2Auth' => [
 'class' => \conquer\oauth2\AuthorizeFilter::className(),
 'only' => ['index'],
 ],
 ];
 }
 public function actions()
 {
 return [
 /**
 * Returns an access token.
 */
 'token' => [
 'class' => \conquer\oauth2\TokenAction::classname(),
 ],
 /**
 * OPTIONAL
 * Third party oauth providers also can be used.
 */
 'back' => [
 'class' => \yii\authclient\AuthAction::className(),
 'successCallback' => [$this, 'successCallback'],
 ],
 ];
 }
 /**
 * Display login form, signup or something else.
 * AuthClients such as Google also may be used
 */
 public function actionIndex()
 {
 $model = new LoginForm();
 if ($model->load(\Yii::$app->request->post()) && $model->login()) {
 if ($this->isOauthRequest) {
 $this->finishAuthorization();
 } else {
 return $this->goBack();
 }
 } else {
 return $this->render('index', [
 'model' => $model,
 ]);
 }
 }
 /**
 * OPTIONAL
 * Third party oauth callback sample
 * @param OAuth2 $client
 */
 public function successCallback($client)
 {
 switch ($client::className()) {
 case GoogleOAuth::className():
 // Do login with automatic signup 
 break;
 ...
 default:
 break;
 }
 /**
 * If user is logged on, redirects to oauth client with success,
 * or redirects error with Access Denied
 */
 if ($this->isOauthRequest) {
 $this->finishAuthorization();
 }
 }
 
}

Api controller sample

class ApiController extends \yii\rest\Controller
{
 public function behaviors()
 {
 return [
 /** 
 * Performs authorization by token
 */
 'tokenAuth' => [
 'class' => \conquer\oauth2\TokenAuth::className(),
 ],
 ];
 }
 /**
 * Returns username and email
 */
 public function actionIndex()
 {
 $user = \Yii::$app->user->identity;
 return [
 'username' => $user->username,
 'email' => $user->email,
 ];
 }
}

Sample client config

return [
...
 'components' => [
 'authClientCollection' => [
 'class' => 'yii\authclient\Collection',
 'clients' => [
 'myserver' => [
 'class' => 'yii\authclient\OAuth2',
 'clientId' => 'unique client_id',
 'clientSecret' => 'client_secret',
 'tokenUrl' => 'http://myserver.local/auth/token',
 'authUrl' => 'http://myserver.local/auth/index',
 'apiBaseUrl' => 'http://myserver.local/api',
 ],
 ],
 ],
];

If you want to use Resource Owner Password Credentials Grant, implement \conquer\oauth2\OAuth2IdentityInterface.

use conquer\oauth2\OAuth2IdentityInterface;

class User extends ActiveRecord implements IdentityInterface, OAuth2IdentityInterface
{
 ...
 
 /**
 * Finds user by username
 *
 * @param string $username
 * @return static|null
 */
 public static function findIdentityByUsername($username)
 {
 return static::findOne(['username' => $username]);
 }
 
 /**
 * Validates password
 *
 * @param string $password password to validate
 * @return bool if password provided is valid for current user
 */
 public function validatePassword($password)
 {
 return Yii::$app->security->validatePassword($password, $this->password_hash);
 }
 
 ...
}

Warning

As official documentation says:

Since this access token request utilizes the resource owner's password, the authorization server MUST protect the endpoint against brute force attacks (e.g., using rate-limitation or generating alerts).

It's strongly recommended to rate limits on token endpoint. Fortunately, Yii2 have instruments to do this.

For further information see Yii2 Ratelimiter

License

conquer/oauth2 is released under the MIT License. See the bundled LICENSE for details.