oauth2.0服务端与客户端搭建

oauth2.0服务端与客户端搭建 - 推酷

今天搭建了oauth2.0服务端与客户端。把搭建的过程记录一下。具体实现的功能是：client.ruanwenwu.cn的用户可以经过 server.ruanwenwu.cn的用户名和密码登录client.ruanwenwu.cn。而且登录 后，client.ruanwenwu.cn的用户能获取server.ruanwenwu.cn哪里的一些资源。

个人我的博客原文地址： http://www.ruanwenwu.cn/2015/12/oauth-server-and-client-install.html 

1、oauth2.0的做用

一、搭建第三方登陆平台（就像你用不少网站支持qq登陆。实际上是qq提供的oauth2.0服务端支持。网站做为第三方，只要用oauth2.0标准请求服务端，求能获得用户信息，并实现登陆）。

二、公共资源管理。

就 像你（Y）想经过一个打印照片的网站（A)来打印你存放在google(B)的照片。你就要经过这个A来获取B的照片。B确定要验证是不是他的用户Y的请 求，验证经过才把照片传递给A实现打印。问题是Y不想把帐号密码直接给A。用oauth2.0就是来解决这个问题的：

A先 把Y导向B的站点进行受权。受权经过，B向A发送oauth_code。A拿到这个oauth_code，连同A的client_id和 oauth_secrete发送给B，若是数据正确，B就会给A发送oauth_token。有了这个token,A就能够获取B的相关资源的。

基本的流程是这样。下面是具体的实现过程。

2、oauth2.0服务端的搭建。

oauth2.0的服务端分为验证服务器和资源服务器。这两个服务器也能够是同一个服务器（只不过把这两个功能用一个 服务器来完成罢了）。

说明：个人实现都在Thinkphp3.2.3框架下实现。

一、下载thinkphp3.2.3。

二、配置虚拟机server.ruanwenwu.cn

三、在Thinkphp的Home应用下修改配置文件（server.ruanwenwu.cn/Application/Home/Conf/config.php）以下所示：

<?php return array( //'配置项'=>'配置值' //数据库设置 'DB_TYPE' => 'mysql', 'DB_HOST' => '127.0.0.1',//localhost 'DB_NAME' => 'oauth', 'DB_USER' => 'root', 'DB_PWD' => 'root', 'DB_PORT' => '3306', 'SCOPE_INFO' => array( //这是受权选项。根据你本身的项目来 array( 'name' => '我的信息', 'value' => 'basicinfo' ), array( 'name' => '论坛发帖回帖', 'value' => 'bbsinfo' ), ), 'OAUTH2_CODES_TABLE' =>'oauth_code', //这里是oauth项目须要用的三个基础表 'OAUTH2_CLIENTS_TABLE' =>'oauth_client', 'OAUTH2_TOKEN_TABLE' =>'oauth_token', 'SECRETKYE' => 'Mumayi!@#', //下面是一些网站自定义的项目。能够根据本身的状况来写或者不写 //session 有效期 'SESSION_EXPIRES' => 1200, //key 有效期 'PASS_KEY_EXPIRES' => 86400, //key 有效期 'PHONE_KEY_EXPIRES' => 300, //key 加密 整型 数字 必须为 int 'PASS_KEY_CALC' => 1314, );

四、建oauth表。

SET FOREIGN_KEY_CHECKS=0; -- ---------------------------- -- Table structure for oauth_client -- ---------------------------- DROP TABLE IF EXISTS `oauth_client`; CREATE TABLE `oauth_client` ( `id` bigint(20) NOT NULL AUTO_INCREMENT, `client_id` varchar(32) NOT NULL, `client_secret` varchar(32) NOT NULL, `redirect_uri` varchar(200) NOT NULL, `create_time` int(11) NOT NULL, PRIMARY KEY (`id`) ) ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=utf8; -- ---------------------------- -- Table structure for oauth_code -- ---------------------------- DROP TABLE IF EXISTS `oauth_code`; CREATE TABLE `oauth_code` ( `id` bigint(20) NOT NULL AUTO_INCREMENT, `client_id` varchar(32) NOT NULL, `user_id` int(11) NOT NULL DEFAULT '1', `code` varchar(40) NOT NULL, `redirect_uri` varchar(200) NOT NULL, `expires` int(11) NOT NULL, `scope` varchar(250) DEFAULT NULL, PRIMARY KEY (`id`) ) ENGINE=MyISAM AUTO_INCREMENT=57 DEFAULT CHARSET=utf8; -- ---------------------------- -- Table structure for oauth_token -- ---------------------------- DROP TABLE IF EXISTS `oauth_token`; CREATE TABLE `oauth_token` ( `id` bigint(20) NOT NULL AUTO_INCREMENT, `client_id` varchar(32) NOT NULL, `user_id` int(11) NOT NULL, `access_token` varchar(40) NOT NULL, `refresh_token` varchar(40) NOT NULL, `expires_in` int(11) NOT NULL, `scope` varchar(200) DEFAULT NULL, PRIMARY KEY (`id`) ) ENGINE=MyISAM AUTO_INCREMENT=26 DEFAULT CHARSET=utf8;

五、引入oauth2.0服务端类文件。

5-一、在\server.ruanwenwu.cn\ThinkPHP\Library\Vendor\目录下创建oauth目录。

5-二、引入oauth2.0服务端PHP脚本。

在刚创建的oauth目录下引入OAuth2.class.php这个文件基本不用作修改。咱们的操做都在继承这个类的子类上完成。类的代码以下：

<?php /** * @mainpage * OAuth 2.0 server in PHP, originally written for * <a href="http://www.opendining.net/"> Open Dining</a>. Supports * <a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-10">IETF draft v10</a>. * * Source repo has sample servers implementations for * <a href="http://php.net/manual/en/book.pdo.php"> PHP Data Objects</a> and * <a href="http://www.mongodb.org/">MongoDB</a>. Easily adaptable to other * storage engines. * * PHP Data Objects supports a variety of databases, including MySQL, * Microsoft SQL Server, SQLite, and Oracle, so you can try out the sample * to see how it all works. * * We're expanding the wiki to include more helpful documentation, but for * now, your best bet is to view the oauth.php source - it has lots of * comments. * * @author Tim Ridgely <tim.ridgely@gmail.com> * @author Aaron Parecki <aaron@parecki.com> * @author Edison Wong <hswong3i@pantarei-design.com> * * @see http://code.google.com/p/oauth2-php/ */ /** * The default duration in seconds of the access token lifetime. */ define("OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME", 3600); /** * The default duration in seconds of the authorization code lifetime. */ define("OAUTH2_DEFAULT_AUTH_CODE_LIFETIME", 30); /** * The default duration in seconds of the refresh token lifetime. */ define("OAUTH2_DEFAULT_REFRESH_TOKEN_LIFETIME", 1209600); /** * @defgroup oauth2_section_2 Client Credentials * @{ * * When interacting with the authorization server, the client identifies * itself using a client identifier and authenticates using a set of * client credentials. This specification provides one mechanism for * authenticating the client using password credentials. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2 */ /** * Regex to filter out the client identifier (described in Section 2 of IETF draft). * * IETF draft does not prescribe a format for these, however I've arbitrarily * chosen alphanumeric strings with hyphens and underscores, 3-32 characters * long. * * Feel free to change. */ define("OAUTH2_CLIENT_ID_REGEXP", "/^[a-z0-9-_]{3,32}$/i"); /** * @} */ /** * @defgroup oauth2_section_3 Obtaining End-User Authorization * @{ * * When the client interacts with an end-user, the end-user MUST first * grant the client authorization to access its protected resources. * Once obtained, the end-user access grant is expressed as an * authorization code which the client uses to obtain an access token. * To obtain an end-user authorization, the client sends the end-user to * the end-user authorization endpoint. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3 */ /** * Denotes "token" authorization response type. */ define("OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN", "token"); /** * Denotes "code" authorization response type. */ define("OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE", "code"); /** * Denotes "code-and-token" authorization response type. */ define("OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN", "code-and-token"); /** * Regex to filter out the authorization response type. */ define("OAUTH2_AUTH_RESPONSE_TYPE_REGEXP", "/^(token|code|code-and-token)$/"); /** * @} */ /** * @defgroup oauth2_section_4 Obtaining an Access Token * @{ * * The client obtains an access token by authenticating with the * authorization server and presenting its access grant (in the form of * an authorization code, resource owner credentials, an assertion, or a * refresh token). * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4 */ /** * Denotes "authorization_code" grant types (for token obtaining). */ define("OAUTH2_GRANT_TYPE_AUTH_CODE", "authorization_code"); /** * Denotes "password" grant types (for token obtaining). */ define("OAUTH2_GRANT_TYPE_USER_CREDENTIALS", "password"); /** * Denotes "assertion" grant types (for token obtaining). */ define("OAUTH2_GRANT_TYPE_ASSERTION", "assertion"); /** * Denotes "refresh_token" grant types (for token obtaining). */ define("OAUTH2_GRANT_TYPE_REFRESH_TOKEN", "refresh_token"); /** * Denotes "none" grant types (for token obtaining). */ define("OAUTH2_GRANT_TYPE_NONE", "none"); /** * Regex to filter out the grant type. */ define("OAUTH2_GRANT_TYPE_REGEXP", "/^(authorization_code|password|assertion|refresh_token|none)$/"); /** * @} */ /** * @defgroup oauth2_section_5 Accessing a Protected Resource * @{ * * Clients access protected resources by presenting an access token to * the resource server. Access tokens act as bearer tokens, where the * token string acts as a shared symmetric secret. This requires * treating the access token with the same care as other secrets (e.g. * end-user passwords). Access tokens SHOULD NOT be sent in the clear * over an insecure channel. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5 */ /** * Used to define the name of the OAuth access token parameter (POST/GET/etc.). * * IETF Draft sections 5.1.2 and 5.1.3 specify that it should be called * "oauth_token" but other implementations use things like "access_token". * * I won't be heartbroken if you change it, but it might be better to adhere * to the spec. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1.2 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1.3 */ define("OAUTH2_TOKEN_PARAM_NAME", "oauth_token"); /** * @} */ /** * @defgroup oauth2_http_status HTTP status code * @{ */ /** * "Found" HTTP status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3 */ define("OAUTH2_HTTP_FOUND", "302 Found"); /** * "Bad Request" HTTP status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_HTTP_BAD_REQUEST", "400 Bad Request"); /** * "Unauthorized" HTTP status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_HTTP_UNAUTHORIZED", "401 Unauthorized"); /** * "Forbidden" HTTP status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_HTTP_FORBIDDEN", "403 Forbidden"); /** * @} */ /** * @defgroup oauth2_error Error handling * @{ * * @todo Extend for i18n. */ /** * The request is missing a required parameter, includes an unsupported * parameter or parameter value, or is otherwise malformed. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_ERROR_INVALID_REQUEST", "invalid_request"); /** * The client identifier provided is invalid. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 */ define("OAUTH2_ERROR_INVALID_CLIENT", "invalid_client"); /** * The client is not authorized to use the requested response type. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 */ define("OAUTH2_ERROR_UNAUTHORIZED_CLIENT", "unauthorized_client"); /** * The redirection URI provided does not match a pre-registered value. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 */ define("OAUTH2_ERROR_REDIRECT_URI_MISMATCH", "redirect_uri_mismatch"); /** * The end-user or authorization server denied the request. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 */ define("OAUTH2_ERROR_USER_DENIED", "access_denied"); /** * The requested response type is not supported by the authorization server. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 */ define("OAUTH2_ERROR_UNSUPPORTED_RESPONSE_TYPE", "unsupported_response_type"); /** * The requested scope is invalid, unknown, or malformed. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 */ define("OAUTH2_ERROR_INVALID_SCOPE", "invalid_scope"); /** * The provided access grant is invalid, expired, or revoked (e.g. invalid * assertion, expired authorization token, bad end-user password credentials, * or mismatching authorization code and redirection URI). * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 */ define("OAUTH2_ERROR_INVALID_GRANT", "invalid_grant"); /** * The access grant included - its type or another attribute - is not * supported by the authorization server. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 */ define("OAUTH2_ERROR_UNSUPPORTED_GRANT_TYPE", "unsupported_grant_type"); /** * The access token provided is invalid. Resource servers SHOULD use this * error code when receiving an expired token which cannot be refreshed to * indicate to the client that a new authorization is necessary. The resource * server MUST respond with the HTTP 401 (Unauthorized) status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_ERROR_INVALID_TOKEN", "invalid_token"); /** * The access token provided has expired. Resource servers SHOULD only use * this error code when the client is expected to be able to handle the * response and request a new access token using the refresh token issued * with the expired access token. The resource server MUST respond with the * HTTP 401 (Unauthorized) status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_ERROR_EXPIRED_TOKEN", "expired_token"); /** * The request requires higher privileges than provided by the access token. * The resource server SHOULD respond with the HTTP 403 (Forbidden) status * code and MAY include the "scope" attribute with the scope necessary to * access the protected resource. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_ERROR_INSUFFICIENT_SCOPE", "insufficient_scope"); /** * @} */ /** * OAuth2.0 draft v10 server-side implementation. * * @author Originally written by Tim Ridgely <tim.ridgely@gmail.com>. * @author Updated to draft v10 by Aaron Parecki <aaron@parecki.com>. * @author Debug, coding style clean up and documented by Edison Wong <hswong3i@pantarei-design.com>. */ abstract class OAuth2 { /** * Array of persistent variables stored. */ protected $conf = array(); /** * Returns a persistent variable. * * To avoid problems, always use lower case for persistent variable names. * * @param $name * The name of the variable to return. * @param $default * The default value to use if this variable has never been set. * * @return * The value of the variable. */ public function getVariable($name, $default = NULL) { return isset($this->conf[$name]) ? $this->conf[$name] : $default; } /** * Sets a persistent variable. * * To avoid problems, always use lower case for persistent variable names. * * @param $name * The name of the variable to set. * @param $value * The value to set. */ public function setVariable($name, $value) { $this->conf[$name] = $value; return $this; } // Subclasses must implement the following functions. /** * Make sure that the client credentials is valid. * * @param $client_id * Client identifier to be check with. * @param $client_secret * (optional) If a secret is required, check that they've given the right one. * * @return * TRUE if client credentials are valid, and MUST return FALSE if invalid. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2.1 * * @ingroup oauth2_section_2 */ abstract protected function checkClientCredentials($client_id, $client_secret = NULL); /** * Get the registered redirect URI of corresponding client_id. * * OAuth says we should store request URIs for each registered client. * Implement this function to grab the stored URI for a given client id. * * @param $client_id * Client identifier to be check with. * * @return * Registered redirect URI of corresponding client identifier, and MUST * return FALSE if the given client does not exist or is invalid. * * @ingroup oauth2_section_3 */ abstract protected function getRedirectUri($client_id); /** * Look up the supplied oauth_token from storage. * * We need to retrieve access token data as we create and verify tokens. * * @param $oauth_token * oauth_token to be check with. * * @return * An associative array as below, and return NULL if the supplied oauth_token * is invalid: * - client_id: Stored client identifier. * - expires: Stored expiration in unix timestamp. * - scope: (optional) Stored scope values in space-separated string. * * @ingroup oauth2_section_5 */ abstract protected function getAccessToken($oauth_token); /** * Store the supplied access token values to storage. * * We need to store access token data as we create and verify tokens. * * @param $oauth_token * oauth_token to be stored. * @param $client_id * Client identifier to be stored. * @param $expires * Expiration to be stored. * @param $user_id * User ID * @param $scope * (optional) Scopes to be stored in space-separated string. * * @ingroup oauth2_section_4 */ abstract protected function setAccessToken($oauth_token, $client_id, $expires, $user_id, $scope=NULL, $refresh_token=''); // Stuff that should get overridden by subclasses. // // I don't want to make these abstract, because then subclasses would have // to implement all of them, which is too much work. // // So they're just stubs. Override the ones you need. /** * Return supported grant types. * * You should override this function with something, or else your OAuth * provider won't support any grant types! * * @return * A list as below. If you support all grant types, then you'd do: * @code * return array( * OAUTH2_GRANT_TYPE_AUTH_CODE, * OAUTH2_GRANT_TYPE_USER_CREDENTIALS, * OAUTH2_GRANT_TYPE_ASSERTION, * OAUTH2_GRANT_TYPE_REFRESH_TOKEN, * OAUTH2_GRANT_TYPE_NONE, * ); * @endcode * * @ingroup oauth2_section_4 */ protected function getSupportedGrantTypes() { return array(); } /** * Return supported authorization response types. * * You should override this function with your supported response types. * * @return * A list as below. If you support all authorization response types, * then you'd do: * @code * return array( * OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE, * OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN, * OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN, * ); * @endcode * * @ingroup oauth2_section_3 */ protected function getSupportedAuthResponseTypes() { return array( OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE, OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN, OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN ); } /** * Return supported scopes. * * If you want to support scope use, then have this function return a list * of all acceptable scopes (used to throw the invalid-scope error). * * @return * A list as below, for example: * @code * return array( * 'my-friends', * 'photos', * 'whatever-else', * ); * @endcode * * @ingroup oauth2_section_3 */ protected function getSupportedScopes() { return array(); } /** * Check restricted authorization response types of corresponding Client * identifier. * * If you want to restrict clients to certain authorization response types, * override this function. * * @param $client_id * Client identifier to be check with. * @param $response_type * Authorization response type to be check with, would be one of the * values contained in OAUTH2_AUTH_RESPONSE_TYPE_REGEXP. * * @return * TRUE if the authorization response type is supported by this * client identifier, and FALSE if it isn't. * * @ingroup oauth2_section_3 */ protected function checkRestrictedAuthResponseType($client_id, $response_type) { return TRUE; } /** * Check restricted grant types of corresponding client identifier. * * If you want to restrict clients to certain grant types, override this * function. * * @param $client_id * Client identifier to be check with. * @param $grant_type * Grant type to be check with, would be one of the values contained in * OAUTH2_GRANT_TYPE_REGEXP. * * @return * TRUE if the grant type is supported by this client identifier, and * FALSE if it isn't. * * @ingroup oauth2_section_4 */ protected function checkRestrictedGrantType($client_id, $grant_type) { return TRUE; } // Functions that help grant access tokens for various grant types. /** * Fetch authorization code data (probably the most common grant type). * * Retrieve the stored data for the given authorization code. * * Required for OAUTH2_GRANT_TYPE_AUTH_CODE. * * @param $code * Authorization code to be check with. * * @return * An associative array as below, and NULL if the code is invalid: * - client_id: Stored client identifier. * - redirect_uri: Stored redirect URI. * - expires: Stored expiration in unix timestamp. * - scope: (optional) Stored scope values in space-separated string. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.1 * * @ingroup oauth2_section_4 */ protected function getAuthCode($code) { return NULL; } /** * Take the provided authorization code values and store them somewhere. * * This function should be the storage counterpart to getAuthCode(). * * If storage fails for some reason, we're not currently checking for * any sort of success/failure, so you should bail out of the script * and provide a descriptive fail message. * * Required for OAUTH2_GRANT_TYPE_AUTH_CODE. * * @param $code * Authorization code to be stored. * @param $client_id * Client identifier to be stored. * @param $redirect_uri * Redirect URI to be stored. * @param $expires * Expiration to be stored. * @param $scope * (optional) Scopes to be stored in space-separated string. * * @ingroup oauth2_section_4 */ protected function setAuthCode($code, $client_id, $redirect_uri, $expires, $userId, $scope = NULL) { } /** * Grant access tokens for basic user credentials. * * Check the supplied username and password for validity. * * You can also use the $client_id param to do any checks required based * on a client, if you need that. * * Required for OAUTH2_GRANT_TYPE_USER_CREDENTIALS. * * @param $client_id * Client identifier to be check with. * @param $username * Username to be check with. * @param $password * Password to be check with. * * @return * TRUE if the username and password are valid, and FALSE if it isn't. * Moreover, if the username and password are valid, and you want to * verify the scope of a user's access, return an associative array * with the scope values as below. We'll check the scope you provide * against the requested scope before providing an access token: * @code * return array( * 'scope' => <stored scope values (space-separated string)>, * ); * @endcode * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.2 * * @ingroup oauth2_section_4 */ protected function checkUserCredentials($client_id, $username, $password) { return FALSE; } /** * Grant access tokens for assertions. * * Check the supplied assertion for validity. * * You can also use the $client_id param to do any checks required based * on a client, if you need that. * * Required for OAUTH2_GRANT_TYPE_ASSERTION. * * @param $client_id * Client identifier to be check with. * @param $assertion_type * The format of the assertion as defined by the authorization server. * @param $assertion * The assertion. * * @return * TRUE if the assertion is valid, and FALSE if it isn't. Moreover, if * the assertion is valid, and you want to verify the scope of an access * request, return an associative array with the scope values as below. * We'll check the scope you provide against the requested scope before * providing an access token: * @code * return array( * 'scope' => <stored scope values (space-separated string)>, * ); * @endcode * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.3 * * @ingroup oauth2_section_4 */ protected function checkAssertion($client_id, $assertion_type, $assertion) { return FALSE; } /** * Grant refresh access tokens. * * Retrieve the stored data for the given refresh token. * * Required for OAUTH2_GRANT_TYPE_REFRESH_TOKEN. * * @param $refresh_token * Refresh token to be check with. * * @return * An associative array as below, and NULL if the refresh_token is * invalid: * - client_id: Stored client identifier. * - expires: Stored expiration unix timestamp. * - scope: (optional) Stored scope values in space-separated string. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.4 * * @ingroup oauth2_section_4 */ protected function getRefreshToken($refresh_token) { return NULL; } /** * Take the provided refresh token values and store them somewhere. * * This function should be the storage counterpart to getRefreshToken(). * * If storage fails for some reason, we're not currently checking for * any sort of success/failure, so you should bail out of the script * and provide a descriptive fail message. * * Required for OAUTH2_GRANT_TYPE_REFRESH_TOKEN. * * @param $refresh_token * Refresh token to be stored. * @param $client_id * Client identifier to be stored. * @param $expires * expires to be stored. * @param $scope * (optional) Scopes to be stored in space-separated string. * * @ingroup oauth2_section_4 */ protected function setRefreshToken($refresh_token, $client_id, $expires, $scope = NULL) { return; } /** * Expire a used refresh token. * * This is not explicitly required in the spec, but is almost implied. * After granting a new refresh token, the old one is no longer useful and * so should be forcibly expired in the data store so it can't be used again. * * If storage fails for some reason, we're not currently checking for * any sort of success/failure, so you should bail out of the script * and provide a descriptive fail message. * * @param $refresh_token * Refresh token to be expirse. * * @ingroup oauth2_section_4 */ protected function unsetRefreshToken($refresh_token) { return; } /** * Grant access tokens for the "none" grant type. * * Not really described in the IETF Draft, so I just left a method * stub... Do whatever you want! * * Required for OAUTH2_GRANT_TYPE_NONE. * * @ingroup oauth2_section_4 */ protected function checkNoneAccess($client_id) { return FALSE; } /** * Get default authentication realm for WWW-Authenticate header. * * Change this to whatever authentication realm you want to send in a * WWW-Authenticate header. * * @return * A string that you want to send in a WWW-Authenticate header. * * @ingroup oauth2_error */ protected function getDefaultAuthenticationRealm() { return "Service"; } // End stuff that should get overridden. /** * Creates an OAuth2.0 server-side instance. * * @param $config * An associative array as below: * - access_token_lifetime: (optional) The lifetime of access token in * seconds. * - auth_code_lifetime: (optional) The lifetime of authorization code in * seconds. * - refresh_token_lifetime: (optional) The lifetime of refresh token in * seconds. * - display_error: (optional) Whether to show verbose error messages in * the response. */ public function __construct($config = array()) { foreach ($config as $name => $value) { $this->setVariable($name, $value); } } // Resource protecting (Section 5). /** * Check that a valid access token has been provided. * * The scope parameter defines any required scope that the token must have. * If a scope param is provided and the token does not have the required * scope, we bounce the request. * * Some implementations may choose to return a subset of the protected * resource (i.e. "public" data) if the user has not provided an access * token or if the access token is invalid or expired. * * The IETF spec says that we should send a 401 Unauthorized header and * bail immediately so that's what the defaults are set to. * * @param $scope * A space-separated string of required scope(s), if you want to check * for scope. * @param $exit_not_present * If TRUE and no access token is provided, send a 401 header and exit, * otherwise return FALSE. * @param $exit_invalid * If TRUE and the implementation of getAccessToken() returns NULL, exit, * otherwise return FALSE. * @param $exit_expired * If TRUE and the access token has expired, exit, otherwise return FALSE. * @param $exit_scope * If TRUE the access token does not have the required scope(s), exit, * otherwise return FALSE. * @param $realm * If you want to specify a particular realm for the WWW-Authenticate * header, supply it here. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5 * * @ingroup oauth2_section_5 */ public function verifyAccessToken($scope = NULL, $exit_not_present = TRUE, $exit_invalid = TRUE, $exit_expired = TRUE, $exit_scope = TRUE, $realm = NULL) { $token_param = $this->getAccessTokenParams(); if ($token_param === FALSE) // Access token was not provided return $exit_not_present ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_BAD_REQUEST, $realm, OAUTH2_ERROR_INVALID_REQUEST, 'The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.', NULL, $scope) : FALSE; // Get the stored token data (from the implementing subclass) $token = $this->getAccessToken($token_param); if ($token === NULL) return $exit_invalid ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_UNAUTHORIZED, $realm, OAUTH2_ERROR_INVALID_TOKEN, 'The access token provided is invalid.', NULL, $scope) : FALSE; // Check token expiration (I'm leaving this check separated, later we'll fill in better error messages) if (isset($token["expires"]) && time() > $token["expires"]) return $exit_expired ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_UNAUTHORIZED, $realm, OAUTH2_ERROR_EXPIRED_TOKEN, 'The access token provided has expired.', NULL, $scope) : FALSE; // Check scope, if provided // If token doesn't have a scope, it's NULL/empty, or it's insufficient, then throw an error if ($scope && (!isset($token["scope"]) || !$token["scope"] || !$this->checkScope($scope, $token["scope"]))) return $exit_scope ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_FORBIDDEN, $realm, OAUTH2_ERROR_INSUFFICIENT_SCOPE, 'The request requires higher privileges than provided by the access token.', NULL, $scope) : FALSE; return TRUE; } /** * Check if everything in required scope is contained in available scope. * * @param $required_scope * Required scope to be check with. * @param $available_scope * Available scope to be compare with. * * @return * TRUE if everything in required scope is contained in available scope, * and False if it isn't. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5 * * @ingroup oauth2_section_5 */ private function checkScope($required_scope, $available_scope) { // The required scope should match or be a subset of the available scope if (!is_array($required_scope)) $required_scope = explode(" ", $required_scope); if (!is_array($available_scope)) $available_scope = explode(" ", $available_scope); return (count(array_diff($required_scope, $available_scope)) == 0); } /** * Pulls the access token out of the HTTP request. * * Either from the Authorization header or GET/POST/etc. * * @return * Access token value if present, and FALSE if it isn't. * * @todo Support PUT or DELETE. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1 * * @ingroup oauth2_section_5 */ private function getAccessTokenParams() { $auth_header = $this->getAuthorizationHeader(); if ($auth_header !== FALSE) { // Make sure only the auth header is set if (isset($_GET[OAUTH2_TOKEN_PARAM_NAME]) || isset($_POST[OAUTH2_TOKEN_PARAM_NAME])) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Auth token found in GET or POST when token present in header'); $auth_header = trim($auth_header); // Make sure it's Token authorization if (strcmp(substr($auth_header, 0, 5), "OAuth ") !== 0) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Auth header found that doesn\'t start with "OAuth"'); // Parse the rest of the header if (preg_match('/\s*OAuth\s*="(.+)"/', substr($auth_header, 5), $matches) == 0 || count($matches) < 2) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Malformed auth header'); return $matches[1]; } if (isset($_GET[OAUTH2_TOKEN_PARAM_NAME])) { if (isset($_POST[OAUTH2_TOKEN_PARAM_NAME])) // Both GET and POST are not allowed $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Only send the token in GET or POST, not both'); return $_GET[OAUTH2_TOKEN_PARAM_NAME]; } if (isset($_POST[OAUTH2_TOKEN_PARAM_NAME])) return $_POST[OAUTH2_TOKEN_PARAM_NAME]; return FALSE; } // Access token granting (Section 4). /** * Grant or deny a requested access token. * * This would be called from the "/token" endpoint as defined in the spec. * Obviously, you can call your endpoint whatever you want. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4 * * @ingroup oauth2_section_4 */ public function grantAccessToken() { $filters = array( "grant_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_GRANT_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR), "scope" => array("flags" => FILTER_REQUIRE_SCALAR), "code" => array("flags" => FILTER_REQUIRE_SCALAR), "redirect_uri" => array("filter" => FILTER_SANITIZE_URL), "username" => array("flags" => FILTER_REQUIRE_SCALAR), "password" => array("flags" => FILTER_REQUIRE_SCALAR), "assertion_type" => array("flags" => FILTER_REQUIRE_SCALAR), "assertion" => array("flags" => FILTER_REQUIRE_SCALAR), "refresh_token" => array("flags" => FILTER_REQUIRE_SCALAR), ); $input = filter_input_array(INPUT_POST, $filters); // Grant Type must be specified. if (!$input["grant_type"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Invalid grant_type parameter or parameter missing'); // Make sure we've implemented the requested grant type if (!in_array($input["grant_type"], $this->getSupportedGrantTypes())) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_UNSUPPORTED_GRANT_TYPE); // Authorize the client $client = $this->getClientCredentials(); if ($this->checkClientCredentials($client[0], $client[1]) === FALSE) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT); if (!$this->checkRestrictedGrantType($client[0], $input["grant_type"])) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_UNAUTHORIZED_CLIENT); // Do the granting switch ($input["grant_type"]) { case OAUTH2_GRANT_TYPE_AUTH_CODE: if (!$input["code"] || !$input["redirect_uri"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST); $stored = $this->getAuthCode($input["code"]); // Ensure that the input uri starts with the stored uri if ($stored === NULL || (strcasecmp(substr($input["redirect_uri"], 0, strlen($stored["redirect_uri"])), $stored["redirect_uri"]) !== 0) || $client[0] != $stored["client_id"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT); if ($stored["expires"] < time()) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_EXPIRED_TOKEN); break; case OAUTH2_GRANT_TYPE_USER_CREDENTIALS: if (!$input["username"] || !$input["password"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Missing parameters. "username" and "password" required'); $stored = $this->checkUserCredentials($client[0], $input["username"], $input["password"]); if ($stored === FALSE) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT); break; case OAUTH2_GRANT_TYPE_ASSERTION: if (!$input["assertion_type"] || !$input["assertion"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST); $stored = $this->checkAssertion($client[0], $input["assertion_type"], $input["assertion"]); if ($stored === FALSE) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT); break; case OAUTH2_GRANT_TYPE_REFRESH_TOKEN: if (!$input["refresh_token"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'No "refresh_token" parameter found'); $stored = $this->getRefreshToken($input["refresh_token"]); if ($stored === NULL || $client[0] != $stored["client_id"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT); if ($stored["expires"] < time()) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_EXPIRED_TOKEN); // store the refresh token locally so we can delete it when a new refresh token is generated $this->setVariable('_old_refresh_token', $stored["token"]); break; case OAUTH2_GRANT_TYPE_NONE: $stored = $this->checkNoneAccess($client[0]); if ($stored === FALSE) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST); } // Check scope, if provided if ($input["scope"] && (!is_array($stored) || !isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"]))) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_SCOPE); if (!$input["scope"]) $input["scope"] = NULL; $token = $this->createAccessToken($client[0], $input["scope"], $stored["user_id"]); //TOKEN 为 数组 (包括 TOKEN 值， 有效时间， 权限) // $this->sendJsonHeaders(); echo json_encode($token); } /** * Internal function used to get the client credentials from HTTP basic * auth or POST data. * * @return * A list containing the client identifier and password, for example * @code * return array( * $_POST["client_id"], * $_POST["client_secret"], * ); * @endcode * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2 * * @ingroup oauth2_section_2 */ protected function getClientCredentials() { if (isset($_SERVER["PHP_AUTH_USER"]) && $_POST && isset($_POST["client_id"])) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT); // Try basic auth if (isset($_SERVER["PHP_AUTH_USER"])) return array($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]); // Try POST if ($_POST && isset($_POST["client_id"])) { if (isset($_POST["client_secret"])) return array($_POST["client_id"], $_POST["client_secret"]); return array($_POST["client_id"], NULL); } // No credentials were specified $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT); } // End-user/client Authorization (Section 3 of IETF Draft). /** * Pull the authorization request data out of the HTTP request. * * @return * The authorization parameters so the authorization server can prompt * the user for approval if valid. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3 * * @ingroup oauth2_section_3 */ public function getAuthorizeParams() { $filters = array( "client_id" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_CLIENT_ID_REGEXP), "flags" => FILTER_REQUIRE_SCALAR), "response_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_AUTH_RESPONSE_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR), "redirect_uri" => array("filter" => FILTER_SANITIZE_URL), "state" => array("flags" => FILTER_REQUIRE_SCALAR), "scope" => array("flags" => FILTER_REQUIRE_SCALAR), ); $input = filter_input_array(INPUT_GET, $filters); // Make sure a valid client id was supplied if (!$input["client_id"]) { if ($input["redirect_uri"]) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_CLIENT, NULL, NULL, $input["state"]); $this->errorJsonResponse(OAUTH2_HTTP_FOUND, OAUTH2_ERROR_INVALID_CLIENT); // We don't have a good URI to use } // redirect_uri is not required if already established via other channels // check an existing redirect URI against the one supplied $redirect_uri = $this->getRedirectUri($input["client_id"]); // At least one of: existing redirect URI or input redirect URI must be specified if (!$redirect_uri && !$input["redirect_uri"]) $this->errorJsonResponse(OAUTH2_HTTP_FOUND, OAUTH2_ERROR_INVALID_REQUEST); // getRedirectUri() should return FALSE if the given client ID is invalid // this probably saves us from making a separate db call, and simplifies the method set if ($redirect_uri === FALSE) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_CLIENT, NULL, NULL, $input["state"]); // If there's an existing uri and one from input, verify that they match if ($redirect_uri && $input["redirect_uri"]) { // Ensure that the input uri starts with the stored uri if (strcasecmp(substr($input["redirect_uri"], 0, strlen($redirect_uri)), $redirect_uri) !== 0) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_REDIRECT_URI_MISMATCH, NULL, NULL, $input["state"]); } elseif ($redirect_uri) { // They did not provide a uri from input, so use the stored one $input["redirect_uri"] = $redirect_uri; } // type and client_id are required if (!$input["response_type"]) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_REQUEST, 'Invalid response type.', NULL, $input["state"]); // Check requested auth response type against the list of supported types if (array_search($input["response_type"], $this->getSupportedAuthResponseTypes()) === FALSE) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_UNSUPPORTED_RESPONSE_TYPE, NULL, NULL, $input["state"]); // Restrict clients to certain authorization response types if ($this->checkRestrictedAuthResponseType($input["client_id"], $input["response_type"]) === FALSE) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_UNAUTHORIZED_CLIENT, NULL, NULL, $input["state"]); // Validate that the requested scope is supported if ($input["scope"] && !$this->checkScope($input["scope"], $this->getSupportedScopes())) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_SCOPE, NULL, NULL, $input["state"]); return $input; } /** * Redirect the user appropriately after approval. * * After the user has approved or denied the access request the * authorization server should call this function to redirect the user * appropriately. * * @param $is_authorized * TRUE or FALSE depending on whether the user authorized the access. * @param $params * An associative array as below: * - response_type: The requested response: an access token, an * authorization code, or both. * - client_id: The client identifier as described in Section 2. * - redirect_uri: An absolute URI to which the authorization server * will redirect the user-agent to when the end-user authorization * step is completed. * - scope: (optional) The scope of the access request expressed as a * list of space-delimited strings. * - state: (optional) An opaque value used by the client to maintain * state between the request and callback. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3 * * @ingroup oauth2_section_3 */ public function finishClientAuthorization($is_authorized, $params = array()) { $params += array( // 'scope' => NULL, 'state' => NULL, ); extract($params); if ($state !== NULL) $result["query"]["state"] = $state; if ($is_authorized === FALSE) { $result["query"]["error"] = OAUTH2_ERROR_USER_DENIED; } else { if ($response_type == OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE || $response_type == OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN) $result["query"]["code"] = $this->createAuthCode($client_id, $redirect_uri, $user_id, $scope); if ($response_type == OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN || $response_type == OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN) $result["fragment"] = $this->createAccessToken($client_id, $scope, $user_id); } $result['display'] = !empty($display) ? $display : ''; $this->doRedirectUriCallback($redirect_uri, $result); } // Other/utility functions. /** * Redirect the user agent. * * Handle both redirect for success or error response. * * @param $redirect_uri * An absolute URI to which the authorization server will redirect * the user-agent to when the end-user authorization step is completed. * @param $params * Parameters to be pass though buildUri(). * * @ingroup oauth2_section_3 */ private function doRedirectUriCallback($redirect_uri, $params) { header("HTTP/1.1 ". OAUTH2_HTTP_FOUND); if($params['display'] == 'frame') { echo '<script>window.top.location.href="'.$this->buildUri($redirect_uri, $params).'";</script>'; } else { header("Location: " . $this->buildUri($redirect_uri, $params)); } exit; } /** * Build the absolute URI based on supplied URI and parameters. * * @param $uri * An absolute URI. * @param $params * Parameters to be append as GET. * * @return * An absolute URI with supplied parameters. * * @ingroup oauth2_section_3 */ private function buildUri($uri, $params) { session_start(); $parse_url = parse_url($uri); // Add our params to the parsed uri foreach ($params as $k => $v) { if (isset($parse_url[$k])) $parse_url[$k] .= "&" . http_build_query($v); else $parse_url[$k] = http_build_query($v); } // Put humpty dumpty back together $return = ((isset($parse_url["scheme"])) ? $parse_url["scheme"] . "://" : "") . ((isset($parse_url["user"])) ? $parse_url["user"] . ((isset($parse_url["pass"])) ? ":" . $parse_url["pass"] : "") . "@" : "") . ((isset($parse_url["host"])) ? $parse_url["host"] : "") . ((isset($parse_url["port"])) ? ":" . $parse_url["port"] : "") . ((isset($parse_url["path"])) ? $parse_url["path"] : "") . ((isset($parse_url["query"])) ? "?" . $parse_url["query"] : "") . ((isset($parse_url["fragment"])) ? "#" . $parse_url["fragment"] : "") . "&ssid=".base64_encode('2egc83'.session_id()); return $return; } /** * Handle the creation of access token, also issue refresh token if support. * * This belongs in a separate factory, but to keep it simple, I'm just * keeping it here. * * @param $client_id * Client identifier related to the access token. * @param $scope * (optional) Scopes to be stored in space-separated string. * * @ingroup oauth2_section_4 */ protected function createAccessToken($client_id, $scope = NULL, $user_id = 10) { $token = array( "access_token" => $this->genAccessToken(), "expires_in" => $this->getVariable('access_token_lifetime', OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME), "user_id" => $user_id, "scope" => $scope ); $refresh_token = ''; // Issue a refresh token also, if we support them if (in_array(OAUTH2_GRANT_TYPE_REFRESH_TOKEN, $this->getSupportedGrantTypes())) { $refresh_token = $this->genAccessToken(); // $this->setRefreshToken($token["refresh_token"], $client_id, time() + $this->getVariable('refresh_token_lifetime', OAUTH2_DEFAULT_REFRESH_TOKEN_LIFETIME), $user_id, $scope); $token["refresh_token"] = $refresh_token; // If we've granted a new refresh token, expire the old one if ($this->getVariable('_old_refresh_token')) $this->unsetRefreshToken($this->getVariable('_old_refresh_token')); } $access_token = $token['access_token']; $this->setAccessToken($access_token, $client_id, time() + $this->getVariable('access_token_lifetime', OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME), $token['user_id'], $scope, $refresh_token); return $token; } /** * Handle the creation of auth code. * * This belongs in a separate factory, but to keep it simple, I'm just * keeping it here. * * @param $client_id * Client identifier related to the access token. * @param $redirect_uri * An absolute URI to which the authorization server will redirect the * user-agent to when the end-user authorization step is completed. * @param $scope * (optional) Scopes to be stored in space-separated string. * * @ingroup oauth2_section_3 */ private function createAuthCode($client_id, $redirect_uri, $userId, $scope = NULL) { $code = $this->genAuthCode(); $this->setAuthCode($code, $client_id, $redirect_uri, time() + $this->getVariable('auth_code_lifetime', OAUTH2_DEFAULT_AUTH_CODE_LIFETIME), $userId, $scope); return $code; } /** * Generate unique access token. * * Implementing classes may want to override these function to implement * other access token or auth code generation schemes. * * @return * An unique access token. * * @ingroup oauth2_section_4 */ protected function genAccessToken() { return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid()))); } /** * Generate unique auth code. * * Implementing classes may want to override these function to implement * other access token or auth code generation schemes. * * @return * An unique auth code. * * @ingroup oauth2_section_3 */ protected function genAuthCode() { return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid()))); } /** * Pull out the Authorization HTTP header and return it. * * Implementing classes may need to override this function for use on * non-Apache web servers. * * @return * The Authorization HTTP header, and FALSE if does not exist. * * @todo Handle Authorization HTTP header for non-Apache web servers. * * @ingroup oauth2_section_5 */ private function getAuthorizationHeader() { if (array_key_exists("HTTP_AUTHORIZATION", $_SERVER)) return $_SERVER["HTTP_AUTHORIZATION"]; if (function_exists("apache_request_headers")) { $headers = apache_request_headers(); if (array_key_exists("Authorization", $headers)) return $headers["Authorization"]; } return FALSE; } /** * Send out HTTP headers for JSON. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.2 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3 * * @ingroup oauth2_section_4 */ private function sendJsonHeaders() { header("Content-Type: application/json"); header("Cache-Control: no-store"); } /** * Redirect the end-user's user agent with error message. * * @param $redirect_uri * An absolute URI to which the authorization server will redirect the * user-agent to when the end-user authorization step is completed. * @param $error * A single error code as described in Section 3.2.1. * @param $error_description * (optional) A human-readable text providing additional information, * used to assist in the understanding and resolution of the error * occurred. * @param $error_uri * (optional) A URI identifying a human-readable web page with * information about the error, used to provide the end-user with * additional information about the error. * @param $state * (optional) REQUIRED if the "state" parameter was present in the client * authorization request. Set to the exact value received from the client. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2 * * @ingroup oauth2_error */ private function errorDoRedirectUriCallback($redirect_uri, $error, $error_description = NULL, $error_uri = NULL, $state = NULL) { $result["query"]["error"] = $error; if ($state) $result["query"]["state"] = $state; if ($this->getVariable('display_error') && $error_description) $result["query"]["error_description"] = $error_description; if ($this->getVariable('display_error') && $error_uri) $result["query"]["error_uri"] = $error_uri; $this->doRedirectUriCallback($redirect_uri, $result); } /** * Send out error message in JSON. * * @param $http_status_code * HTTP status code message as predefined. * @param $error * A single error code. * @param $error_description * (optional) A human-readable text providing additional information, * used to assist in the understanding and resolution of the error * occurred. * @param $error_uri * (optional) A URI identifying a human-readable web page with * information about the error, used to provide the end-user with * additional information about the error. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3 * * @ingroup oauth2_error */ private function errorJsonResponse($http_status_code, $error, $error_description = NULL, $error_uri = NULL) { $result['error'] = $error; if ($this->getVariable('display_error') && $error_description) $result["error_description"] = $error_description; if ($this->getVariable('display_error') && $error_uri) $result["error_uri"] = $error_uri; header("HTTP/1.1 " . $http_status_code); $this->sendJsonHeaders(); echo json_encode($result); exit; } /** * Send a 401 unauthorized header with the given realm and an error, if * provided. * * @param $http_status_code * HTTP status code message as predefined. * @param $realm * The "realm" attribute is used to provide the protected resources * partition as defined by [RFC2617]. * @param $scope * A space-delimited list of scope values indicating the required scope * of the access token for accessing the requested resource. * @param $error * The "error" attribute is used to provide the client with the reason * why the access request was declined. * @param $error_description * (optional) The "error_description" attribute provides a human-readable text * containing additional information, used to assist in the understanding * and resolution of the error occurred. * @param $error_uri * (optional) The "error_uri" attribute provides a URI identifying a human-readable * web page with information about the error, used to offer the end-user * with additional information about the error. If the value is not an * absolute URI, it is relative to the URI of the requested protected * resource. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2 * * @ingroup oauth2_error */ private function errorWWWAuthenticateResponseHeader($http_status_code, $realm, $error, $error_description = NULL, $error_uri = NULL, $scope = NULL) { $realm = $realm === NULL ? $this->getDefaultAuthenticationRealm() : $realm; $result = "WWW-Authenticate: OAuth realm='" . $realm . "'"; if ($error) $result .= ", error='" . $error . "'"; if ($this->getVariable('display_error') && $error_description) $result .= ", error_description='" . $error_description . "'"; if ($this->getVariable('display_error') && $error_uri) $result .= ", error_uri='" . $error_uri . "'"; if ($scope) $result .= ", scope='" . $scope . "'"; header("HTTP/1.1 ". $http_status_code); header($result); exit; } }

代码比较多。有兴趣的能够细看。

因为采用Vendor方法引入，因此这里的文件都没有采用命名空间。

5-三、在同目录下，建ThinkOAuth2.php文件，这个文件里的类继承上面那个基类：

<?php require "oauth2.class.php"; class ThinkOAuth2 extends OAuth2{ private $db; private $table; /** * 构造 */ public function __construct() { parent::__construct(); $this -> db = M(); $this -> table = array( 'auth_codes'=>C('OAUTH2_CODES_TABLE'), 'clients'=>C('OAUTH2_CLIENTS_TABLE'), 'tokens'=>C('OAUTH2_TOKEN_TABLE') ); } /** * 析构 */ function __destruct() { $this->db = NULL; // Release db connection } private function handleException($e) { echo "Database error: " . $e->getMessage(); exit; } /** * * 增长client * @param string $client_id * @param string $client_secret * @param string $redirect_uri */ public function addClient($client_id, $client_secret, $redirect_uri) { $time = time(); $sql = "INSERT INTO {$this -> table['clients']} (client_id, client_secret, redirect_uri,create_time) VALUES ('{$client_id}', '{$client_secret}', '{$redirect_uri}','{$time}')"; $res = $this -> db -> execute($sql); return res; } /** * Implements OAuth2::checkClientCredentials() * @see OAuth2::checkClientCredentials() */ protected function checkClientCredentials($client_id, $client_secret = NULL) { $sql = "SELECT client_secret FROM {$this -> table['clients']} WHERE client_id = {$client_id}"; $result = $this -> db -> query($sql); if ($client_secret === NULL) { return $result !== FALSE; } //Log::write("checkClientCredentials : ".$result); //Log::write("checkClientCredentials : ".$result[0]); //Log::write("checkClientCredentials : ".$result[0]["client_secret"]); return $result[0]["client_secret"] == $client_secret; } /** * Implements OAuth2::getRedirectUri(). * @see OAuth2::getRedirectUri() */ protected function getRedirectUri($client_id) { $sql = "SELECT redirect_uri FROM {$this -> table['clients']} WHERE client_id = {$client_id}"; $result = $this -> db -> query($sql); if ($result === FALSE) { return FALSE; } //Log::write("getRedirectUri : ".$result); //Log::write("getRedirectUri : ".$result[0]); //Log::write("getRedirectUri : ".$result[0]["redirect_uri"]); return isset($result[0]["redirect_uri"]) && $result[0]["redirect_uri"] ? $result[0]["redirect_uri"] : NULL; } /** * Implements OAuth2::getAccessToken(). * @see OAuth2::getAccessToken() */ protected function getAccessToken($access_token) { $sql = "SELECT client_id, expires_in, scope FROM {$this -> table['tokens']} WHERE access_token = '{$access_token}'"; $result = $this -> db -> query($sql); //Log::write("getAccessToken : ".$result); //Log::write("getAccessToken : ".$result[0]); return $result !== FALSE ? $result : NULL; } /** * Implements OAuth2::setAccessToken(). * @see OAuth2::setAccessToken() */ protected function setAccessToken($access_token, $client_id, $expires, $user_id, $scope=NULL, $refresh_token='') { $sql = "INSERT INTO {$this -> table['tokens']} (access_token, client_id, expires_in, scope,user_id,refresh_token) VALUES ('{$access_token}', '{$client_id}', '{$expires}', '{$scope}',{$user_id},'{$refresh_token}')"; $this -> db -> execute($sql); } /** * Overrides OAuth2::getSupportedGrantTypes(). * @see OAuth2::getSupportedGrantTypes() */ protected function getSupportedGrantTypes() { return array( OAUTH2_GRANT_TYPE_AUTH_CODE ); } /** * Overrides OAuth2::getAuthCode(). * @see OAuth2::getAuthCode() */ protected function getAuthCode($code) { $sql = "SELECT user_id, code, client_id, redirect_uri, expires, scope FROM {$this -> table['auth_codes']} WHERE code = '{$code}'"; $result = $this -> db -> query($sql); //Log::write("getAuthcode : ".$result); //Log::write("getAuthcode : ".$result[0]); //Log::write("getAuthcode : ".$result[0]["code"]); return $result !== FALSE ? $result[0] : NULL; } /** * Overrides OAuth2::setAuthCode(). * @see OAuth2::setAuthCode() */ protected function setAuthCode($code, $client_id, $redirect_uri, $expires, $scope = NULL) { $time = time(); $sql = "INSERT INTO {$this -> table['auth_codes']} (code, client_id, redirect_uri, expires, scope) VALUES ('{$code}', '{$client_id}', '{$redirect_uri}', '{$expires}', '{$scope}')"; $result = $this -> db -> execute($sql); } /** * Overrides OAuth2::checkUserCredentials(). * @see OAuth2::checkUserCredentials() */ protected function checkUserCredentials($client_id, $username, $password){ return TRUE; } }

这里涉及到一些数据库的操做。继承出来操做，仍是比较一目了然的。

5-四、准备好类了。咱们就能够实现控制器里的功能代码。动手以前先搞清楚咱们的意图。

首先，咱们须要分配一个oauth_client和一个oauth_secrete给第三方网站（也就是client.ruanwenwu.cn)来获取oauth服务。

其次，client.ruanwenwu.cn会把用户导入到server.ruanwenwu.cn来进行受权。因此咱们咱们还须要准备受权页面。

由于涉及到服务端和客户端的数据交互，因此可能服务端和客户端的相关介绍我会交叉进行。

5-4-一、建立oauth_client。

5-4-二、获取oauth_cliest列表。

5-4-三、准备获取用户受权的页面和逻辑。（受权服务器）

5-4-四、准备提供用户数据的逻辑。（资源服务器）

这些逻辑我都写在一个控制器OauthController.class.php里。代码以下：

<?php namespace Home\Controller; use Think\Controller; class OauthController extends Controller{ private $oauth = NULL; function _initialize(){ header("Content-Type: application/json"); Vendor("oauth.ThinkOAuth2"); $this -> oauth = new \ThinkOAuth2(); } public function index(){ header("Content-Type:application/json; charset=utf-8"); $this -> ajaxReturn(null, 'oauth-server-start', 1, 'json'); } public function access_token() { $this -> oauth -> grantAccessToken(); } //权限验证 public function authorize() { if (IS_POST) { if(true){ //这个地方验证成功后要把用户的uid加进来 $_POST['user_id'] = 1; $this -> oauth -> finishClientAuthorization(true, $_POST); //第一个参数很重要，是用户是否受权 } return; } ///表单准备 $auth_params = $this -> oauth -> getAuthorizeParams(); $this->assign("auth_params",$auth_params); $this->display(); } public function addclient() { echo 'jack'; if (IS_POST) { echo 'pd'; $res = $this -> oauth -> addClient($_POST["client_id"], $_POST["client_secret"], $_POST["redirect_uri"]); if($res){ $this->redirect("/home/Oauth/clientlist"); die; } } $this->display(); } public function clientlist(){ $res = M()->table("oauth_client")->select(); $this->assign("clients",$res); var_dump($res); $this->display(); } }

顺便我将用到的模板文件（server.ruanwenwu.cn\Application\Home\View\oauth目录下）也贴出来给你们参考一下：

addclient.html

<!doctype html> <head> <meta charset="utf-8" /> <title>这里是添加客户端界面</title> </head> <body> <h1>添加客户端</h1> <form action="" method="post" > clientId:<input type="text" name="client_id" /> <br /> client_secrete:<input type="text" name="client_secret" /> <br /> callbackUrl:<input type="text" name="redirect_uri" /> <br /> <input type="submit" value="submit" /> </form> </body> </html>

authorize.html

<!doctype html> <html> <form action="" method="post"> 用户名：<input type="text" name="username" /> <br /> 密码：<input type="text" name="pwd" /> <input type="hidden" name="response_type" value="code" /> <input type="hidden" name="client_id" value="{$auth_params['client_id']}" /> <input type="hidden" name="redirect_uri" value="{$auth_params['redirect_uri']}" /> <input type="submit" value="submit" /> </form> </html>

注意：我这里用到了几个隐藏域。这个是必须的，在post提交验证时会用到。

5-4-五、建立oauth2.0用户。

打 开server.ruanwenwu.cn/index.php/home/oauth/addcient,输入client_id和 client_secrete还有redirect_uri建立一个oauth2.0用户。其中redirect_uri是用户受权后须要跳转的地方。

到这里服务端的部署就差很少结束了。如今开始部署客户端。

3、oauth2.0客户端搭建。

一、同服务端同样搭建client.ruanwenwu.cn。（也是用thinkphp)。

二、能正常访问后。在类库中加入oauth2.0客户端类。

在\client.ruanwenwu.cn\ThinkPHP\Library\Org\Util目录下创建Oauth2.class.php，代码以下：

<?php namespace Org\Util; /** * 与 OAuth2 服务器 通信验证 核心类 (PHP版) * * @description OAuth2 说明请你们参考 木蚂蚁接口文档 * * * @author Mumayi-Team (zhaopan赵攀) * @version 1.0 * @datetime 2013-12-31 */ class Oauth2 { /* * 如下几个参数 具体做用和用法 详见 木蚂蚁接口文档 */ //分配的客户端 ID public $client_id; //分配的客户端 密匙 public $client_secret; //得到的 用户受权 访问令牌 public $access_token; //刷新 访问令牌 (过时时使用) public $refresh_token; // 最后一个收到的HTTP代码 (用于调试，忽略) public $http_code; //预留字段 (忽略) public $url; //设置 基础连接 public $host = "http://server.ruanwenwu.cn/index.php/home/oauth/"; //请求超时时间 public $timeout = 30; //连接超时时间 public $connecttimeout = 30; //是否验证 SSL 证书 public $ssl_verifypeer = FALSE; //请求结果处理格式 public $format = 'json'; //以 JSON_DECODE 方式解析 public $decode_json = TRUE; //预留字段 (忽略) public $http_info; //CURL 函数使用 (验证使用， 忽略) public $useragent = 'Mumayi Team OAuth2 v1.0'; //是否 开启 请求调试 (开启时 将输出 详细的请求结果) public $debug = FALSE; //边界 (CURL使用 写入在Header的分界线, 忽略) public static $boundary = ''; //返回 OAuth 令牌 请求地址 function accessTokenURL() { return $this->host.'access_token'; } //返回 OAuth 自动受权 请求地址 function authorizeURL() { return $this->host.'authorize'; } //构造函数 赋值 一些必要参数 function __construct($client_id, $client_secret, $access_token = NULL, $refresh_token = NULL) { $this->client_id = $client_id; $this->client_secret = $client_secret; $this->access_token = $access_token; $this->refresh_token = $refresh_token; // $this->debug = true; } /** * authorize接口 * * 对应API：{@link http://u.mumayi.com/oauth/authorize Oauth2/authorize} * * @param string $url 受权后的回调地址,站外应用需与回调地址一致,站内应用须要填写canvas page的地址 * @param string $response_type 支持的值包括 code 和token 默认值为code * @param string $state 用于保持请求和回调的状态。在回调时,会在Query Parameter中回传该参数 * @param string $display 受权页面类型 可选范围: * - default 默认受权页面 * - mobile 支持html5的手机 * - popup 弹窗受权页 * - wap1.2 wap1.2页面 * - wap2.0 wap2.0页面 * - js js-sdk 专用 受权页面是弹窗，返回结果为js-sdk回掉函数 * - apponweibo 站内应用专用,站内应用不传display参数,而且response_type为token时,默认使用改display.受权后不会返回access_token，只是输出js刷新站内应用父框架 * @return array */ function getAuthorizeURL( $url, $response_type = 'code', $state = NULL, $display = NULL ) { $params = array(); $params['client_id'] = $this->client_id; $params['redirect_uri'] = $url; $params['response_type'] = $response_type; $params['state'] = $state; $params['display'] = $display; return $this->authorizeURL() . "&" . http_build_query($params); } /** * access_token接口 * * 对应API：{@link http://open.weibo.com/wiki/OAuth2/access_token OAuth2/access_token} * * @param string $type 请求的类型,能够为:code, password, token * @param array $keys 其余参数： * - 当$type为code时： array('code'=>..., 'redirect_uri'=>...) * - 当$type为password时： array('username'=>..., 'password'=>...) * - 当$type为token时： array('refresh_token'=>...) * @return array */ function getAccessToken( $type = 'code', $keys ) { $params = array(); $params['client_id'] = $this->client_id; $params['client_secret'] = $this->client_secret; if ( $type === 'token' ) { $params['grant_type'] = 'refresh_token'; $params['refresh_token'] = $keys['refresh_token']; } elseif ( $type === 'code' ) { $params['grant_type'] = 'authorization_code'; $params['code'] = $keys['code']; $params['redirect_uri'] = $keys['redirect_uri']; } elseif ( $type === 'password' ) { $params['grant_type'] = 'password'; $params['username'] = $keys['username']; $params['password'] = $keys['password']; } else { echo json_encode(array('error' => '错误的受权类型['.$type.'(token, code)]')); die; } $response = $this->oAuthRequest($this->accessTokenURL(), 'POST', $params); //var_dump($response);die; $token = json_decode($response, true); if ( is_array($token) && !isset($token['error']) ) { $this->access_token = $token['access_token']; //$this->refresh_token = $token['refresh_token']; } else { echo json_encode(array('error' => '获取访问令牌失败。['.$token['error'].']')); die; } return $token; } /** * 解析 signed_request * * @param string $signed_request 应用框架在加载iframe时会经过向Canvas URL post的参数signed_request * * @return array */ function parseSignedRequest($signed_request) { list($encoded_sig, $payload) = explode('.', $signed_request, 2); $sig = self::base64decode($encoded_sig) ; $data = json_decode(self::base64decode($payload), true); if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') return '-1'; $expected_sig = hash_hmac('sha256', $payload, $this->client_secret, true); return ($sig !== $expected_sig)? '-2':$data; } /** * @ignore */ function base64decode($str) { return base64_decode(strtr($str.str_repeat('=', (4 - strlen($str) % 4)), '-_', '+/')); } /** * 读取jssdk受权信息，用于和jssdk的同步登陆 * * @return array 成功返回array('access_token'=>'value', 'refresh_token'=>'value'); 失败返回false */ function getTokenFromJSSDK() { $key = "mumayijs_" . $this->client_id; if ( isset($_COOKIE[$key]) && $cookie = $_COOKIE[$key] ) { parse_str($cookie, $token); if ( isset($token['access_token']) && isset($token['refresh_token']) ) { $this->access_token = $token['access_token']; $this->refresh_token = $token['refresh_token']; return $token; } else { return false; } } else { return false; } } /** * 从数组中读取access_token和refresh_token * 经常使用于从Session或Cookie中读取token，或经过Session/Cookie中是否存有token判断登陆状态。 * * @param array $arr 存有access_token和secret_token的数组 * @return array 成功返回array('access_token'=>'value', 'refresh_token'=>'value'); 失败返回false */ function getTokenFromArray( $arr ) { if (isset($arr['access_token']) && $arr['access_token']) { $token = array(); $this->access_token = $token['access_token'] = $arr['access_token']; if (isset($arr['refresh_token']) && $arr['refresh_token']) { $this->refresh_token = $token['refresh_token'] = $arr['refresh_token']; } return $token; } else { return false; } } /** * 以 GET 请求方式 请求 OAuth 验证服务器 * * @return mixed */ function get($url, $parameters = array()) { $response = $this->oAuthRequest($url, 'GET', $parameters); if ($this->format === 'json' && $this->decode_json) { return json_decode($response, true); } return $response; } /** * 以 POST 请求方式 请求 OAuth 验证服务器 * * @return mixed */ function post($url, $parameters = array(), $multi = false) { $response = $this->oAuthRequest($url, 'POST', $parameters, $multi ); if ($this->format === 'json' && $this->decode_json) { return json_decode($response, true); } return $response; } /** * 请求 OAuth 验证服务器 进行验证 * * @return string */ function oAuthRequest($url, $method, $parameters, $multi = false) { if (strrpos($url, 'http://') !== 0 && strrpos($url, 'https://') !== 0) { $url = "{$this->host}{$url}.{$this->format}"; } switch ($method) { case 'GET': if(!empty($parameters)) $url = $url . '&' . http_build_query($parameters); return $this->http($url, 'GET'); default: $headers = array(); if (!$multi && (is_array($parameters) || is_object($parameters)) ) { $body = http_build_query($parameters); } else { $body = self::build_http_query_multi($parameters); $headers[] = "Content-Type: multipart/form-data; boundary=" . self::$boundary; } //return $this->http($url, $method, $body, $headers); return $this->http($url, $method, $body, $headers); } } /** * 使用 CURL 模拟一个 HTTP 请求 * * @description (须要开启 CURL 扩展) * * @return string API results * */ function http($url, $method, $postfields = NULL, $headers = array()) { $this->http_info = array(); $ci = curl_init(); /* Curl settings */ curl_setopt($ci, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); curl_setopt($ci, CURLOPT_USERAGENT, $this->useragent); curl_setopt($ci, CURLOPT_CONNECTTIMEOUT, $this->connecttimeout); curl_setopt($ci, CURLOPT_TIMEOUT, $this->timeout); curl_setopt($ci, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ci, CURLOPT_ENCODING, ""); curl_setopt($ci, CURLOPT_SSL_VERIFYPEER, $this->ssl_verifypeer); curl_setopt($ci, CURLOPT_SSL_VERIFYHOST, 1); curl_setopt($ci, CURLOPT_HEADERFUNCTION, array($this, 'getHeader')); curl_setopt($ci, CURLOPT_HEADER, FALSE); switch ($method) { case 'POST': curl_setopt($ci, CURLOPT_POST, TRUE); if (!empty($postfields)) { curl_setopt($ci, CURLOPT_POSTFIELDS, $postfields); $this->postdata = $postfields; } break; case 'DELETE': curl_setopt($ci, CURLOPT_CUSTOMREQUEST, 'DELETE'); if (!empty($postfields)) { $url = "{$url}?{$postfields}"; } } if ( isset($this->access_token) && $this->access_token ) $headers[] = "Authorization: OAuth2 ".$this->access_token; if ( !empty($this->remote_ip) ) { if ( defined('SAE_ACCESSKEY') ) { $headers[] = "SaeRemoteIP: " . $this->remote_ip; } else { $headers[] = "API-RemoteIP: " . $this->remote_ip; } } else { if ( !defined('SAE_ACCESSKEY') ) { $headers[] = "API-RemoteIP: " . $_SERVER['REMOTE_ADDR']; } } curl_setopt($ci, CURLOPT_URL, $url ); curl_setopt($ci, CURLOPT_HTTPHEADER, $headers ); curl_setopt($ci, CURLINFO_HEADER_OUT, TRUE ); $response = curl_exec($ci); $this->http_code = curl_getinfo($ci, CURLINFO_HTTP_CODE); $this->http_info = array_merge($this->http_info, curl_getinfo($ci)); $this->url = $url; if ($this->debug) { echo "=====post data======\r\n"; var_dump($postfields); echo "=====headers======\r\n"; print_r($headers); echo '=====request info====='."\r\n"; print_r( curl_getinfo($ci) ); echo '=====response====='."\r\n"; print_r( $response ); } curl_close ($ci); return $response; } /** * 从结果中 获取 header 参数 (CURL 使用) * * @return int * * @ignore (忽略) */ function getHeader($ch, $header) { $i = strpos($header, ':'); if (!empty($i)) { $key = str_replace('-', '_', strtolower(substr($header, 0, $i))); $value = trim(substr($header, $i + 2)); $this->http_header[$key] = $value; } return strlen($header); } /** * 把要传递的参数 从新构造一下 (多维数组) * * @ignore (忽略) */ public static function build_http_query_multi($params) { if (!$params) return ''; uksort($params, 'strcmp'); $pairs = array(); self::$boundary = $boundary = uniqid('------------------'); $MPboundary = '--'.$boundary; $endMPboundary = $MPboundary. '--'; $multipartbody = ''; foreach ($params as $parameter => $value) { if( in_array($parameter, array('pic', 'image')) && $value{0} == '@' ) { $url = ltrim( $value, '@' ); $content = file_get_contents( $url ); $array = explode( '?', basename( $url ) ); $filename = $array[0]; $multipartbody .= $MPboundary . "\r\n"; $multipartbody .= 'Content-Disposition: form-data; name="' . $parameter . '"; filename="' . $filename . '"'. "\r\n"; $multipartbody .= "Content-Type: image/unknown\r\n\r\n"; $multipartbody .= $content. "\r\n"; } else { $multipartbody .= $MPboundary . "\r\n"; $multipartbody .= 'content-disposition: form-data; name="' . $parameter . "\"\r\n\r\n"; $multipartbody .= $value."\r\n"; } } $multipartbody .= $endMPboundary; return $multipartbody; } public function get_uid() { $hostUrl = 'http://server.ruanwenwu.cn/index.php/home/resource/userinfo?type=mumayi'; $params = array( 'access_token' => $this->access_token, ); return $this->get( $hostUrl, $params ); } }

注意：这个类的加载跟服务端采用的不一样的方式。这里用了命名空间。服务端用的vendor。

三、准备访问连接。

咱们经过这个url将用户导向server.ruanwenwu.cn进行受权，发送accesss_code操做。

我在client.ruanwenwu.cn的index控制器中实现的这个url。控制器里没有逻辑，我只贴index.html了：

<!doctype html> <html> <head></head> <body> <a href="http://server.ruanwenwu.cn/index.php/home/oauth/authorize?redirect_uri=http://client.ruanwenwu.cn/index.php/home/login&response_type=code&client_id=10009174&type=123456">登录</a> </body> </html>

注 意：这个url中redirect_uri,response_type为必选参数。并且这个redirect_uri必须包含咱们在服务端添加 oauth服务时写的那个redirect_uri。不然不能经过验证。（也就是说：在咱们这个例子里，这个redirect_uri必须包含：

http://client.ruanwenwu.cn/index.php/home/login

四、点击连接，跳转到服务端对应的url。实际上就是server.ruanwenwu.cn的authorize操做。在这里会对用户进行验证，并判断是否受权。

//权限验证 public function authorize() { if (IS_POST) { if(true){ //这个地方验证成功后要把用户的uid加进来 $_POST['user_id'] = 1; //这里是写死的，其实是从数据库读出来 $this -> oauth -> finishClientAuthorization(true, $_POST); //第一个参数很重要，是用户是否受权 } return; } ///表单准备 $auth_params = $this -> oauth -> getAuthorizeParams(); $this->assign("auth_params",$auth_params); $this->display(); }

注意看我在这个操做里写的注释。

验证成功后，页面又跳回到咱们以前写的redirect_uri，并带上了code参数，这就是验证服务器向客户端发送的access_code。

五、客户端拿到access_code，向验证服务器请求access_token。

在个人client.ruanwenwu.cn的loginController.class.php中进行：

<?php namespace Home\Controller; use Think\Controller; use Org\Util\Oauth2; class LoginController extends Controller{ public function _initialize(){ } public function index(){ $this->oauth = new Oauth2('10009174','123456'); $keys = array(); //keys 数组 赋值 code 值 (换取token, 必须参数) $keys['code'] = $_GET['code']; //keys 数组 赋值 回调地址信息 (换取token, 必须参数) $keys['redirect_uri'] = 'http://client.ruanwenwu.cn/index.php/home/login?type=mumayidev'; //根据 code 获取 token //var_dump( $token = $this->oauth->getAccessToken( 'code', $keys )) ; $token = $this->oauth->getAccessToken( 'code', $keys ) ; //如今已经获得token，而且将access_token写到对象里了。就能够请求资源了 var_dump( $this->oauth->get_uid()); die; } }

$token = $this->oauth->getAccessToken( 'code', $keys ) ; //这就是请求代码。code是验证方式。$keys数组里要code和redirect_uri。在服务器端须要验证

服务端的响应是这样的：

验证client.ruanwenwu.cn的client_id和secrete是否合法，还要判读access_code是否过时

public function access_token() { $this -> oauth -> grantAccessToken(); //这个方法里有全部的验证及生成access_token的操做。（会有数据库的写入） }

服务端生成access_token以后，会返回给客户端。

客户端拿到access_token以后，向资源服务器请求用户资源：

在这里个人验证服务器和资源服务器都是server.ruanwenwu.cn。我用resourceController.class.php来作资源控制：

<?php namespace Home\Controller; use Think\Controller; class ResourceController extends Controller{ protected $db; public function _initialize(){ $this->db = M(); } public function userinfo(){ // $arr = array("username"=>"阮文武","sex"=>1,"img"=>"http://weewrerfdf"); // echo json_encode($arr); // die; if(isset($_GET['access_token']) && $_GET['access_token']){ $res = $this->db->table("oauth_token")->where("access_token = '".$_GET['access_token']."'")->find(); if($res && count($res) > 0){ if($res['expires_in'] > time()){ $arr = array("username"=>"阮文武d","sex"=>1,"img"=>"http://weewrerfdf"); echo json_encode($arr); die; } } }; } }

若是access_token有效，就查到用户id，取出用户的信息。我这里只是作测试，因此就直接本身返回了数据。本来写的很详细，后来由于内容字段是text，没保存完整，这会时间比较赶，就写的简单一点。

再抽时间补充吧。

欢迎你们与我讨论哦。

 

 

http://www.tuicool.com/articles/u6beUju