This application is designed to demo the workflow between OAuth2.0 Clients and Servers.

If this is your first time here, try experimenting with the live demo to get a better feel for OAuth2.0 flows.

This library is running the OAuth2 Server PHP library.

Use Composer to install this application:

$ git clone git://github.com/bshaffer/oauth2-demo-php.git
$ cd oauth2-demo-php
$ curl -s http://getcomposer.org/installer | php
$ ./composer.phar install

Silex requires you to configure your web server to run it.

Be sure to run the command $ chmod -R 777 data/ in the project root so that the web server can create the sqlite file.

You can use php's built-in web server, however, you will need to spin up two instances and specify one of them in data/parameters.json in order to prevent the server from locking up. The client will issue a request to the server, and because PHP's built-in web server is single-threaded, this will result in deadlock.

$ cd oauth2-demo-php
$ cp data/parameters.json.dist data/parameters.json
$ sed -i '' 's?"grant"?"http://localhost:8081/lockdin/token"?g' data/parameters.json
$ sed -i '' 's?"access"?"http://localhost:8081/lockdin/resource"?g' data/parameters.json

Now all you have to do is spin up two separate web servers in the web directory

$ cd web
$ php -S localhost:8080 & php -S localhost:8081

Browse to http://localhost:8080 in your browser and you're all set!

This application simulates the interaction between an OAuth2 Client (Demo App) and OAuth2 Server (Lock'd In). To get started, access the Demo App homepage:

Clicking Authorize will send you to Lock'd In, which mimics a data provider (such as twitter, facebook, etc). Lock'd In assumes you are already signed in, and asks if you'd like to grant the Demo app access to your information:

Once you click Yes, I Authorize this Request, you will be redirected back to Demo App with an authorization code, which the client then exchanges for an Access Token. Demo App then makes another call to the Lock'd In APIs and uses the Access Token to retrieve the data on your behalf.

If all is successful, your data from Lock'd In will be displayed on the final page:

The OAuth2 Client can be used to test ANY OAuth2.0 server, and can be configured to do so using the the configuration file defined below.

The OAuth2 Server is created (see the setup method) and then used in the Controller Classes, which implement the following endpoints:

• /authorize - endpoint which grants the Demo App an authorization code
• /token - endpoint which grants the Demo App an access_token when supplied with the authorization code above
• /resource - endpoint which grants the Demo App access to your protected resources (in this case, your friends) when supplied the access token above

These are the three main functions of the OAuth2 server (authorize the user, grant the user tokens, and validate api calls). When you write your OAuth2-compatible servers, your interface will be similar.

Note: the above urls are prefixed with /server to namespace the application.

You can test this application against your own OAuth application with ease. Just copy over the parameters.json.dist file to parameters.json:

$ cd /path/to/oauth2-demo-php
$ cp data/parameters.json.dist data/parameters.json

Open the parameters.json file, and notice the default configuration:

{
  "client_id": "demoapp",
  "client_secret": "demopass",
  "token_route": "grant",
  "authorize_route": "authorize",
  "resource_route": "access",
  "resource_method": "GET",
  "resource_params": {},
  "curl_options": {}
}

This is the configuration for the default Lock'd In OAuth2 server. To test against your own, change those parameters to fit the api server you want to test against:

{
  "client_id": "OAuth Demo Application",
  "client_secret": "a3b4b74330724a927bec",
  "token_route": "https://api.myapp.com/token",
  "authorize_route": "https://myapp.com/authorize",
  "resource_route": "https://api.myapp.com/profile",
  "resource_method": "POST",
  "resource_params": { "debug": true },
  "curl_options": { "http_port": 443, "verifyssl": false }
}

The above example uses a new client to authenticate against a fictional oauth server at myapp.com. This is very useful when testing your application in production

Note: The curl options are set to ignore an SSL certificate, and the resource_params define a fictional debug parameter. These are not required for your APIs, but is meant as an example what can be done with the configuration

###Test in multiple environments

In addition, you can create multiple environments using the parameters.json file, and switch between them:

{
    "LockdIn": {
      "client_id": "demoapp",
      "client_secret": "demopass",
      "token_route": "grant",
      "authorize_route": "authorize",
      "resource_route": "access",
      "resource_method": "GET",
      "resource_params": {},
      "curl_options": {}
    },
    "My App": {
      "client_id": "OAuth Demo Application",
      "client_secret": "a3b4b74330724a927bec",
      "token_route": "https://api.myapp.com/token",
      "authorize_route": "https://myapp.com/authorize",
      "resource_route": "https://api.myapp.com/profile",
      "resource_method": "POST",
      "resource_params": { "debug": true },
      "curl_options": { "http_port": 443, "verifyssl": false }
    }
}

This will provide a dropdown at the top which will allow you to switch environments and test multiple OAuth servers

Please contact Brent Shaffer (bshafs <at> gmail <dot> com) for more information