Obtaining an Access Token

Enumerations

enum  OAUTH2_GRANT_TYPE_AUTH_CODE
enum  OAUTH2_GRANT_TYPE_USER_CREDENTIALS
enum  OAUTH2_GRANT_TYPE_ASSERTION
enum  OAUTH2_GRANT_TYPE_REFRESH_TOKEN
enum  OAUTH2_GRANT_TYPE_NONE
enum  OAUTH2_GRANT_TYPE_REGEXP

Functions

 setAccessToken ($oauth_token, $client_id, $expires, $scope=NULL)
 getSupportedGrantTypes ()
 checkRestrictedGrantType ($client_id, $grant_type)
 getAuthCode ($code)
 setAuthCode ($code, $client_id, $redirect_uri, $expires, $scope=NULL)
 checkUserCredentials ($client_id, $username, $password)
 checkAssertion ($client_id, $assertion_type, $assertion)
 getRefreshToken ($refresh_token)
 setRefreshToken ($refresh_token, $client_id, $expires, $scope=NULL)
 unsetRefreshToken ($refresh_token)
 checkNoneAccess ($client_id)
 grantAccessToken ()
 createAccessToken ($client_id, $scope=NULL)
 genAccessToken ()
 sendJsonHeaders ()

Detailed Description

The client obtains an access token by authenticating with the authorization server and presenting its access grant (in the form of an authorization code, resource owner credentials, an assertion, or a refresh token).

See also:
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4

Enumeration Type Documentation

OAUTH2_GRANT_TYPE_ASSERTION

Denotes "assertion" grant types (for token obtaining).

Definition at line 138 of file OAuth2.inc.

OAUTH2_GRANT_TYPE_AUTH_CODE

Denotes "authorization_code" grant types (for token obtaining).

Definition at line 128 of file OAuth2.inc.

OAUTH2_GRANT_TYPE_NONE

Denotes "none" grant types (for token obtaining).

Definition at line 148 of file OAuth2.inc.

OAUTH2_GRANT_TYPE_REFRESH_TOKEN

Denotes "refresh_token" grant types (for token obtaining).

Definition at line 143 of file OAuth2.inc.

OAUTH2_GRANT_TYPE_REGEXP

Regex to filter out the grant type.

Definition at line 153 of file OAuth2.inc.

OAUTH2_GRANT_TYPE_USER_CREDENTIALS

Denotes "password" grant types (for token obtaining).

Definition at line 133 of file OAuth2.inc.


Function Documentation

checkAssertion ( client_id, assertion_type, assertion ) [protected, inherited]

Grant access tokens for assertions.

Check the supplied assertion for validity.

You can also use the $client_id param to do any checks required based on a client, if you need that.

Required for OAUTH2_GRANT_TYPE_ASSERTION.

Parameters:
$client_id Client identifier to check against.
$assertion_type The format of the assertion as defined by the authorization server.
$assertion The assertion.
Returns:
TRUE if the assertion is valid, and FALSE if it isn't. Moreover, if the assertion is valid, and you want to verify the scope of an access request, return an associative array with the scope values as below. We'll check the scope you provide against the requested scope before providing an access token:
 return array(
   'scope' => <stored scope values (space-separated string)>,
 );
See also:
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.3

Definition at line 714 of file OAuth2.inc.

Referenced by OAuth2::grantAccessToken().

checkNoneAccess ( client_id  )  [protected, inherited]

Grant access tokens for the "none" grant type.

Not really described in the IETF Draft, so I just left a method stub... Do whatever you want!

Required for OAUTH2_GRANT_TYPE_NONE.

Definition at line 799 of file OAuth2.inc.

Referenced by OAuth2::grantAccessToken().

checkRestrictedGrantType ( client_id, grant_type ) [protected, inherited]

Check restricted grant types of corresponding client identifier.

If you want to restrict clients to certain grant types, override this function.

Parameters:
$client_id Client identifier to check against.
$grant_type Grant type to check; one of the values contained in OAUTH2_GRANT_TYPE_REGEXP.
Returns:
TRUE if the grant type is supported by this client identifier, and FALSE if it isn't.

Definition at line 586 of file OAuth2.inc.

Referenced by OAuth2::grantAccessToken().

checkUserCredentials ( client_id, username, password ) [protected, inherited]

Grant access tokens for basic user credentials.

Check the supplied username and password for validity.

You can also use the $client_id param to do any checks required based on a client, if you need that.

Required for OAUTH2_GRANT_TYPE_USER_CREDENTIALS.

Parameters:
$client_id Client identifier to check against.
$username Username to check.
$password Password to check.
Returns:
TRUE if the username and password are valid, and FALSE if they aren't. Moreover, if the username and password are valid, and you want to verify the scope of a user's access, return an associative array with the scope values as below. We'll check the scope you provide against the requested scope before providing an access token:
 return array(
   'scope' => <stored scope values (space-separated string)>,
 );
See also:
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.2

Definition at line 677 of file OAuth2.inc.

Referenced by OAuth2::grantAccessToken().
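
An added example, not code from oauth2-php, of the two overrides described above: a deny-by-default grant-type allowlist for checkRestrictedGrantType() and a checkUserCredentials() that returns the stored scope. The class name, the in-memory client and user tables and their contents are constructed for illustration; in a real provider these methods would be protected overrides in your OAuth2 subclass.

```php
<?php
// Added example, not part of oauth2-php. The values are the grant-type
// strings this page documents; the guard avoids redefining the library's own.
defined('OAUTH2_GRANT_TYPE_AUTH_CODE') || define('OAUTH2_GRANT_TYPE_AUTH_CODE', 'authorization_code');
defined('OAUTH2_GRANT_TYPE_USER_CREDENTIALS') || define('OAUTH2_GRANT_TYPE_USER_CREDENTIALS', 'password');
defined('OAUTH2_GRANT_TYPE_REFRESH_TOKEN') || define('OAUTH2_GRANT_TYPE_REFRESH_TOKEN', 'refresh_token');

// Hypothetical stand-alone class so the example runs without the library;
// methods are public here only so the demo calls at the bottom can reach them.
class ExampleGrantPolicy {
  private $clients; // client_id => permitted grant types (constructed data)
  private $users;   // username => password hash and stored scope (constructed data)

  public function __construct() {
    $this->clients = array(
      'first-party-app' => array(OAUTH2_GRANT_TYPE_USER_CREDENTIALS, OAUTH2_GRANT_TYPE_REFRESH_TOKEN),
      'partner-site'    => array(OAUTH2_GRANT_TYPE_AUTH_CODE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN),
    );
    $this->users = array(
      'alice' => array('hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'scope' => 'profile email'),
    );
  }

  // Deny by default: unknown clients and unlisted grant types get FALSE.
  public function checkRestrictedGrantType($client_id, $grant_type) {
    return is_string($client_id) && isset($this->clients[$client_id])
      && in_array($grant_type, $this->clients[$client_id], TRUE);
  }

  // Returns FALSE on failure, or the stored scope so the caller can compare
  // it with the requested scope before issuing a token.
  public function checkUserCredentials($client_id, $username, $password) {
    if (!$this->checkRestrictedGrantType($client_id, OAUTH2_GRANT_TYPE_USER_CREDENTIALS)) {
      return FALSE;
    }
    if (!is_string($username) || !is_string($password) || !isset($this->users[$username])) {
      return FALSE;
    }
    $user = $this->users[$username];
    return password_verify($password, $user['hash']) ? array('scope' => $user['scope']) : FALSE;
  }
}

$policy = new ExampleGrantPolicy();
var_dump($policy->checkRestrictedGrantType('partner-site', OAUTH2_GRANT_TYPE_USER_CREDENTIALS));
var_dump($policy->checkUserCredentials('first-party-app', 'alice', 'correct horse'));
var_dump($policy->checkUserCredentials('partner-site', 'alice', 'correct horse'));
```

The third call fails even though the password is correct, because the constructed 'partner-site' client is not allowed the password grant.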

createAccessToken ( client_id, scope = NULL ) [protected, inherited]

Handle the creation of an access token, and also issue a refresh token if supported.

This belongs in a separate factory, but to keep it simple, I'm just keeping it here.

Parameters:
$client_id Client identifier related to the access token.
$scope (optional) Scopes to be stored in space-separated string.

Definition at line 1320 of file OAuth2.inc.

References OAuth2::genAccessToken(), OAuth2::getSupportedGrantTypes(), OAuth2::getVariable(), OAuth2::setAccessToken(), OAuth2::setRefreshToken(), and OAuth2::unsetRefreshToken().

Referenced by OAuth2::finishClientAuthorization(), and OAuth2::grantAccessToken().

genAccessToken (  )  [protected, inherited]

Generate unique access token.

Implementing classes may want to override this function to implement other access token or auth code generation schemes.

Returns:
A unique access token.

Definition at line 1374 of file OAuth2.inc.

Referenced by OAuth2::createAccessToken().

getAuthCode ( code  )  [protected, inherited]

Fetch authorization code data (probably the most common grant type).

Retrieve the stored data for the given authorization code.

Required for OAUTH2_GRANT_TYPE_AUTH_CODE.

Parameters:
$code Authorization code to check.
Returns:
An associative array as below, and NULL if the code is invalid:
  • client_id: Stored client identifier.
  • redirect_uri: Stored redirect URI.
  • expires: Stored expiration in unix timestamp.
  • scope: (optional) Stored scope values in space-separated string.
See also:
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.1

Reimplemented in MongoOAuth2, and PDOOAuth2.

Definition at line 613 of file OAuth2.inc.

Referenced by OAuth2::grantAccessToken().

getRefreshToken ( refresh_token  )  [protected, inherited]

Grant refresh access tokens.

Retrieve the stored data for the given refresh token.

Required for OAUTH2_GRANT_TYPE_REFRESH_TOKEN.

Parameters:
$refresh_token Refresh token to check.
Returns:
An associative array as below, and NULL if the refresh_token is invalid:
  • client_id: Stored client identifier.
  • expires: Stored expiration unix timestamp.
  • scope: (optional) Stored scope values in space-separated string.
See also:
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.4

Definition at line 739 of file OAuth2.inc.

Referenced by OAuth2::grantAccessToken().

getSupportedGrantTypes (  )  [protected, inherited]

Return supported grant types.

You should override this function with something, or else your OAuth provider won't support any grant types!

Returns:
A list as below. If you support all grant types, then you'd do:

Reimplemented in MongoOAuth2, and PDOOAuth2.

Definition at line 493 of file OAuth2.inc.

Referenced by OAuth2::createAccessToken(), and OAuth2::grantAccessToken().

grantAccessToken (  )  [inherited]

Grant or deny a requested access token.

This would be called from the "/token" endpoint as defined in the spec. Obviously, you can call your endpoint whatever you want.

See also:
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4

Definition at line 986 of file OAuth2.inc.

References OAuth2::checkAssertion(), OAuth2::checkClientCredentials(), OAuth2::checkNoneAccess(), OAuth2::checkRestrictedGrantType(), OAuth2::checkScope(), OAuth2::checkUserCredentials(), OAuth2::createAccessToken(), OAuth2::errorJsonResponse(), OAuth2::getAuthCode(), OAuth2::getClientCredentials(), OAuth2::getRefreshToken(), OAuth2::getSupportedGrantTypes(), OAuth2::sendJsonHeaders(), and OAuth2::setVariable().

sendJsonHeaders (  )  [private, inherited]

Send out HTTP headers for JSON.

See also:
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.2
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3

Definition at line 1428 of file OAuth2.inc.

Referenced by OAuth2::errorJsonResponse(), and OAuth2::grantAccessToken().

setAccessToken ( oauth_token, client_id, expires, scope = NULL ) [abstract, protected, inherited]

Store the supplied access token values to storage.

We need to store access token data as we create and verify tokens.

Parameters:
$oauth_token oauth_token to be stored.
$client_id Client identifier to be stored.
$expires Expiration to be stored.
$scope (optional) Scopes to be stored in space-separated string.

Reimplemented in MongoOAuth2, and PDOOAuth2.

Referenced by OAuth2::createAccessToken().

setAuthCode ( code, client_id, redirect_uri, expires, scope = NULL ) [protected, inherited]

Take the provided authorization code values and store them somewhere.

This function should be the storage counterpart to getAuthCode().

If storage fails for some reason, we're not currently checking for any sort of success/failure, so you should bail out of the script and provide a descriptive fail message.

Required for OAUTH2_GRANT_TYPE_AUTH_CODE.

Parameters:
$code Authorization code to be stored.
$client_id Client identifier to be stored.
$redirect_uri Redirect URI to be stored.
$expires Expiration to be stored.
$scope (optional) Scopes to be stored in space-separated string.

Reimplemented in MongoOAuth2, and PDOOAuth2.

Definition at line 641 of file OAuth2.inc.

Referenced by OAuth2::createAuthCode().

setRefreshToken ( refresh_token, client_id, expires, scope = NULL ) [protected, inherited]

Take the provided refresh token values and store them somewhere.

This function should be the storage counterpart to getRefreshToken().

If storage fails for some reason, we're not currently checking for any sort of success/failure, so you should bail out of the script and provide a descriptive fail message.

Required for OAUTH2_GRANT_TYPE_REFRESH_TOKEN.

Parameters:
$refresh_token Refresh token to be stored.
$client_id Client identifier to be stored.
$expires Expiration to be stored.
$scope (optional) Scopes to be stored in space-separated string.

Definition at line 765 of file OAuth2.inc.

Referenced by OAuth2::createAccessToken().

unsetRefreshToken ( refresh_token  )  [protected, inherited]

Expire a used refresh token.

This is not explicitly required in the spec, but is almost implied. After granting a new refresh token, the old one is no longer useful and so should be forcibly expired in the data store so it can't be used again.

If storage fails for some reason, we're not currently checking for any sort of success/failure, so you should bail out of the script and provide a descriptive fail message.

Parameters:
$refresh_token Refresh token to be expired.

Definition at line 785 of file OAuth2.inc.

Referenced by OAuth2::createAccessToken().
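
An added example, not code from oauth2-php, of the storage behaviour described for getRefreshToken(), setRefreshToken() and unsetRefreshToken(): a used refresh token is removed so a replay of it is rejected. The class name, the in-memory array, the digest-keyed index and the rotate() helper are assumptions made for this sketch.

```php
<?php
// Added example, not part of oauth2-php: in-memory refresh-token storage with
// single-use rotation. Class name, array store and rotate() are hypothetical.
class ExampleRefreshTokenStore {
  private $tokens = array(); // sha256(token) => stored row

  // Index by digest so a dump of the store does not reveal usable tokens.
  private function key($refresh_token) {
    return hash('sha256', $refresh_token);
  }

  public function setRefreshToken($refresh_token, $client_id, $expires, $scope = NULL) {
    if (!is_string($refresh_token) || $refresh_token === '') {
      // The caller does not check for storage failure, so stop loudly.
      throw new RuntimeException('refresh token could not be stored');
    }
    $this->tokens[$this->key($refresh_token)] = array(
      'client_id' => $client_id, 'expires' => $expires, 'scope' => $scope,
    );
  }

  // Returns the stored row, or NULL for unknown, revoked or expired tokens.
  public function getRefreshToken($refresh_token) {
    $k = is_string($refresh_token) ? $this->key($refresh_token) : '';
    if (!isset($this->tokens[$k]) || $this->tokens[$k]['expires'] < time()) return NULL;
    return $this->tokens[$k];
  }

  public function unsetRefreshToken($refresh_token) {
    unset($this->tokens[$this->key($refresh_token)]);
  }

  // Retire the old token first, then store the replacement, so a storage
  // failure can never leave both tokens valid at once.
  public function rotate($old, $new, $lifetime) {
    $row = $this->getRefreshToken($old);
    if ($row === NULL) return FALSE;
    $this->unsetRefreshToken($old);
    $this->setRefreshToken($new, $row['client_id'], time() + $lifetime, $row['scope']);
    return TRUE;
  }
}

$store = new ExampleRefreshTokenStore();
$store->setRefreshToken('old-token-constructed', 'first-party-app', time() + 3600, 'profile');
var_dump($store->rotate('old-token-constructed', bin2hex(random_bytes(32)), 1209600));
var_dump($store->getRefreshToken('old-token-constructed')); // replay of the retired token
```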

Generated on Tue Jan 25 2011 17:54:04 for oauth2-php by  doxygen 1.7.1