OAuth2 supports authentication by OAuth2 2-legged flows.

It primarily supports

  • service account authorization
  • authorization where a user already has an access token
Cloneable, Instantiable
Implements Google\Auth\FetchAuthTokenInterface
Constants
public Google\Auth\OAuth2::DEFAULT_EXPIRY_SECONDS = 3600
public Google\Auth\OAuth2::DEFAULT_SKEW_SECONDS = 60
public Google\Auth\OAuth2::JWT_URN = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
Properties
public static $knownGrantTypes = ['authorization_code', 'refresh_token', 'password', 'client_credentials']
 

The well known grant types.

  • var array
public static $knownSigningAlgorithms = ['HS256', 'HS512', 'HS384', 'RS256']
 

TODO: determine known methods from the keys of JWT::methods.

Methods
public __construct(array $config)
 

Create a new OAuthCredentials.

The configuration array accepts various options

  • authorizationUri
    The authorization server's HTTP endpoint capable of
    authenticating the end-user and obtaining authorization.

  • tokenCredentialUri
    The authorization server's HTTP endpoint capable of issuing
    tokens and refreshing expired tokens.

  • clientId
    A unique identifier issued to the client to identify itself to the
    authorization server.

  • clientSecret
    A shared symmetric secret issued by the authorization server,
    which is used to authenticate the client.

  • scope
    The scope of the access request, expressed either as an Array
    or as a space-delimited String.

  • state
    An arbitrary string designed to allow the client to maintain state.

  • redirectUri
    The redirection URI used in the initial request.

  • username
    The resource owner's username.

  • password
    The resource owner's password.

  • issuer
    Issuer ID when using assertion profile

  • audience
    Target audience for assertions

  • expiry
    Number of seconds assertions are valid for

  • signingKey
    Signing key when using assertion profile

  • signingKeyId
    Signing key id when using assertion profile

  • refreshToken
    The refresh token associated with the access token
    to be refreshed.

  • accessToken
    The current access token for this client.

  • idToken
    The current ID token for this client.

  • extensionParams
    When using an extension grant type, this is the set of parameters used
    by that extension.

public buildFullAuthorizationUri(array $config = [])

Builds the authorization Uri that the user should be redirected to.

  • return UriInterface the authorization Url.
  • throws InvalidArgumentException

public fetchAuthToken(?callable $httpHandler = NULL)

Fetches the auth tokens based on the current state.

  • return array the response

public generateCredentialsRequest()

Generates a request for token credentials.

  • return RequestInterface the authorization Url.

public getAccessToken()

Gets the current access token.

public getAdditionalClaims()

Gets the additional claims to be included in the JWT token.

  • return array

public getAudience()

Gets the target audience when issuing assertions.

public getAuthorizationUri()

Gets the authorization server's HTTP endpoint capable of authenticating
the end-user and obtaining authorization.

  • return UriInterface

public getCacheKey()

Obtains a key that can be used to cache the results of #fetchAuthToken.

The key is derived from the scopes.

  • return string a key that may be used to cache the auth token.

public getClientId()

Gets a unique identifier issued to the client to identify itself to the
authorization server.

public getClientName(?callable $httpHandler = NULL)

Get the client ID.

Alias of \Google\Auth\OAuth2::getClientId().

  • return string
  • access private

public getClientSecret()

Gets a shared symmetric secret issued by the authorization server, which
is used to authenticate the client.

public getCode()

Gets the authorization code issued to this client.

public getExpiresAt()

Gets the time the current access token expires at.

  • return int

public getExpiresIn()

Gets the lifetime of the access token in seconds.

public getExpiry()

Gets the number of seconds assertions are valid for.

public getExtensionParams()

Gets the set of parameters used by extension when using an extension
grant type.

public getGrantType()

Gets the current grant type.

  • return string

public getIdToken()

Gets the current ID token.

public getIssuedAt()

Gets the time the current access token was issued at.

public getIssuer()

Gets the Issuer ID when using assertion profile.

public getLastReceivedToken()

The expiration of the last received token.

  • return array

public getPassword()

Gets the resource owner's password.

public getRedirectUri()

Gets the redirection URI used in the initial request.

  • return string

public getRefreshToken()

Gets the refresh token associated with the current access token.

public getScope()

Gets the scope of the access requests as a space-delimited String.

  • return string

public getSigningAlgorithm()

Gets the signing algorithm when using an assertion profile.

  • return string

public getSigningKey()

Gets the signing key when using an assertion profile.

public getSigningKeyId()

Gets the signing key id when using an assertion profile.

  • return string

public getState()

Gets an arbitrary string designed to allow the client to maintain state.

  • return string

public getSub()

Gets the target sub when issuing assertions.

public getTokenCredentialUri()

Gets the authorization server's HTTP endpoint capable of issuing tokens
and refreshing expired tokens.

  • return string

public getUsername()

Gets the resource owner's username.

public isExpired()

Returns true if the access token has expired.

  • return bool

public parseTokenResponse(Psr\Http\Message\ResponseInterface $resp)

Parses the fetched tokens.

  • return array the tokens parsed from the response body.
  • throws Exception

public setAccessToken($accessToken)

Sets the current access token.

public setAdditionalClaims(array $additionalClaims)

Sets additional claims to be included in the JWT token

public setAudience($audience)

Sets the target audience when issuing assertions.

public setAuthorizationUri($uri)

Sets the authorization server's HTTP endpoint capable of authenticating
the end-user and obtaining authorization.

public setClientId($clientId)

Sets a unique identifier issued to the client to identify itself to the
authorization server.

public setClientSecret($clientSecret)

Sets a shared symmetric secret issued by the authorization server, which
is used to authenticate the client.

public setCode($code)

Sets the authorization code issued to this client.

public setExpiresAt($expiresAt)

Sets the time the current access token expires at.

public setExpiresIn($expiresIn)

Sets the lifetime of the access token in seconds.

public setExpiry($expiry)

Sets the number of seconds assertions are valid for.

public setExtensionParams($extensionParams)

Sets the set of parameters used by extension when using an extension
grant type.

public setGrantType($grantType)

Sets the current grant type.

  • throws InvalidArgumentException

public setIdToken($idToken)

Sets the current ID token.

public setIssuedAt($issuedAt)

Sets the time the current access token was issued at.

public setIssuer($issuer)

Sets the Issuer ID when using assertion profile.

public setPassword($password)

Sets the resource owner's password.

public setRedirectUri($uri)

Sets the redirection URI used in the initial request.

public setRefreshToken($refreshToken)

Sets the refresh token associated with the current access token.

public setScope($scope)

Sets the scope of the access request, expressed either as an Array or as
a space-delimited String.

  • throws InvalidArgumentException

public setSigningAlgorithm($signingAlgorithm)

Sets the signing algorithm when using an assertion profile.

public setSigningKey($signingKey)

Sets the signing key when using an assertion profile.

public setSigningKeyId($signingKeyId)

Sets the signing key id when using an assertion profile.

public setState($state)

Sets an arbitrary string designed to allow the client to maintain state.

public setSub($sub)

Sets the target sub when issuing assertions.

public setTokenCredentialUri($uri)

Sets the authorization server's HTTP endpoint capable of issuing tokens
and refreshing expired tokens.

public setUsername($username)

Sets the resource owner's username.

public toJwt(array $config = [])

Obtains the encoded jwt from the instance data.

  • return string

public updateToken(array $config)

Updates an OAuth 2.0 client.

Example:

    $oauth->updateToken([
        'refresh_token' => 'n4E9O119d',
        'access_token' => 'FJQbwq9',
        'expires_in' => 3600
    ]);

public verifyIdToken($publicKey = NULL, $allowed_algs = [])

Verifies the idToken if present.

  • if none is present, return null
  • if present, but invalid, raises DomainException.
  • otherwise returns the payload in the idtoken as a PHP object.

The behavior of this method varies depending on the version of
firebase/php-jwt you are using. In versions lower than 3.0.0, if
$publicKey is null, the key is decoded without being verified. In
newer versions, if a public key is not given, this method will throw an
\InvalidArgumentException.

  • throws DomainException if the token is missing an audience.
  • throws DomainException if the audience does not match the one set in the OAuth2 class instance.
  • throws UnexpectedValueException If the token is invalid
  • throws SignatureInvalidException If the signature is invalid.
  • throws BeforeValidException If the token is not yet valid.
  • throws ExpiredException If the token has expired.
  • return null|object

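One way to call verifyIdToken() so that it fails closed whichever firebase/php-jwt version is installed, shown as an added example that is not part of google/auth or of this reference. The helper name verifyIdTokenStrict, the issuer and audience strings and the throwaway key pair are assumptions constructed for the demonstration; the token is minted with the class's own toJwt() so the script runs offline.

```php
<?php
// Added example, not google/auth code. Assumes google/auth and firebase/php-jwt
// are installed with Composer and that ext-openssl is available.
require __DIR__ . '/vendor/autoload.php';

use Google\Auth\OAuth2;

/**
 * Hypothetical helper: verify the ID token held by $oauth and fail closed.
 * Returns the payload object only when signature, validity window and
 * audience all check out; returns null otherwise.
 */
function verifyIdTokenStrict(OAuth2 $oauth, ?string $publicKeyPem): ?object
{
    // Never call verifyIdToken() with a null key: with firebase/php-jwt < 3.0.0
    // that path decodes the token without verifying it.
    if ($publicKeyPem === null || $publicKeyPem === '') {
        error_log('ID token rejected: no verification key configured');
        return null;
    }
    // verifyIdToken() compares the token's aud with the instance's audience,
    // so an unset audience is a configuration error, not a pass.
    if ($oauth->getAudience() === null) {
        error_log('ID token rejected: no expected audience configured');
        return null;
    }
    try {
        // Pin the accepted algorithm rather than passing the default empty list.
        return $oauth->verifyIdToken($publicKeyPem, ['RS256']);
    } catch (\DomainException $e) {
        // Raised for a missing or mismatched audience (see the list above).
        error_log('ID token rejected: ' . $e->getMessage());
    } catch (\UnexpectedValueException $e) {
        // Malformed token; in firebase/php-jwt the signature, not-yet-valid and
        // expired exceptions extend this class as well.
        error_log('ID token rejected: ' . $e->getMessage());
    }
    return null;
}

// Constructed demo data: a throwaway RSA key pair and made-up identifiers.
$pair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

// Mint a token with the class's own toJwt() so the script runs offline.
$minter = new OAuth2([
    'issuer'     => 'https://issuer.example',
    'audience'   => 'client-123.example',
    'signingKey' => $privatePem,
]);
$minter->setSigningAlgorithm('RS256');
$token = $minter->toJwt();

// Case 1: expected audience matches the token's aud claim.
$matching = new OAuth2(['audience' => 'client-123.example']);
$matching->setIdToken($token);

// Case 2: same token presented to a client expecting a different audience.
$mismatched = new OAuth2(['audience' => 'other-client.example']);
$mismatched->setIdToken($token);

foreach ([
    'matching audience'   => [$matching, $publicPem],
    'mismatched audience' => [$mismatched, $publicPem],
    'no key supplied'     => [$matching, null],
] as $label => [$oauth, $key]) {
    $payload = verifyIdTokenStrict($oauth, $key);
    printf("%-20s %s\n", $label, $payload !== null ? 'accepted' : 'rejected');
}
```
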
Properties

private $accessToken

The current access token.

  • var string

private $additionalClaims

When using the toJwt function, these claims will be added to the JWT
payload.

private $audience

The target audience for assertions.

  • var string

private $authorizationUri

  • authorizationUri
    The authorization server's HTTP endpoint capable of
    authenticating the end-user and obtaining authorization.
  • var UriInterface

private $clientId

A unique identifier issued to the client to identify itself to the
authorization server.

  • var string

private $clientSecret

A shared symmetric secret issued by the authorization server, which is
used to authenticate the client.

  • var string

private $code

The authorization code issued to this client.

Only used by the authorization code access grant type.

  • var string

private $expiresAt

The expiration time of the access token as a number of seconds since the
unix epoch.

  • var int

private $expiresIn

The lifetime in seconds of the current access token.

  • var int

private $expiry

The number of seconds assertions are valid for.

  • var int

private $extensionParams

When using an extension grant type, this is the set of parameters used by
that extension.

private $grantType

The current grant type.

  • var string

private $idToken

The current ID token.

  • var string

private $issuedAt

The issue time of the access token as a number of seconds since the unix
epoch.

  • var int

private $issuer

The issuer ID when using assertion profile.

  • var string

private $password

The resource owner's password.

  • var string

private $redirectUri

The redirection URI used in the initial request.

  • var string

private $refreshToken

The refresh token associated with the access token to be refreshed.

  • var string

private $scope

The scope of the access request, expressed either as an Array or as a
space-delimited string.

  • var array

private $signingAlgorithm

The signing algorithm when using an assertion profile.

  • var string

private $signingKey

The signing key when using assertion profile.

  • var string

private $signingKeyId

The signing key id when using assertion profile. Param kid in jwt header.

  • var string

private $state

An arbitrary string designed to allow the client to maintain state.

  • var string

private $sub

The target sub when issuing assertions.

  • var string

private $tokenCredentialUri

  • tokenCredentialUri
    The authorization server's HTTP endpoint capable of issuing
    tokens and refreshing expired tokens.
  • var UriInterface

private $username

The resource owner's username.

  • var string

Methods

private addClientCredentials($params)

  • return array

private coerceUri($uri)

  • todo handle uri as array
  • return null|\UriInterface

private isAbsoluteUri($uri)

Determines if the URI is absolute based on its scheme and host or path
(RFC 3986).

  • return bool

private jwtDecode($idToken, $publicKey, $allowedAlgs)

  • return object

private jwtEncode($assertion, $signingKey, $signingAlgorithm, $signingKeyId = NULL)

© 2020 Bruce Wells