A simple PHP implementation of the OAuth 2.0 protocol that uses the BTCjam Authenticated API.
This is a working example; it does not cover the full BTCjam API, but demonstrates the OAuth2 protocol flow needed to retrieve data from the API endpoint.
There didn't seem to be any really super-slim OAuth2 libraries in PHP. For example, Google's implementation contains dozens of files and is very difficult to tweak, should your quirky API ask for it.
This repo contains a library that implements a simpler subset of RFC 6749. (Not all features are included, since most use cases do not need them.)
BTCjam.com is the world's largest bitcoin peer-to-peer lending marketplace, where borrowers get great rates and investors get great returns. It has been around for years and is very reliable.
RFC 6749: "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf." (October 2012)
The use cases covered by the framework are:
- Web-server applications
- Browser-based applications
- Mobile apps
- Username and password access
- Application access
In all these use cases, the goal of the OAuth2 protocol is to obtain a token string that the Client presents to the Resource Server. This token is used to authenticate every API call via the Authorization HTTP header. Below is an example of the Bearer token (RFC 6750), the most widely used OAuth2 token type:
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
Some issues with the larger existing libraries include:
- Interoperability prohibits just creating great products
- Must make many modifications to static references
- The authentication protocol must be customized
- There are too many class files, which makes modification complex.
- Requires composer to install the package of classes
- You do not need most of the functions available
All web applications that use OAuth2 must have credentials that identify the application to the OAuth2 server.
To obtain web application credentials for your project, complete these steps:
- Visit the web site of the API provider and open the BTCjam API Settings page.
- Enter a name for this endpoint.
- Enter a Redirect URI, which handles responses from the OAuth2 server.
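The following is an added example, not the library code from this repo, of the flow described above: the application is sent to the authorization endpoint with the credentials obtained in the steps just listed, exchanges the returned code for an access token, and then calls the API with the Bearer token in the Authorization header. The endpoint URLs, the API path, and the credential values are assumed placeholders; take the real values from the BTCjam API Settings page. It assumes PHP 7+ with the curl extension.

```php
<?php
// Added example (not the repository's own library code): a minimal OAuth 2.0
// authorization-code flow in plain PHP using curl. The endpoint URLs, client
// credentials and API path below are ASSUMED placeholders; take the real
// values from the BTCjam API Settings page.

const AUTHORIZE_URL = 'https://example.com/oauth/authorize';  // assumed
const TOKEN_URL     = 'https://example.com/oauth/token';      // assumed
const API_BASE      = 'https://example.com/api/v1';           // assumed
const CLIENT_ID     = 'YOUR_CLIENT_ID';                       // from the API Settings page
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET';                   // from the API Settings page
const REDIRECT_URI  = 'https://yourapp.example/callback.php'; // the Redirect URI you registered

session_start();

// Step 1: send the resource owner to the authorization endpoint. The random
// 'state' value is kept in the session and checked on return, so a foreign
// authorization code cannot be spliced into this user's session (CSRF).
function buildAuthorizationUrl(): string {
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth2_state'] = $state;
    $query = http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $state,
    ]);
    return AUTHORIZE_URL . '?' . $query;
}

// Minimal HTTPS helper: keeps certificate verification on and fails closed
// on transport errors or non-JSON replies.
function httpRequest(string $url, array $headers = [], ?array $postFields = null): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    if ($postFields !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postFields));
    }
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("HTTP request failed: $err");
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    $decoded = json_decode($body, true);
    if ($status !== 200 || !is_array($decoded)) {
        throw new RuntimeException("Unexpected response (HTTP $status)");
    }
    return $decoded;
}

// Step 2: on the redirect back, verify 'state' and exchange the one-time
// authorization code for an access token at the token endpoint.
function exchangeCodeForToken(array $get): array {
    if (!isset($get['state'], $get['code'], $_SESSION['oauth2_state'])
        || !hash_equals($_SESSION['oauth2_state'], $get['state'])) {
        throw new RuntimeException('OAuth2 state mismatch or missing code');
    }
    unset($_SESSION['oauth2_state']); // state is single use
    return httpRequest(TOKEN_URL, ['Accept: application/json'], [
        'grant_type'    => 'authorization_code',
        'code'          => $get['code'],
        'redirect_uri'  => REDIRECT_URI,
        'client_id'     => CLIENT_ID,
        'client_secret' => CLIENT_SECRET,
    ]);
}

// Step 3: call the resource server with the Bearer token (RFC 6750) in the
// Authorization header.
function apiGet(string $path, string $accessToken): array {
    return httpRequest(API_BASE . $path, [
        'Authorization: Bearer ' . $accessToken,
        'Accept: application/json',
    ]);
}

// Usage (callback.php): redirect on first visit, exchange the code on return.
if (!isset($_GET['code'])) {
    header('Location: ' . buildAuthorizationUrl());
    exit;
}
$token = exchangeCodeForToken($_GET);
$_SESSION['access_token'] = $token['access_token'];
$me = apiGet('/users/me', $_SESSION['access_token']); // '/users/me' is an assumed path
echo htmlspecialchars(json_encode($me));
```

The state check and the constant-time comparison with hash_equals are the parts worth keeping even if you strip everything else down: without them any page that can make the user's browser hit the Redirect URI can complete the flow with a code of its own choosing. The client secret belongs in server-side configuration, never in anything sent to the browser.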
The default expiration timeout of the PHP session state is short.
To retain access to the API after the session ends, or to use the API outside a web browser, we save the token to a local file (/tmp/php_session_btcjam.txt).
When the session expires, the access_token would normally be lost and the application would redirect to the authorization endpoint again. By caching the access_token we avoid this and get a long-lived session!
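An added example (not the repository's own caching code) of persisting the token to the file named above and reloading it on a later run, whether from the browser or from a cron job. The cache path is the one the README names; the token array shape (access_token, expires_in, optional refresh_token) follows RFC 6749, and the 3600-second fallback lifetime is an assumption for servers that omit expires_in.

```php
<?php
// Added example (not the repository's own code): cache the access token with
// its expiry in a file so it survives the PHP session, and reload it later.
// The path matches the README; the token array shape follows RFC 6749.

const TOKEN_CACHE = '/tmp/php_session_btcjam.txt';

// Persist the token response. The file is created mode 0600 (umask 0077) so
// other local users cannot read the token out of the world-writable /tmp
// directory, and it is written to a temp name then renamed so a concurrent
// reader never sees a half-written file. expires_at is absolute time, so the
// later check does not depend on when the file was written.
function saveToken(array $tokenResponse, string $path = TOKEN_CACHE): void {
    if (!isset($tokenResponse['access_token'])) {
        throw new InvalidArgumentException('token response has no access_token');
    }
    $record = [
        'access_token'  => $tokenResponse['access_token'],
        'refresh_token' => $tokenResponse['refresh_token'] ?? null,
        // 3600 s fallback is an assumption; 60 s margin avoids using a token
        // in its final seconds.
        'expires_at'    => time() + (int)($tokenResponse['expires_in'] ?? 3600) - 60,
    ];
    $tmp = $path . '.' . bin2hex(random_bytes(4));
    $oldMask = umask(0077);
    $fh = fopen($tmp, 'x'); // exclusive create: fails if the name already exists
    umask($oldMask);
    if ($fh === false) {
        throw new RuntimeException('cannot create token cache file');
    }
    fwrite($fh, json_encode($record));
    fclose($fh);
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException('cannot replace token cache file');
    }
}

// Return the cached access token, or null if there is none, it is malformed,
// or it has expired. On null the caller must authorize again (or use the
// refresh token below if the server issued one).
function loadToken(string $path = TOKEN_CACHE): ?string {
    if (!is_file($path)) {
        return null;
    }
    $record = json_decode((string)file_get_contents($path), true);
    if (!is_array($record) || !isset($record['access_token'], $record['expires_at'])) {
        return null;
    }
    if (time() >= (int)$record['expires_at']) {
        return null;
    }
    return $record['access_token'];
}

// Return the cached refresh token, if the server issued one.
function loadRefreshToken(string $path = TOKEN_CACHE): ?string {
    if (!is_file($path)) {
        return null;
    }
    $record = json_decode((string)file_get_contents($path), true);
    return is_array($record) ? ($record['refresh_token'] ?? null) : null;
}

// Usage: try the cache first, and only fall back to the browser flow when
// there is no usable token. $tokenResponse is whatever the token endpoint
// returned from the authorization-code exchange.
$accessToken = loadToken();
if ($accessToken === null) {
    // ... run the authorization flow, then:
    // saveToken($tokenResponse);
    // $accessToken = $tokenResponse['access_token'];
}
```

On a shared host, /tmp is the wrong home for a credential even with 0600 permissions: put the cache in a directory owned by the web server user, outside the document root, and make sure it is excluded from backups and log shipping. Storing expires_at rather than the raw expires_in is what lets a cron job started hours later decide correctly whether the token is still valid.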
- Jan-03-2016: v1.01 - added SESSION caching to file.
- Dec-21-2015: v1.00 released.
- Dec-15-2015: init repo.
- Brent Shaffer's OAuth 2.0 Server Cookbook
- Knp University: OAuth2 in 8 Steps
- Google Developers: OAuth2 Protocol
- MSDN: Implementing an OAuth-Enabled Application in PHP
- RFC 6749 - "The OAuth 2.0 Authorization Framework"
- The OAuth 2.0 Authorization Protocol (draft-ietf-oauth-v2-22)
- Search the latest updated OAuth RFCs from IETF
- oauth3.net