OroOAuth2ServerBundle
OroOAuth2ServerBundle provides OAuth 2.0 authorization and resource server capabilities implemented on top of the thephpleague/oauth2-server library.
Currently, the Authorization Code (with PKCE extension), Client Credentials and Password grants are implemented.
See OAuth 2.0 Server Authorization Code Grant and OAuth 2.0 Authorization Code Grant for details of the Authorization Code grant.
See OAuth 2.0 Server Client Credentials Grant and OAuth 2.0 Client Credentials Grant for details of the Client Credentials grant.
See OAuth 2.0 Server Resource Owner Password Credentials Grant and OAuth 2.0 Password Grant for details on the Password grant.
Configuration
The default configuration of OroOAuth2ServerBundle is illustrated below:
```yaml
oro_oauth2_server:
    authorization_server:
        # The lifetime in seconds of the access token.
        access_token_lifetime: 3600 # 1 hour
        # The lifetime in seconds of the refresh token.
        refresh_token_lifetime: 18144000 # 30 days
        # The lifetime in seconds of the authorization code.
        auth_code_lifetime: 600 # 10 minutes
        # Determines if the refresh token grant is enabled.
        enable_refresh_token: true
        # Determines if the authorization code grant is enabled.
        enable_auth_code: true
        # The full path to the private key file that is used to sign JWT tokens.
        private_key: '%kernel.project_dir%/var/oauth_private.key'
        # The string that is used to encrypt the refresh token and authorization code payloads.
        # How to generate an encryption key: https://oauth2.thephpleague.com/installation/#string-password
        encryption_key: '%kernel.secret%'
        # The configuration of CORS requests
        cors:
            # The number of seconds the user agent is allowed to cache CORS preflight requests
            preflight_max_age: 600
            # The list of origins that are allowed to send CORS requests
            allow_origins: [] # Example: ['https://foo.com', 'https://bar.com']
            # The list of headers that CORS requests are allowed to send.
            # This option specifies the list of headers that is sent
            # in the "Access-Control-Allow-Headers" response header of CORS preflight requests
            allow_headers: [] # Example: ['X-Foo', 'X-Bar']
    resource_server:
        # The full path to the public key file that is used to verify JWT tokens.
        public_key: '%kernel.project_dir%/var/oauth_public.key'
```
Note
To use OAuth 2.0 authorization, generate the private and public keys and place them into the locations specified in the authorization_server / private_key and resource_server / public_key options. See Generating public and private keys for details on how to generate the keys.
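The following helper script is an added example, not part of OroOAuth2ServerBundle or its documentation. It generates the RSA key pair at the default paths from the configuration above when none exists yet, and otherwise checks that the configured private and public keys actually belong together and that the private key is not readable by other users (thephpleague/oauth2-server triggers a notice when the key file mode is not 600 or 660). The script name, its location under `bin/` and the use of PHP's own OpenSSL extension instead of the `openssl` CLI are assumptions.

```php
<?php
// Hypothetical bin/check-oauth-keys.php (added example, not part of the bundle).
// Generates the key pair expected by oro_oauth2_server when it is missing, then
// verifies the configured private/public key files before the application starts.
declare(strict_types=1);

// Assumes the script lives in <project>/bin; pass the project dir as the first argument to override.
$projectDir  = $argv[1] ?? dirname(__DIR__);
$privatePath = $projectDir . '/var/oauth_private.key';
$publicPath  = $projectDir . '/var/oauth_public.key';

function generateKeyPair(string $privatePath, string $publicPath): void
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }
    // Restrict the umask while writing so the private key is never world-readable,
    // not even between the write and the chmod() below.
    $oldUmask = umask(0077);
    try {
        if (!openssl_pkey_export_to_file($key, $privatePath)) {
            throw new RuntimeException('could not write private key to ' . $privatePath);
        }
    } finally {
        umask($oldUmask);
    }
    chmod($privatePath, 0600);

    // The public key is derived from the private key, so the pair always matches.
    $details = openssl_pkey_get_details($key);
    if ($details === false || file_put_contents($publicPath, $details['key']) === false) {
        throw new RuntimeException('could not write public key to ' . $publicPath);
    }
    chmod($publicPath, 0644);
}

/** Returns a list of problems; an empty list means the key pair is usable. */
function checkKeyPair(string $privatePath, string $publicPath): array
{
    $problems = [];
    foreach ([$privatePath, $publicPath] as $path) {
        if (!is_readable($path)) {
            $problems[] = "$path is missing or not readable by the PHP process";
        }
    }
    if ($problems) {
        return $problems;
    }

    // thephpleague/oauth2-server expects the private key file mode to be 600 or 660.
    $mode = fileperms($privatePath) & 0777;
    if (!in_array($mode, [0600, 0660], true)) {
        $problems[] = sprintf('%s has mode %o; expected 600 or 660', $privatePath, $mode);
    }

    $private = openssl_pkey_get_private('file://' . $privatePath);
    if ($private === false) {
        $problems[] = "$privatePath is not a valid PEM private key";
        return $problems;
    }
    // Re-derive the public key from the private key and compare it with the configured
    // public key: a stale public key would make the resource server reject every token.
    $derived    = trim(openssl_pkey_get_details($private)['key']);
    $configured = trim((string) file_get_contents($publicPath));
    if ($derived !== $configured) {
        $problems[] = "$publicPath does not match the public key of $privatePath";
    }

    return $problems;
}

if (!file_exists($privatePath) && !file_exists($publicPath)) {
    generateKeyPair($privatePath, $publicPath);
    echo "Generated $privatePath and $publicPath\n";
}

$problems = checkKeyPair($privatePath, $publicPath);
if ($problems) {
    fwrite(STDERR, "OAuth key check failed:\n - " . implode("\n - ", $problems) . "\n");
    exit(1);
}
echo "OAuth key pair OK\n";
```

Run it as `php bin/check-oauth-keys.php` from the project root; a non-zero exit code makes it suitable as a deployment pre-check. Keep the generated `var/oauth_private.key` out of version control; only the public key may be copied to other hosts that act as resource servers.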
Manage OAuth Applications
See Manage OAuth Applications and Manage Customer User OAuth Applications.
Create OAuth Application via Data Fixtures
OAuth applications can also be added using data fixtures. For example:
```php
namespace Oro\Bundle\OAuth2ServerBundle\Migrations\Data\ORM;

use Doctrine\Common\DataFixtures\AbstractFixture;
use Doctrine\Persistence\ObjectManager;
use Oro\Bundle\OAuth2ServerBundle\Entity\Client;
use Oro\Bundle\OAuth2ServerBundle\Entity\Manager\ClientManager;
use Oro\Bundle\OrganizationBundle\Entity\Organization;
use Symfony\Component\DependencyInjection\ContainerAwareInterface;
use Symfony\Component\DependencyInjection\ContainerAwareTrait;

class LoadOAuthApplication extends AbstractFixture implements ContainerAwareInterface
{
    use ContainerAwareTrait;

    /**
     * {@inheritdoc}
     */
    public function load(ObjectManager $manager)
    {
        $client = new Client();
        // The application is bound to the first (default) organization.
        $client->setOrganization($manager->getRepository(Organization::class)->getFirst());
        $client->setName('My Application');
        $client->setGrants(['password']);
        $client->setIdentifier('my_client_id');
        $client->setPlainSecret('my_client_secret');
        // ClientManager prepares the entity (the plain secret is stored hashed); flushing is done below.
        $this->container->get(ClientManager::class)->updateClient($client, false);
        $manager->persist($client);
        $manager->flush();
    }
}
```
To load data fixtures, use either the oro:migration:data:load or the oro:platform:update command.
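As an added example that goes beyond the bundle's own fixture above (it is not the project's code), the fixture below registers one application per implemented grant, reads each client secret from an environment variable instead of committing it to the repository, and is safe to run twice. The namespace, application names, identifiers, environment variable names and redirect URI are constructed sample values; the grant identifiers are the ones thephpleague/oauth2-server uses, and `setRedirectUris()` is assumed to exist on the Client entity (check it against your bundle version).

```php
<?php
// Added example (not part of OroOAuth2ServerBundle): a fixture registering several
// OAuth applications with secrets taken from the environment rather than hard-coded.
namespace Acme\Bundle\AppBundle\Migrations\Data\ORM;

use Doctrine\Common\DataFixtures\AbstractFixture;
use Doctrine\Persistence\ObjectManager;
use Oro\Bundle\OAuth2ServerBundle\Entity\Client;
use Oro\Bundle\OAuth2ServerBundle\Entity\Manager\ClientManager;
use Oro\Bundle\OrganizationBundle\Entity\Organization;
use Symfony\Component\DependencyInjection\ContainerAwareInterface;
use Symfony\Component\DependencyInjection\ContainerAwareTrait;

class LoadOAuthApplications extends AbstractFixture implements ContainerAwareInterface
{
    use ContainerAwareTrait;

    /**
     * Applications to register (constructed sample values). The secret for each
     * application is read from the named environment variable at load time.
     * Authorization Code clients also need their redirect URIs; setRedirectUris()
     * is assumed to be the Client entity's setter for them.
     */
    private const APPLICATIONS = [
        [
            'name'       => 'Mobile App',
            'identifier' => 'acme_mobile',
            'grants'     => ['password'],
            'secret_env' => 'OAUTH_ACME_MOBILE_SECRET',
        ],
        [
            'name'       => 'ERP Integration',
            'identifier' => 'acme_erp',
            'grants'     => ['client_credentials'],
            'secret_env' => 'OAUTH_ACME_ERP_SECRET',
        ],
        [
            'name'          => 'Partner Portal',
            'identifier'    => 'acme_portal',
            'grants'        => ['authorization_code'],
            'secret_env'    => 'OAUTH_ACME_PORTAL_SECRET',
            'redirect_uris' => ['https://portal.example.com/oauth/callback'],
        ],
    ];

    public function load(ObjectManager $manager)
    {
        $organization     = $manager->getRepository(Organization::class)->getFirst();
        $clientManager    = $this->container->get(ClientManager::class);
        $clientRepository = $manager->getRepository(Client::class);

        foreach (self::APPLICATIONS as $definition) {
            // Make the fixture re-runnable: skip identifiers that already exist
            // instead of failing on the unique constraint.
            if ($clientRepository->findOneBy(['identifier' => $definition['identifier']])) {
                continue;
            }

            $secret = getenv($definition['secret_env']);
            if ($secret === false || strlen($secret) < 32) {
                throw new \RuntimeException(sprintf(
                    'Set %s to a secret of at least 32 characters before loading this fixture.',
                    $definition['secret_env']
                ));
            }

            $client = new Client();
            $client->setOrganization($organization);
            $client->setName($definition['name']);
            $client->setIdentifier($definition['identifier']);
            $client->setGrants($definition['grants']);
            $client->setPlainSecret($secret);
            if (!empty($definition['redirect_uris'])) {
                $client->setRedirectUris($definition['redirect_uris']); // assumed setter
            }

            // As in the bundle's own example: ClientManager prepares the entity (the plain
            // secret is stored hashed) and a single flush after the loop persists everything.
            $clientManager->updateClient($client, false);
            $manager->persist($client);
        }

        $manager->flush();
    }
}
```

Export the three environment variables before running `oro:migration:data:load` or `oro:platform:update`; the fixture refuses to create an application whose secret is missing or shorter than 32 characters, so a deployment never ends up with a placeholder secret in the database.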