filsh / yii2-oauth2-server

A wrapper for implementing an OAuth2 Server (https://github.com/bshaffer/oauth2-server-php)
MIT License

Let's Build Documentation #43

Closed mtangoo closed 7 years ago

mtangoo commented 9 years ago

There is no documentation and no one seems to care, so here is an issue where anyone can share a bit of what he knows and code snippets. Then I will put them together into nice documentation. Here are some loose leading points (they aren't rules, so feel free to break them):

  1. Components of the extension (Pick one and explain what it does)
  2. How does the grant process work?
  3. Using Different grants with extension (see [1] for types of grants)
  4. Different code snippets (explain in summary what it does)

I hope you guys will help make this extension better.

Patroklo commented 9 years ago

It's a shame how little documentation and interest yii2 libraries have in general. I have been working in this framework since it started and I love it, but with this lack of libraries, modules and user support compared to other PHP frameworks I can only think of switching right now. I have been working 3 days on an implementation for this library to make it easier to use as a module, but fuck it, it isn't worth the effort when the main working solution is in dev-master and 2.0.1 is faulty. And this is the main OAuth2 library in yii2 when searching on GitHub! Incredible.

I don't have time to make or fix every library I need for yii2. I don't know if there are very few people using this framework and because of that we are in this position, or why... Well... I hate Laravel as fuck, but it seems that they have a professional OAuth2 library... I'll have to switch to that stupid framework.

And mtangoo, very good work with your implementation of this library, a lot of effort, loved it.

mtangoo commented 9 years ago

Well, it's not my library, but it is, as you have pointed out, lacking documentation. The problem is, no one is ready to write it, so I thought that having such an issue would help us have solid docs. So far I haven't found time to organize docs from the main docs and issues. It's a shame that such a useful library lacks docs.

dcb9 commented 9 years ago

@mtangoo :+1: I'll put my snippets here if I could.

mtangoo commented 9 years ago

Please do so and let's build documentation.

Patroklo commented 9 years ago

I think that besides the documentation, it's necessary to add more libraries into the module. A very good start can be the @mtangoo API version plus some other needs that can be covered with this (support for authorization code, and so on...). The main idea (at least mine) is to let users have the simplest way of having a true, fully functional OAuth2 server.

I can also help, but I have the feeling that this library is abandoned or in a somewhat neglected state; maybe it would be advisable to fork.

Edit: a good start on how to make good documentation: https://github.com/lucadegasperi/oauth2-server-laravel/wiki

mtangoo commented 9 years ago

It's not abandoned, but only one person, @Filsh, is the maintainer. So feel free to make a PR. I plan to start contributing here once I have a little free time!

Patroklo commented 9 years ago

Forked it and I'm already working on documentation, basing it on the Laravel one (concepts, how it's organized and all that). The only problem I see is that I think it's not possible to make pull requests to wikis...

mtangoo commented 9 years ago

@Filsh

Patroklo commented 9 years ago

https://github.com/Patroklo/yii2-oauth2-server/wiki here is the wiki that I'm doing right now. I have started with the most "difficult" granting type, the authentication code, because it will be the one that requires the most documentation.

If someone wants to help, I can share the fork with him.

mtangoo commented 8 years ago

Well, it's great to see documentation progressing quite well. Can anyone explain in simple terms how OAuth2 scopes play with Yii2 RBAC? I think it's a topic of interest, but I don't know that much about scopes to write about them in simple language.

gowravshekar commented 8 years ago

Is there any documentation available for using the JWT Bearer grant type with this library?

mtangoo commented 8 years ago

@gowravshekar did you figure that out?

gowravshekar commented 8 years ago

@mtangoo, I haven't been able to get it working. http://oauth2.thephpleague.com/ appears good. However, they don't support JSON Web Tokens yet.

mtangoo commented 8 years ago

So you tried them?

gowravshekar commented 8 years ago

I haven't tried them. I'm doing a few changes with this library. I installed the "filsh/yii2-oauth2-server": "2.0.1.x-dev" version and set use_jwt_access_tokens to true in \Oauth2\Server.php in the bshaffer library.

Using the settings below, I was successfully able to get a JWT token and refresh token with the password grant type, and get a JWT token using the refresh token with the refresh_token grant type. But requesting a protected resource with the JWT token fails.

```php
// Yii2 module config; $identityClass is the application's user identity class,
// defined earlier in the config file.
return [
    'class' => 'filsh\yii2\oauth2server\Module',
    'tokenParamName' => 'access_token',
    'tokenAccessLifetime' => 3600 * 24,
    'storageMap' => [
        'user_credentials' => $identityClass,
        // custom storage that supplies the key material used to sign/verify JWTs
        'public_key' => 'api\common\storage\PublicKeyStorage',
        // 'client' => 'api\common\storage\FakeStorage',
        // 'refresh_token' => 'api\common\storage\FakeStorage',
        /*
         * Refer: https://github.com/Filsh/yii2-oauth2-server/issues/30
         */
        'access_token' => 'api\common\storage\FakeStorage',
        'authorization_code' => 'api\common\storage\FakeStorage',
        'client_credentials' => 'api\common\storage\FakeStorage',
        'jwt_bearer' => 'api\common\storage\FakeStorage',
        'scope' => 'api\common\storage\FakeStorage',
    ],
    'grantTypes' => [
        'user_credentials' => [
            'class' => 'OAuth2\GrantType\UserCredentials',
        ],
        'refresh_token' => [
            'class' => 'OAuth2\GrantType\RefreshToken',
        ],
    ],
];
```

mtangoo commented 8 years ago

Thank you. Let me try it out! BTW, did you create a public key and private key for signing tokens like it says here?

gowravshekar commented 8 years ago

As you see from the above code, I override the storage class for public keys.

```php
<?php
namespace api\common\storage;

// Supplies the key material the bshaffer library uses to sign and verify
// JWT access tokens. The placeholder strings must be replaced with real keys.
class PublicKeyStorage implements \OAuth2\Storage\PublicKeyInterface
{
    public function getPublicKey($client_id = null)
    {
        return '--public-key-string--';
    }

    public function getPrivateKey($client_id = null)
    {
        return '--private-key-string--';
    }

    public function getEncryptionAlgorithm($client_id = null)
    {
        return 'HS256';
    }
}
```

mtangoo commented 8 years ago

Cool thanks!

gowravshekar commented 8 years ago

The reason for failing to access the protected resource lies in the verifySignature method of the OAuth2\Encryption\Jwt class. I'm using curl to access the protected resource with the following command:

```bash
curl -i "protected-resource-api-endpoint" -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization: Bearer jwt.token" -XPOST -d '{post-input}'
```

The JWT token is requested using the command below:

```bash
curl -i -H "Accept:application/json" -H "Content-Type:application/json" "api-end-point/oauth2/token" -XPOST -d '{"grant_type":"password","username":"--username--","password":"--password--","client_id":"--client_id--","client_secret":"--client_secret--"}'
```

Any ideas to resolve this issue?

mtangoo commented 8 years ago

@gowravshekar I don't get your question. I will try your solution in a few days (and hopefully contribute back to the module).

gowravshekar commented 8 years ago

I did a few more modifications, and it appears to be working now: adding tokenRefreshLifetime to the oauth2 config, and using RS256 instead of HS256 in PublicKeyStorage.

mtangoo commented 8 years ago

Can you post your changes to help us in the future?

mtangoo commented 8 years ago

@gowravshekar I was trying to implement your suggestions above to make it work with JWT. Here are a few problems I met:

> Set use_jwt_access_tokens to true in \Oauth2\Server.php in the bshaffer library.

I could not find such a property in that file. Can you point to the version of that library you are using?

Also, I see the fake storage is full of empty implementations (from the issue you linked, #30). Is that supposed to be so? If not, can you share your implementation?

Thanks!

mtangoo commented 8 years ago

@Filsh do you have any idea as to what needs to be done to add JWT support to the library? Just a simple direction on where to start will be enough.

mtangoo commented 8 years ago

@gowravshekar I have managed to make it work with JWT. However, my tokens are super large (658 chars), which breaks the table column for tokens. How do you deal with that? VARCHAR cannot hold such a big string.

mtangoo commented 8 years ago

@gowravshekar I found that using FakeStorage you have to re-invent the wheel, so I tinkered around with the library and came up with this PR.

Please check it out and test if it works fine. With this you don't touch anything else; it should just work as if it were any other token.

gowravshekar commented 8 years ago

I forked v2.0.1 of this library and did a few changes. https://github.com/gowravshekar/yii2-oauth2-server is my fork. I also made v2.0.1 the default branch. Currently, the master branch in this library points to an old dependency of the bshaffer oauth2 library, while v2.0.1 uses a much more recent version. I'm not sure why the master version is behind v2.0.1. @mtangoo, your PR is based on the master version.

mtangoo commented 8 years ago

@gowravshekar Yes! My PR is based on master and the latest bshaffer library.

mtangoo commented 8 years ago

My latest PR is against 2.0.1.

gowravshekar commented 8 years ago

Saw your changes at https://github.com/Filsh/yii2-oauth2-server/pull/69/files. You have made access_token mandatory, which is not required when using JWT. Also, JWT can be validated without hitting the database, so you don't have to store it in a DB.
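
As an added example (not the library's code nor anything posted in this thread), this is the stateless check described above: a resource server verifying an RS256 JWT with nothing but the public key and no token-table lookup. It also shows why the earlier switch from HS256 to RS256 matters: with HMAC the verification key is the signing secret, whereas with RSA the resource server only needs the public half. Key material and claims are constructed here; a real deployment loads the PEMs that getPublicKey()/getPrivateKey() return.

```php
<?php
// Added example, not library code: a stateless RS256 check as a resource
// server would do it. Only the public key is needed, no token table lookup.

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string {
    $pad = (4 - strlen($data) % 4) % 4;
    return base64_decode(strtr($data, '-_', '+/') . str_repeat('=', $pad));
}

// Issue a token the way an RS256 signer does (constructed claims).
function issue_jwt(array $claims, $privateKey): string {
    $header = b64url(json_encode(['typ' => 'JWT', 'alg' => 'RS256']));
    $body   = b64url(json_encode($claims));
    openssl_sign("$header.$body", $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return "$header.$body." . b64url($sig);
}

// Returns the claims on success, null on any failure (bad format, wrong
// algorithm, bad signature, expired). The algorithm is pinned to RS256 on
// the verifier side rather than taken from the token.
function verify_jwt(string $jwt, string $publicKeyPem): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $b, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    if (($header['alg'] ?? '') !== 'RS256') return null;
    if (openssl_verify("$h.$b", b64url_decode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) return null;
    $claims = json_decode(b64url_decode($b), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) <= time()) return null;
    return $claims;
}

// Demo key pair, generated on the fly (constructed; real deployments load
// the PEMs that getPublicKey()/getPrivateKey() return).
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($key)['key'];

$token = issue_jwt(['sub' => 'user42', 'scope' => 'read', 'exp' => time() + 3600], $key);
echo strlen($token), " chars\n";                    // token length, relevant to the column-size question above
var_dump(verify_jwt($token, $publicPem) !== null);  // genuine token

// A modified payload no longer matches the signature, so it is rejected.
[$h, $b, $s] = explode('.', $token);
var_dump(verify_jwt("$h." . b64url('{"sub":"admin"}') . ".$s", $publicPem)); // tampered body
```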

mtangoo commented 8 years ago

That is the problem I was having and had no way to solve. I just had to juggle around changing some classes (see the readme), so if you can rectify that with a PR it'll simplify the matter, and hence there will be no more need to modify any classes.

mtangoo commented 8 years ago

@gowravshekar I wanted to try your version and could find no explanation. Can you update the specific explanations for JWT?