-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathREADME.stub
More file actions
364 lines (254 loc) · 11.2 KB
/
README.stub
File metadata and controls
364 lines (254 loc) · 11.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
# OWN3D ID
PHP OWN3D ID API Client for Laravel 5+
## Table of contents
1. [Installation](#installation)
1. [OAuth2 Documentation](#oauth2-documentation)
2. [Remarks](#remarks)
3. [Socialite Event Listener](#socialite-event-listener)
4. [Configuration](#configuration)
5. [Examples](#examples)
6. [Documentation](#documentation)
7. [Development](#Development)
## Installation
Install the own3d id package with composer:
```
composer require own3d/id
```
## OAuth2 Documentation
You can find the documentation for OAuth2 [here](https://dev.own3d.tv/docs/authorization.html). There you can find all
the information about registering your application and the scopes you can request.
## Remarks
In the StreamTV / OWN3D ID Library all SSO IDs are defined as strings. This comes from the origin that all IDs should become UUIDs. We will simply continue the id assignment on big-integers, since we never implemented this step. We recommend to store all ids as big-integers (20) in your database. It is not guaranteed that we will assign IDs incrementally.
### E-Mail Verification
Every oauth client needs to check itself if they need a (verified) email address from the user.
The current email address can be fetched via `/api/users/@me`, it will be returned in the `email` attribute.
To see if the email is verified by the user, you can lookup the `email_verified_at` attribute.
If the `email` attribute is `null`, this means the user has no email associated with his account.
You need to call `/api/users/@me/update-email` by yourself to assign and trigger the email verification process.
## Socialite Event Listener
- Add `SocialiteProviders\Manager\SocialiteWasCalled` event to your `listen[]` array in `app/Providers/EventServiceProvider`.
- Add your listeners (i.e. the ones from the providers) to the `SocialiteProviders\Manager\SocialiteWasCalled[]` that you just created.
- The listener that you add for this provider is `'Own3d\\Id\\Socialite\\Own3dIdExtendSocialite@handle',`.
- Note: You do not need to add anything for the built-in socialite providers unless you override them with your own providers.
```php
use SocialiteProviders\Manager\SocialiteWasCalled;
use Own3d\Id\Socialite\Own3dIdExtendSocialite;
/**
* The event handler mappings for the application.
*
* @var array
*/
protected $listen = [
SocialiteWasCalled::class => [
// add your listeners (aka providers) here
Own3dIdExtendSocialite::class,
],
];
```
## Configuration
Copy configuration to config folder:
```
$ php artisan vendor:publish --provider="Own3d\Id\Providers\Own3dIdServiceProvider"
```
Add environmental variables to your `.env`
```
OWN3D_ID_KEY=
OWN3D_ID_SECRET=
OWN3D_ID_REDIRECT_URI=${APP_URL}/login/callback
```
You will need to add an entry to the services configuration file so that after config files are cached for usage in production environment (Laravel command `artisan config:cache`) all config is still available.
**Add to `config/services.php`:**
```php
'own3d-id' => [
'client_id' => env('OWN3D_ID_KEY'),
'client_secret' => env('OWN3D_ID_SECRET'),
'redirect' => env('OWN3D_ID_REDIRECT_URI')
],
```
## Examples
#### Basic
```php
$own3dId = new Own3d\Id\Own3dId();
$own3dId->setClientId('abc123');
...
```
#### Setters
```php
$own3dId = new Own3d\Id\Own3dId();
$own3dId->setClientId('abc123');
$own3dId->setClientSecret('abc456');
$own3dId->setToken('abcdef123456');
$own3dId = $own3dId->withClientId('abc123');
$own3dId = $own3dId->withClientSecret('abc123');
$own3dId = $own3dId->withToken('abcdef123456');
```
#### OAuth Tokens
```php
$own3dId = new Own3d\Id\Own3dId();
$own3dId->setClientId('abc123');
$own3dId->setToken('abcdef123456');
$result = $own3dId->getAuthedUser();
$user = $userResult->shift();
```
```php
$own3dId->setToken('uvwxyz456789');
$result = $own3dId->getAuthedUser();
```
```php
$result = $own3dId->withToken('uvwxyz456789')->getAuthedUser();
```
#### Facade
```php
use Own3d\Id\Facades\Own3dId;
Own3dId::withClientId('abc123')->withToken('abcdef123456')->getAuthedUser();
```
## Documentation
<!-- GENERATED-DOCS -->
[**OAuth Scopes Enums**](src/Enums/Scope.php)
### Protecting Routes
#### Via Middleware
OWN3D ID includes an [authentication guard](https://laravel.com/docs/8.x/authentication#adding-custom-guards) that will validate access tokens on incoming requests. Once you have configured the `api` guard to use the `own3d-id` driver, you only need to specify the `auth:api` middleware on any routes that should require a valid access token:
```php
Route::get('/user', function () {
//
})->middleware('auth:api');
```
#### Multiple Authentication Guards
If your application authenticates different types of users that perhaps use entirely different Eloquent models, you will likely need to define a guard configuration for each user provider type in your application. This allows you to protect requests intended for specific user providers. For example, given the following guard configuration the `config/auth.php` configuration file:
```php
'api' => [
'driver' => 'own3d-id',
'provider' => 'users',
],
'api-customers' => [
'driver' => 'own3d-id',
'provider' => 'customers',
],
```
The following route will utilize the api-customers guard, which uses the customers user provider, to authenticate incoming requests:
```php
Route::get('/customer', function () {
//
})->middleware('auth:api-customers');
```
### Token Scopes
Scopes allow your application's users to limit the actions a third-party application can perform on their behalf. For example, not all API consumers will need the ability to fetch entitlements.
#### Defining Scopes
[Scopes](src/Enums/Scope.php) are registered globally by the OWN3D ID service. If a OWN3D first-party specific application needs a additional scope, then they need to define it in the OWN3D ID service.
#### Assigning Scopes To Tokens
When requesting an access token using the authorization code grant, consumers should specify their desired scopes as the `scope` query string parameter. The `scope` parameter should be a space-delimited list of scopes:
```php
Route::get('/redirect', function () {
$query = http_build_query([
'client_id' => 'client-id',
'redirect_uri' => 'http://example.com/callback',
'response_type' => 'code',
'scope' => 'user:read connections',
]);
return redirect('https://id.stream.tv/oauth/authorize?' . $query);
});
```
#### Requesting all Tokens
When using the password grant or client credentials grant, you may wish to authorize the token for all of the scopes supported by your application. You can do this by requesting the `*` scope. If you request the `*` scope, the `can` method on the token instance will always return `true`. This scope may only be assigned to a token that is issued using the `password` or `client_credentials` grant:
```php
TBD
```
### Checking Scopes
> Using the `scopes` and `scope` middleware requires a authorization guard. For first-party apps, you may want to use a special [authentication guard](aultiple-authentication-guards) to create users dynamically.
> If you're interested in machine-to-machine authentication or want to skip the authorization guard, then have a look at [client credentials grant tokens](#client-credentials-grant-tokens).
OWN3D ID includes two middleware that may be used to verify that an incoming request is authenticated with a token that has been granted a given scope. To get started, add the following middleware to the `$routeMiddleware` property of your `app/Http/Kernel.php` file:
```php
'scopes' => \Own3d\Id\Http\Middleware\CheckScopes::class,
'scope' => \Own3d\Id\Http\Middleware\CheckForAnyScope::class,
```
#### Check For All Scopes
The `scopes` middleware may be assigned to a route to verify that the incoming request's access token has all of the listed scopes:
```php
Route::get('/test', function () {
// Access token has both "user:read" and "connections" scopes...
})->middleware(['auth:api', 'user:read,connections']);
```
#### Check For Any Scopes
The `scope` middleware may be assigned to a route to verify that the incoming request's access token has at least one of the listed scopes:
```php
Route::get('/test', function () {
// Access token has either "user:read" or "connections" scope...
})->middleware(['auth:api', 'scope:user:read,connections'])
```
#### Checking Scopes On A Token Instance
Once an access token authenticated request has entered your application, you may still check if the token has a given scope using the `tokenCan` method on the authenticated `App\Models\User` instance:
```php
use Illuminate\Http\Request;
Route::get('/orders', function (Request $request) {
if ($request->user()->tokenCan('user:read')) {
//
}
});
```
### Client Credentials Grant Tokens
The client credentials grant is suitable for machine-to-machine authentication. For example, to performing maintenance tasks over an API.
Before your application can issue tokens via the client credentials grant, you will need to request a client credentials grant client. You may do this by writing to developers@stream.tv.
Next, to use this grant type, you need to add the `CheckClientCredentials` middleware to the `$routeMiddleware` property of your `app/Http/Kernel.php` file:
```php
use Own3d\Id\Http\Middleware\CheckClientCredentials;
protected $routeMiddleware = [
'client' => CheckClientCredentials::class,
];
```
Then, attach the middleware to a route:
```php
Route::get('/test', function (Request $request) {
...
})->middleware('client');
```
To restrict access to the route to specific scopes, you may provide a comma-delimited list of the required scopes when attaching the `client` middleware to the route:
```php
Route::get('/test', function (Request $request) {
...
})->middleware('client:user:read,your-scope');
```
### Using OWN3D ID as API Guard
If you want to accept OWN3D ID Access tokens within you API Server, you can easily add/modify your guards, to enable support.
If you also want to generate users automatically in your local database, then use the `sso-users` provider within your `api` guard.
`config/auth.php`:
```php
'guards' => [
...
'api' => [
'driver' => 'own3d-id',
'provider' => 'sso-users',
],
],
'providers' => [
...
'sso-users' => [
'driver' => 'sso-users',
'model' => App\Models\User::class,
'fields' => ['name', 'email', 'email_verified_at'],
],
],
```
After configure your guards, you need to register the `own3d-id` and `sso-users` drivers within your `AuthServiceProvider`.
```php
use Illuminate\Http\Request;
use Own3d\Id\Auth\Own3dSsoUserProvider;
use Own3d\Id\Own3dId;
public function boot()
{
...
Own3dIdGuard::register();
Own3dSsoUserProvider::register();
}
```
## Development
#### Run Tests
```shell
composer test
```
```shell
BASE_URL=xxxx CLIENT_ID=xxxx CLIENT_KEY=yyyy CLIENT_ACCESS_TOKEN=zzzz composer test
```
#### Generate Documentation
```shell
composer docs
```