Authorization Code Grant

Authorization Code Grant needs an additional auth step compared to other types of grants (exchanging auth code), thus it's explained here in more detail than other grant types.

Usage

You need to complete Installation, Configuration first.

You also need to implement all the required repositories (see more at: Enabling Grants).

Next, go through this document step-by-step.

Enable Authorization Code Grant

First, you need to register Authorization Code Grant in your application:

app/OAuth2GrantProvider/AuthCodeGrantProvider.php
php
<?php

namespace App\OAuth2GrantProvider;

use DateInterval;
use Distantmagic\Resonance\Attribute\ProvidesOAuth2Grant;
use Distantmagic\Resonance\Attribute\Singleton;
use Distantmagic\Resonance\OAuth2GrantProvider;
use Distantmagic\Resonance\SingletonCollection;
use League\OAuth2\Server\Grant\AuthCodeGrant;
use League\OAuth2\Server\Grant\GrantTypeInterface;
use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;

#[ProvidesOAuth2Grant]
#[Singleton(collection: SingletonCollection::OAuth2Grant)]
readonly class AuthCodeGrantProvider extends OAuth2GrantProvider
{
    public function __construct(
        private AuthCodeRepositoryInterface $authCodeRepository,
        private RefreshTokenRepositoryInterface $refreshTokenRepository,
    )
    {
    }

    public function provideGrant(): GrantTypeInterface
    {
        return new AuthCodeGrant(
            $this->authCodeRepository,
            $this->refreshTokenRepository,
            new DateInterval('PT1M'),
        );
    }
}

Expose Authorization Endpoint

You also need to create a custom authorization server endpoint (to perform auth code exchange). This step is not required by other grants.

app/HttpResponder/OAuth2AuthorizationServer.php
php
<?php

namespace App\HttpResponder;

use App\HttpRouteSymbol;
use Distantmagic\Resonance\Attribute\RespondsToHttp;
use Distantmagic\Resonance\Attribute\Singleton;
use Distantmagic\Resonance\HttpResponder;
use Distantmagic\Resonance\HttpResponder\OAuth2\Authorization;
use Distantmagic\Resonance\HttpResponderInterface;
use Distantmagic\Resonance\RequestMethod;
use Distantmagic\Resonance\SingletonCollection;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

#[RespondsToHttp(
    method: RequestMethod::POST,
    pattern: '/oauth2/authorization',
    routeSymbol: HttpRouteSymbol::OAuth2AuthorizationServer,
)]
#[Singleton(collection: SingletonCollection::HttpResponder)]
final readonly class OAuth2AuthorizationServer extends HttpResponder
{
    public function __construct(private Authorization $authorizationServer) {}

    public function respond(ServerRequestInterface $request, ResponseInterface $response): HttpResponderInterface
    {
        return $this->authorizationServer;
    }
}

Implement Authorization Code Grant Controller

While the Authorization server handles the rough edges, you still need to implement some features that are specific to your application.

This is the part in which you want to implement some extra features, like login/password authentication or 2FA.

digraph { authorization_request -> authenticate_user; authenticate_user -> select_scopes; select_scopes -> obtain_access_token; }
Previous
« Enabling Grants
Learn how to add methods of acquiring access tokens.
Next
Persistent Data »
Learn how to persist OAuth2 data.
Edit on GitHub