d4h / pkce
PHP implementation of RFC7636 (Proof Key for Code Exchange by OAuth Public Clients)
Fund package maintenance!
hannesvdvreken
Installs: 18 534
Dependents: 0
Suggesters: 0
Security: 0
Stars: 1
Watchers: 2
Forks: 0
Open Issues: 0
Requires
- php: ^7.4.0 || ^8.0
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.8
- phpunit/phpunit: ^8.5 || ^9.2
README
Implementation of RFC 7636
Usage
use function OAuth\PKCE\generatePair; use function OAuth\PKCE\generateChallenge; use function OAuth\PKCE\verifyChallenge; // Generate a pair $pair = generatePair(128); // Store this in session $codeVerifier = $pair->getVerifier(); // Pass this onto the /authorize endpoint of the OAuth server $codeChallenge = $pair->getChallenge(); $queryString = http_build_query([ 'redirect_uri' => 'https://example.com', 'response_type' => 'code', 'client_id' => 'xxxxx', 'code_challenge_method' => 'S256', 'code_challenge' => $codeChallenge, 'state' => $state, ]); // Use the verifier to exchange the auth code for a token $params = [ 'client_id' => 'xxxxx', 'client_secret' => 'xxxxx', // If you have one 'code' => $code, // Received on your redirect uri 'code_verifier' => $codeVerifier, // Fetched from the session ]; // On the server side: if (! verifyChallenge($codeVerifier, $codeChallenge)) { // Throw exception because the given code, code_verifier and code_challenge are not matching. } // Or if you've saved the code with the code_challenge as a key: // Query for a stored token with the given code and generated code_challenge $codeChallenge = generateChallenge($codeVerifier);
Contributing
Feel free to make a pull request. Give a concise but complete description of what is supposed to be added/changed/removed/fixed.
Testing
To test your code before pushing, run the unit test suite.
vendor/bin/phpunit