Commit f7cf3b50 by Alexander Makarov

Guide on auth clients

parent f07ccb0c
...@@ -111,7 +111,7 @@ Security ...@@ -111,7 +111,7 @@ Security
* [Authentication](security-authentication.md) * [Authentication](security-authentication.md)
* [Authorization](security-authorization.md) * [Authorization](security-authorization.md)
* [Working with Passwords](security-passwords.md) * [Working with Passwords](security-passwords.md)
* **TBD** [Auth Clients](security-auth-clients.md) * [Auth Clients](security-auth-clients.md)
* [Best Practices](security-best-practices.md) * [Best Practices](security-best-practices.md)
......
AuthClient Extension for Yii 2 AuthClient Extension for Yii 2
============================== ==============================
This extension adds [OpenID](http://openid.net/), [OAuth](http://oauth.net/) and [OAuth2](http://oauth.net/2/) consumers for the Yii framework 2.0. This extension adds [OpenID](http://openid.net/), [OAuth](http://oauth.net/) and [OAuth2](http://oauth.net/2/) consumers
for the Yii framework 2.0.
Installation Installation
...@@ -12,7 +13,7 @@ The preferred way to install this extension is through [composer](http://getcomp ...@@ -12,7 +13,7 @@ The preferred way to install this extension is through [composer](http://getcomp
Either run Either run
``` ```
php composer.phar require --prefer-dist yiisoft/yii2-authclient "*" composer require --prefer-dist yiisoft/yii2-authclient "*"
``` ```
or add or add
...@@ -51,7 +52,7 @@ You need to setup auth client collection application component: ...@@ -51,7 +52,7 @@ You need to setup auth client collection application component:
] ]
``` ```
Then you need to add [[yii\authclient\AuthAction]] to some of your web controllers: Then you need to add [[yii\authclient\AuthAction]] to web controller:
```php ```php
class SiteController extends Controller class SiteController extends Controller
...@@ -100,33 +101,33 @@ Although, all clients are different they shares same basic interface [[yii\authc ...@@ -100,33 +101,33 @@ Although, all clients are different they shares same basic interface [[yii\authc
which governs some common API. which governs some common API.
Each client has some descriptive data, which can be used for different purposes: Each client has some descriptive data, which can be used for different purposes:
- id - unique client id, which separates it from other clients, it could be used in URLs, logs etc. - `id` - unique client id, which separates it from other clients, it could be used in URLs, logs etc.
- name - external auth provider name, which this client is match too. Different auth clients - `name` - external auth provider name, which this client is match too. Different auth clients
can share the same name, if they refer to the same external auth provider. can share the same name, if they refer to the same external auth provider.
For example: clients for Google OpenID and Google OAuth have same name "google". For example: clients for Google OpenID and Google OAuth have same name "google".
This attribute can be used inside the database, CSS styles and so on. This attribute can be used inside the database, CSS styles and so on.
- title - user friendly name for the external auth provider, it is used to present auth client - `title` - user friendly name for the external auth provider, it is used to present auth client
at the view layer. at the view layer.
Each auth client has different auth flow, but all of them supports "getUserAttributes()" method, Each auth client has different auth flow, but all of them supports `getUserAttributes()` method,
which can be invoked if authentication was successful. which can be invoked if authentication was successful.
This method allows you to get information about external user account, such as id, email address, This method allows you to get information about external user account, such as id, email address,
full name, preferred language etc. full name, preferred language etc.
Defining list of attributes, which external auth provider should return, depends on client type: Defining list of attributes, which external auth provider should return, depends on client type:
- [[yii\authclient\OpenId]]: combination of "requiredAttributes" and "optionalAttributes" - [[yii\authclient\OpenId]]: combination of `requiredAttributes` and `optionalAttributes`
- [[yii\authclient\OAuth1]] and [[yii\authclient\OAuth2]]: field "scope", note that different - [[yii\authclient\OAuth1]] and [[yii\authclient\OAuth2]]: field `scope`, note that different
providers use different formats for the scope. providers use different formats for the scope.
Each auth client has "viewOptions" attribute. It is an array, which stores name-value pairs, Each auth client has `viewOptions` attribute. It is an array, which stores name-value pairs,
which serve to compose client representation in the view. which serve to compose client representation in the view.
For example widget [[yii\authclient\widgets\AuthChoice]] uses keys "popupWidth" and "popupHeight" to For example widget [[yii\authclient\widgets\AuthChoice]] uses keys `popupWidth` and `popupHeight` to
determine the size of authentication popup window. determine the size of authentication popup window.
External API usage External API usage
------------------ ------------------
Both [[yii\authclient\OAuth1]] and [[yii\authclient\OAuth2]] provide method "api()", which Both [[yii\authclient\OAuth1]] and [[yii\authclient\OAuth2]] provide method `api()`, which
can be used to access external auth provider REST API. However this method is very basic and can be used to access external auth provider REST API. However this method is very basic and
it may be not enough to access full external API functionality. This method is mainly used to it may be not enough to access full external API functionality. This method is mainly used to
fetch the external user account data. fetch the external user account data.
...@@ -147,20 +148,20 @@ Predefined auth clients ...@@ -147,20 +148,20 @@ Predefined auth clients
----------------------- -----------------------
This extension provides the list of ready to use auth clients, which covers most This extension provides the list of ready to use auth clients, which covers most
popular external authentication providers. These clients are located under "yii\authclient\clients" popular external authentication providers. These clients are located under `yii\authclient\clients`
namespace. namespace.
Following predefined auth clients are available: Following predefined auth clients are available:
- [[yii\authclient\clients\Facebook]] - [Facebook](https://www.facebook.com/) OAuth2 client - [[yii\authclient\clients\Facebook]] - [Facebook](https://www.facebook.com/) OAuth2 client.
- [[yii\authclient\clients\GitHub]] - [GitHub](https://github.com/) OAuth2 client - [[yii\authclient\clients\GitHub]] - [GitHub](https://github.com/) OAuth2 client.
- [[yii\authclient\clients\GoogleOAuth]] - [Google](https://www.google.com/) OAuth2 client - [[yii\authclient\clients\GoogleOAuth]] - [Google](https://www.google.com/) OAuth2 client.
- [[yii\authclient\clients\GoogleOpenId]] - [Google](https://www.google.com/) OpenID client - [[yii\authclient\clients\GoogleOpenId]] - [Google](https://www.google.com/) OpenID client.
- [[yii\authclient\clients\LinkedIn]] - [LinkedIn](http://www.linkedin.com/) OAuth2 client - [[yii\authclient\clients\LinkedIn]] - [LinkedIn](http://www.linkedin.com/) OAuth2 client.
- [[yii\authclient\clients\Live]] - [Microsoft Live](http://live.com/) OAuth2 client - [[yii\authclient\clients\Live]] - [Microsoft Live](http://live.com/) OAuth2 client.
- [[yii\authclient\clients\Twitter]] - [Twitter](https://twitter.com/) OAuth1 client - [[yii\authclient\clients\Twitter]] - [Twitter](https://twitter.com/) OAuth1 client.
- [[yii\authclient\clients\VKontakte]] - [VKontakte](http://vk.com/) OAuth2 client - [[yii\authclient\clients\VKontakte]] - [VKontakte](http://vk.com/) OAuth2 client.
- [[yii\authclient\clients\YandexOAuth]] - [Yandex](http://www.yandex.ru/) OAuth2 client - [[yii\authclient\clients\YandexOAuth]] - [Yandex](http://www.yandex.ru/) OAuth2 client.
- [[yii\authclient\clients\YandexOpenId]] - [Yandex](http://www.yandex.ru/) OpenID client - [[yii\authclient\clients\YandexOpenId]] - [Yandex](http://www.yandex.ru/) OpenID client.
Please, refer to the particular client class documentation for its actual usage. Please, refer to the particular client class documentation for its actual usage.
...@@ -199,9 +200,10 @@ You may create your own auth client for any external auth provider, which suppor ...@@ -199,9 +200,10 @@ You may create your own auth client for any external auth provider, which suppor
OpenId or OAuth protocol. To do so, first of all, you need to find out which protocol is OpenId or OAuth protocol. To do so, first of all, you need to find out which protocol is
supported by the external auth provider, this will give you the name of the base class supported by the external auth provider, this will give you the name of the base class
for your extension: for your extension:
- for OAuth 2 use [[yii\authclient\OAuth2]]
- for OAuth 1/1.0a use [[yii\authclient\OAuth1]] - For OAuth 2 use [[yii\authclient\OAuth2]].
- for OpenID use [[yii\authclient\OpenId]] - For OAuth 1/1.0a use [[yii\authclient\OAuth1]].
- For OpenID use [[yii\authclient\OpenId]].
At this stage you can determine auth client default name, title and view options, declaring At this stage you can determine auth client default name, title and view options, declaring
corresponding methods: corresponding methods:
...@@ -233,9 +235,9 @@ class MyAuthClient extends OAuth2 ...@@ -233,9 +235,9 @@ class MyAuthClient extends OAuth2
Depending on actual base class, you will need to redeclare different fields and methods. Depending on actual base class, you will need to redeclare different fields and methods.
1) [[yii\authclient\OpenId]] ### [[yii\authclient\OpenId]]
All you need is specify auth URL, by redeclaring "authUrl" field. All you need is to specify auth URL, by redeclaring `authUrl` field.
You may also setup default required and/or optional attributes. You may also setup default required and/or optional attributes.
For example: For example:
...@@ -257,13 +259,14 @@ class MyAuthClient extends OpenId ...@@ -257,13 +259,14 @@ class MyAuthClient extends OpenId
} }
``` ```
2) [[yii\authclient\OAuth2]] ### [[yii\authclient\OAuth2]]
You will need to specify: You will need to specify:
- authorize URL - redeclare "authUrl" field
- token request URL - redeclare "tokenUrl" field - Auth URL by redeclaring `authUrl` field.
- API base URL - redeclare "apiBaseUrl" field - Token request URL by redeclaring `tokenUrl` field.
- User attribute fetching strategy - redeclare "initUserAttributes" method - API base URL by redeclaring `apiBaseUrl` field.
- User attribute fetching strategy by redeclaring `initUserAttributes()` method.
For example: For example:
...@@ -287,17 +290,18 @@ class MyAuthClient extends OAuth2 ...@@ -287,17 +290,18 @@ class MyAuthClient extends OAuth2
You may also specify default auth scopes. You may also specify default auth scopes.
Note: some OAuth providers may not follow OAuth standards clearly, introducing > Note: Some OAuth providers may not follow OAuth standards clearly, introducing
some differences, which may require additional efforts to apply. differences, and may require additional efforts to implement clients for.
3) [[yii\authclient\OAuth1]] ### [[yii\authclient\OAuth1]]
You will need to specify: You will need to specify:
- authorize URL - redeclare "authUrl" field
- request token URL - redeclare "requestTokenUrl" field - Auth URL by redeclaring `authUrl` field.
- access token URL - redeclare "accessTokenUrl" field - Request token URL by redeclaring `requestTokenUrl` field.
- API base URL - redeclare "apiBaseUrl" field - Access token URL by redeclaring `accessTokenUrl` field.
- User attribute fetching strategy - redeclare "initUserAttributes" method - API base URL by redeclaring `apiBaseUrl` field.
- User attribute fetching strategy by redeclaring `initUserAttributes()` method.
For example: For example:
...@@ -323,5 +327,6 @@ class MyAuthClient extends OAuth1 ...@@ -323,5 +327,6 @@ class MyAuthClient extends OAuth1
You may also specify default auth scopes. You may also specify default auth scopes.
Note: some OAuth providers may not follow OAuth standards clearly, introducing > Note: Some OAuth providers may not follow OAuth standards clearly, introducing
some differences, which may require additional efforts to apply. differences, and may require additional efforts to implement clients for.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment