r3h6/oauth2-server

OAuth2 server for TYPO3

Installs: 8,226

Dependents: 1

Suggesters: 0

Security: 0

Stars: 2

Watchers: 3

Forks: 5

Open Issues: 3

Type: typo3-cms-extension

1.5.4 2024-07-24 15:26 UTC

README

A TYPO3 OAuth2 server built on PHP League's OAuth2 Server.

Features

  • Supports all grant types of PHP League's OAuth2 Server
  • Scopes can be restricted per client
  • Grant types can be restricted per client
  • Can be used to protect APIs provided by other extensions

Installation

Composer only!

$ composer require r3h6/oauth2-server

Web server

Note: depending on your web server and PHP integration you may need some additional configuration.

In particular, Apache with PHP running as CGI/FastCGI (PHP-FPM) does not hand the Authorization header to PHP by default, so the extension never sees the access token. Add the following to the vhost or .htaccess so the header is exported as HTTP_AUTHORIZATION:

SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

See also: https://symfony.com.cn/doc/current/setup/web_server_configuration.html#using-mod-proxy-fcgi-with-apache-2-4
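The following is an added diagnostic, not code from r3h6/oauth2-server: it reports whether the Authorization header actually reaches PHP, which is what the rule above is meant to guarantee. The file name (auth-header-check.php) and the curl invocation are assumptions; put the file under the document root, request it with a Bearer header, and delete it once the check passes. Run from the CLI it exercises three constructed $_SERVER shapes instead of the live request.

```php
<?php
// Added diagnostic, not part of r3h6/oauth2-server. Confirms that the
// Authorization header survives the web server -> PHP handoff.
// File name (auth-header-check.php) and the curl call are assumptions:
//   curl -H 'Authorization: Bearer test' https://example.org/auth-header-check.php
// Remove the file again once the check passes.
declare(strict_types=1);

/**
 * Return [key, value] for the Authorization header as PHP sees it, or null.
 *
 * $server is $_SERVER (or a constructed copy). Keys tried, in order:
 *   HTTP_AUTHORIZATION           what mod_php sets, and what the SetEnvIf
 *                                rule from the README exports under FPM
 *   REDIRECT_HTTP_AUTHORIZATION  seen with some .htaccess setups after a
 *                                mod_rewrite internal redirect, which
 *                                prefixes environment variables with REDIRECT_
 * TYPO3 derives request headers from the HTTP_* server keys, so only the
 * first form is usable by the extension; the second tells you the rule
 * fired but the value ended up under the wrong name.
 */
function findAuthorizationHeader(array $server): ?array
{
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return [$key, $server[$key]];
        }
    }
    return null;
}

/**
 * Extract the token from "Bearer <token>"; null for any other scheme.
 * Scheme names are case-insensitive (RFC 7235), hence the /i flag.
 */
function extractBearerToken(string $header): ?string
{
    return preg_match('/^Bearer\s+(\S+)\s*$/i', $header, $m) === 1 ? $m[1] : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed $_SERVER samples for the three situations you can run into.
    $samples = [
        'mod_php, or FPM with SetEnvIf in the vhost'     => ['HTTP_AUTHORIZATION' => 'Bearer abc.def.ghi'],
        'FPM with the variable renamed after a rewrite'  => ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer abc.def.ghi'],
        'FPM without any rule (header dropped)'          => ['REQUEST_METHOD' => 'GET'],
    ];
    foreach ($samples as $label => $server) {
        $found = findAuthorizationHeader($server);
        printf("%-48s %s\n", $label, $found === null
            ? 'no Authorization header'
            : sprintf('%s carries scheme %s', $found[0], extractBearerToken($found[1]) !== null ? 'Bearer' : 'other'));
    }
} else {
    // Web run: report presence and scheme only, never echo the token back.
    header('Content-Type: text/plain');
    $found = findAuthorizationHeader($_SERVER);
    if ($found === null) {
        echo "Authorization header did NOT reach PHP; fix the vhost/.htaccess rule.\n";
    } else {
        printf("Authorization header reached PHP via %s (scheme: %s).\n",
            $found[0], extractBearerToken($found[1]) !== null ? 'Bearer' : 'other');
    }
}
```

If the header only shows up as REDIRECT_HTTP_AUTHORIZATION, move the SetEnvIfNoCase rule into the vhost, or re-export it after the rewrite with the standard mod_rewrite idiom `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` (plain Apache configuration, not something the extension provides). A missing header is worse for resources configured with `authorization: false`, because there the request is silently treated as anonymous instead of being rejected.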

Integration

Create your own public and private keys.
Use the key pair shipped with the extension for development only: it is part of the public package, so anyone holding that private key can sign access tokens that an installation still using it will accept.
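Generating that key pair, as an added example that is not the extension's own code: a small PHP script using the openssl extension. The target directory is an assumption and should lie outside the document root. The script also verifies that the two halves belong together and that the private key is not readable by other users, which league/oauth2-server checks too (it emits a notice when the key file's mode is not 600 or 660).

```php
<?php
// Added example, not part of r3h6/oauth2-server: create your own RSA key pair
// for the privateKey/publicKey settings instead of shipping the development
// keys. The target directory below is an assumption; keep it outside the
// document root and out of version control.
declare(strict_types=1);

/**
 * Write private.key / public.key into $dir and return their paths.
 * The private key gets mode 0600: league/oauth2-server warns when the
 * private key file is readable by group or others.
 */
function generateOauth2KeyPair(string $dir, int $bits = 2048): array
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("Cannot create $dir");
    }
    $key = openssl_pkey_new([
        'private_key_bits' => $bits,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }
    if (!openssl_pkey_export($key, $privatePem)) {
        throw new RuntimeException('openssl_pkey_export failed: ' . openssl_error_string());
    }
    $publicPem = openssl_pkey_get_details($key)['key'];

    $privatePath = $dir . '/private.key';
    $publicPath  = $dir . '/public.key';
    file_put_contents($privatePath, $privatePem);
    chmod($privatePath, 0600);
    file_put_contents($publicPath, $publicPem);
    chmod($publicPath, 0644);

    return ['private' => $privatePath, 'public' => $publicPath];
}

/**
 * Sanity check before pointing the site configuration at the files:
 * a signature made with the private key must verify with the public key,
 * and the private key must not be group/world readable.
 */
function verifyKeyPair(string $privatePath, string $publicPath): bool
{
    $private = openssl_pkey_get_private('file://' . $privatePath);
    $public  = openssl_pkey_get_public('file://' . $publicPath);
    if ($private === false || $public === false) {
        return false;
    }
    $data = 'oauth2-server key check';
    if (!openssl_sign($data, $signature, $private, OPENSSL_ALGO_SHA256)) {
        return false;
    }
    if (openssl_verify($data, $signature, $public, OPENSSL_ALGO_SHA256) !== 1) {
        return false;
    }
    $mode = fileperms($privatePath) & 0777;
    return ($mode & 0077) === 0; // no group/other bits set
}

if (PHP_SAPI === 'cli') {
    $paths = generateOauth2KeyPair(__DIR__ . '/keys'); // assumed location
    echo verifyKeyPair($paths['private'], $paths['public'])
        ? "key pair OK: {$paths['private']} / {$paths['public']}\n"
        : "key pair check FAILED\n";
}
```

Afterwards point the privateKey and publicKey settings of the site configuration at the generated files. Rotating the pair invalidates every access token signed with the old private key, so plan the rotation around accessTokensExpireIn.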

You have to enable the OAuth2 server explicitly in the site configuration yaml by adding at least the following:

oauth2: []

For the authorization code grant you have to create a frontend login and a consent page.
The extension ships a TypoScript setup with a basic design for them.

Create a sys folder and add a client record to it.

[Screenshot: page tree with the new client record]

Endpoints

Configuration

oauth2:
  # Optional. Defaults to 'true'
  enabled: true

  # Path to private key
  # Type: string
  privateKey: 'EXT:oauth2_server/Resources/Private/Keys/private.key'

  # Path to public key
  # Type: string
  publicKey: 'EXT:oauth2_server/Resources/Private/Keys/public.key'

  # Access token lifetime
  # Type: string
  accessTokensExpireIn: 'P1M'

  # Refresh token lifetime
  # Type: string
  refreshTokensExpireIn: 'P1M'

  # Requires all public clients to provide a PKCE code challenge
  # See https://oauth2.thephpleague.com/upgrade-guide/
  # Type: boolean
  requireCodeChallengeForPublicClients: true

  # Page uid with "Oauth2: Consent" plugin
  # Type: int
  consentPageUid: 0

  # Page uid for frontend login (otherwise users are redirected to the root page)
  # Type: int
  loginPageUid: 0

  # Scopes
  # Type: array
  scopes:
    - scope1
    - { identifier: scope2, description: 'Description or LLL path', consent: true }

  # Configuration for protected resources
  resources:

    # Resource name
    my_resource:

      # Resource route, string, a regex matching the request path
      # Type: string
      path: /rest/.*

      # Defines whether authorization is required
      # Note: A given authorization header is still processed even if this is disabled.
      #       This is great for APIs with optional authentication
      # Type: boolean
      authorization: true

      # Resource methods (optional)
      # Type: string|array
      methods: POST|GET

      # Resource target (optional)
      # Type: string
      target: Controller::action

      # Firewall rule, checks if a user is authenticated (optional)
      # Type: boolean
      authenticated: false

      # Firewall rule, check if client ip matches given pattern (optional)
      # Behind a reverse proxy make sure TYPO3 sees the real client address,
      # otherwise the pattern is matched against the proxy's IP
      # Type: string
      ip: '127.*'

      # Firewall rule, check if request is using https (optional)
      # Type: boolean
      https: true

      # Firewall rule, check if access token has at least one of the scopes (optional)
      # Separator '|' = any of the listed scopes
      # Type: string|array
      scope: 'read|write'

      # Firewall rule, check if access token has all scopes (optional)
      # Separator ',' = all of the listed scopes. Same key as above: a resource
      # can only carry one 'scope' entry, so use one form or the other
      # Type: string|array
      # scope: 'read,write'

Protecting resources served by Extbase plugins

Extbase plugins that have a route can also be invoked directly through their query parameters (tx_<extension>_<plugin>[...]).
Such requests bypass this extension's request validation, since the resource `path` pattern is matched against the request path, not against the plugin arguments.
You should therefore either deny such requests with htaccess rules,
implement the request validation yourself, or
use the ExtbaseGuard to check that the request has passed validation.

<?php
declare(strict_types=1);

namespace Vendor\MyExt\Controller; // placeholder namespace for your extension

use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;

class ExtbaseController extends ActionController
{
    /**
     * @var \R3H6\Oauth2Server\Security\ExtbaseGuard
     * @TYPO3\CMS\Extbase\Annotation\Inject
     */
    protected $guard;

    public function initializeAction()
    {
        // Runs before every action of this controller; the guard checks that the
        // request passed the validation configured for the 'my_resource' resource.
        // Keep only the call that matches your TYPO3 version:
        $this->guard->checkAccess($GLOBALS['TYPO3_REQUEST'], 'my_resource', $this->response); // TYPO3 v10
        $this->guard->checkAccess($GLOBALS['TYPO3_REQUEST'], 'my_resource'); // TYPO3 v11
    }
}
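The htaccess option mentioned above, as an added example that is not part of r3h6/oauth2-server: a mod_rewrite rule that refuses any request carrying the plugin's argument prefix in the query string, so the plugin is only reachable through the route that the resources configuration checks. `myext` and `myplugin` are placeholders for your extension key and plugin name.

```apache
# Added example, not part of r3h6/oauth2-server. Denies direct calls to an
# Extbase plugin through its query parameters so that only the route checked
# by the resources configuration can reach it.
# "myext" and "myplugin" are placeholders; Extbase passes plugin arguments
# as tx_<extension>_<plugin>[...]=... .
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Match the argument prefix whether the bracket is raw or url-encoded
    # (%5B), at the start of the query string or after an ampersand.
    RewriteCond %{QUERY_STRING} (^|&)tx_myext_myplugin(\[|%5B) [NC]
    RewriteRule ^ - [F,L]
</IfModule>
```

This only covers the query string. Extbase also reads plugin arguments from a form-encoded POST body, which a rewrite rule cannot inspect, so treat the rule as defence in depth and rely on the ExtbaseGuard call in the controller as the actual enforcement point.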

Middleware

This extension adds several middlewares to the stack. They have to run in the order shown below to work correctly.

...
typo3/cms-frontend/site
...
r3h6/oauth2-server/configuration
r3h6/oauth2-server/routing
r3h6/oauth2-server/authentication
...
typo3/cms-frontend/authentication
...
r3h6/oauth2-server/firewall
r3h6/oauth2-server/dispatcher
...
typo3/cms-frontend/base-redirect-resolver
...

Credits

  • Marco Huber, who handed over the extension key and shared his ideas