OAuth 2.0 PHP sample script

These sample scripts illustrate the interaction necessary to obtain and use OAuth 2.0 access tokens.

Authorization Code Grant Type

<?php
 
$authorize_url = "https://api.byu.edu/authorize";
$token_url = "https://api.byu.edu/token";
 
//  callback URL specified when the application was defined--has to match what the application says
$callback_uri = "<<redirect_uri>>";
 
$test_api_url = "<<your API>>";
 
//  client (application) credentials - located at apim.byu.edu
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";
 
 
 
if ($_POST["authorization_code"]) {
    //  what to do if there's an authorization code
    $access_token = getAccessToken($_POST["authorization_code"]);
    $resource = getResource($access_token);
    echo $resource;
} elseif ($_GET["code"]) {
    $access_token = getAccessToken($_GET["code"]);
    $resource = getResource($access_token);
    echo $resource;
} else {
    //  what to do if there's no authorization code
    getAuthorizationCode();
}
 
 
 
//  step A - simulate a request from a browser on the authorize_url
//      will return an authorization code after the user is prompted for credentials
function getAuthorizationCode() {
    global $authorize_url, $client_id, $callback_uri;
 
    $authorization_redirect_url = $authorize_url . "?response_type=code&client_id=" . $client_id . "&redirect_uri=" . $callback_uri . "&scope=openid";
 
    header("Location: " . $authorization_redirect_url);
 
    //  if you don't want to redirect
    // echo "Go <a href='$authorization_redirect_url'>here</a>, copy the code, and paste it into the box below.<br /><form action=" . $_SERVER["PHP_SELF"] . " method = 'post'><input type='text' name='authorization_code' /><br /><input type='submit'></form>";
}
 
//  step I, J - turn the authorization code into an access token, etc.
function getAccessToken($authorization_code) {
    global $token_url, $client_id, $client_secret, $callback_uri;
 
    $authorization = base64_encode("$client_id:$client_secret");
    $header = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded");
    $content = "grant_type=authorization_code&code=$authorization_code&redirect_uri=$callback_uri";
 
    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_URL => $token_url,
        CURLOPT_HTTPHEADER => $header,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $content
    ));
    $response = curl_exec($curl);
    curl_close($curl);
 
    if ($response === false) {
        echo "Failed";
        echo curl_error($curl);
        echo "Failed";
    } elseif (json_decode($response)->error) {
        echo "Error:<br />";
        echo $authorization_code;
        echo $response;
    }
 
    return json_decode($response)->access_token;
}
 
//  we can now use the access_token as much as we want to access protected resources
function getResource($access_token) {
    global $test_api_url;
 
    $header = array("Authorization: Bearer {$access_token}");
 
    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_URL => $test_api_url,
        CURLOPT_HTTPHEADER => $header,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_RETURNTRANSFER => true
    ));
    $response = curl_exec($curl);
    curl_close($curl);
 
    return json_decode($response, true);
}
 
?>

Implicit Grant Type

<?php
 
$authorize_url = "https://api.byu.edu/authorize";
$token_url = "https://api.byu.edu/token";
 
//  callback URL specified when the application was defined--must match what API says
$callback_uri = "<<redirect_uri>>";
 
$test_api_url = "<<your API>>";
 
//  client (application) credentials - located at apim.byu.edu
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";
 
if ($_POST["access_token"]) {
    //  what to do if there's an access token
    $resource = getResource($_POST["access_token"]);
    echo $resource;
} elseif ($_POST["hidden_token"]) {
    $resource = getResource($_POST["hidden_token"]);
    echo $resource;
} else {
    //  what to do if there's no access token
    getAccessToken();
}
 
 
 
//  step A - single call with client ID and callback on the URL
function getAccessToken() {
    global $authorize_url, $client_id, $callback_uri, $token_url;
 
    $authorization_redirect_url = $authorize_url . "?response_type=token&client_id=" . $client_id . "&redirect_uri=" . $callback_uri . "&scope=openid";
 
    //  create form
    echo "Go <a href='$authorization_redirect_url'>here</a>, copy the code, and paste it into the box below.<br /><form id='get_token' action=" . $_SERVER["PHP_SELF"] . " method = 'post'><input type='text' name='access_token' /><br /><input type='submit'><input type='hidden' name='hidden_token' id='hidden_token'/></form>";
 
    //  use JavaScript to check for access_token in URL
    //      redirects if it doesn't exist
    //      submits form if it does
    echo "<script type='text/javascript'>if (window.location.hash.length > 0) {var accessToken = window.location.hash; accessToken = accessToken.slice(accessToken.indexOf('access_token') + 13); accessToken = accessToken.slice(0, accessToken.indexOf('&')); document.getElementById('hidden_token').value = accessToken; document.getElementById('get_token').submit();} else {window.location.replace('$authorization_redirect_url');}</script>";
}
 
//  we can now use the access_token as much as we want to access protected resources
function getResource($access_token) {
    global $test_api_url;
 
    $header = array("Authorization: Bearer {$access_token}");
 
    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_URL => $test_api_url,
        CURLOPT_HTTPHEADER => $header,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_RETURNTRANSFER => true
    ));
    $response = curl_exec($curl);
    curl_close($curl);
 
    return json_decode($response, true);
}
 
?>

Resource Owner Password Credentials Grant Type

<?php
$url="https://api.byu.edu/byuapi/personsummary/v1/<<your netid goes here>>";
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";
$tokenUrl = "https://api.byu.edu/token";
$tokenContent = "grant_type=password&username=<<username>>&password=<<password>>";
$authorization = base64_encode("$client_id:$client_secret");
echo "$authorization \n";
$tokenHeaders = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded");
$token = curl_init();
curl_setopt($token, CURLOPT_URL, $tokenUrl);
curl_setopt($token, CURLOPT_HTTPHEADER, $tokenHeaders);
curl_setopt($token, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($token, CURLOPT_RETURNTRANSFER, true);
curl_setopt($token, CURLOPT_POST, true);
curl_setopt($token, CURLOPT_POSTFIELDS, $tokenContent);
$response = curl_exec($token);
curl_close ($token);
echo $response;
$token_array = json_decode($response, true);
print_r($token_array);
echo "\n now calling $url \n";
$headers = array('Content-Type: application/json',"Authorization: Bearer {$token_array["access_token"]}");
$process = curl_init();
curl_setopt($process, CURLOPT_URL, $url);
curl_setopt($process, CURLOPT_HTTPHEADER, $headers);
curl_setopt($process, CURLOPT_CUSTOMREQUEST, "GET");
#curl_setopt($process, CURLOPT_HEADER, 1);
curl_setopt($process, CURLOPT_TIMEOUT, 30);
curl_setopt($process, CURLOPT_HTTPGET, 1);
#curl_setopt($process, CURLOPT_VERBOSE, 1);
curl_setopt($process, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($process, CURLOPT_RETURNTRANSFER, TRUE);
$return = curl_exec($process);
curl_close($process);
echo $return;
?>

Client Credentials Grant Type

<?php
 
$token_url = "https://api.byu.edu/token";
 
$test_api_url = "<<your API>>";
 
//  client (application) credentials on apim.byu.edu
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";
 
 
 
$access_token = getAccessToken();
$resource = getResource($access_token);
echo $resource;
 
 
 
//  step A, B - single call with client credentials as the basic auth header
//      will return access_token
function getAccessToken() {
    global $token_url, $client_id, $client_secret;
 
    $content = "grant_type=client_credentials";
    $authorization = base64_encode("$client_id:$client_secret");
    $header = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded");
 
    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_URL => $token_url,
        CURLOPT_HTTPHEADER => $header,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $content
    ));
    $response = curl_exec($curl);
    curl_close($curl);
 
    return json_decode($response)->access_token;
}
 
//  step B - with the returned access_token we can make as many calls as we want
function getResource($access_token) {
    global $test_api_url;
 
    $header = array("Authorization: Bearer {$access_token}");
 
    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_URL => $test_api_url,
        CURLOPT_HTTPHEADER => $header,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_RETURNTRANSFER => true
    ));
    $response = curl_exec($curl);
    curl_close($curl);
 
    return json_decode($response, true);
}
 
?>