Fork me on GitHub

Authorization Server

The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

Authorization server's endpoints usually without GUI, but just RESTful API interface. Read though routing.php to see how we implement it.

The authorization process utilizes two authorization server endpoints (HTTP resources):

Authorization Endpoint (/api/oauth2/authorize and /demo/authorize)

The authorization endpoint is used to interact with the resource owner and obtain an authorization grant.

Authorization endpoint (HTTP Basic Authentication and Form-based Authentication) are protected by Silex's SecurityServiceProvider in this example. Read though security.php to see how we implement it.

Direct browser access is possible, authentication request will therefore triggered, and able to login with following testing account:

  • Username: demousername1
  • Password: demopassword1

After successful login, by default if access this endpoint without addition parameters, an error message {"error":"invalid_request"} should be shown in JSON format.

Token Endpoint (/api/oauth2/token)

The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token.

Token endpoint is protected by OAuth2's AuthBucketOAuth2ServiceProvider in this example. Read though security.php to see how we implement it.

By default this endpoint shouldn't access by browser directly with GET, else an error message {"error":"invalid_request"} should be show in JSON format.

For debug purpose, may consider send out POST request to this endpoint by HttpRequester.

Following endpoints are excluded from RFC6749, but live implementation should consider it.

Form-based Authentication (/demo/login)

Form-based Authentication implemented by Silex's SecurityServiceProvider in this example. Read though routing.php and login.html.twig for more information.

This is used for protect above Authorization Endpoints.

Debug Endpoint (/api/oauth2/debug)

Debug Endpoint clone the idea of Facebook's Debug API Endpoint, return raw information of corresponding access_token provided. Read though security.php and routing.php for more information.

When working with an access token, you may need to check what information is associated with it, such as its user or expiry. To use this endpoint, you can issue a GET/POST request, e.g.:

GET /api/oauth2/debug?access_token={access_token} HTTP/1.1
  • access_token: the access token you want to get information about

The response of the API call is a JSON array containing a map of fields. For example:

        "access_token": "5dc0bdbb2f66a842cb46a02b6d559131",
        "client_id": "authorization_code_grant",
        "expires": 1404641243,
        "scope": [
        "token_type": "bearer",
        "username": "demousername1"

Remote Resource Server may also utilize this debug endpoint to verfiy the supplied access token.