These sample scripts illustrate the interaction necessary to obtain and use OAuth 2.0 access tokens.
Authorization Code Grant Type
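<?php
declare(strict_types=1);

// the "state" value issued in step A is kept in the session until the callback brings it back
session_start();

$authorize_url = "https://api.byu.edu/authorize";
$token_url = "https://api.byu.edu/token";
// callback URL specified when the application was defined--has to match what the application says
$callback_uri = "<<redirect_uri>>";
$test_api_url = "<<your API>>";
// client (application) credentials - located at apim.byu.edu
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";

$authorization_code = null;
if (isset($_POST["authorization_code"]) && is_string($_POST["authorization_code"]) && $_POST["authorization_code"] !== "") {
    // code pasted by hand into the form shown by getAuthorizationCode (the non-redirect variant)
    $authorization_code = $_POST["authorization_code"];
} elseif (isset($_GET["code"]) && is_string($_GET["code"]) && $_GET["code"] !== "") {
    // code delivered by the authorization server on the redirect back to $callback_uri;
    // the state sent in step A must come back unchanged, otherwise this callback was not started
    // from this session and the code must not be exchanged (login CSRF)
    $expected_state = (string) ($_SESSION["oauth_state"] ?? "");
    $received_state = isset($_GET["state"]) && is_string($_GET["state"]) ? $_GET["state"] : "";
    if ($expected_state === "" || !hash_equals($expected_state, $received_state)) {
        http_response_code(400);
        exit("Missing or mismatched OAuth state parameter");
    }
    unset($_SESSION["oauth_state"]); // each state value is accepted once
    $authorization_code = $_GET["code"];
}

if ($authorization_code === null) {
    // what to do if there's no authorization code
    getAuthorizationCode();
} else {
    // what to do if there's an authorization code
    try {
        $access_token = getAccessToken($authorization_code);
        $resource = getResource($access_token);
        // getResource returns the decoded JSON (an array); a bare echo of it only prints "Array"
        $pretty = (string) json_encode($resource, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
        echo "<pre>" . escapeHtml($pretty) . "</pre>";
    } catch (RuntimeException $e) {
        http_response_code(502);
        echo "Error: " . escapeHtml($e->getMessage());
    }
}

// escape a value for an HTML text or attribute context
function escapeHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}

// step A - send the browser to the authorize_url
// the authorization server returns an authorization code (and our state) to $callback_uri
// after the user is prompted for credentials
function getAuthorizationCode(): void {
    global $authorize_url, $client_id, $callback_uri;
    // random, single-use value; the callback branch above refuses a code that does not bring it back
    $state = bin2hex(random_bytes(16));
    $_SESSION["oauth_state"] = $state;
    // http_build_query percent-encodes each value, so "&", "=" or "#" in the callback URL
    // cannot break the query string
    $authorization_redirect_url = $authorize_url . "?" . http_build_query([
        "response_type" => "code",
        "client_id" => $client_id,
        "redirect_uri" => $callback_uri,
        "scope" => "openid",
        "state" => $state,
    ]);
    header("Location: " . $authorization_redirect_url);
    exit; // nothing after a redirect header should run or be sent
    // if you don't want to redirect: drop the two lines above and show a form instead. Everything
    // placed into the HTML must be escaped, including $_SERVER["PHP_SELF"], which can carry
    // attacker-supplied path info:
    // echo "Go <a href='" . escapeHtml($authorization_redirect_url) . "'>here</a>, copy the code, and paste it into the box below.<br /><form action='" . escapeHtml($_SERVER["PHP_SELF"]) . "' method='post'><input type='text' name='authorization_code' /><br /><input type='submit'></form>";
}
// step I, J - turn the authorization code into an access token, etc.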
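/**
 * Exchange an authorization code for an access token at $token_url (steps I, J).
 *
 * @param string $authorization_code the code received on the callback
 * @return string the access_token from the token response
 * @throws RuntimeException when the request fails, the body is not JSON, the server reports
 *                          an OAuth error, or no access_token is present
 */
function getAccessToken(string $authorization_code): string {
    global $token_url, $client_id, $client_secret, $callback_uri;
    // client credentials travel in the HTTP Basic header, never in the URL
    $authorization = base64_encode("$client_id:$client_secret");
    $header = [
        "Authorization: Basic {$authorization}",
        "Content-Type: application/x-www-form-urlencoded",
    ];
    // http_build_query form-encodes each value, so a code or callback containing "&" or "=" arrives intact
    $content = http_build_query([
        "grant_type" => "authorization_code",
        "code" => $authorization_code,
        "redirect_uri" => $callback_uri,
    ]);
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL => $token_url,
        CURLOPT_HTTPHEADER => $header,
        // certificate verification stays on: this request carries the client secret and the code
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $content,
    ]);
    $response = curl_exec($curl);
    // error text and status code must be read before curl_close; afterwards the handle is gone
    $curl_error = curl_error($curl);
    $http_status = (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    if ($response === false) {
        throw new RuntimeException("Token request failed: " . $curl_error);
    }
    $token = json_decode((string) $response, true);
    if (!is_array($token)) {
        throw new RuntimeException("Token endpoint answered HTTP " . $http_status . " with a body that is not JSON");
    }
    if (isset($token["error"])) {
        // OAuth error responses carry "error" and, optionally, "error_description"
        $detail = isset($token["error_description"]) ? " - " . (string) $token["error_description"] : "";
        throw new RuntimeException("Token endpoint returned an error: " . (string) $token["error"] . $detail);
    }
    if (!isset($token["access_token"]) || !is_string($token["access_token"])) {
        throw new RuntimeException("Token endpoint answered HTTP " . $http_status . " without an access_token");
    }
    return $token["access_token"];
}

// we can now use the access_token as much as we want to access protected resources
/**
 * Call $test_api_url with the bearer token and return the decoded JSON body.
 *
 * @param string $access_token bearer token from getAccessToken
 * @return mixed decoded JSON (arrays for objects and lists); null when the body is not JSON
 * @throws RuntimeException when the HTTP request itself fails
 */
function getResource(string $access_token) {
    global $test_api_url;
    $header = ["Authorization: Bearer {$access_token}"];
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL => $test_api_url,
        CURLOPT_HTTPHEADER => $header,
        // the bearer token travels on this request; keep the server certificate checked
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $response = curl_exec($curl);
    $curl_error = curl_error($curl); // read before the handle is closed
    curl_close($curl);
    if ($response === false) {
        throw new RuntimeException("API request failed: " . $curl_error);
    }
    return json_decode((string) $response, true);
}
?>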
Implicit Grant Type
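<?php
declare(strict_types=1);

$authorize_url = "https://api.byu.edu/authorize";
// callback URL specified when the application was defined--must match what API says
$callback_uri = "<<redirect_uri>>";
$test_api_url = "<<your API>>";
// client (application) id - located at apim.byu.edu
// the implicit grant never calls the token endpoint, so no token URL or client secret is needed here
$client_id = "<<client_id>>";

// the token arrives either pasted into the visible box or copied from the URL fragment by the script below
$access_token = null;
if (isset($_POST["access_token"]) && is_string($_POST["access_token"]) && $_POST["access_token"] !== "") {
    $access_token = $_POST["access_token"];
} elseif (isset($_POST["hidden_token"]) && is_string($_POST["hidden_token"]) && $_POST["hidden_token"] !== "") {
    $access_token = $_POST["hidden_token"];
}

if ($access_token === null) {
    // what to do if there's no access token
    getAccessToken();
} else {
    // what to do if there's an access token
    try {
        $resource = getResource($access_token);
        // getResource returns the decoded JSON (an array); a bare echo of it only prints "Array"
        $pretty = (string) json_encode($resource, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
        echo "<pre>" . escapeHtml($pretty) . "</pre>";
    } catch (RuntimeException $e) {
        http_response_code(502);
        echo "Error: " . escapeHtml($e->getMessage());
    }
}

// escape a value for an HTML text or attribute context
function escapeHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}

// step A - single call with client ID and callback on the URL
// prints a form plus a script that either redirects to the authorization server or submits the
// access_token found in the URL fragment after the redirect back
function getAccessToken(): void {
    global $authorize_url, $client_id, $callback_uri;
    // http_build_query percent-encodes each value, so "&", "=" or "#" in the callback URL
    // cannot break the query string
    $authorization_redirect_url = $authorize_url . "?" . http_build_query([
        "response_type" => "token",
        "client_id" => $client_id,
        "redirect_uri" => $callback_uri,
        "scope" => "openid",
    ]);
    // every value placed into the page is escaped for its context: attributes through escapeHtml,
    // the JavaScript string literal through json_encode with the HEX flags so it cannot close the
    // <script> element. $_SERVER["PHP_SELF"] can carry attacker-supplied path info, so it is escaped too.
    $self = escapeHtml($_SERVER["PHP_SELF"]);
    $link = escapeHtml($authorization_redirect_url);
    $js_url = (string) json_encode($authorization_redirect_url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    // create form
    echo "Go <a href='$link'>here</a>, copy the access_token from the URL, and paste it into the box below.<br />"
        . "<form id='get_token' action='$self' method='post'><input type='text' name='access_token' /><br />"
        . "<input type='submit'><input type='hidden' name='hidden_token' id='hidden_token'/></form>";
    // use JavaScript to check for access_token in the URL fragment
    // redirects if there is no fragment at all, submits the form if the token is present;
    // a fragment without access_token (e.g. an error response) leaves the form on screen.
    // URLSearchParams parses the fragment properly; the earlier indexOf/slice arithmetic dropped the
    // last character of the token whenever access_token was the final fragment parameter
    echo "<script type='text/javascript'>"
        . "var params = new URLSearchParams(window.location.hash.slice(1));"
        . "var accessToken = params.get('access_token');"
        . "if (accessToken) {"
        . "document.getElementById('hidden_token').value = accessToken;"
        . "document.getElementById('get_token').submit();"
        . "} else if (window.location.hash.length === 0) {"
        . "window.location.replace($js_url);"
        . "}</script>";
}

// we can now use the access_token as much as we want to access protected resources
/**
 * Call $test_api_url with the bearer token and return the decoded JSON body.
 *
 * @param string $access_token bearer token from the authorization server
 * @return mixed decoded JSON (arrays for objects and lists); null when the body is not JSON
 * @throws RuntimeException when the HTTP request itself fails
 */
function getResource(string $access_token) {
    global $test_api_url;
    $header = ["Authorization: Bearer {$access_token}"];
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL => $test_api_url,
        CURLOPT_HTTPHEADER => $header,
        // the bearer token travels on this request; keep the server certificate checked
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $response = curl_exec($curl);
    $curl_error = curl_error($curl); // read before the handle is closed
    curl_close($curl);
    if ($response === false) {
        throw new RuntimeException("API request failed: " . $curl_error);
    }
    return json_decode((string) $response, true);
}
?>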
Resource Owner Password Credentials Grant Type
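<?php
declare(strict_types=1);

$url = "https://api.byu.edu/byuapi/personsummary/v1/<<your netid goes here>>";
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";
$tokenUrl = "https://api.byu.edu/token";
// the password grant hands the user's own credentials to this client, so it is only meant for
// first-party, highly trusted clients; where a browser is available, prefer the authorization code grant.
// http_build_query form-encodes each value, so a password containing "&" or "=" is sent intact
$tokenContent = http_build_query([
    "grant_type" => "password",
    "username" => "<<username>>",
    "password" => "<<password>>",
]);
$authorization = base64_encode("$client_id:$client_secret");
// $authorization is the client secret, merely base64-encoded: it is never printed
$tokenHeaders = [
    "Authorization: Basic {$authorization}",
    "Content-Type: application/x-www-form-urlencoded",
];
$token = curl_init();
curl_setopt($token, CURLOPT_URL, $tokenUrl);
curl_setopt($token, CURLOPT_HTTPHEADER, $tokenHeaders);
// certificate verification stays on: this request carries the client secret and the user's password
curl_setopt($token, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($token, CURLOPT_RETURNTRANSFER, true);
curl_setopt($token, CURLOPT_POST, true);
curl_setopt($token, CURLOPT_POSTFIELDS, $tokenContent);
curl_setopt($token, CURLOPT_TIMEOUT, 30);
$response = curl_exec($token);
$tokenError = curl_error($token); // read before the handle is closed
curl_close($token);
if ($response === false) {
    throw new RuntimeException("Token request failed: " . $tokenError);
}
$token_array = json_decode((string) $response, true);
if (!is_array($token_array) || !isset($token_array["access_token"]) || !is_string($token_array["access_token"])) {
    // the body is shown only when it holds no token (typically an OAuth error object)
    throw new RuntimeException("Token endpoint did not return an access_token: " . $response);
}
// the token response (access_token, refresh_token, ...) is a credential; print only its metadata
$tokenType = isset($token_array["token_type"]) ? (string) $token_array["token_type"] : "unknown";
$expiresIn = isset($token_array["expires_in"]) ? (string) $token_array["expires_in"] : "unknown";
echo "access_token obtained (token_type: $tokenType, expires_in: $expiresIn)\n";
echo "\n now calling $url \n";
$headers = [
    'Content-Type: application/json',
    "Authorization: Bearer {$token_array["access_token"]}",
];
$process = curl_init();
curl_setopt($process, CURLOPT_URL, $url);
curl_setopt($process, CURLOPT_HTTPHEADER, $headers);
// CURLOPT_HTTPGET alone selects a GET; the CUSTOMREQUEST "GET" that used to sit beside it was redundant
curl_setopt($process, CURLOPT_HTTPGET, true);
curl_setopt($process, CURLOPT_TIMEOUT, 30);
// the bearer token travels on this request; keep the server certificate checked
curl_setopt($process, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($process, CURLOPT_RETURNTRANSFER, true);
$return = curl_exec($process);
$processError = curl_error($process); // read before the handle is closed
curl_close($process);
if ($return === false) {
    throw new RuntimeException("API request failed: " . $processError);
}
echo $return;
?>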
Client Credentials Grant Type
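<?php
declare(strict_types=1);

$token_url = "https://api.byu.edu/token";
$test_api_url = "<<your API>>";
// client (application) credentials on apim.byu.edu
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";

try {
    $access_token = getAccessToken();
    $resource = getResource($access_token);
    // getResource returns the decoded JSON (an array); a bare echo of it only prints "Array"
    $pretty = (string) json_encode($resource, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
    echo "<pre>" . escapeHtml($pretty) . "</pre>";
} catch (RuntimeException $e) {
    http_response_code(502);
    echo "Error: " . escapeHtml($e->getMessage());
}

// escape a value for an HTML text or attribute context
function escapeHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
}

// step A, B - single call with client credentials as the basic auth header
// will return access_token
/**
 * Obtain an access token with the client_credentials grant.
 *
 * @return string the access_token from the token response
 * @throws RuntimeException when the request fails, the body is not JSON, the server reports
 *                          an OAuth error, or no access_token is present
 */
function getAccessToken(): string {
    global $token_url, $client_id, $client_secret;
    $content = "grant_type=client_credentials";
    // client credentials travel in the HTTP Basic header, never in the URL
    $authorization = base64_encode("$client_id:$client_secret");
    $header = [
        "Authorization: Basic {$authorization}",
        "Content-Type: application/x-www-form-urlencoded",
    ];
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL => $token_url,
        CURLOPT_HTTPHEADER => $header,
        // certificate verification stays on: this request carries the client secret
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $content,
    ]);
    $response = curl_exec($curl);
    // error text and status code must be read before curl_close; afterwards the handle is gone
    $curl_error = curl_error($curl);
    $http_status = (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    if ($response === false) {
        throw new RuntimeException("Token request failed: " . $curl_error);
    }
    $token = json_decode((string) $response, true);
    if (!is_array($token)) {
        throw new RuntimeException("Token endpoint answered HTTP " . $http_status . " with a body that is not JSON");
    }
    if (isset($token["error"])) {
        // OAuth error responses carry "error" and, optionally, "error_description"
        $detail = isset($token["error_description"]) ? " - " . (string) $token["error_description"] : "";
        throw new RuntimeException("Token endpoint returned an error: " . (string) $token["error"] . $detail);
    }
    if (!isset($token["access_token"]) || !is_string($token["access_token"])) {
        throw new RuntimeException("Token endpoint answered HTTP " . $http_status . " without an access_token");
    }
    return $token["access_token"];
}

// step B - with the returned access_token we can make as many calls as we want
/**
 * Call $test_api_url with the bearer token and return the decoded JSON body.
 *
 * @param string $access_token bearer token from getAccessToken
 * @return mixed decoded JSON (arrays for objects and lists); null when the body is not JSON
 * @throws RuntimeException when the HTTP request itself fails
 */
function getResource(string $access_token) {
    global $test_api_url;
    $header = ["Authorization: Bearer {$access_token}"];
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL => $test_api_url,
        CURLOPT_HTTPHEADER => $header,
        // the bearer token travels on this request; keep the server certificate checked
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $response = curl_exec($curl);
    $curl_error = curl_error($curl); // read before the handle is closed
    curl_close($curl);
    if ($response === false) {
        throw new RuntimeException("API request failed: " . $curl_error);
    }
    return json_decode((string) $response, true);
}
?>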