These sample scripts illustrate the interaction necessary to obtain and use OAuth 2.0 access tokens.

Authorization Code Grant Type

<?php

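$authorize_url = "https://api.byu.edu/authorize";
$token_url = "https://api.byu.edu/token";

//	callback URL specified when the application was defined--has to match what the application says
$callback_uri = "<<redirect_uri>>";

$test_api_url = "<<your API>>";

//	client (application) credentials - located at apim.byu.edu
//	The client secret authenticates this application to the token endpoint: keep the real value
//	out of version control and out of any file the web server can serve as text.
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";



//	The authorization code arrives either by POST (pasted into the manual form) or by GET
//	(the redirect back from the authorize endpoint). Only a non-empty string is accepted, so a
//	missing key or an array-valued parameter never reaches the token request.
$authorization_code = "";
if (!empty($_POST["authorization_code"]) && is_string($_POST["authorization_code"])) {
	$authorization_code = $_POST["authorization_code"];
} elseif (!empty($_GET["code"]) && is_string($_GET["code"])) {
	$authorization_code = $_GET["code"];
}

//	NOTE(review): the callback is accepted without a "state" check, so this script cannot tell
//	whether the code belongs to a flow that this browser session started (RFC 6749 section 10.12).
//	Add a per-session state value before using this beyond a demo.
if ($authorization_code !== "") {
	//	what to do if there's an authorization code
	$access_token = getAccessToken($authorization_code);
	if ($access_token) {
		$resource = getResource($access_token);
		//	getResource() returns decoded JSON (an array), so it is re-encoded and HTML-escaped for display
		echo "<pre>" . htmlspecialchars((string) json_encode($resource, JSON_PRETTY_PRINT), ENT_NOQUOTES, "UTF-8") . "</pre>";
	} else {
		echo "No access token was returned.";
	}
} else {
	//	what to do if there's no authorization code
	getAuthorizationCode();
}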



//	step A - simulate a request from a browser on the authorize_url
//		will return an authorization code after the user is prompted for credentials
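//	Sends the browser to the authorize endpoint with a Location header.
//	Reads $authorize_url, $client_id and $callback_uri from the global scope; returns nothing.
function getAuthorizationCode() {
	global $authorize_url, $client_id, $callback_uri;

	//	http_build_query() percent-encodes every value, so a redirect URI that contains
	//	"&", "?" or "#" cannot break out into extra query parameters
	$authorization_redirect_url = $authorize_url . "?" . http_build_query(array(
		"response_type" => "code",
		"client_id" => $client_id,
		"redirect_uri" => $callback_uri,
		"scope" => "openid"
	), "", "&");

	//	NOTE(review): no "state" parameter is sent, so the callback cannot be bound to this
	//	browser session (RFC 6749 section 10.12); generate one per request and verify it on return.
	header("Location: " . $authorization_redirect_url);

	//	if you don't want to redirect (both values are HTML-escaped because they land in attributes)
	// echo "Go <a href='" . htmlspecialchars($authorization_redirect_url, ENT_QUOTES, "UTF-8") . "'>here</a>, copy the code, and paste it into the box below.<br /><form action='" . htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "UTF-8") . "' method='post'><input type='text' name='authorization_code' /><br /><input type='submit'></form>";
}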

//	step I, J - turn the authorization code into an access token, etc.
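//	Exchanges an authorization code for an access token at the token endpoint.
//	Reads $token_url, $client_id, $client_secret and $callback_uri from the global scope.
//	Returns the access_token value from the JSON response, or null when the code is empty,
//	the request fails, or the response carries an error or no token.
function getAccessToken($authorization_code) {
	global $token_url, $client_id, $client_secret, $callback_uri;

	if (!is_string($authorization_code) || $authorization_code === "") {
		return null;
	}

	$authorization = base64_encode("$client_id:$client_secret");
	$header = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded");
	//	the code comes from the request, so it is percent-encoded instead of pasted into the body;
	//	otherwise a "&" inside it would add parameters to the token request
	$content = http_build_query(array(
		"grant_type" => "authorization_code",
		"code" => $authorization_code,
		"redirect_uri" => $callback_uri
	), "", "&");

	$curl = curl_init();
	curl_setopt_array($curl, array(
		CURLOPT_URL => $token_url,
		CURLOPT_HTTPHEADER => $header,
		//	this request carries the client secret: certificate and host name checks stay on,
		//	otherwise anyone on the network path can pose as the token endpoint
		CURLOPT_SSL_VERIFYPEER => true,
		CURLOPT_SSL_VERIFYHOST => 2,
		CURLOPT_RETURNTRANSFER => true,
		CURLOPT_POST => true,
		CURLOPT_POSTFIELDS => $content
	));
	$response = curl_exec($curl);
	//	read the error text before the handle is closed
	$transport_error = ($response === false) ? curl_error($curl) : "";
	curl_close($curl);

	if ($response === false) {
		//	details go to the server log; the page only says that the request failed
		error_log("Token request failed: " . $transport_error);
		echo "Failed";
		return null;
	}

	$token = json_decode($response);
	if (!is_object($token) || isset($token->error) || !isset($token->access_token)) {
		$error_code = (is_object($token) && isset($token->error) && is_string($token->error)) ? $token->error : "invalid_response";
		//	the submitted code and the raw response are not echoed back: both would be
		//	written into the page unescaped
		echo "Error:<br />";
		echo htmlspecialchars($error_code, ENT_QUOTES, "UTF-8");
		return null;
	}

	return $token->access_token;
}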

//	we can now use the access_token as much as we want to access protected resources
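//	Calls the protected API with the bearer token and returns the decoded JSON body.
//	Reads $test_api_url from the global scope. Returns the json_decode() result as an
//	associative array, or null when the token is unusable, the request fails, or the body is not JSON.
function getResource($access_token) {
	global $test_api_url;

	//	the token is copied into an HTTP header line, so anything outside printable ASCII
	//	(CR and LF in particular) is refused instead of being sent
	if (!is_string($access_token) || $access_token === "" || preg_match('/[^\x21-\x7e]/', $access_token)) {
		return null;
	}

	$header = array("Authorization: Bearer {$access_token}");

	$curl = curl_init();
	curl_setopt_array($curl, array(
		CURLOPT_URL => $test_api_url,
		CURLOPT_HTTPHEADER => $header,
		//	the bearer token is sent on this connection: certificate and host name checks stay on
		CURLOPT_SSL_VERIFYPEER => true,
		CURLOPT_SSL_VERIFYHOST => 2,
		CURLOPT_RETURNTRANSFER => true
	));
	$response = curl_exec($curl);
	if ($response === false) {
		error_log("API request failed: " . curl_error($curl));
		curl_close($curl);
		return null;
	}
	curl_close($curl);

	return json_decode($response, true);
}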

?>

 

Implicit Grant Type

<?php

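//	NOTE(review): with response_type=token the access token comes back in the URL fragment and is
//	handled by page script. The OAuth 2.0 Security Best Current Practice (RFC 9700) advises against
//	the implicit grant; the authorization code grant with PKCE is the usual replacement.
$authorize_url = "https://api.byu.edu/authorize";
$token_url = "https://api.byu.edu/token";

//	callback URL specified when the application was defined--must match what API says
$callback_uri = "<<redirect_uri>>";

$test_api_url = "<<your API>>";

//	client (application) credentials - located at apim.byu.edu
//	$client_secret is not read anywhere in this script; leave the real secret out of it
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";

//	The token is taken from the visible form field first, then from the hidden field filled
//	in by the page script. Only a non-empty string is accepted.
$access_token = "";
foreach (array("access_token", "hidden_token") as $field) {
	if (!empty($_POST[$field]) && is_string($_POST[$field])) {
		$access_token = $_POST[$field];
		break;
	}
}

if ($access_token !== "") {
	//	what to do if there's an access token
	$resource = getResource($access_token);
	//	getResource() returns decoded JSON (an array), so it is re-encoded and HTML-escaped for display
	echo "<pre>" . htmlspecialchars((string) json_encode($resource, JSON_PRETTY_PRINT), ENT_NOQUOTES, "UTF-8") . "</pre>";
} else {
	//	what to do if there's no access token
	getAccessToken();
}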



//	step A - single call with client ID and callback on the URL
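//	Prints the manual-entry form and the page script that drives the implicit flow.
//	Reads $authorize_url, $client_id and $callback_uri from the global scope ($token_url is
//	declared but not used here). Returns nothing; all output goes to the response body.
function getAccessToken() {
	global $authorize_url, $client_id, $callback_uri, $token_url;

	//	http_build_query() percent-encodes every value, so the redirect URI cannot add parameters
	$authorization_redirect_url = $authorize_url . "?" . http_build_query(array(
		"response_type" => "token",
		"client_id" => $client_id,
		"redirect_uri" => $callback_uri,
		"scope" => "openid"
	), "", "&");

	//	each value is escaped for the place it is written to: HTML attributes for the link and
	//	the form action, a JavaScript string literal for the script
	$link_href = htmlspecialchars($authorization_redirect_url, ENT_QUOTES, "UTF-8");
	//	PHP_SELF includes whatever path the client appended after the script name
	$form_action = htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "UTF-8");
	$script_url = json_encode($authorization_redirect_url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

	//	create form
	echo "Go <a href='$link_href'>here</a>, copy the code, and paste it into the box below.<br /><form id='get_token' action='$form_action' method='post'><input type='text' name='access_token' /><br /><input type='submit'><input type='hidden' name='hidden_token' id='hidden_token'/></form>";

	//	use JavaScript to check for access_token in URL
	//		redirects if the fragment is empty
	//		submits form if the fragment has an access_token parameter
	//		does nothing if the fragment holds something else (an error response, for example)
	echo "<script type='text/javascript'>"
		. "(function () {"
		. "var fragment = window.location.hash.replace(/^#/, '');"
		. "if (fragment.length === 0) { window.location.replace(" . $script_url . "); return; }"
		. "var pairs = fragment.split('&');"
		. "for (var i = 0; i < pairs.length; i++) {"
		. "var eq = pairs[i].indexOf('=');"
		. "if (eq > 0 && pairs[i].slice(0, eq) === 'access_token') {"
		. "document.getElementById('hidden_token').value = decodeURIComponent(pairs[i].slice(eq + 1));"
		//	take the token out of the address bar and the history entry before leaving the page
		. "if (window.history && window.history.replaceState) { window.history.replaceState(null, '', window.location.pathname + window.location.search); }"
		. "document.getElementById('get_token').submit();"
		. "return;"
		. "}"
		. "}"
		. "})();"
		. "</script>";
}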

//	we can now use the access_token as much as we want to access protected resources
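//	Calls the protected API with the bearer token and returns the decoded JSON body.
//	Reads $test_api_url from the global scope. Returns the json_decode() result as an
//	associative array, or null when the token is unusable, the request fails, or the body is not JSON.
function getResource($access_token) {
	global $test_api_url;

	//	in this script the token comes straight from the posted form and is copied into an HTTP
	//	header line, so anything outside printable ASCII (CR and LF in particular) is refused
	if (!is_string($access_token) || $access_token === "" || preg_match('/[^\x21-\x7e]/', $access_token)) {
		return null;
	}

	$header = array("Authorization: Bearer {$access_token}");

	$curl = curl_init();
	curl_setopt_array($curl, array(
		CURLOPT_URL => $test_api_url,
		CURLOPT_HTTPHEADER => $header,
		//	the bearer token is sent on this connection: certificate and host name checks stay on
		CURLOPT_SSL_VERIFYPEER => true,
		CURLOPT_SSL_VERIFYHOST => 2,
		CURLOPT_RETURNTRANSFER => true
	));
	$response = curl_exec($curl);
	if ($response === false) {
		error_log("API request failed: " . curl_error($curl));
		curl_close($curl);
		return null;
	}
	curl_close($curl);

	return json_decode($response, true);
}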

?>

 

Resource Owner Password Credentials Grant Type

<?php
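//	NOTE(review): the password grant makes this script handle the user's own password. The OAuth 2.0
//	Security Best Current Practice (RFC 9700) says this grant must not be used; it is shown here
//	only because the page documents it.
$url="https://api.byu.edu/byuapi/personsummary/v1/<<your netid goes here>>";
//	client (application) credentials - keep the real secret out of version control
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";
$tokenUrl = "https://api.byu.edu/token";
//	http_build_query() percent-encodes the user name and password, so characters such as "&",
//	"=" or "+" in a password arrive intact instead of changing the request body
$tokenContent = http_build_query(array(
	"grant_type" => "password",
	"username" => "<<username>>",
	"password" => "<<password>>"
), "", "&");
$authorization = base64_encode("$client_id:$client_secret");
//	$authorization is only base64 of "client_id:client_secret" (an encoding, not encryption),
//	so it is not printed
$tokenHeaders = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded");
$token = curl_init();
curl_setopt($token, CURLOPT_URL, $tokenUrl);
curl_setopt($token, CURLOPT_HTTPHEADER, $tokenHeaders);
//	this request carries the client secret and the user's password: certificate and host name
//	checks stay on
curl_setopt($token, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($token, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($token, CURLOPT_RETURNTRANSFER, true);
curl_setopt($token, CURLOPT_POST, true);
curl_setopt($token, CURLOPT_POSTFIELDS, $tokenContent);
$response = curl_exec($token);
if ($response === false) {
	echo "Token request failed: " . curl_error($token) . "\n";
	curl_close($token);
	exit(1);
}
curl_close ($token);
$token_array = json_decode($response, true);
if (!is_array($token_array) || empty($token_array["access_token"]) || !is_string($token_array["access_token"])) {
	$error_code = (is_array($token_array) && isset($token_array["error"]) && is_string($token_array["error"])) ? $token_array["error"] : "invalid_response";
	echo "Token endpoint returned an error: " . htmlspecialchars($error_code, ENT_QUOTES, "UTF-8") . "\n";
	exit(1);
}
//	confirm that a token arrived without writing the token (or a refresh token) to the output
echo "access token received";
if (isset($token_array["expires_in"]) && is_scalar($token_array["expires_in"])) {
	echo ", expires in " . (int) $token_array["expires_in"] . " seconds";
}
echo "\n now calling $url \n";
$headers = array('Content-Type: application/json',"Authorization: Bearer {$token_array["access_token"]}");
$process = curl_init();
curl_setopt($process, CURLOPT_URL, $url);
curl_setopt($process, CURLOPT_HTTPHEADER, $headers);
curl_setopt($process, CURLOPT_CUSTOMREQUEST, "GET");
#curl_setopt($process, CURLOPT_HEADER, 1);
curl_setopt($process, CURLOPT_TIMEOUT, 30);
curl_setopt($process, CURLOPT_HTTPGET, 1);
//	if verbose output is switched on for debugging, check that the Authorization header does
//	not end up in a shared log
#curl_setopt($process, CURLOPT_VERBOSE, 1);
curl_setopt($process, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($process, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($process, CURLOPT_RETURNTRANSFER, TRUE);
$return = curl_exec($process);
if ($return === false) {
	echo "API request failed: " . curl_error($process) . "\n";
	curl_close($process);
	exit(1);
}
curl_close($process);
//	raw API body; escape it with htmlspecialchars() if this is ever rendered as HTML
echo $return;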
?>

 

Client Credentials Grant Type

<?php

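$token_url = "https://api.byu.edu/token";

$test_api_url = "<<your API>>";

//	client (application) credentials on apim.byu.edu
//	In this grant the client secret is the only credential: keep the real value out of version
//	control and out of any file the web server can serve as text.
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";



$access_token = getAccessToken();
if ($access_token) {
	$resource = getResource($access_token);
	//	getResource() returns decoded JSON (an array), so it is re-encoded and HTML-escaped for display
	echo "<pre>" . htmlspecialchars((string) json_encode($resource, JSON_PRETTY_PRINT), ENT_NOQUOTES, "UTF-8") . "</pre>";
} else {
	echo "No access token was returned.";
}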



//	step A, B - single call with client credentials as the basic auth header
//		will return access_token
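//	Requests an access token with the client credentials grant.
//	Reads $token_url, $client_id and $client_secret from the global scope.
//	Returns the access_token value from the JSON response, or null when the request fails
//	or the response carries an error or no token.
function getAccessToken() {
	global $token_url, $client_id, $client_secret;

	$content = "grant_type=client_credentials";
	$authorization = base64_encode("$client_id:$client_secret");
	$header = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded");

	$curl = curl_init();
	curl_setopt_array($curl, array(
		CURLOPT_URL => $token_url,
		CURLOPT_HTTPHEADER => $header,
		//	this request carries the client secret: certificate and host name checks stay on,
		//	otherwise anyone on the network path can pose as the token endpoint
		CURLOPT_SSL_VERIFYPEER => true,
		CURLOPT_SSL_VERIFYHOST => 2,
		CURLOPT_RETURNTRANSFER => true,
		CURLOPT_POST => true,
		CURLOPT_POSTFIELDS => $content
	));
	$response = curl_exec($curl);
	if ($response === false) {
		error_log("Token request failed: " . curl_error($curl));
		curl_close($curl);
		return null;
	}
	curl_close($curl);

	$token = json_decode($response);
	if (!is_object($token) || isset($token->error) || !isset($token->access_token)) {
		//	only the error code is logged, never the response body
		$error_code = (is_object($token) && isset($token->error) && is_string($token->error)) ? $token->error : "invalid_response";
		error_log("Token endpoint returned an error: " . $error_code);
		return null;
	}

	return $token->access_token;
}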

//	step B - with the returned access_token we can make as many calls as we want
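//	Calls the protected API with the bearer token and returns the decoded JSON body.
//	Reads $test_api_url from the global scope. Returns the json_decode() result as an
//	associative array, or null when the token is unusable, the request fails, or the body is not JSON.
function getResource($access_token) {
	global $test_api_url;

	//	the token is copied into an HTTP header line, so anything outside printable ASCII
	//	(CR and LF in particular) is refused instead of being sent
	if (!is_string($access_token) || $access_token === "" || preg_match('/[^\x21-\x7e]/', $access_token)) {
		return null;
	}

	$header = array("Authorization: Bearer {$access_token}");

	$curl = curl_init();
	curl_setopt_array($curl, array(
		CURLOPT_URL => $test_api_url,
		CURLOPT_HTTPHEADER => $header,
		//	the bearer token is sent on this connection: certificate and host name checks stay on
		CURLOPT_SSL_VERIFYPEER => true,
		CURLOPT_SSL_VERIFYHOST => 2,
		CURLOPT_RETURNTRANSFER => true
	));
	$response = curl_exec($curl);
	if ($response === false) {
		error_log("API request failed: " . curl_error($curl));
		curl_close($curl);
		return null;
	}
	curl_close($curl);

	return json_decode($response, true);
}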

?>