These sample scripts illustrate the interaction necessary to obtain and use OAuth 2.0 access tokens.
Authorization Code Grant Type
<?php
$authorize_url = "https://api.byu.edu/authorize";
$token_url = "https://api.byu.edu/token";
// callback URL specified when the application was defined--has to match what the application says
$callback_uri = "<<redirect_uri>>";
$test_api_url = "<<your API>>";
// client (application) credentials - located at apim.byu.edu
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";
if ($_POST["authorization_code"]) {
// what to do if there's an authorization code
$access_token = getAccessToken($_POST["authorization_code"]);
$resource = getResource($access_token);
echo $resource;
} elseif ($_GET["code"]) {
$access_token = getAccessToken($_GET["code"]);
$resource = getResource($access_token);
echo $resource;
} else {
// what to do if there's no authorization code
getAuthorizationCode();
}
// step A - simulate a request from a browser on the authorize_url
// will return an authorization code after the user is prompted for credentials
function getAuthorizationCode() {
global $authorize_url, $client_id, $callback_uri;
$authorization_redirect_url = $authorize_url . "?response_type=code&client_id=" . $client_id . "&redirect_uri=" . $callback_uri . "&scope=openid";
header("Location: " . $authorization_redirect_url);
// if you don't want to redirect
// echo "Go <a href='$authorization_redirect_url'>here</a>, copy the code, and paste it into the box below.<br /><form action=" . $_SERVER["PHP_SELF"] . " method = 'post'><input type='text' name='authorization_code' /><br /><input type='submit'></form>";
}
// step I, J - turn the authorization code into an access token, etc.
function getAccessToken($authorization_code) {
global $token_url, $client_id, $client_secret, $callback_uri;
$authorization = base64_encode("$client_id:$client_secret");
$header = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded");
$content = "grant_type=authorization_code&code=$authorization_code&redirect_uri=$callback_uri";
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => $token_url,
CURLOPT_HTTPHEADER => $header,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $content
));
$response = curl_exec($curl);
curl_close($curl);
if ($response === false) {
echo "Failed";
echo curl_error($curl);
echo "Failed";
} elseif (json_decode($response)->error) {
echo "Error:<br />";
echo $authorization_code;
echo $response;
}
return json_decode($response)->access_token;
}
// we can now use the access_token as much as we want to access protected resources
function getResource($access_token) {
global $test_api_url;
$header = array("Authorization: Bearer {$access_token}");
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => $test_api_url,
CURLOPT_HTTPHEADER => $header,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_RETURNTRANSFER => true
));
$response = curl_exec($curl);
curl_close($curl);
return json_decode($response, true);
}
?>
Implicit Grant Type
<?php
$authorize_url = "https://api.byu.edu/authorize";
$token_url = "https://api.byu.edu/token";
// callback URL specified when the application was defined--must match what API says
$callback_uri = "<<redirect_uri>>";
$test_api_url = "<<your API>>";
// client (application) credentials - located at apim.byu.edu
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";
if ($_POST["access_token"]) {
// what to do if there's an access token
$resource = getResource($_POST["access_token"]);
echo $resource;
} elseif ($_POST["hidden_token"]) {
$resource = getResource($_POST["hidden_token"]);
echo $resource;
} else {
// what to do if there's no access token
getAccessToken();
}
// step A - single call with client ID and callback on the URL
function getAccessToken() {
global $authorize_url, $client_id, $callback_uri, $token_url;
$authorization_redirect_url = $authorize_url . "?response_type=token&client_id=" . $client_id . "&redirect_uri=" . $callback_uri . "&scope=openid";
// create form
echo "Go <a href='$authorization_redirect_url'>here</a>, copy the code, and paste it into the box below.<br /><form id='get_token' action=" . $_SERVER["PHP_SELF"] . " method = 'post'><input type='text' name='access_token' /><br /><input type='submit'><input type='hidden' name='hidden_token' id='hidden_token'/></form>";
// use JavaScript to check for access_token in URL
// redirects if it doesn't exist
// submits form if it does
echo "<script type='text/javascript'>if (window.location.hash.length > 0) {var accessToken = window.location.hash; accessToken = accessToken.slice(accessToken.indexOf('access_token') + 13); accessToken = accessToken.slice(0, accessToken.indexOf('&')); document.getElementById('hidden_token').value = accessToken; document.getElementById('get_token').submit();} else {window.location.replace('$authorization_redirect_url');}</script>";
}
// we can now use the access_token as much as we want to access protected resources
function getResource($access_token) {
global $test_api_url;
$header = array("Authorization: Bearer {$access_token}");
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => $test_api_url,
CURLOPT_HTTPHEADER => $header,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_RETURNTRANSFER => true
));
$response = curl_exec($curl);
curl_close($curl);
return json_decode($response, true);
}
?>
Resource Owner Password Credentials Grant Type
<?php
$url="https://api.byu.edu/byuapi/personsummary/v1/<<your netid goes here>>";
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";
$tokenUrl = "https://api.byu.edu/token";
$tokenContent = "grant_type=password&username=<<username>>&password=<<password>>";
$authorization = base64_encode("$client_id:$client_secret");
echo "$authorization \n";
$tokenHeaders = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded");
$token = curl_init();
curl_setopt($token, CURLOPT_URL, $tokenUrl);
curl_setopt($token, CURLOPT_HTTPHEADER, $tokenHeaders);
curl_setopt($token, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($token, CURLOPT_RETURNTRANSFER, true);
curl_setopt($token, CURLOPT_POST, true);
curl_setopt($token, CURLOPT_POSTFIELDS, $tokenContent);
$response = curl_exec($token);
curl_close ($token);
echo $response;
$token_array = json_decode($response, true);
print_r($token_array);
echo "\n now calling $url \n";
$headers = array('Content-Type: application/json',"Authorization: Bearer {$token_array["access_token"]}");
$process = curl_init();
curl_setopt($process, CURLOPT_URL, $url);
curl_setopt($process, CURLOPT_HTTPHEADER, $headers);
curl_setopt($process, CURLOPT_CUSTOMREQUEST, "GET");
#curl_setopt($process, CURLOPT_HEADER, 1);
curl_setopt($process, CURLOPT_TIMEOUT, 30);
curl_setopt($process, CURLOPT_HTTPGET, 1);
#curl_setopt($process, CURLOPT_VERBOSE, 1);
curl_setopt($process, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($process, CURLOPT_RETURNTRANSFER, TRUE);
$return = curl_exec($process);
curl_close($process);
echo $return;
?>
Client Credentials Grant Type
<?php
$token_url = "https://api.byu.edu/token";
$test_api_url = "<<your API>>";
// client (application) credentials on apim.byu.edu
$client_id = "<<client_id>>";
$client_secret = "<<client_secret>>";
$access_token = getAccessToken();
$resource = getResource($access_token);
echo $resource;
// step A, B - single call with client credentials as the basic auth header
// will return access_token
function getAccessToken() {
global $token_url, $client_id, $client_secret;
$content = "grant_type=client_credentials";
$authorization = base64_encode("$client_id:$client_secret");
$header = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded");
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => $token_url,
CURLOPT_HTTPHEADER => $header,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $content
));
$response = curl_exec($curl);
curl_close($curl);
return json_decode($response)->access_token;
}
// step B - with the returned access_token we can make as many calls as we want
function getResource($access_token) {
global $test_api_url;
$header = array("Authorization: Bearer {$access_token}");
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => $test_api_url,
CURLOPT_HTTPHEADER => $header,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_RETURNTRANSFER => true
));
$response = curl_exec($curl);
curl_close($curl);
return json_decode($response, true);
}
?>
