oauth2.0服务端与客户端搭建

oauth2.0服务端与客户端搭建 - 推酷

今天搭建了oauth2.0服务端与客户端。把搭建的过程记录一下。具体实现的功能是：client.ruanwenwu.cn的用户能够通过 server.ruanwenwu.cn的用户名和密码登陆client.ruanwenwu.cn。并且登陆 后，client.ruanwenwu.cn的用户能获取server.ruanwenwu.cn哪里的一些资源。

我的个人博客原文地址： http://www.ruanwenwu.cn/2015/12/oauth-server-and-client-install.html 

一、oauth2.0的作用

1、搭建第三方登录平台（就像你用很多网站支持qq登录。其实是qq提供的oauth2.0服务端支持。网站作为第三方，只要用oauth2.0标准请求服务端，求能得到用户信息，并实现登录）。

2、公共资源管理。

就 像你（Y）想通过一个打印照片的网站（A)来打印你存放在google(B)的照片。你就要通过这个A来获取B的照片。B肯定要验证是否是他的用户Y的请 求，验证通过才把照片传递给A实现打印。问题是Y不想把账号密码直接给A。用oauth2.0就是来解决这个问题的：

A先 把Y导向B的站点进行授权。授权通过，B向A发送oauth_code。A拿到这个oauth_code，连同A的client_id和 oauth_secrete发送给B，如果数据正确，B就会给A发送oauth_token。有了这个token,A就可以获取B的相关资源的。

基本的流程是这样。下面是具体的实现过程。

二、oauth2.0服务端的搭建。

oauth2.0的服务端分为验证服务器和资源服务器。这两个服务器也可以是同一个服务器（只不过把这两个功能用一个 服务器来完成罢了）。

说明：我的实现都在Thinkphp3.2.3框架下实现。

1、下载thinkphp3.2.3。

2、配置虚拟机server.ruanwenwu.cn

3、在Thinkphp的Home应用下修改配置文件（server.ruanwenwu.cn/Application/Home/Conf/config.php）如下所示：

<?php
return array(
    //'配置项'=>'配置值'
    //数据库设置
        'DB_TYPE' => 'mysql',
        'DB_HOST' => '127.0.0.1',//localhost
        'DB_NAME' => 'oauth',
        'DB_USER' => 'root',
        'DB_PWD'  => 'root',
        'DB_PORT' => '3306',
    

    'SCOPE_INFO'  => array(    //这是授权选项。根据你自己的项目来
        array(
            'name' => '个人信息',
            'value' => 'basicinfo'
        ),
        array(
            'name' => '论坛发帖回帖',
            'value' => 'bbsinfo'
        ),
    ),
    
    'OAUTH2_CODES_TABLE'   =>'oauth_code',    //这里是oauth项目需要用的三个基础表
    'OAUTH2_CLIENTS_TABLE' =>'oauth_client',
    'OAUTH2_TOKEN_TABLE'   =>'oauth_token',
    
    'SECRETKYE' => 'Mumayi!@#',    //下面是一些网站自定义的项目。可以根据自己的情况来写或者不写
    //session 有效期
    'SESSION_EXPIRES' => 1200,
    //key 有效期
    'PASS_KEY_EXPIRES' => 86400,
    //key 有效期
    'PHONE_KEY_EXPIRES' => 300,
    //key 加密 整型 数字 必须为 int
    'PASS_KEY_CALC' => 1314,
);

4、建oauth表。

SET FOREIGN_KEY_CHECKS=0;

-- ----------------------------
-- Table structure for oauth_client
-- ----------------------------
DROP TABLE IF EXISTS `oauth_client`;
CREATE TABLE `oauth_client` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `client_id` varchar(32) NOT NULL,
  `client_secret` varchar(32) NOT NULL,
  `redirect_uri` varchar(200) NOT NULL,
  `create_time` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;

-- ----------------------------
-- Table structure for oauth_code
-- ----------------------------
DROP TABLE IF EXISTS `oauth_code`;
CREATE TABLE `oauth_code` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `client_id` varchar(32) NOT NULL,
  `user_id` int(11) NOT NULL DEFAULT '1',
  `code` varchar(40) NOT NULL,
  `redirect_uri` varchar(200) NOT NULL,
  `expires` int(11) NOT NULL,
  `scope` varchar(250) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=57 DEFAULT CHARSET=utf8;

-- ----------------------------
-- Table structure for oauth_token
-- ----------------------------
DROP TABLE IF EXISTS `oauth_token`;
CREATE TABLE `oauth_token` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `client_id` varchar(32) NOT NULL,
  `user_id` int(11) NOT NULL,
  `access_token` varchar(40) NOT NULL,
  `refresh_token` varchar(40) NOT NULL,
  `expires_in` int(11) NOT NULL,
  `scope` varchar(200) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=26 DEFAULT CHARSET=utf8;

5、引入oauth2.0服务端类文件。

5-1、在\server.ruanwenwu.cn\ThinkPHP\Library\Vendor\目录下建立oauth目录。

5-2、引入oauth2.0服务端PHP脚本。

在刚建立的oauth目录下引入OAuth2.class.php这个文件基本不用做修改。我们的操作都在继承这个类的子类上完成。类的代码如下：

<?php

/**
 * @mainpage
 * OAuth 2.0 server in PHP, originally written for
 * <a href="http://www.opendining.net/"> Open Dining</a>. Supports
 * <a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-10">IETF draft v10</a>.
 *
 * Source repo has sample servers implementations for
 * <a href="http://php.net/manual/en/book.pdo.php"> PHP Data Objects</a> and
 * <a href="http://www.mongodb.org/">MongoDB</a>. Easily adaptable to other
 * storage engines.
 *
 * PHP Data Objects supports a variety of databases, including MySQL,
 * Microsoft SQL Server, SQLite, and Oracle, so you can try out the sample
 * to see how it all works.
 *
 * We're expanding the wiki to include more helpful documentation, but for
 * now, your best bet is to view the oauth.php source - it has lots of
 * comments.
 *
 * @author Tim Ridgely <tim.ridgely@gmail.com>
 * @author Aaron Parecki <aaron@parecki.com>
 * @author Edison Wong <hswong3i@pantarei-design.com>
 *
 * @see http://code.google.com/p/oauth2-php/
 */


/**
 * The default duration in seconds of the access token lifetime.
 */
define("OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME", 3600);

/**
 * The default duration in seconds of the authorization code lifetime.
 */
define("OAUTH2_DEFAULT_AUTH_CODE_LIFETIME", 30);

/**
 * The default duration in seconds of the refresh token lifetime.
 */
define("OAUTH2_DEFAULT_REFRESH_TOKEN_LIFETIME", 1209600);


/**
 * @defgroup oauth2_section_2 Client Credentials
 * @{
 *
 * When interacting with the authorization server, the client identifies
 * itself using a client identifier and authenticates using a set of
 * client credentials. This specification provides one mechanism for
 * authenticating the client using password credentials.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2
 */

/**
 * Regex to filter out the client identifier (described in Section 2 of IETF draft).
 *
 * IETF draft does not prescribe a format for these, however I've arbitrarily
 * chosen alphanumeric strings with hyphens and underscores, 3-32 characters
 * long.
 *
 * Feel free to change.
 */
define("OAUTH2_CLIENT_ID_REGEXP", "/^[a-z0-9-_]{3,32}$/i");

/**
 * @}
 */


/**
 * @defgroup oauth2_section_3 Obtaining End-User Authorization
 * @{
 *
 * When the client interacts with an end-user, the end-user MUST first
 * grant the client authorization to access its protected resources.
 * Once obtained, the end-user access grant is expressed as an
 * authorization code which the client uses to obtain an access token.
 * To obtain an end-user authorization, the client sends the end-user to
 * the end-user authorization endpoint.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3
 */

/**
 * Denotes "token" authorization response type.
 */
define("OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN", "token");

/**
 * Denotes "code" authorization response type.
 */
define("OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE", "code");

/**
 * Denotes "code-and-token" authorization response type.
 */
define("OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN", "code-and-token");

/**
 * Regex to filter out the authorization response type.
 */
define("OAUTH2_AUTH_RESPONSE_TYPE_REGEXP", "/^(token|code|code-and-token)$/");

/**
 * @}
 */


/**
 * @defgroup oauth2_section_4 Obtaining an Access Token
 * @{
 *
 * The client obtains an access token by authenticating with the
 * authorization server and presenting its access grant (in the form of
 * an authorization code, resource owner credentials, an assertion, or a
 * refresh token).
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4
 */

/**
 * Denotes "authorization_code" grant types (for token obtaining).
 */
define("OAUTH2_GRANT_TYPE_AUTH_CODE", "authorization_code");

/**
 * Denotes "password" grant types (for token obtaining).
 */
define("OAUTH2_GRANT_TYPE_USER_CREDENTIALS", "password");

/**
 * Denotes "assertion" grant types (for token obtaining).
 */
define("OAUTH2_GRANT_TYPE_ASSERTION", "assertion");

/**
 * Denotes "refresh_token" grant types (for token obtaining).
 */
define("OAUTH2_GRANT_TYPE_REFRESH_TOKEN", "refresh_token");

/**
 * Denotes "none" grant types (for token obtaining).
 */
define("OAUTH2_GRANT_TYPE_NONE", "none");

/**
 * Regex to filter out the grant type.
 */
define("OAUTH2_GRANT_TYPE_REGEXP", "/^(authorization_code|password|assertion|refresh_token|none)$/");

/**
 * @}
 */


/**
 * @defgroup oauth2_section_5 Accessing a Protected Resource
 * @{
 *
 * Clients access protected resources by presenting an access token to
 * the resource server. Access tokens act as bearer tokens, where the
 * token string acts as a shared symmetric secret. This requires
 * treating the access token with the same care as other secrets (e.g.
 * end-user passwords). Access tokens SHOULD NOT be sent in the clear
 * over an insecure channel.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5
 */

/**
 * Used to define the name of the OAuth access token parameter (POST/GET/etc.).
 *
 * IETF Draft sections 5.1.2 and 5.1.3 specify that it should be called
 * "oauth_token" but other implementations use things like "access_token".
 *
 * I won't be heartbroken if you change it, but it might be better to adhere
 * to the spec.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1.2
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1.3
 */
define("OAUTH2_TOKEN_PARAM_NAME", "oauth_token");

/**
 * @}
 */


/**
 * @defgroup oauth2_http_status HTTP status code
 * @{
 */

/**
 * "Found" HTTP status code.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3
 */
define("OAUTH2_HTTP_FOUND", "302 Found");

/**
 * "Bad Request" HTTP status code.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1
 */
define("OAUTH2_HTTP_BAD_REQUEST", "400 Bad Request");

/**
 * "Unauthorized" HTTP status code.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1
 */
define("OAUTH2_HTTP_UNAUTHORIZED", "401 Unauthorized");

/**
 * "Forbidden" HTTP status code.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1
 */
define("OAUTH2_HTTP_FORBIDDEN", "403 Forbidden");

/**
 * @}
 */


/**
 * @defgroup oauth2_error Error handling
 * @{
 *
 * @todo Extend for i18n.
 */

/**
 * The request is missing a required parameter, includes an unsupported
 * parameter or parameter value, or is otherwise malformed.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1
 */
define("OAUTH2_ERROR_INVALID_REQUEST", "invalid_request");

/**
 * The client identifier provided is invalid.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1
 */
define("OAUTH2_ERROR_INVALID_CLIENT", "invalid_client");

/**
 * The client is not authorized to use the requested response type.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1
 */
define("OAUTH2_ERROR_UNAUTHORIZED_CLIENT", "unauthorized_client");

/**
 * The redirection URI provided does not match a pre-registered value.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1
 */
define("OAUTH2_ERROR_REDIRECT_URI_MISMATCH", "redirect_uri_mismatch");

/**
 * The end-user or authorization server denied the request.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1
 */
define("OAUTH2_ERROR_USER_DENIED", "access_denied");

/**
 * The requested response type is not supported by the authorization server.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1
 */
define("OAUTH2_ERROR_UNSUPPORTED_RESPONSE_TYPE", "unsupported_response_type");

/**
 * The requested scope is invalid, unknown, or malformed.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1
 */
define("OAUTH2_ERROR_INVALID_SCOPE", "invalid_scope");

/**
 * The provided access grant is invalid, expired, or revoked (e.g. invalid
 * assertion, expired authorization token, bad end-user password credentials,
 * or mismatching authorization code and redirection URI).
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1
 */
define("OAUTH2_ERROR_INVALID_GRANT", "invalid_grant");

/**
 * The access grant included - its type or another attribute - is not
 * supported by the authorization server.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1
 */
define("OAUTH2_ERROR_UNSUPPORTED_GRANT_TYPE", "unsupported_grant_type");

/**
 * The access token provided is invalid. Resource servers SHOULD use this
 * error code when receiving an expired token which cannot be refreshed to
 * indicate to the client that a new authorization is necessary. The resource
 * server MUST respond with the HTTP 401 (Unauthorized) status code.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1
 */
define("OAUTH2_ERROR_INVALID_TOKEN", "invalid_token");

/**
 * The access token provided has expired. Resource servers SHOULD only use
 * this error code when the client is expected to be able to handle the
 * response and request a new access token using the refresh token issued
 * with the expired access token. The resource server MUST respond with the
 * HTTP 401 (Unauthorized) status code.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1
 */
define("OAUTH2_ERROR_EXPIRED_TOKEN", "expired_token");

/**
 * The request requires higher privileges than provided by the access token.
 * The resource server SHOULD respond with the HTTP 403 (Forbidden) status
 * code and MAY include the "scope" attribute with the scope necessary to
 * access the protected resource.
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1
 */
define("OAUTH2_ERROR_INSUFFICIENT_SCOPE", "insufficient_scope");

/**
 * @}
 */

/**
 * OAuth2.0 draft v10 server-side implementation.
 *
 * @author Originally written by Tim Ridgely <tim.ridgely@gmail.com>.
 * @author Updated to draft v10 by Aaron Parecki <aaron@parecki.com>.
 * @author Debug, coding style clean up and documented by Edison Wong <hswong3i@pantarei-design.com>.
 */
abstract class OAuth2 {

  /**
   * Array of persistent variables stored.
   */
  protected $conf = array();

  /**
   * Returns a persistent variable.
   *
   * To avoid problems, always use lower case for persistent variable names.
   *
   * @param $name
   *   The name of the variable to return.
   * @param $default
   *   The default value to use if this variable has never been set.
   *
   * @return
   *   The value of the variable.
   */
  public function getVariable($name, $default = NULL) {
    return isset($this->conf[$name]) ? $this->conf[$name] : $default;
  }

  /**
   * Sets a persistent variable.
   *
   * To avoid problems, always use lower case for persistent variable names.
   *
   * @param $name
   *   The name of the variable to set.
   * @param $value
   *   The value to set.
   */
  public function setVariable($name, $value) {
    $this->conf[$name] = $value;
    return $this;
  }

  // Subclasses must implement the following functions.

  /**
   * Make sure that the client credentials is valid.
   *
   * @param $client_id
   *   Client identifier to be check with.
   * @param $client_secret
   *   (optional) If a secret is required, check that they've given the right one.
   *
   * @return
   *   TRUE if client credentials are valid, and MUST return FALSE if invalid.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2.1
   *
   * @ingroup oauth2_section_2
   */
  abstract protected function checkClientCredentials($client_id, $client_secret = NULL);

  /**
   * Get the registered redirect URI of corresponding client_id.
   *
   * OAuth says we should store request URIs for each registered client.
   * Implement this function to grab the stored URI for a given client id.
   *
   * @param $client_id
   *   Client identifier to be check with.
   *
   * @return
   *   Registered redirect URI of corresponding client identifier, and MUST
   *   return FALSE if the given client does not exist or is invalid.
   *
   * @ingroup oauth2_section_3
   */
  abstract protected function getRedirectUri($client_id);

  /**
   * Look up the supplied oauth_token from storage.
   *
   * We need to retrieve access token data as we create and verify tokens.
   *
   * @param $oauth_token
   *   oauth_token to be check with.
   *
   * @return
   *   An associative array as below, and return NULL if the supplied oauth_token
   *   is invalid:
   *   - client_id: Stored client identifier.
   *   - expires: Stored expiration in unix timestamp.
   *   - scope: (optional) Stored scope values in space-separated string.
   *
   * @ingroup oauth2_section_5
   */
  abstract protected function getAccessToken($oauth_token);

  /**
   * Store the supplied access token values to storage.
   *
   * We need to store access token data as we create and verify tokens.
   *
   * @param $oauth_token
   *   oauth_token to be stored.
   * @param $client_id
   *   Client identifier to be stored.
   * @param $expires
   *   Expiration to be stored.
   * @param $user_id
   *   User ID
   * @param $scope
   *   (optional) Scopes to be stored in space-separated string.
   *
   * @ingroup oauth2_section_4
   */
  abstract protected function setAccessToken($oauth_token, $client_id, $expires, $user_id, $scope=NULL, $refresh_token='');

  // Stuff that should get overridden by subclasses.
  //
  // I don't want to make these abstract, because then subclasses would have
  // to implement all of them, which is too much work.
  //
  // So they're just stubs. Override the ones you need.

  /**
   * Return supported grant types.
   *
   * You should override this function with something, or else your OAuth
   * provider won't support any grant types!
   *
   * @return
   *   A list as below. If you support all grant types, then you'd do:
   * @code
   * return array(
   *   OAUTH2_GRANT_TYPE_AUTH_CODE,
   *   OAUTH2_GRANT_TYPE_USER_CREDENTIALS,
   *   OAUTH2_GRANT_TYPE_ASSERTION,
   *   OAUTH2_GRANT_TYPE_REFRESH_TOKEN,
   *   OAUTH2_GRANT_TYPE_NONE,
   * );
   * @endcode
   *
   * @ingroup oauth2_section_4
   */
  protected function getSupportedGrantTypes() {
    return array();
  }

  /**
   * Return supported authorization response types.
   *
   * You should override this function with your supported response types.
   *
   * @return
   *   A list as below. If you support all authorization response types,
   *   then you'd do:
   * @code
   * return array(
   *   OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE,
   *   OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN,
   *   OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN,
   * );
   * @endcode
   *
   * @ingroup oauth2_section_3
   */
  protected function getSupportedAuthResponseTypes() {
    return array(
      OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE,
      OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN,
      OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN
    );
  }

  /**
   * Return supported scopes.
   *
   * If you want to support scope use, then have this function return a list
   * of all acceptable scopes (used to throw the invalid-scope error).
   *
   * @return
   *   A list as below, for example:
   * @code
   * return array(
   *   'my-friends',
   *   'photos',
   *   'whatever-else',
   * );
   * @endcode
   *
   * @ingroup oauth2_section_3
   */
  protected function getSupportedScopes() {
    return array();
  }

  /**
   * Check restricted authorization response types of corresponding Client
   * identifier.
   *
   * If you want to restrict clients to certain authorization response types,
   * override this function.
   *
   * @param $client_id
   *   Client identifier to be check with.
   * @param $response_type
   *   Authorization response type to be check with, would be one of the
   *   values contained in OAUTH2_AUTH_RESPONSE_TYPE_REGEXP.
   *
   * @return
   *   TRUE if the authorization response type is supported by this
   *   client identifier, and FALSE if it isn't.
   *
   * @ingroup oauth2_section_3
   */
  protected function checkRestrictedAuthResponseType($client_id, $response_type) {
    return TRUE;
  }

  /**
   * Check restricted grant types of corresponding client identifier.
   *
   * If you want to restrict clients to certain grant types, override this
   * function.
   *
   * @param $client_id
   *   Client identifier to be check with.
   * @param $grant_type
   *   Grant type to be check with, would be one of the values contained in
   *   OAUTH2_GRANT_TYPE_REGEXP.
   *
   * @return
   *   TRUE if the grant type is supported by this client identifier, and
   *   FALSE if it isn't.
   *
   * @ingroup oauth2_section_4
   */
  protected function checkRestrictedGrantType($client_id, $grant_type) {
    return TRUE;
  }

  // Functions that help grant access tokens for various grant types.

  /**
   * Fetch authorization code data (probably the most common grant type).
   *
   * Retrieve the stored data for the given authorization code.
   *
   * Required for OAUTH2_GRANT_TYPE_AUTH_CODE.
   *
   * @param $code
   *   Authorization code to be check with.
   *
   * @return
   *   An associative array as below, and NULL if the code is invalid:
   *   - client_id: Stored client identifier.
   *   - redirect_uri: Stored redirect URI.
   *   - expires: Stored expiration in unix timestamp.
   *   - scope: (optional) Stored scope values in space-separated string.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.1
   *
   * @ingroup oauth2_section_4
   */
  protected function getAuthCode($code) {
    return NULL;
  }

  /**
   * Take the provided authorization code values and store them somewhere.
   *
   * This function should be the storage counterpart to getAuthCode().
   *
   * If storage fails for some reason, we're not currently checking for
   * any sort of success/failure, so you should bail out of the script
   * and provide a descriptive fail message.
   *
   * Required for OAUTH2_GRANT_TYPE_AUTH_CODE.
   *
   * @param $code
   *   Authorization code to be stored.
   * @param $client_id
   *   Client identifier to be stored.
   * @param $redirect_uri
   *   Redirect URI to be stored.
   * @param $expires
   *   Expiration to be stored.
   * @param $scope
   *   (optional) Scopes to be stored in space-separated string.
   *
   * @ingroup oauth2_section_4
   */
  protected function setAuthCode($code, $client_id, $redirect_uri, $expires, $userId, $scope = NULL) {
  }

  /**
   * Grant access tokens for basic user credentials.
   *
   * Check the supplied username and password for validity.
   *
   * You can also use the $client_id param to do any checks required based
   * on a client, if you need that.
   *
   * Required for OAUTH2_GRANT_TYPE_USER_CREDENTIALS.
   *
   * @param $client_id
   *   Client identifier to be check with.
   * @param $username
   *   Username to be check with.
   * @param $password
   *   Password to be check with.
   *
   * @return
   *   TRUE if the username and password are valid, and FALSE if it isn't.
   *   Moreover, if the username and password are valid, and you want to
   *   verify the scope of a user's access, return an associative array
   *   with the scope values as below. We'll check the scope you provide
   *   against the requested scope before providing an access token:
   * @code
   * return array(
   *   'scope' => <stored scope values (space-separated string)>,
   * );
   * @endcode
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.2
   *
   * @ingroup oauth2_section_4
   */
  protected function checkUserCredentials($client_id, $username, $password) {
    return FALSE;
  }

  /**
   * Grant access tokens for assertions.
   *
   * Check the supplied assertion for validity.
   *
   * You can also use the $client_id param to do any checks required based
   * on a client, if you need that.
   *
   * Required for OAUTH2_GRANT_TYPE_ASSERTION.
   *
   * @param $client_id
   *   Client identifier to be check with.
   * @param $assertion_type
   *   The format of the assertion as defined by the authorization server.
   * @param $assertion
   *   The assertion.
   *
   * @return
   *   TRUE if the assertion is valid, and FALSE if it isn't. Moreover, if
   *   the assertion is valid, and you want to verify the scope of an access
   *   request, return an associative array with the scope values as below.
   *   We'll check the scope you provide against the requested scope before
   *   providing an access token:
   * @code
   * return array(
   *   'scope' => <stored scope values (space-separated string)>,
   * );
   * @endcode
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.3
   *
   * @ingroup oauth2_section_4
   */
  protected function checkAssertion($client_id, $assertion_type, $assertion) {
    return FALSE;
  }

  /**
   * Grant refresh access tokens.
   *
   * Retrieve the stored data for the given refresh token.
   *
   * Required for OAUTH2_GRANT_TYPE_REFRESH_TOKEN.
   *
   * @param $refresh_token
   *   Refresh token to be check with.
   *
   * @return
   *   An associative array as below, and NULL if the refresh_token is
   *   invalid:
   *   - client_id: Stored client identifier.
   *   - expires: Stored expiration unix timestamp.
   *   - scope: (optional) Stored scope values in space-separated string.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.4
   *
   * @ingroup oauth2_section_4
   */
  protected function getRefreshToken($refresh_token) {
    return NULL;
  }

  /**
   * Take the provided refresh token values and store them somewhere.
   *
   * This function should be the storage counterpart to getRefreshToken().
   *
   * If storage fails for some reason, we're not currently checking for
   * any sort of success/failure, so you should bail out of the script
   * and provide a descriptive fail message.
   *
   * Required for OAUTH2_GRANT_TYPE_REFRESH_TOKEN.
   *
   * @param $refresh_token
   *   Refresh token to be stored.
   * @param $client_id
   *   Client identifier to be stored.
   * @param $expires
   *   expires to be stored.
   * @param $scope
   *   (optional) Scopes to be stored in space-separated string.
   *
   * @ingroup oauth2_section_4
   */
  protected function setRefreshToken($refresh_token, $client_id, $expires, $scope = NULL) {
    return;
  }

  /**
   * Expire a used refresh token.
   *
   * This is not explicitly required in the spec, but is almost implied.
   * After granting a new refresh token, the old one is no longer useful and
   * so should be forcibly expired in the data store so it can't be used again.
   *
   * If storage fails for some reason, we're not currently checking for
   * any sort of success/failure, so you should bail out of the script
   * and provide a descriptive fail message.
   *
   * @param $refresh_token
   *   Refresh token to be expirse.
   *
   * @ingroup oauth2_section_4
   */
  protected function unsetRefreshToken($refresh_token) {
    return;
  }

  /**
   * Grant access tokens for the "none" grant type.
   *
   * Not really described in the IETF Draft, so I just left a method
   * stub... Do whatever you want!
   *
   * Required for OAUTH2_GRANT_TYPE_NONE.
   *
   * @ingroup oauth2_section_4
   */
  protected function checkNoneAccess($client_id) {
    return FALSE;
  }

  /**
   * Get default authentication realm for WWW-Authenticate header.
   *
   * Change this to whatever authentication realm you want to send in a
   * WWW-Authenticate header.
   *
   * @return
   *   A string that you want to send in a WWW-Authenticate header.
   *
   * @ingroup oauth2_error
   */
  protected function getDefaultAuthenticationRealm() {
    return "Service";
  }

  // End stuff that should get overridden.

  /**
   * Creates an OAuth2.0 server-side instance.
   *
   * @param $config
   *   An associative array as below:
   *   - access_token_lifetime: (optional) The lifetime of access token in
   *     seconds.
   *   - auth_code_lifetime: (optional) The lifetime of authorization code in
   *     seconds.
   *   - refresh_token_lifetime: (optional) The lifetime of refresh token in
   *     seconds.
   *   - display_error: (optional) Whether to show verbose error messages in
   *     the response.
   */
  public function __construct($config = array()) {
    foreach ($config as $name => $value) {
      $this->setVariable($name, $value);
    }
  }

  // Resource protecting (Section 5).

  /**
   * Check that a valid access token has been provided.
   *
   * The scope parameter defines any required scope that the token must have.
   * If a scope param is provided and the token does not have the required
   * scope, we bounce the request.
   *
   * Some implementations may choose to return a subset of the protected
   * resource (i.e. "public" data) if the user has not provided an access
   * token or if the access token is invalid or expired.
   *
   * The IETF spec says that we should send a 401 Unauthorized header and
   * bail immediately so that's what the defaults are set to.
   *
   * @param $scope
   *   A space-separated string of required scope(s), if you want to check
   *   for scope.
   * @param $exit_not_present
   *   If TRUE and no access token is provided, send a 401 header and exit,
   *   otherwise return FALSE.
   * @param $exit_invalid
   *   If TRUE and the implementation of getAccessToken() returns NULL, exit,
   *   otherwise return FALSE.
   * @param $exit_expired
   *   If TRUE and the access token has expired, exit, otherwise return FALSE.
   * @param $exit_scope
   *   If TRUE the access token does not have the required scope(s), exit,
   *   otherwise return FALSE.
   * @param $realm
   *   If you want to specify a particular realm for the WWW-Authenticate
   *   header, supply it here.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5
   *
   * @ingroup oauth2_section_5
   */
  public function verifyAccessToken($scope = NULL, $exit_not_present = TRUE, $exit_invalid = TRUE, $exit_expired = TRUE, $exit_scope = TRUE, $realm = NULL) {
    $token_param = $this->getAccessTokenParams();
    if ($token_param === FALSE) // Access token was not provided
      return $exit_not_present ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_BAD_REQUEST, $realm, OAUTH2_ERROR_INVALID_REQUEST, 'The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.', NULL, $scope) : FALSE;
    // Get the stored token data (from the implementing subclass)
    $token = $this->getAccessToken($token_param);
    if ($token === NULL)
      return $exit_invalid ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_UNAUTHORIZED, $realm, OAUTH2_ERROR_INVALID_TOKEN, 'The access token provided is invalid.', NULL, $scope) : FALSE;

    // Check token expiration (I'm leaving this check separated, later we'll fill in better error messages)
    if (isset($token["expires"]) && time() > $token["expires"])
      return $exit_expired ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_UNAUTHORIZED, $realm, OAUTH2_ERROR_EXPIRED_TOKEN, 'The access token provided has expired.', NULL, $scope) : FALSE;

    // Check scope, if provided
    // If token doesn't have a scope, it's NULL/empty, or it's insufficient, then throw an error
    if ($scope && (!isset($token["scope"]) || !$token["scope"] || !$this->checkScope($scope, $token["scope"])))
      return $exit_scope ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_FORBIDDEN, $realm, OAUTH2_ERROR_INSUFFICIENT_SCOPE, 'The request requires higher privileges than provided by the access token.', NULL, $scope) : FALSE;

    return TRUE;
  }

  /**
   * Check if everything in required scope is contained in available scope.
   *
   * @param $required_scope
   *   Required scope to be check with.
   * @param $available_scope
   *   Available scope to be compare with.
   *
   * @return
   *   TRUE if everything in required scope is contained in available scope,
   *   and False if it isn't.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5
   *
   * @ingroup oauth2_section_5
   */
  private function checkScope($required_scope, $available_scope) {
    // The required scope should match or be a subset of the available scope
    if (!is_array($required_scope))
      $required_scope = explode(" ", $required_scope);

    if (!is_array($available_scope))
      $available_scope = explode(" ", $available_scope);

    return (count(array_diff($required_scope, $available_scope)) == 0);
  }

  /**
   * Pulls the access token out of the HTTP request.
   *
   * Either from the Authorization header or GET/POST/etc.
   *
   * @return
   *   Access token value if present, and FALSE if it isn't.
   *
   * @todo Support PUT or DELETE.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1
   *
   * @ingroup oauth2_section_5
   */
  private function getAccessTokenParams() {
    $auth_header = $this->getAuthorizationHeader();
    if ($auth_header !== FALSE) {
      // Make sure only the auth header is set
      if (isset($_GET[OAUTH2_TOKEN_PARAM_NAME]) || isset($_POST[OAUTH2_TOKEN_PARAM_NAME]))
        $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Auth token found in GET or POST when token present in header');

      $auth_header = trim($auth_header);

      // Make sure it's Token authorization
      if (strcmp(substr($auth_header, 0, 5), "OAuth ") !== 0)
        $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Auth header found that doesn\'t start with "OAuth"');

      // Parse the rest of the header
      if (preg_match('/\s*OAuth\s*="(.+)"/', substr($auth_header, 5), $matches) == 0 || count($matches) < 2)
        $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Malformed auth header');

      return $matches[1];
    }

    if (isset($_GET[OAUTH2_TOKEN_PARAM_NAME])) {
      if (isset($_POST[OAUTH2_TOKEN_PARAM_NAME])) // Both GET and POST are not allowed
        $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Only send the token in GET or POST, not both');

      return $_GET[OAUTH2_TOKEN_PARAM_NAME];
    }

    if (isset($_POST[OAUTH2_TOKEN_PARAM_NAME]))
      return $_POST[OAUTH2_TOKEN_PARAM_NAME];

    return FALSE;
  }

  // Access token granting (Section 4).

  /**
   * Grant or deny a requested access token.
   *
   * This would be called from the "/token" endpoint as defined in the spec.
   * Obviously, you can call your endpoint whatever you want.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4
   *
   * @ingroup oauth2_section_4
   */
  public function grantAccessToken() {

    $filters = array(
      "grant_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_GRANT_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),
      "scope" => array("flags" => FILTER_REQUIRE_SCALAR),
      "code" => array("flags" => FILTER_REQUIRE_SCALAR),
      "redirect_uri" => array("filter" => FILTER_SANITIZE_URL),
      "username" => array("flags" => FILTER_REQUIRE_SCALAR),
      "password" => array("flags" => FILTER_REQUIRE_SCALAR),
      "assertion_type" => array("flags" => FILTER_REQUIRE_SCALAR),
      "assertion" => array("flags" => FILTER_REQUIRE_SCALAR),
      "refresh_token" => array("flags" => FILTER_REQUIRE_SCALAR),
    );
    
    $input = filter_input_array(INPUT_POST, $filters);
    // Grant Type must be specified.
    if (!$input["grant_type"])
      $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Invalid grant_type parameter or parameter missing');
    
    // Make sure we've implemented the requested grant type
    if (!in_array($input["grant_type"], $this->getSupportedGrantTypes()))
      $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_UNSUPPORTED_GRANT_TYPE);

    // Authorize the client
    $client = $this->getClientCredentials();

    if ($this->checkClientCredentials($client[0], $client[1]) === FALSE)
      $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);

    if (!$this->checkRestrictedGrantType($client[0], $input["grant_type"]))
      $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_UNAUTHORIZED_CLIENT);

    // Do the granting
    switch ($input["grant_type"]) {
      case OAUTH2_GRANT_TYPE_AUTH_CODE:
        if (!$input["code"] || !$input["redirect_uri"])
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST);

        $stored = $this->getAuthCode($input["code"]);
        // Ensure that the input uri starts with the stored uri
        if ($stored === NULL || (strcasecmp(substr($input["redirect_uri"], 0, strlen($stored["redirect_uri"])), $stored["redirect_uri"]) !== 0) || $client[0] != $stored["client_id"])
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT);

        if ($stored["expires"] < time())
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_EXPIRED_TOKEN);

        break;
      case OAUTH2_GRANT_TYPE_USER_CREDENTIALS:
        if (!$input["username"] || !$input["password"])
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Missing parameters. "username" and "password" required');

        $stored = $this->checkUserCredentials($client[0], $input["username"], $input["password"]);

        if ($stored === FALSE)
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT);

        break;
      case OAUTH2_GRANT_TYPE_ASSERTION:
        if (!$input["assertion_type"] || !$input["assertion"])
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST);

        $stored = $this->checkAssertion($client[0], $input["assertion_type"], $input["assertion"]);

        if ($stored === FALSE)
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT);

        break;
      case OAUTH2_GRANT_TYPE_REFRESH_TOKEN:
        if (!$input["refresh_token"])
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'No "refresh_token" parameter found');

        $stored = $this->getRefreshToken($input["refresh_token"]);

        if ($stored === NULL || $client[0] != $stored["client_id"])
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT);

        if ($stored["expires"] < time())
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_EXPIRED_TOKEN);

        // store the refresh token locally so we can delete it when a new refresh token is generated
        $this->setVariable('_old_refresh_token', $stored["token"]);

        break;
      case OAUTH2_GRANT_TYPE_NONE:
        $stored = $this->checkNoneAccess($client[0]);

        if ($stored === FALSE)
          $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST);
    }

    // Check scope, if provided
    if ($input["scope"] && (!is_array($stored) || !isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"])))
      $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_SCOPE);

    if (!$input["scope"])
      $input["scope"] = NULL;
    
    $token = $this->createAccessToken($client[0], $input["scope"], $stored["user_id"]);
    
    //TOKEN 为 数组 (包括 TOKEN 值， 有效时间， 权限)
    // $this->sendJsonHeaders();
    echo json_encode($token);
  }

  /**
   * Internal function used to get the client credentials from HTTP basic
   * auth or POST data.
   *
   * @return
   *   A list containing the client identifier and password, for example
   * @code
   * return array(
   *   $_POST["client_id"],
   *   $_POST["client_secret"],
   * );
   * @endcode
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2
   *
   * @ingroup oauth2_section_2
   */
  protected function getClientCredentials() {
    
    if (isset($_SERVER["PHP_AUTH_USER"]) && $_POST && isset($_POST["client_id"]))
        $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);
    
    // Try basic auth
    if (isset($_SERVER["PHP_AUTH_USER"]))
        return array($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]);
      
    // Try POST
    if ($_POST && isset($_POST["client_id"])) {
      if (isset($_POST["client_secret"]))
        return array($_POST["client_id"], $_POST["client_secret"]);

      return array($_POST["client_id"], NULL);
    }

    // No credentials were specified
    $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT);
  }

  // End-user/client Authorization (Section 3 of IETF Draft).

  /**
   * Pull the authorization request data out of the HTTP request.
   *
   * @return
   *   The authorization parameters so the authorization server can prompt
   *   the user for approval if valid.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3
   *
   * @ingroup oauth2_section_3
   */
  public function getAuthorizeParams() {
    $filters = array(
      "client_id" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_CLIENT_ID_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),
      "response_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_AUTH_RESPONSE_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),
      "redirect_uri" => array("filter" => FILTER_SANITIZE_URL),
      "state" => array("flags" => FILTER_REQUIRE_SCALAR),
      "scope" => array("flags" => FILTER_REQUIRE_SCALAR),
    );

    $input = filter_input_array(INPUT_GET, $filters);
    
    // Make sure a valid client id was supplied
    if (!$input["client_id"]) {
      if ($input["redirect_uri"])
        $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_CLIENT, NULL, NULL, $input["state"]);

      $this->errorJsonResponse(OAUTH2_HTTP_FOUND, OAUTH2_ERROR_INVALID_CLIENT); // We don't have a good URI to use
    }

    // redirect_uri is not required if already established via other channels
    // check an existing redirect URI against the one supplied
    $redirect_uri = $this->getRedirectUri($input["client_id"]);

    // At least one of: existing redirect URI or input redirect URI must be specified
    if (!$redirect_uri && !$input["redirect_uri"])
      $this->errorJsonResponse(OAUTH2_HTTP_FOUND, OAUTH2_ERROR_INVALID_REQUEST);

    // getRedirectUri() should return FALSE if the given client ID is invalid
    // this probably saves us from making a separate db call, and simplifies the method set
    if ($redirect_uri === FALSE)
      $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_CLIENT, NULL, NULL, $input["state"]);

    // If there's an existing uri and one from input, verify that they match
    if ($redirect_uri && $input["redirect_uri"]) {
      // Ensure that the input uri starts with the stored uri
      if (strcasecmp(substr($input["redirect_uri"], 0, strlen($redirect_uri)), $redirect_uri) !== 0)
        $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_REDIRECT_URI_MISMATCH, NULL, NULL, $input["state"]);
    }
    elseif ($redirect_uri) { // They did not provide a uri from input, so use the stored one
      $input["redirect_uri"] = $redirect_uri;
    }

    // type and client_id are required
    if (!$input["response_type"])
      $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_REQUEST, 'Invalid response type.', NULL, $input["state"]);

    // Check requested auth response type against the list of supported types
    if (array_search($input["response_type"], $this->getSupportedAuthResponseTypes()) === FALSE)
      $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_UNSUPPORTED_RESPONSE_TYPE, NULL, NULL, $input["state"]);

    // Restrict clients to certain authorization response types
    if ($this->checkRestrictedAuthResponseType($input["client_id"], $input["response_type"]) === FALSE)
      $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_UNAUTHORIZED_CLIENT, NULL, NULL, $input["state"]);

    // Validate that the requested scope is supported
    if ($input["scope"] && !$this->checkScope($input["scope"], $this->getSupportedScopes()))
      $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_SCOPE, NULL, NULL, $input["state"]);
    
    return $input;
  }

  /**
   * Redirect the user appropriately after approval.
   *
   * After the user has approved or denied the access request the
   * authorization server should call this function to redirect the user
   * appropriately.
   *
   * @param $is_authorized
   *   TRUE or FALSE depending on whether the user authorized the access.
   * @param $params
   *   An associative array as below:
   *   - response_type: The requested response: an access token, an
   *     authorization code, or both.
   *   - client_id: The client identifier as described in Section 2.
   *   - redirect_uri: An absolute URI to which the authorization server
   *     will redirect the user-agent to when the end-user authorization
   *     step is completed.
   *   - scope: (optional) The scope of the access request expressed as a
   *     list of space-delimited strings.
   *   - state: (optional) An opaque value used by the client to maintain
   *     state between the request and callback.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3
   *
   * @ingroup oauth2_section_3
   */
  public function finishClientAuthorization($is_authorized, $params = array()) {
    $params += array(
      // 'scope' => NULL,
      'state' => NULL,
    );
    
    extract($params);
    
    if ($state !== NULL)
      $result["query"]["state"] = $state;

    if ($is_authorized === FALSE) {
      $result["query"]["error"] = OAUTH2_ERROR_USER_DENIED;
    }
    else {
      if ($response_type == OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE || $response_type == OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN)
        $result["query"]["code"] = $this->createAuthCode($client_id, $redirect_uri, $user_id, $scope);

      if ($response_type == OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN || $response_type == OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN)
        $result["fragment"] = $this->createAccessToken($client_id, $scope, $user_id);
    }
    
    $result['display'] = !empty($display) ? $display : '';

    $this->doRedirectUriCallback($redirect_uri, $result);
  }

  // Other/utility functions.

  /**
   * Redirect the user agent.
   *
   * Handle both redirect for success or error response.
   *
   * @param $redirect_uri
   *   An absolute URI to which the authorization server will redirect
   *   the user-agent to when the end-user authorization step is completed.
   * @param $params
   *   Parameters to be pass though buildUri().
   *
   * @ingroup oauth2_section_3
   */
  private function doRedirectUriCallback($redirect_uri, $params) {
    header("HTTP/1.1 ". OAUTH2_HTTP_FOUND);
    if($params['display'] == 'frame') {
        
        echo '<script>window.top.location.href="'.$this->buildUri($redirect_uri, $params).'";</script>';
        
    } else {
        header("Location: " . $this->buildUri($redirect_uri, $params));
    }
    exit;
  }

  /**
   * Build the absolute URI based on supplied URI and parameters.
   *
   * @param $uri
   *   An absolute URI.
   * @param $params
   *   Parameters to be append as GET.
   *
   * @return
   *   An absolute URI with supplied parameters.
   *
   * @ingroup oauth2_section_3
   */
  private function buildUri($uri, $params) {
    session_start();
    $parse_url = parse_url($uri);

    // Add our params to the parsed uri
    foreach ($params as $k => $v) {
      if (isset($parse_url[$k]))
        $parse_url[$k] .= "&" . http_build_query($v);
      else
        $parse_url[$k] = http_build_query($v);
    }

    // Put humpty dumpty back together
    $return =
      ((isset($parse_url["scheme"])) ? $parse_url["scheme"] . "://" : "")
      . ((isset($parse_url["user"])) ? $parse_url["user"] . ((isset($parse_url["pass"])) ? ":" . $parse_url["pass"] : "") . "@" : "")
      . ((isset($parse_url["host"])) ? $parse_url["host"] : "")
      . ((isset($parse_url["port"])) ? ":" . $parse_url["port"] : "")
      . ((isset($parse_url["path"])) ? $parse_url["path"] : "")
      . ((isset($parse_url["query"])) ? "?" . $parse_url["query"] : "")
      . ((isset($parse_url["fragment"])) ? "#" . $parse_url["fragment"] : "") . "&ssid=".base64_encode('2egc83'.session_id());
    return $return;
  }

  /**
   * Handle the creation of access token, also issue refresh token if support.
   *
   * This belongs in a separate factory, but to keep it simple, I'm just
   * keeping it here.
   *
   * @param $client_id
   *   Client identifier related to the access token.
   * @param $scope
   *   (optional) Scopes to be stored in space-separated string.
   *
   * @ingroup oauth2_section_4
   */
  protected function createAccessToken($client_id, $scope = NULL, $user_id = 10) {
    $token = array(
      "access_token" => $this->genAccessToken(),
      "expires_in" => $this->getVariable('access_token_lifetime', OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME),
      "user_id" => $user_id,
      "scope" => $scope
    );
    $refresh_token = '';
    // Issue a refresh token also, if we support them
    if (in_array(OAUTH2_GRANT_TYPE_REFRESH_TOKEN, $this->getSupportedGrantTypes())) {
      $refresh_token = $this->genAccessToken();
      // $this->setRefreshToken($token["refresh_token"], $client_id, time() + $this->getVariable('refresh_token_lifetime', OAUTH2_DEFAULT_REFRESH_TOKEN_LIFETIME), $user_id, $scope);
      $token["refresh_token"] = $refresh_token;
      // If we've granted a new refresh token, expire the old one
      if ($this->getVariable('_old_refresh_token'))
        $this->unsetRefreshToken($this->getVariable('_old_refresh_token'));
    }
    $access_token = $token['access_token'];

    $this->setAccessToken($access_token, $client_id, time() + $this->getVariable('access_token_lifetime', OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME), $token['user_id'], $scope, $refresh_token);

    return $token;
  }

  /**
   * Handle the creation of auth code.
   *
   * This belongs in a separate factory, but to keep it simple, I'm just
   * keeping it here.
   *
   * @param $client_id
   *   Client identifier related to the access token.
   * @param $redirect_uri
   *   An absolute URI to which the authorization server will redirect the
   *   user-agent to when the end-user authorization step is completed.
   * @param $scope
   *   (optional) Scopes to be stored in space-separated string.
   *
   * @ingroup oauth2_section_3
   */
  private function createAuthCode($client_id, $redirect_uri, $userId, $scope = NULL) {
    $code = $this->genAuthCode();
    $this->setAuthCode($code, $client_id, $redirect_uri, time() + $this->getVariable('auth_code_lifetime', OAUTH2_DEFAULT_AUTH_CODE_LIFETIME), $userId, $scope);
    return $code;
  }

  /**
   * Generate unique access token.
   *
   * Implementing classes may want to override these function to implement
   * other access token or auth code generation schemes.
   *
   * @return
   *   An unique access token.
   *
   * @ingroup oauth2_section_4
   */
  protected function genAccessToken() {
    return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid())));
  }

  /**
   * Generate unique auth code.
   *
   * Implementing classes may want to override these function to implement
   * other access token or auth code generation schemes.
   *
   * @return
   *   An unique auth code.
   *
   * @ingroup oauth2_section_3
   */
  protected function genAuthCode() {
    return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid())));
  }

  /**
   * Pull out the Authorization HTTP header and return it.
   *
   * Implementing classes may need to override this function for use on
   * non-Apache web servers.
   *
   * @return
   *   The Authorization HTTP header, and FALSE if does not exist.
   *
   * @todo Handle Authorization HTTP header for non-Apache web servers.
   *
   * @ingroup oauth2_section_5
   */
  private function getAuthorizationHeader() {
    if (array_key_exists("HTTP_AUTHORIZATION", $_SERVER))
      return $_SERVER["HTTP_AUTHORIZATION"];

    if (function_exists("apache_request_headers")) {
      $headers = apache_request_headers();

      if (array_key_exists("Authorization", $headers))
        return $headers["Authorization"];
    }
    
    return FALSE;
  }

  /**
   * Send out HTTP headers for JSON.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.2
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3
   *
   * @ingroup oauth2_section_4
   */
  private function sendJsonHeaders() {
    header("Content-Type: application/json");
    header("Cache-Control: no-store");
  }

  /**
   * Redirect the end-user's user agent with error message.
   *
   * @param $redirect_uri
   *   An absolute URI to which the authorization server will redirect the
   *   user-agent to when the end-user authorization step is completed.
   * @param $error
   *   A single error code as described in Section 3.2.1.
   * @param $error_description
   *   (optional) A human-readable text providing additional information,
   *   used to assist in the understanding and resolution of the error
   *   occurred.
   * @param $error_uri
   *   (optional) A URI identifying a human-readable web page with
   *   information about the error, used to provide the end-user with
   *   additional information about the error.
   * @param $state
   *   (optional) REQUIRED if the "state" parameter was present in the client
   *   authorization request. Set to the exact value received from the client.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2
   *
   * @ingroup oauth2_error
   */
  private function errorDoRedirectUriCallback($redirect_uri, $error, $error_description = NULL, $error_uri = NULL, $state = NULL) {
    $result["query"]["error"] = $error;

    if ($state)
      $result["query"]["state"] = $state;

    if ($this->getVariable('display_error') && $error_description)
      $result["query"]["error_description"] = $error_description;

    if ($this->getVariable('display_error') && $error_uri)
      $result["query"]["error_uri"] = $error_uri;

    $this->doRedirectUriCallback($redirect_uri, $result);
  }

  /**
   * Send out error message in JSON.
   *
   * @param $http_status_code
   *   HTTP status code message as predefined.
   * @param $error
   *   A single error code.
   * @param $error_description
   *   (optional) A human-readable text providing additional information,
   *   used to assist in the understanding and resolution of the error
   *   occurred.
   * @param $error_uri
   *   (optional) A URI identifying a human-readable web page with
   *   information about the error, used to provide the end-user with
   *   additional information about the error.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3
   *
   * @ingroup oauth2_error
   */
  private function errorJsonResponse($http_status_code, $error, $error_description = NULL, $error_uri = NULL) {
    $result['error'] = $error;

    if ($this->getVariable('display_error') && $error_description)
      $result["error_description"] = $error_description;

    if ($this->getVariable('display_error') && $error_uri)
      $result["error_uri"] = $error_uri;

    header("HTTP/1.1 " . $http_status_code);
    $this->sendJsonHeaders();
    echo json_encode($result);

    exit;
  }

  /**
   * Send a 401 unauthorized header with the given realm and an error, if
   * provided.
   *
   * @param $http_status_code
   *   HTTP status code message as predefined.
   * @param $realm
   *   The "realm" attribute is used to provide the protected resources
   *   partition as defined by [RFC2617].
   * @param $scope
   *   A space-delimited list of scope values indicating the required scope
   *   of the access token for accessing the requested resource.
   * @param $error
   *   The "error" attribute is used to provide the client with the reason
   *   why the access request was declined.
   * @param $error_description
   *   (optional) The "error_description" attribute provides a human-readable text
   *   containing additional information, used to assist in the understanding
   *   and resolution of the error occurred.
   * @param $error_uri
   *   (optional) The "error_uri" attribute provides a URI identifying a human-readable
   *   web page with information about the error, used to offer the end-user
   *   with additional information about the error. If the value is not an
   *   absolute URI, it is relative to the URI of the requested protected
   *   resource.
   *
   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2
   *
   * @ingroup oauth2_error
   */
  private function errorWWWAuthenticateResponseHeader($http_status_code, $realm, $error, $error_description = NULL, $error_uri = NULL, $scope = NULL) {
    
    $realm = $realm === NULL ? $this->getDefaultAuthenticationRealm() : $realm;
    $result = "WWW-Authenticate: OAuth realm='" . $realm . "'";

    if ($error)
      $result .= ", error='" . $error . "'";

    if ($this->getVariable('display_error') && $error_description)
      $result .= ", error_description='" . $error_description . "'";

    if ($this->getVariable('display_error') && $error_uri)
      $result .= ", error_uri='" . $error_uri . "'";

    if ($scope)
      $result .= ", scope='" . $scope . "'";
    
    header("HTTP/1.1 ". $http_status_code);
    header($result);

    exit;
  }
}

代码比较多。有兴趣的可以细看。

由于采用Vendor方法引入，所以这里的文件都没有采用命名空间。

5-3、在同目录下，建ThinkOAuth2.php文件，这个文件里的类继承上面那个基类：

<?php
require "oauth2.class.php";
class ThinkOAuth2 extends OAuth2{
    private $db;
    private $table;
 
    /**
     * 构造
     */
    public function __construct() {
        parent::__construct();
        $this -> db = M();
        $this -> table = array(
            'auth_codes'=>C('OAUTH2_CODES_TABLE'),
            'clients'=>C('OAUTH2_CLIENTS_TABLE'),
            'tokens'=>C('OAUTH2_TOKEN_TABLE')
        );
    }
 
    /**
     * 析构
     */
    function __destruct() {
        $this->db = NULL; // Release db connection
    }
 
    private function handleException($e) {
        echo "Database error: " . $e->getMessage();
        exit;
    }
 
    /**
     *
     * 增加client
     * @param string $client_id
     * @param string $client_secret
     * @param string $redirect_uri
     */
    public function addClient($client_id, $client_secret, $redirect_uri) {
 
        $time = time();
        $sql = "INSERT INTO {$this -> table['clients']} (client_id, client_secret, redirect_uri,create_time) VALUES ('{$client_id}', '{$client_secret}', '{$redirect_uri}','{$time}')";
        $res = $this -> db -> execute($sql);
        return res;    
        
 
    }
 
    /**
     * Implements OAuth2::checkClientCredentials()
     * @see OAuth2::checkClientCredentials()
     */
    protected function checkClientCredentials($client_id, $client_secret = NULL) {
 
        $sql = "SELECT client_secret FROM {$this -> table['clients']} WHERE client_id = {$client_id}";
 
        $result = $this -> db -> query($sql);
        if ($client_secret === NULL) {
            return $result !== FALSE;
        }
 
        //Log::write("checkClientCredentials : ".$result);
        //Log::write("checkClientCredentials : ".$result[0]);
        //Log::write("checkClientCredentials : ".$result[0]["client_secret"]);
 
        return $result[0]["client_secret"] == $client_secret;
 
    }
 
    /**
     * Implements OAuth2::getRedirectUri().
     * @see OAuth2::getRedirectUri()
     */
    protected function getRedirectUri($client_id) {
 
        $sql = "SELECT redirect_uri FROM {$this -> table['clients']} WHERE client_id = {$client_id}";
 
        $result = $this -> db -> query($sql);
 
        if ($result === FALSE) {
            return FALSE;
        }
 
        //Log::write("getRedirectUri : ".$result);
        //Log::write("getRedirectUri : ".$result[0]);
        //Log::write("getRedirectUri : ".$result[0]["redirect_uri"]);
 
        return isset($result[0]["redirect_uri"]) && $result[0]["redirect_uri"] ? $result[0]["redirect_uri"] : NULL;
 
    }
 
    /**
     * Implements OAuth2::getAccessToken().
     * @see OAuth2::getAccessToken()
     */
    protected function getAccessToken($access_token) {
 
        $sql = "SELECT client_id, expires_in, scope FROM {$this -> table['tokens']} WHERE access_token = '{$access_token}'";
 
        $result = $this -> db -> query($sql);
 
        //Log::write("getAccessToken : ".$result);
        //Log::write("getAccessToken : ".$result[0]);
 
        return $result !== FALSE ? $result : NULL;
 
    }
 
    /**
     * Implements OAuth2::setAccessToken().
     * @see OAuth2::setAccessToken()
     */
    protected function setAccessToken($access_token, $client_id, $expires, $user_id, $scope=NULL, $refresh_token='') {
 
$sql = "INSERT INTO {$this -> table['tokens']} (access_token, client_id, expires_in, scope,user_id,refresh_token) VALUES ('{$access_token}', '{$client_id}', '{$expires}', '{$scope}',{$user_id},'{$refresh_token}')";
        $this -> db -> execute($sql);
 
    }
 
    /**
     * Overrides OAuth2::getSupportedGrantTypes().
     * @see OAuth2::getSupportedGrantTypes()
     */
    protected function getSupportedGrantTypes() {
        return array(
            OAUTH2_GRANT_TYPE_AUTH_CODE
        );
    }
 
    /**
     * Overrides OAuth2::getAuthCode().
     * @see OAuth2::getAuthCode()
     */
    protected function getAuthCode($code) {
 
        $sql = "SELECT user_id, code, client_id, redirect_uri, expires, scope FROM {$this -> table['auth_codes']} WHERE code = '{$code}'";
        $result = $this -> db -> query($sql);
        
        //Log::write("getAuthcode : ".$result);
        //Log::write("getAuthcode : ".$result[0]);
        //Log::write("getAuthcode : ".$result[0]["code"]);
 
        return $result !== FALSE ? $result[0] : NULL;
 
    }
 
    /**
     * Overrides OAuth2::setAuthCode().
     * @see OAuth2::setAuthCode()
     */
    protected function setAuthCode($code, $client_id, $redirect_uri, $expires, $scope = NULL) {
 
        $time = time();
        $sql = "INSERT INTO {$this -> table['auth_codes']} (code, client_id, redirect_uri, expires, scope) VALUES ('{$code}', '{$client_id}', '{$redirect_uri}', '{$expires}', '{$scope}')"; 
        $result = $this -> db -> execute($sql);
  }
 
  /**
   * Overrides OAuth2::checkUserCredentials().
   * @see OAuth2::checkUserCredentials()
   */
  protected function checkUserCredentials($client_id, $username, $password){
      return TRUE;
  }
  

}

这里涉及到一些数据库的操作。继承出来操作，还是比较一目了然的。

5-4、准备好类了。我们就可以实现控制器里的功能代码。动手之前先搞清楚我们的意图。

首先，我们需要分配一个oauth_client和一个oauth_secrete给第三方网站（也就是client.ruanwenwu.cn)来获取oauth服务。

其次，client.ruanwenwu.cn会把用户导入到server.ruanwenwu.cn来进行授权。所以我们我们还需要准备授权页面。

因为涉及到服务端和客户端的数据交互，所以可能服务端和客户端的相关介绍我会交叉进行。

5-4-1、创建oauth_client。

5-4-2、获取oauth_cliest列表。

5-4-3、准备获取用户授权的页面和逻辑。（授权服务器）

5-4-4、准备提供用户数据的逻辑。（资源服务器）

这些逻辑我都写在一个控制器OauthController.class.php里。代码如下：

<?php
namespace Home\Controller;

use Think\Controller;

class OauthController extends Controller{
    private $oauth = NULL;
 
    function _initialize(){
 
        header("Content-Type: application/json");
        Vendor("oauth.ThinkOAuth2");
        $this -> oauth = new \ThinkOAuth2();
 
    }
 
    public function index(){
 
        header("Content-Type:application/json; charset=utf-8");
        $this -> ajaxReturn(null, 'oauth-server-start', 1, 'json');
 
    }
 
    public function access_token() {
 
        $this -> oauth -> grantAccessToken();
 
    }
 
    //权限验证
    public function authorize() {
 
        if (IS_POST) {
            
            if(true){
                //这个地方验证成功后要把用户的uid加进来
                $_POST['user_id'] = 1;
            $this -> oauth -> finishClientAuthorization(true, $_POST);    //第一个参数很重要，是用户是否授权
            }
            return;
        }
 
        ///表单准备
        $auth_params = $this -> oauth -> getAuthorizeParams();
        $this->assign("auth_params",$auth_params);
        $this->display();
 
    }
 
    public function addclient() {
        echo 'jack';
        if (IS_POST) {
            echo 'pd';
            $res = $this -> oauth -> addClient($_POST["client_id"], $_POST["client_secret"], $_POST["redirect_uri"]);
            if($res){
                $this->redirect("/home/Oauth/clientlist");
                die;
            }
        }
 
        $this->display();
    }
    
    public function clientlist(){
        $res = M()->table("oauth_client")->select();
        $this->assign("clients",$res);
        var_dump($res);
        $this->display();
    }
}

顺便我将用到的模板文件（server.ruanwenwu.cn\Application\Home\View\oauth目录下）也贴出来给大家参考一下：

addclient.html

<!doctype html>
    <head>
        <meta charset="utf-8" />
        <title>这里是添加客户端界面</title>
    </head>
    <body>
        <h1>添加客户端</h1>
        <form action="" method="post" >
            clientId:<input type="text" name="client_id" />
            <br />
            client_secrete:<input type="text" name="client_secret" />
            <br />
            callbackUrl:<input type="text" name="redirect_uri" />
            <br />
            <input type="submit" value="submit" />
            
        </form>
    </body>
</html>

authorize.html

<!doctype html>
<html>
    <form action="" method="post">
        用户名：<input type="text" name="username" /> 
        <br />
        密码：<input type="text" name="pwd" />
        <input type="hidden" name="response_type" value="code" />
        <input type="hidden" name="client_id" value="{$auth_params['client_id']}" />
        <input type="hidden" name="redirect_uri" value="{$auth_params['redirect_uri']}" />
        <input type="submit" value="submit" />
    </form>
</html>

注意：我这里用到了几个隐藏域。这个是必须的，在post提交验证时会用到。

5-4-5、创建oauth2.0用户。

打 开server.ruanwenwu.cn/index.php/home/oauth/addcient,输入client_id和 client_secrete还有redirect_uri创建一个oauth2.0用户。其中redirect_uri是用户授权后需要跳转的地方。

到这里服务端的部署就差不多结束了。现在开始部署客户端。

三、oauth2.0客户端搭建。

1、同服务端一样搭建client.ruanwenwu.cn。（也是用thinkphp)。

2、能正常访问后。在类库中加入oauth2.0客户端类。

在\client.ruanwenwu.cn\ThinkPHP\Library\Org\Util目录下建立Oauth2.class.php，代码如下：

<?php
namespace Org\Util;
/**
 * 与 OAuth2 服务器 通讯验证 核心类 (PHP版)
 * 
 * @description OAuth2 说明请大家参考 木蚂蚁接口文档
 *
 *
 * @author   Mumayi-Team (zhaopan赵攀)
 * @version  1.0
 * @datetime 2013-12-31
 */
class Oauth2
{
    /*
     * 以下几个参数 具体作用和用法 详见 木蚂蚁接口文档
     */
    
    //分配的客户端 ID
    public $client_id;
    
    //分配的客户端 密匙
    public $client_secret;
    
    //获得的 用户授权 访问令牌
    public $access_token;
    
    //刷新 访问令牌 (过期时使用)
    public $refresh_token;
    
    
    // 最后一个收到的HTTP代码 (用于调试，忽略)
    public $http_code;
    
    //预留字段 (忽略)
    public $url;
    
    //设置 基础链接
    public $host = "http://server.ruanwenwu.cn/index.php/home/oauth/";
    
    //请求超时时间
    public $timeout = 30;
    
    //链接超时时间
    public $connecttimeout = 30;
    
    //是否验证 SSL 证书
    public $ssl_verifypeer = FALSE;
    
    //请求结果处理格式
    public $format = 'json';
    
    //以 JSON_DECODE 方式解析
    public $decode_json = TRUE;
    
    //预留字段 (忽略)
    public $http_info;
    
    //CURL 函数使用 (验证使用， 忽略)
    public $useragent = 'Mumayi Team OAuth2 v1.0';

    //是否 开启 请求调试 (开启时 将输出 详细的请求结果)
    public $debug = FALSE;

    //边界 (CURL使用 写入在Header的分界线, 忽略)
    public static $boundary = '';

    //返回 OAuth 令牌 请求地址
    function accessTokenURL()  { return $this->host.'access_token'; }
    
    //返回 OAuth 自动授权 请求地址
    function authorizeURL()    { return $this->host.'authorize'; }

    //构造函数 赋值 一些必要参数
    function __construct($client_id, $client_secret, $access_token = NULL, $refresh_token = NULL) {
        $this->client_id = $client_id;
        $this->client_secret = $client_secret;
        $this->access_token = $access_token;
        $this->refresh_token = $refresh_token; 
        // $this->debug = true;
    }

    /**
     * authorize接口
     *
     * 对应API：{@link http://u.mumayi.com/oauth/authorize Oauth2/authorize}
     *
     * @param string $url 授权后的回调地址,站外应用需与回调地址一致,站内应用需要填写canvas page的地址
     * @param string $response_type 支持的值包括 code 和token 默认值为code
     * @param string $state 用于保持请求和回调的状态。在回调时,会在Query Parameter中回传该参数
     * @param string $display 授权页面类型 可选范围: 
     *  - default        默认授权页面
     *  - mobile        支持html5的手机
     *  - popup            弹窗授权页
     *  - wap1.2        wap1.2页面
     *  - wap2.0        wap2.0页面
     *  - js            js-sdk 专用 授权页面是弹窗，返回结果为js-sdk回掉函数
     *  - apponweibo    站内应用专用,站内应用不传display参数,并且response_type为token时,默认使用改display.授权后不会返回access_token，只是输出js刷新站内应用父框架
     * @return array
     */
    function getAuthorizeURL( $url, $response_type = 'code', $state = NULL, $display = NULL ) {
        $params = array();
        $params['client_id'] = $this->client_id;
        $params['redirect_uri'] = $url;
        $params['response_type'] = $response_type;
        $params['state'] = $state;
        $params['display'] = $display;
        return $this->authorizeURL() . "&" . http_build_query($params);
    }

    /**
     * access_token接口
     *
     * 对应API：{@link http://open.weibo.com/wiki/OAuth2/access_token OAuth2/access_token}
     *
     * @param string $type 请求的类型,可以为:code, password, token
     * @param array $keys 其他参数：
     *  - 当$type为code时： array('code'=>..., 'redirect_uri'=>...)
     *  - 当$type为password时： array('username'=>..., 'password'=>...)
     *  - 当$type为token时： array('refresh_token'=>...)
     * @return array
     */
    function getAccessToken( $type = 'code', $keys ) {
        $params = array();
        $params['client_id'] = $this->client_id;
        $params['client_secret'] = $this->client_secret;
        if ( $type === 'token' ) {
            $params['grant_type'] = 'refresh_token';
            $params['refresh_token'] = $keys['refresh_token'];
        } elseif ( $type === 'code' ) {
            $params['grant_type'] = 'authorization_code';
            $params['code'] = $keys['code'];
            $params['redirect_uri'] = $keys['redirect_uri'];
        } elseif ( $type === 'password' ) {
            $params['grant_type'] = 'password';
            $params['username'] = $keys['username'];
            $params['password'] = $keys['password'];
        } else {
            echo json_encode(array('error' => '错误的授权类型['.$type.'(token, code)]'));
            die;
        }
        
        $response = $this->oAuthRequest($this->accessTokenURL(), 'POST', $params);
        //var_dump($response);die;
        $token = json_decode($response, true);
        
        if ( is_array($token) && !isset($token['error']) ) {
            $this->access_token = $token['access_token'];
            //$this->refresh_token = $token['refresh_token'];
        } else {
            echo json_encode(array('error' => '获取访问令牌失败。['.$token['error'].']'));
            die;
        }
        return $token;
    }

    /**
     * 解析 signed_request
     *
     * @param string $signed_request 应用框架在加载iframe时会通过向Canvas URL post的参数signed_request
     *
     * @return array
     */
    function parseSignedRequest($signed_request) {
        list($encoded_sig, $payload) = explode('.', $signed_request, 2); 
        $sig = self::base64decode($encoded_sig) ;
        $data = json_decode(self::base64decode($payload), true);
        if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') return '-1';
        $expected_sig = hash_hmac('sha256', $payload, $this->client_secret, true);
        return ($sig !== $expected_sig)? '-2':$data;
    }

    /**
     * @ignore
     */
    function base64decode($str) {
        return base64_decode(strtr($str.str_repeat('=', (4 - strlen($str) % 4)), '-_', '+/'));
    }

    /**
     * 读取jssdk授权信息，用于和jssdk的同步登录
     *
     * @return array 成功返回array('access_token'=>'value', 'refresh_token'=>'value'); 失败返回false
     */
    function getTokenFromJSSDK() {
        $key = "mumayijs_" . $this->client_id;
        if ( isset($_COOKIE[$key]) && $cookie = $_COOKIE[$key] ) {
            parse_str($cookie, $token);
            if ( isset($token['access_token']) && isset($token['refresh_token']) ) {
                $this->access_token = $token['access_token'];
                $this->refresh_token = $token['refresh_token'];
                return $token;
            } else {
                return false;
            }
        } else {
            return false;
        }
    }

    /**
     * 从数组中读取access_token和refresh_token
     * 常用于从Session或Cookie中读取token，或通过Session/Cookie中是否存有token判断登录状态。
     *
     * @param array $arr 存有access_token和secret_token的数组
     * @return array 成功返回array('access_token'=>'value', 'refresh_token'=>'value'); 失败返回false
     */
    function getTokenFromArray( $arr ) {
        if (isset($arr['access_token']) && $arr['access_token']) {
            $token = array();
            $this->access_token = $token['access_token'] = $arr['access_token'];
            if (isset($arr['refresh_token']) && $arr['refresh_token']) {
                $this->refresh_token = $token['refresh_token'] = $arr['refresh_token'];
            }

            return $token;
        } else {
            return false;
        }
    }

    /**
     * 以 GET 请求方式 请求 OAuth 验证服务器
     *
     * @return mixed
     */
    function get($url, $parameters = array()) {
        $response = $this->oAuthRequest($url, 'GET', $parameters);
        if ($this->format === 'json' && $this->decode_json) {
            return json_decode($response, true);
        }
        return $response;
    }

    /**
     * 以 POST 请求方式 请求 OAuth 验证服务器
     *
     * @return mixed
     */
    function post($url, $parameters = array(), $multi = false) {
        $response = $this->oAuthRequest($url, 'POST', $parameters, $multi );
        if ($this->format === 'json' && $this->decode_json) {
            return json_decode($response, true);
        }
        return $response;
    }

    /**
     * 请求 OAuth 验证服务器 进行验证
     *
     * @return string
     */
    function oAuthRequest($url, $method, $parameters, $multi = false) {

        if (strrpos($url, 'http://') !== 0 && strrpos($url, 'https://') !== 0) {
            $url = "{$this->host}{$url}.{$this->format}";
        }

        switch ($method) {
            case 'GET':
                if(!empty($parameters))
                    $url = $url . '&' . http_build_query($parameters);

                return $this->http($url, 'GET');
            default:
                $headers = array();
                if (!$multi && (is_array($parameters) || is_object($parameters)) ) {
                    $body = http_build_query($parameters);
                } else {
                    $body = self::build_http_query_multi($parameters);
                    $headers[] = "Content-Type: multipart/form-data; boundary=" . self::$boundary;
                }
                
                //return $this->http($url, $method, $body, $headers);
                return $this->http($url, $method, $body, $headers);
        }
    }

    /**
     * 使用 CURL 模拟一个 HTTP 请求 
     *
     * @description (需要开启 CURL 扩展)
     * 
     * @return string API results
     * 
     */
    function http($url, $method, $postfields = NULL, $headers = array()) {
        $this->http_info = array();
        $ci = curl_init();
        /* Curl settings */
        curl_setopt($ci, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
        curl_setopt($ci, CURLOPT_USERAGENT, $this->useragent);
        curl_setopt($ci, CURLOPT_CONNECTTIMEOUT, $this->connecttimeout);
        curl_setopt($ci, CURLOPT_TIMEOUT, $this->timeout);
        curl_setopt($ci, CURLOPT_RETURNTRANSFER, TRUE);
        curl_setopt($ci, CURLOPT_ENCODING, "");
        curl_setopt($ci, CURLOPT_SSL_VERIFYPEER, $this->ssl_verifypeer);
        curl_setopt($ci, CURLOPT_SSL_VERIFYHOST, 1);
        curl_setopt($ci, CURLOPT_HEADERFUNCTION, array($this, 'getHeader'));
        curl_setopt($ci, CURLOPT_HEADER, FALSE);

        switch ($method) {
            case 'POST':
                curl_setopt($ci, CURLOPT_POST, TRUE);
                if (!empty($postfields)) {
                    curl_setopt($ci, CURLOPT_POSTFIELDS, $postfields);
                    $this->postdata = $postfields;
                }
                break;
            case 'DELETE':
                curl_setopt($ci, CURLOPT_CUSTOMREQUEST, 'DELETE');
                if (!empty($postfields)) {
                    $url = "{$url}?{$postfields}";
                }
        }

        if ( isset($this->access_token) && $this->access_token )
            $headers[] = "Authorization: OAuth2 ".$this->access_token;

        if ( !empty($this->remote_ip) ) {
            if ( defined('SAE_ACCESSKEY') ) {
                $headers[] = "SaeRemoteIP: " . $this->remote_ip;
            } else {
                $headers[] = "API-RemoteIP: " . $this->remote_ip;
            }
        } else {
            if ( !defined('SAE_ACCESSKEY') ) {
                $headers[] = "API-RemoteIP: " . $_SERVER['REMOTE_ADDR'];
            }
        }
        curl_setopt($ci, CURLOPT_URL, $url );
        curl_setopt($ci, CURLOPT_HTTPHEADER, $headers );
        curl_setopt($ci, CURLINFO_HEADER_OUT, TRUE );

        $response = curl_exec($ci);
        $this->http_code = curl_getinfo($ci, CURLINFO_HTTP_CODE);
        $this->http_info = array_merge($this->http_info, curl_getinfo($ci));
        $this->url = $url;
        
        if ($this->debug) {
            echo "=====post data======\r\n";
            var_dump($postfields);

            echo "=====headers======\r\n";
            print_r($headers);

            echo '=====request info====='."\r\n";
            print_r( curl_getinfo($ci) );

            echo '=====response====='."\r\n";
            print_r( $response );
        }
        curl_close ($ci);
        return $response;
    }

    /**
     * 从结果中 获取 header 参数 (CURL 使用)
     *
     * @return int
     * 
     * @ignore (忽略)
     */
    function getHeader($ch, $header) {
        $i = strpos($header, ':');
        if (!empty($i)) {
            $key = str_replace('-', '_', strtolower(substr($header, 0, $i)));
            $value = trim(substr($header, $i + 2));
            $this->http_header[$key] = $value;
        }
        return strlen($header);
    }

    /**
     * 把要传递的参数 重新构造一下 (多维数组)
     * 
     * @ignore (忽略)
     */
    public static function build_http_query_multi($params) {
        if (!$params) return '';

        uksort($params, 'strcmp');

        $pairs = array();

        self::$boundary = $boundary = uniqid('------------------');
        $MPboundary = '--'.$boundary;
        $endMPboundary = $MPboundary. '--';
        $multipartbody = '';

        foreach ($params as $parameter => $value) {

            if( in_array($parameter, array('pic', 'image')) && $value{0} == '@' ) {
                $url = ltrim( $value, '@' );
                $content = file_get_contents( $url );
                $array = explode( '?', basename( $url ) );
                $filename = $array[0];

                $multipartbody .= $MPboundary . "\r\n";
                $multipartbody .= 'Content-Disposition: form-data; name="' . $parameter . '"; filename="' . $filename . '"'. "\r\n";
                $multipartbody .= "Content-Type: image/unknown\r\n\r\n";
                $multipartbody .= $content. "\r\n";
            } else {
                $multipartbody .= $MPboundary . "\r\n";
                $multipartbody .= 'content-disposition: form-data; name="' . $parameter . "\"\r\n\r\n";
                $multipartbody .= $value."\r\n";
            }

        }

        $multipartbody .= $endMPboundary;
        return $multipartbody;
    }
    
      public function get_uid() {
        $hostUrl = 'http://server.ruanwenwu.cn/index.php/home/resource/userinfo?type=mumayi';
        $params = array(
            'access_token' => $this->access_token,
        );
        return $this->get( $hostUrl, $params );
     }
}

注意：这个类的加载跟服务端采用的不同的方式。这里用了命名空间。服务端用的vendor。

3、准备访问链接。

我们通过这个url将用户导向server.ruanwenwu.cn进行授权，发送accesss_code操作。

我在client.ruanwenwu.cn的index控制器中实现的这个url。控制器里没有逻辑，我只贴index.html了：

<!doctype html>
<html>
    <head></head>
    <body>
        <a href="http://server.ruanwenwu.cn/index.php/home/oauth/authorize?redirect_uri=http://client.ruanwenwu.cn/index.php/home/login&response_type=code&client_id=10009174&type=123456">登陆</a>
    </body>
</html>

注 意：这个url中redirect_uri,response_type为必选参数。而且这个redirect_uri必须包含我们在服务端添加 oauth服务时写的那个redirect_uri。否则不能通过验证。（也就是说：在我们这个例子里，这个redirect_uri必须包含：

http://client.ruanwenwu.cn/index.php/home/login

4、点击链接，跳转到服务端对应的url。实际上就是server.ruanwenwu.cn的authorize操作。在这里会对用户进行验证，并判断是否授权。

    //权限验证
    public function authorize() {
 
        if (IS_POST) {
            
            if(true){
                //这个地方验证成功后要把用户的uid加进来
                $_POST['user_id'] = 1;    //这里是写死的，实际上是从数据库读出来
            $this -> oauth -> finishClientAuthorization(true, $_POST);    //第一个参数很重要，是用户是否授权
            }
            return;
        }
 
        ///表单准备
        $auth_params = $this -> oauth -> getAuthorizeParams();
        $this->assign("auth_params",$auth_params);
        $this->display();
 
    }

注意看我在这个操作里写的注释。

验证成功后，页面又跳回到我们之前写的redirect_uri，并带上了code参数，这就是验证服务器向客户端发送的access_code。

5、客户端拿到access_code，向验证服务器请求access_token。

在我的client.ruanwenwu.cn的loginController.class.php中进行：

<?php
namespace Home\Controller;

use Think\Controller;
use Org\Util\Oauth2;
class LoginController extends Controller{
    public function _initialize(){

    }
    
    public function index(){
        $this->oauth = new Oauth2('10009174','123456');
        $keys = array();
        //keys 数组 赋值 code 值 (换取token, 必须参数)
        $keys['code'] = $_GET['code'];
        //keys 数组 赋值 回调地址信息 (换取token, 必须参数)
        $keys['redirect_uri'] = 'http://client.ruanwenwu.cn/index.php/home/login?type=mumayidev';
        //根据 code 获取 token
        //var_dump( $token = $this->oauth->getAccessToken( 'code', $keys )) ;
        $token = $this->oauth->getAccessToken( 'code', $keys ) ;
        
        //现在已经得到token，并且将access_token写到对象里了。就可以请求资源了
        var_dump( $this->oauth->get_uid());
        die;
    }
}

   $token = $this->oauth->getAccessToken( 'code', $keys ) ;    //这就是请求代码。code是验证方式。$keys数组里要code和redirect_uri。在服务器端需要验证

服务端的响应是这样的：

验证client.ruanwenwu.cn的client_id和secrete是否合法，还要判读access_code是否过期

    public function access_token() {
 
        $this -> oauth -> grantAccessToken();    //这个方法里有所有的验证及生成access_token的操作。（会有数据库的写入）
 
    }

服务端生成access_token之后，会返回给客户端。

客户端拿到access_token之后，向资源服务器请求用户资源：

在这里我的验证服务器和资源服务器都是server.ruanwenwu.cn。我用resourceController.class.php来做资源控制：

<?php
namespace Home\Controller;

use Think\Controller;

class ResourceController extends Controller{
    protected $db;
    public function _initialize(){
        $this->db = M();
    }
    public function userinfo(){
        // $arr = array("username"=>"阮文武","sex"=>1,"img"=>"http://weewrerfdf");
                 // echo json_encode($arr);
                 // die;
         if(isset($_GET['access_token']) && $_GET['access_token']){
              $res = $this->db->table("oauth_token")->where("access_token = '".$_GET['access_token']."'")->find();
             if($res && count($res) > 0){
                 if($res['expires_in'] > time()){
                 $arr = array("username"=>"阮文武d","sex"=>1,"img"=>"http://weewrerfdf");
                 echo json_encode($arr);
                 die;
                 }
             }
         };
    }
}

如果access_token有效，就查到用户id，取出用户的信息。我这里只是做测试，所以就直接自己返回了数据。原本写的很详细，后来因为内容字段是text，没保存完整，这会时间比较赶，就写的简单一点。

再抽时间补充吧。

欢迎大家与我讨论哦。

 

 

http://www.tuicool.com/articles/u6beUju