Google Auth Library Client - Class OAuth2 (1.45.2)

Reference documentation and code samples for the Google Auth Library Client class OAuth2.

OAuth2 supports authentication by OAuth2 2-legged flows.

It primary supports

  • service account authorization
  • authorization where a user already has an access token

Namespace

Google \ Auth

Methods

__construct

Create a new OAuthCredentials.

The configuration array accepts various options

  • authorizationUri The authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.

  • tokenCredentialUri The authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.

  • clientId A unique identifier issued to the client to identify itself to the authorization server.

  • clientSecret A shared symmetric secret issued by the authorization server, which is used to authenticate the client.

  • scope The scope of the access request, expressed either as an Array or as a space-delimited String.

  • state An arbitrary string designed to allow the client to maintain state.

  • redirectUri The redirection URI used in the initial request.

  • username The resource owner's username.

  • password The resource owner's password.

  • issuer Issuer ID when using assertion profile

  • audience Target audience for assertions

  • expiry Number of seconds assertions are valid for

  • signingKey Signing key when using assertion profile

  • signingKeyId Signing key id when using assertion profile

  • refreshToken The refresh token associated with the access token to be refreshed.

  • accessToken The current access token for this client.

  • idToken The current ID token for this client.

  • extensionParams When using an extension grant type, this is the set of parameters used by that extension.

  • codeVerifier The code verifier for PKCE for OAuth 2.0.

  • resource The target service or resource where the client ntends to use the requested security token.

  • subjectTokenFetcher A fetcher for the "subject_token", which is a security token that represents the identity of the party on behalf of whom the request is being made.

  • subjectTokenType An identifier that indicates the type of the security token in the subjectToken parameter.

  • actorToken A security token that represents the identity of the acting party.

  • actorTokenType An identifier for the representation of the issued security token.

Parameter
Name Description
config array

Configuration array

verifyIdToken

Verifies the idToken if present.

  • if none is present, return null
  • if present, but invalid, raises DomainException.
  • otherwise returns the payload in the idtoken as a PHP object.

The behavior of this method varies depending on the version of firebase/php-jwt you are using. In versions 6.0 and above, you cannot provide multiple $allowed_algs, and instead must provide an array of Key objects as the $publicKey.

Parameters
Name Description
publicKey string|Firebase\JWT\Key|array<Firebase\JWT\Key>

The public key to use to authenticate the token

allowed_algs string|string[]

algorithm or array of supported verification algorithms. Providing more than one algorithm will throw an exception.

Returns
Type Description
null|object

toJwt

Obtains the encoded jwt from the instance data.

Parameter
Name Description
config array

array optional configuration parameters

Returns
Type Description
string

generateCredentialsRequest

Generates a request for token credentials.

Parameters
Name Description
httpHandler callable|null

callback which delivers psr7 request

headers array

[optional] Additional headers to pass to the token endpoint request.

Returns
Type Description
Psr\Http\Message\RequestInterface the authorization Url.

fetchAuthToken

Fetches the auth tokens based on the current state.

Parameters
Name Description
httpHandler callable|null

callback which delivers psr7 request

headers array

[optional] If present, add these headers to the token endpoint request.

Returns
Type Description
array the response

getCacheKey

Obtains a key that can used to cache the results of #fetchAuthToken.

Returns
Type Description
?string a key that may be used to cache the auth token.

getSubjectTokenFetcher

Gets this instance's SubjectTokenFetcher

Returns
Type Description
null|ExternalAccountCredentialSourceInterface

parseTokenResponse

Parses the fetched tokens.

Parameter
Name Description
resp Psr\Http\Message\ResponseInterface

the response.

Returns
Type Description
array the tokens parsed from the response body.

updateToken

Updates an OAuth 2.0 client.

Example:

$oauth->updateToken([
    'refresh_token' => 'n4E9O119d',
    'access_token' => 'FJQbwq9',
    'expires_in' => 3600
]);
Parameter
Name Description
config array

The configuration parameters related to the token.

  • refresh_token The refresh token associated with the access token to be refreshed.

  • access_token The current access token for this client.

  • id_token The current ID token for this client.

  • expires_in The time in seconds until access token expiration.

  • expires_at The time as an integer number of seconds since the Epoch

  • issued_at The timestamp that the token was issued at.

Returns
Type Description
void

buildFullAuthorizationUri

Builds the authorization Uri that the user should be redirected to.

Parameter
Name Description
config array

configuration options that customize the return url.

Returns
Type Description
Psr\Http\Message\UriInterface the authorization Url.

getCodeVerifier

Returns
Type Description
string|null

setCodeVerifier

Parameter
Name Description
codeVerifier string|null

generateCodeVerifier

Generates a random 128-character string for the "code_verifier" parameter in PKCE for OAuth 2.0. This is a cryptographically random string that is determined using random_int, hashed using "hash" and sha256, and base64 encoded.

When this method is called, the code verifier is set on the object.

Returns
Type Description
string

setAuthorizationUri

Sets the authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.

Parameter
Name Description
uri string
Returns
Type Description
void

getAuthorizationUri

Gets the authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.

Returns
Type Description
?\Psr\Http\Message\UriInterface

getTokenCredentialUri

Gets the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.

Returns
Type Description
?\Psr\Http\Message\UriInterface

setTokenCredentialUri

Sets the authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.

Parameter
Name Description
uri string
Returns
Type Description
void

getRedirectUri

Gets the redirection URI used in the initial request.

Returns
Type Description
?string

setRedirectUri

Sets the redirection URI used in the initial request.

Parameter
Name Description
uri ?string
Returns
Type Description
void

getScope

Gets the scope of the access requests as a space-delimited String.

Returns
Type Description
?string

getSubjectTokenType

Gets the subject token type

Returns
Type Description
?string

setScope

Sets the scope of the access request, expressed either as an Array or as a space-delimited String.

Parameter
Name Description
scope string|string[]|null
Returns
Type Description
void

getGrantType

Gets the current grant type.

Returns
Type Description
?string

setGrantType

Sets the current grant type.

Parameter
Name Description
grantType string
Returns
Type Description
void

getState

Gets an arbitrary string designed to allow the client to maintain state.

Returns
Type Description
string

setState

Sets an arbitrary string designed to allow the client to maintain state.

Parameter
Name Description
state string
Returns
Type Description
void

getCode

Gets the authorization code issued to this client.

Returns
Type Description
string

setCode

Sets the authorization code issued to this client.

Parameter
Name Description
code string
Returns
Type Description
void

getUsername

Gets the resource owner's username.

Returns
Type Description
string

setUsername

Sets the resource owner's username.

Parameter
Name Description
username string
Returns
Type Description
void

getPassword

Gets the resource owner's password.

Returns
Type Description
string

setPassword

Sets the resource owner's password.

Parameter
Name Description
password string
Returns
Type Description
void

getClientId

Sets a unique identifier issued to the client to identify itself to the authorization server.

Returns
Type Description
string

setClientId

Sets a unique identifier issued to the client to identify itself to the authorization server.

Parameter
Name Description
clientId string
Returns
Type Description
void

getClientSecret

Gets a shared symmetric secret issued by the authorization server, which is used to authenticate the client.

Returns
Type Description
string

setClientSecret

Sets a shared symmetric secret issued by the authorization server, which is used to authenticate the client.

Parameter
Name Description
clientSecret string
Returns
Type Description
void

getIssuer

Gets the Issuer ID when using assertion profile.

Returns
Type Description
?string

setIssuer

Sets the Issuer ID when using assertion profile.

Parameter
Name Description
issuer string
Returns
Type Description
void

getSub

Gets the target sub when issuing assertions.

Returns
Type Description
?string

setSub

Sets the target sub when issuing assertions.

Parameter
Name Description
sub string
Returns
Type Description
void

getAudience

Gets the target audience when issuing assertions.

Returns
Type Description
?string

setAudience

Sets the target audience when issuing assertions.

Parameter
Name Description
audience string
Returns
Type Description
void

getSigningKey

Gets the signing key when using an assertion profile.

Returns
Type Description
?string

setSigningKey

Sets the signing key when using an assertion profile.

Parameter
Name Description
signingKey string
Returns
Type Description
void

getSigningKeyId

Gets the signing key id when using an assertion profile.

Returns
Type Description
?string

setSigningKeyId

Sets the signing key id when using an assertion profile.

Parameter
Name Description
signingKeyId string
Returns
Type Description
void

getSigningAlgorithm

Gets the signing algorithm when using an assertion profile.

Returns
Type Description
?string

setSigningAlgorithm

Sets the signing algorithm when using an assertion profile.

Parameter
Name Description
signingAlgorithm ?string
Returns
Type Description
void

getExtensionParams

Gets the set of parameters used by extension when using an extension grant type.

Returns
Type Description
array

setExtensionParams

Sets the set of parameters used by extension when using an extension grant type.

Parameter
Name Description
extensionParams array
Returns
Type Description
void

getExpiry

Gets the number of seconds assertions are valid for.

Returns
Type Description
int

setExpiry

Sets the number of seconds assertions are valid for.

Parameter
Name Description
expiry int
Returns
Type Description
void

getExpiresIn

Gets the lifetime of the access token in seconds.

Returns
Type Description
int

setExpiresIn

Sets the lifetime of the access token in seconds.

Parameter
Name Description
expiresIn ?int
Returns
Type Description
void

getExpiresAt

Gets the time the current access token expires at.

Returns
Type Description
?int

isExpired

Returns true if the acccess token has expired.

Returns
Type Description
bool

setExpiresAt

Sets the time the current access token expires at.

Parameter
Name Description
expiresAt int
Returns
Type Description
void

getIssuedAt

Gets the time the current access token was issued at.

Returns
Type Description
?int

setIssuedAt

Sets the time the current access token was issued at.

Parameter
Name Description
issuedAt int
Returns
Type Description
void

getAccessToken

Gets the current access token.

Returns
Type Description
?string

setAccessToken

Sets the current access token.

Parameter
Name Description
accessToken string
Returns
Type Description
void

getIdToken

Gets the current ID token.

Returns
Type Description
?string

setIdToken

Sets the current ID token.

Parameter
Name Description
idToken string
Returns
Type Description
void

getGrantedScope

Get the granted space-separated scopes (if they exist) for the last fetched token.

Returns
Type Description
string|null

setGrantedScope

Sets the current ID token.

Parameter
Name Description
grantedScope string
Returns
Type Description
void

getRefreshToken

Gets the refresh token associated with the current access token.

Returns
Type Description
?string

setRefreshToken

Sets the refresh token associated with the current access token.

Parameter
Name Description
refreshToken string
Returns
Type Description
void

setAdditionalClaims

Sets additional claims to be included in the JWT token

Parameter
Name Description
additionalClaims array
Returns
Type Description
void

getAdditionalClaims

Gets the additional claims to be included in the JWT token.

Returns
Type Description
array

getIssuedTokenType

Gets the additional claims to be included in the JWT token.

Returns
Type Description
?string

getLastReceivedToken

The expiration of the last received token.

Returns
Type Description
array|null

getClientName

Get the client ID.

Alias of OAuth2::getClientId().

Parameter
Name Description
httpHandler callable|null
Returns
Type Description
string

Constants

DEFAULT_EXPIRY_SECONDS

Value: 3600

DEFAULT_SKEW_SECONDS

Value: 60

JWT_URN

Value: 'urn:ietf:params:oauth:grant-type:jwt-bearer'

STS_URN

Value: 'urn:ietf:params:oauth:grant-type:token-exchange'