OAuth

Ask for permission

Before asking for permission, please have your OAuth client credentials ready. In this example, we assume your OAuth client credentials to have the API key of 4ac0000000000000000000000000035f and an API secret key of 59c0000000000000000000000000007f.

The example also assumes that the store your OAuth client (your application) is requesting access to is called johns-apparel, which would be located at a URL similar to http://johns-apparel.myshopify.com

To create a URI for the store owner of johns-apparel to click, two builders are used: the scopes builder and the authorize prompt URI builder. The example shows how they are used together.

For a full working example, see examples/oauth/authorize-prompt.php in the project source.

use Yaspa\Authentication\OAuth\Builders\AuthorizePromptUri;
use Yaspa\Authentication\OAuth\Builders\Scopes;
use Yaspa\Authentication\OAuth\Models\Credentials;
use Yaspa\Factory;

// Create OAuth credentials model with details for your app
$oAuthCredentials = new Credentials();
$oAuthCredentials
    ->setApiKey('4ac0000000000000000000000000035f')
    ->setApiSecretKey('59c0000000000000000000000000007f');

// Set the scopes we want
$scopes = Factory::make(Scopes::class)
    ->withWriteCustomers()
    ->withWriteOrders();

// Prepare app installation URI
$redirectUri = Factory::make(AuthorizePromptUri::class)
    ->withShop('johns-apparel')
    ->withApiKey($oAuthCredentials->getApiKey())
    // A real app generates a random nonce per request and keeps it server-side so the callback can be verified against it
    ->withNonce('something-the-callback-uri-can-verify')
    ->withScopes($scopes)
    ->withRedirectUri('http://httpbin.org/anything')
    ->withOfflineAccess()
    ->toUri()
    ->__toString();

Confirm installation

In this example, similar to the previous, we assume your OAuth client credentials to have the API key of 4ac0000000000000000000000000035f and an API secret key of 59c0000000000000000000000000007f.

There are two steps involved in confirming an OAuth client application installation, which are:

  1. Receive the authorization code.
  2. Request a permanent access token using the authorization code.

The example shows the dependencies needed to parse the authorization code and request a permanent access token.

Please note that the example is written in plain PHP so as not to assume how a framework abstracts request query parameters; if you are working within a framework, the example code will most likely need to be modified.

For a full working example, see examples/oauth/confirm-installation.php in the project source.

use Yaspa\Authentication\OAuth\Models\Credentials;
use Yaspa\Authentication\OAuth\OAuthService;
use Yaspa\Authentication\OAuth\Transformers\AccessToken;
use Yaspa\Authentication\OAuth\Transformers\AuthorizationCode;
use Yaspa\Factory;

// Get dependencies
$authorizationCodeTransformer = Factory::make(AuthorizationCode::class);
$accessTokenTransformer = Factory::make(AccessToken::class);
$oAuthService = Factory::make(OAuthService::class);

// Get OAuth credentials for the test app
$oAuthCredentials = new Credentials();
$oAuthCredentials
    ->setApiKey('4ac0000000000000000000000000035f')
    ->setApiSecretKey('59c0000000000000000000000000007f');

// Parse provided authorization code
$authorizationCode = $authorizationCodeTransformer->fromArray($_GET);

// Get access token
$nonce = 'something-the-callback-uri-can-verify';
$accessToken = $oAuthService->requestPermanentAccessToken($authorizationCode, $oAuthCredentials, $nonce);

Making authenticated requests

Most API requests require credentials to be provided. The Yaspa\Traits\AuthorizedRequestBuilderTrait contains methods for passing in a credential provider that satisfies Yaspa\Interfaces\RequestCredentialsInterface.

For convenience, a factory method exists to create an OAuth credential, as the example shows.

The example assumes your application has the OAuth permanent access token of a190000000000000000000000000046a for store johns-apparel.

use Yaspa\AdminApi\Customer\CustomerService; // namespace assumed; the page does not show this import
use Yaspa\Authentication\Factory\ApiCredentials;
use Yaspa\Factory;

$credentials = Factory::make(ApiCredentials::class)
    ->makeOAuth('johns-apparel', 'a190000000000000000000000000046a');

// Every service call takes the credentials explicitly; here the customer with ID 6820000675 is retrieved
$service = Factory::make(CustomerService::class);
$retrievedCustomer = $service->getCustomer($credentials, 6820000675);

Scopes

Scopes are provided as a builder so that you do not have to remember which scopes are available; your IDE's auto-suggest lists them for you.

For the full list of available scopes, see Yaspa\Authentication\OAuth\Builders\Scopes.

use Yaspa\Authentication\OAuth\Builders\Scopes;
use Yaspa\Factory;

$scopes = Factory::make(Scopes::class)
    ->withWriteCustomers()
    ->withWriteOrders();

API access modes

The API access mode is set when you create an authorization prompt URI. To request an online or offline access token, use the builder methods withOnlineAccess() or withOfflineAccess().

The example in the "Ask for permission" section demonstrated generating a redirect URI that requested an offline access token. The example here demonstrates requesting an online access token instead.

use Yaspa\Authentication\OAuth\Builders\AuthorizePromptUri;
use Yaspa\Factory;

// $oAuthCredentials and $scopes are the objects built in the "Ask for permission" section
$redirectUri = Factory::make(AuthorizePromptUri::class)
    ->withShop('johns-apparel')
    ->withApiKey($oAuthCredentials->getApiKey())
    ->withNonce('something-the-callback-uri-can-verify')
    ->withScopes($scopes)
    ->withRedirectUri('http://httpbin.org/anything')
    ->withOnlineAccess()
    ->toUri()
    ->__toString();

Delegating access to subsystems

Please note that this method requires an access token generated by Shopify, which can be achieved by following the example in section "Confirm installation".

The example assumes that $accessToken exists and is a valid token.

Delegate tokens cannot contain more permissions than their parent token and will be invalid as soon as the parent token is revoked regardless of expiry settings.

use Yaspa\Authentication\OAuth\Builders\NewDelegateAccessTokenRequest; // namespace assumed; the page does not show this import
use Yaspa\Authentication\OAuth\Builders\Scopes;
use Yaspa\Authentication\OAuth\OAuthService;
use Yaspa\Factory;

// Scopes for the delegate: at most a subset of what the parent token holds
$scopes = (new Scopes())
    ->withWriteOrders()
    ->withWriteCustomers();

// $accessToken is the permanent access token obtained in "Confirm installation"
$delegateAccessTokenRequest = Factory::make(NewDelegateAccessTokenRequest::class)
    ->withShop('johns-apparel')
    ->withAccessToken($accessToken)
    ->withScopes($scopes)
    ->withExpiresIn(10); // short-lived; it is also invalidated the moment the parent token is revoked

// Get the delegate token
$oAuthService = Factory::make(OAuthService::class);
$delegateToken = $oAuthService->createNewDelegateAccessToken($delegateAccessTokenRequest);

Verification

All validation methods are implemented in Yaspa\Authentication\OAuth\SecurityChecks.

These security checks are already integrated into the method Yaspa\Authentication\OAuth\OAuthService::asyncRequestPermanentAccessToken. However, if you wish to verify the correctness of the implementation, or use the checks for other purposes, the security check class is largely decoupled from the rest of the Yaspa library.
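The checks that the "Confirm installation" step relies on, and that the "Verification" section attributes to SecurityChecks, laid out as a stand-alone added example (written for this page, not Yaspa's own code). It assumes the API secret key from this page, Shopify's documented HMAC scheme for OAuth callbacks (drop the hmac parameter, sort the remaining parameters by key, join them, HMAC-SHA256 with the API secret key, hex digest), and a plain PHP array standing in for the session. The nonce helper is what replaces the hard-coded nonce string used in "Ask for permission"; the function and variable names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not Yaspa code). Uses the API secret key from this page and
// a caller-supplied array ($store) in place of $_SESSION so it runs from the CLI.
const API_SECRET_KEY = '59c0000000000000000000000000007f';

// Before redirecting the store owner: mint a random, single-use nonce and keep it
// server-side. This is the value to pass to AuthorizePromptUri::withNonce().
function newNonce(array &$store): string
{
    $nonce = bin2hex(random_bytes(16));
    $store['oauth_nonce'] = $nonce;
    return $nonce;
}

// On the callback: the presented state must equal the stored nonce (constant-time
// compare), and the nonce is consumed so the same callback cannot be replayed.
function consumeNonce(array &$store, string $presented): bool
{
    $expected = $store['oauth_nonce'] ?? null;
    unset($store['oauth_nonce']);
    return is_string($expected) && hash_equals($expected, $presented);
}

// Only a *.myshopify.com hostname is an acceptable shop value.
function shopIsValid(string $shop): bool
{
    return preg_match('/^[a-z0-9][a-z0-9\-]*\.myshopify\.com$/i', $shop) === 1;
}

// Canonical message for the HMAC: drop hmac (and the legacy signature), sort by key,
// escape '%' and '&' (and '=' in keys) so the joined string is unambiguous.
function signedMessage(array $params): string
{
    unset($params['hmac'], $params['signature']);
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $key => $value) {
        $key = str_replace(['%', '&', '='], ['%25', '%26', '%3D'], (string) $key);
        $value = str_replace(['%', '&'], ['%25', '%26'], (string) $value);
        $pairs[] = $key . '=' . $value;
    }
    return implode('&', $pairs);
}

// Recompute the HMAC-SHA256 over the canonical message and compare in constant time.
function hmacIsValid(array $params, string $secret): bool
{
    if (!isset($params['hmac']) || !is_string($params['hmac'])) {
        return false;
    }
    $expected = hash_hmac('sha256', signedMessage($params), $secret);
    return hash_equals($expected, strtolower($params['hmac']));
}

// Full callback check: shop hostname, then HMAC over the query, then the nonce.
// Only when all three pass should the authorization code be exchanged for a token.
function callbackIsValid(array $query, string $secret, array &$store): bool
{
    $shop = $query['shop'] ?? '';
    $state = $query['state'] ?? '';
    if (!is_string($shop) || !is_string($state) || !shopIsValid($shop)) {
        return false;
    }
    if (!hmacIsValid($query, $secret)) {
        return false;
    }
    return consumeNonce($store, $state);
}

// Constructed demo: a session store and one callback signed with our own secret
// (standing in for Shopify), then the same callback replayed, then a tampered copy.
$session = [];
$callback = [
    'code'      => 'constructed-authorization-code',
    'shop'      => 'johns-apparel.myshopify.com',
    'state'     => newNonce($session),
    'timestamp' => '1500000000',
];
$callback['hmac'] = hash_hmac('sha256', signedMessage($callback), API_SECRET_KEY);

var_dump(callbackIsValid($callback, API_SECRET_KEY, $session)); // genuine callback
var_dump(callbackIsValid($callback, API_SECRET_KEY, $session)); // replayed: nonce already consumed

$tampered = $callback;
$tampered['state'] = newNonce($session);             // fresh nonce issued, but...
$tampered['shop']  = 'other-store.myshopify.com';     // ...the shop was changed without re-signing
var_dump(callbackIsValid($tampered, API_SECRET_KEY, $session)); // HMAC no longer matches
```

In a real handler `$_GET` is the `$query` argument and `$_SESSION` (after `session_start()`) is the store; `requestPermanentAccessToken` in the "Confirm installation" example receives the same nonce so that the library can perform the state comparison itself. Doing the hostname check before the HMAC check keeps the shop value from ever reaching a request URL unvalidated, and consuming the nonce last means a request that fails the HMAC does not burn the pending nonce.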
