PHP
Authentication for PHP websites with Authgear and OAuth2
Using OAuth, you can use Authgear to add user authentication in a vanilla PHP application.
In this guide, we'll cover how to implement OAuth 2.0 login in a regular PHP web application with Authgear as the Identity Provider.
What You Will Learn
At the end of this post, you'll learn the following:
How to create an Authgear Application
How to enable email and password sign-in
How to sign in with Authgear from a PHP app
How to request user info from Authgear
How to use a refresh token
And finally how to log users out and revoke access tokens.
Pre-requisites
To follow along, you'll need the following:
PHP runtime (E.g XAMPP for testing offline on Windows devices)
An Authgear account. Sign up for free if you don't have an account yet.
Composer (PHP package manager) installation
Your preffered code editor (e.g VS Code).
What We Will Build
In this guide, we'll build a basic PHP application that lets a user sign in with their registered email and password.
The application will welcome the user with their email address after they sign in successfully. If the user is not signed in, the application will display links to Register or Login.
The following screenshot shows what the User Interface for the app will look like:
How to Add User Authentication to PHP with Authgear
Now let's dive into the actual steps of how to add Authgear to a PHP application.
Part 1: Configure an Authgear Application
Under this section, we will cover the steps for configuring the Authgear application our PHP website will be connecting to. We'll do all these configurations in the Authgear Portal.
Step 1: Set up Authgear Application
The first step you need to take is to create a new application or configure an existing application on the Authgear Portal.
To do that, log in to the Authgear Portal, and select your project (or create a new one if you don't have any yet). From your project dashboard navigate to the Applications section and enter the details for your new application as shown below:
Once you're done, click on the Save button to continue. Then, click on Next to see the configuration page for your application.
The application configuration page contains basic information like Client ID
and Client Secret
that we'll use later in this tutorial. Hence, try to note the values down.
In addition to basic information, you can find other configuration information including endpoints and Authorized Redirect URIs.
Step 2: Authorized Redirect URIs
The Authorized Redirect URIs section contains a link to the page you want Authgear to redirect users to after login.
Update the value for Authorized Redirect URIs to a page on your application. For our example PHP application the value will be http://localhost
because we plan to test run it offline using XAMPP. Also, try to note this value down as we'll be using it in later steps.
Part 2: Implement PHP Project
Here we will cover the steps for implementing a PHP website that interacts with Authgear using the Open ID Connect (OIDC) standard.
Step 1: Create a PHP Project
Create a new PHP project on your computer and add an index.php
file to the root of the project folder.
Add the following code to index.php to create the User Interface of the example app.
Note: The Login and Logout links in the above code currently point to login.php and logout.php respectively, we'll create both files later.
Step 2: Add Authgear Configuration to PHP Project
In this step, we'll add our Authgear application configuration to the PHP project.
We'll use the OAuth 2.0 Client PHP package for the configuration.
Install the package manually from Github or via Composer by running the following command from your PHP project's root directory:
Next, after the package is installed, create a new config.php
file in the PHP project folder. Add the following code to the file:
Note: Replace the values for clientId
, clientSecret
, redirectUri
with corresponding values from the Authgear application you created in Step 1.
Including the offline_access
scope is required to get a refresh token from Authgear.
Step 3: Add Login Authorization
The flow for Login on our app is as follows:
The user clicks on the Login button
User is redirected to the Authgear authorization page where they can sign in using email and password or any other sign-in methods you have enabled for your Authgear project.
The user is redirected back to your website with an authorization code.
In order to implement the above, you need to create a login.php
file in your project's root directory. Add the following code to the login.php file:
At this point, if you try running the example app in a browser and click the Login link in index.php, your app should redirect to the Authgear login page. If you sign in successfully, you should be redirected back to the redirect URL you specified earlier in your project configuration.
Authgear will redirect to your Authorized Redirect URI with extra parameters like code
or an error message in the URL. The value for the code parameter is your authorization code. In the next step, we'll use the authorization code to generate an access token.
Step 4: Get Access Token and Request User Info
Usually, after successful sign-in, you'll want to start using the current user's info to offer custom experience in your app.
In this step, we'll use the PHP OAuth 2.0 Client once more to interact with our Authgear app.
First, open index.php
and search for the line with the following code:
Replace the above line with this code:
The above code exchanges the authorization code returned in the redirect for an access token. It then stores the access token in the PHP session so that we can use this token in future requests to protected resources.
Now that we have the access token, let's try to get the current user's details. To do that, update the HTML part in index.php like this:
Now test the app on your browser again and you should get the following page after login:
We've successfully added user authentication to our PHP app using Authgear as the identity provider. The above page displays a welcome message with the email address the user registered with on your Authgear project. You can display other info about the user from the value of $userInfo
variable.
Step 5: Getting and Using a Refresh Token
In OAuth 2.0, a refresh token is a key that's usually included in the response from the token endpoint when a client application exchanges the authorization code for an access token.
Access tokens expire after some time. Hence, we can use this refresh token to request a new access token without requiring our application users to log in again. In this step, we'll show you how to use the refresh token.
In the last step, we stored the value for the refresh token in the $_SESSION['refreshToken']
variable. So, to get the refresh token, simply read the value from that variable.
Now, add the following code to index.php to read and use the refresh token to get a new access token:
First, find the line with the following code:
Replace that line with the following blocks of code:
Note: It is required to include offline_access in your OAuth 2.0 scopes to get a refresh token from Authgear.
Step 6: Logout
Authgear provides a token revoke endpoint that you can use to revoke a refresh token and all the access associated with it.
To use the token revoke endpoint to log users out of your application, create a new logout.php
file in your project directory then add the following code to the file:
The above code will revoke your refresh token and delete all the session variables.
Summary
In this post, we covered how to get started with adding Authgear to a regular web app built with PHP and no framework.
We also tried out an example of using the Authgear authorization code to retrieve an access token, then we used the token to access the user info endpoint.
Here's a link complete source code for our example app on Github.
There's so much more you can do with Authgear and you can continue learning by checking out more topics on the documentation page.
Last updated