Knowledge Centre

Simple Oauth

by editor | 08.11.2018

Simple Oauth

Simple Oauth​​ is a module which helps decoupled applications in authentication process. Based on an access token, the end user can login. In case this token expires, it is needed to recreate a new token using the refresh token. If the refresh token expires, it is needed to recreate a new token from scratch.


The access token is a unique hash (string resulting from an SHA-256 Cryptographic Algorithm) which contains claims and scopes.


●  Claims - identity information about users needed inside the client application.

●  Scopes - user roles.


Simple Oauth has only two claims defined: ​mail ​and ​username​. If wanted to add more, you will have to extend the ​AccessTokenEntity ​class and override the ​convertToJWT ​method.


class​ ​MyAccessTokenEntity​ ​extends​ ​AccessTokenEntity​ {

* {@inheritdoc} 

​public​ ​function​ ​convertToJWT​(CryptKey $privateKey) { 
 $private_claims = [];
    ->alter(​'simple_oauth_private_claims'​, $private_claims, ​$this​); 
 ​if​ (!is_array($private_claims)) {
    $message = ​'An implementation of hook_simple_oauth_private_claims_alter '​;
    $message .= ​'returns an invalid $private_claims value. $private_claims '​;
    $message .= ​'must be an array.'​;
    ​throw​ ​new​ \InvalidArgumentException($message);
 $builder = (​new​ Builder()) 
    ->setId(​$this​->getIdentifier(), ​TRUE​) 
    ->set(​'scopes'​, ​$this​->getScopes()); 
 $uid = ​$this​->getUserIdentifier();

// Set other claims.
// $builder->set(​'user_picture'​, ​...​);

​foreach​ ($private_claims ​as​ $claim_name => $value) { 
   $builder->set($claim_name, $value);

  $key = ​new​ Key($privateKey->getKeyPath(),$privateKey->getPassPhrase());
  $token = $builder->sign(​new​ Sha256(), $key)->getToken(); 
} ​
  return​ $token;


In order to call this method, you will need the following code:


class​ ​MyServiceProvider​ ​extends​ ​ServiceProviderBase​ ​implements ServiceProviderInterface​ {

* Alter service.
* @param\Drupal\Core\DependencyInjection\ContainerBuilder $container 
* The container.
  public​ ​function​ ​alter​(ContainerBuilder $container) {
    $definition =
    $definition->setClass(​'Drupal\my_module\Repositories\MyAccessTokenRepositor y'​);

Within the scopes parameter, you will need to specify which roles the user has in order to get him/her access on pages.


The roles should be added with spaces between them. If the scope parameter is not defined, the authenticated role will be the default one. In case the consumer has other roles defined, it will be added in token scopes array. For example, if you put only the authenticated role in the /oauth/token​ request, but the client id used contains the editor role, both roles will be added when new token will be generated.

  • Knowlegde
    Knowledge Centre
    Replace a field's content based on another field using AJAX
  • Knowlegde
    Knowledge Centre
    Port your sites to Drupal 9
  • Knowlegde
    Knowledge Centre
    Drupal 8 or Drupal 9

Post a Comment.