{"id":16668372,"url":"https://github.com/kielabokkie/oauth-proxy","last_synced_at":"2025-10-16T21:56:23.390Z","repository":{"id":57006416,"uuid":"74267843","full_name":"kielabokkie/oauth-proxy","owner":"kielabokkie","description":"OAuth proxy for single-page apps built with Lumen","archived":false,"fork":false,"pushed_at":"2017-04-02T04:06:33.000Z","size":37,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-23T21:23:19.654Z","etag":null,"topics":["lumen","oauth-proxy","spa"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kielabokkie.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-11-20T10:51:56.000Z","updated_at":"2018-04-30T14:24:54.000Z","dependencies_parsed_at":"2022-08-21T14:30:51.982Z","dependency_job_id":null,"html_url":"https://github.com/kielabokkie/oauth-proxy","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kielabokkie%2Foauth-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kielabokkie%2Foauth-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kielabokkie%2Foauth-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kielabokkie%2Foauth-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kielabokkie","download_url":"https://codeload.github.com/kielabokkie/oauth-proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url
":"https://github.com","kind":"github","repositories_count":248097972,"owners_count":21047346,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["lumen","oauth-proxy","spa"],"created_at":"2024-10-12T11:24:47.928Z","updated_at":"2025-10-16T21:56:18.337Z","avatar_url":"https://github.com/kielabokkie.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OAuth Proxy\n\nOAuth proxy for single-page apps (SPA) built with [Lumen](https://lumen.laravel.com).\n\n## Introduction\n\nWe all know that keeping secrets is hard when it comes to SPAs, especially when it comes to OAuth. The [OAuth 2.0 spec](https://tools.ietf.org/html/rfc6749) dictates that you should never expose your client id or secret and your access token as well as the refresh token. If you have to use OAuth you'll require some sort of trade-off as you can't keep all of the above a secret. There are a lot of different techniques, all with their own pros and cons.\n\nOAuth Proxy sits between your SPA and your API and provides two endpoints that forward OAuth requests to your API and automatically adds the required client id and client secret. On top of that it can also handle refreshing access tokens using the `refresh_token` grant. Because all of this happens server-side you keep most of your secrets to yourself. The only trade-off is that the client requires the access token. If you use short lived access tokens and always use SSL (which I hope you do!) 
then the risk is minimised.\n\n## Prerequisites\n\nAs this project is built with [Lumen](https://lumen.laravel.com) it requires a PHP version of `5.6.4` or higher. If you haven’t used Lumen or Laravel before I suggest you first have a look through the documentation.\n\nAt the moment it also depends on [Redis](https://redis.io) as it makes it fast and easy to store key-value pairs with an expiration but I intend to add other providers as well.\n\n## Installation\n\nYou can install OAuth Proxy by running the `composer create-project` command in your terminal:\n\n```\ncomposer create-project --prefer-dist kielabokkie/oauth-proxy\n```\n\n## Configuration\n\nOAuth Proxy provides two endpoints. The first one, to acquire an access token using the `password` grant, is `/oauth/token`. The second endpoint, which lets you refresh access tokens, is `/oauth/token/refresh`. If you prefer to use different endpoints for the Proxy (maybe to match the style of your API) you can overwrite the endpoints in the `.env` file; more on that later.\n\n### Environment file\n\nIf you are familiar with Lumen (or Laravel) you’ll know that the `.env` file contains various configuration settings. Before you can try out the proxy there are a couple of parameters that you need to enter.\n\nBelow is an example `.env` file:\n\n```\nAPP_ENV=local\nAPP_DEBUG=true\nAPP_KEY=tdXF17HfY1yWpPtIV4DGxrivKEpN4yDh\n\nROUTE_ACCESS_TOKEN='/oauth/token'\nROUTE_REFRESH_TOKEN='/oauth/token/refresh'\n\nAPI_URL='http://api.myapp.dev'\nAPI_ACCESS_TOKEN_ENDPOINT='/v1/oauth/token'\nAPI_REFRESH_TOKEN_ENDPOINT='/v1/oauth/token'\n\nOAUTH_CLIENT_ID=my-spa-client\nOAUTH_CLIENT_SECRET=s3cr3tk3y\nOAUTH_REFRESH_TOKEN_TTL=2592000 # 30 days\n\nCORS_ALLOW_ORIGIN='*'\nCORS_ALLOW_METHODS='OPTIONS, GET, POST, PUT, PATCH, DELETE'\nCORS_ALLOW_HEADERS='Authorization, Content-Type'\n\nREDIS_URI='tcp://127.0.0.1:6379'\n```\n\nThe first three parameters are standard Lumen ones that you have to change based on your environment (e.g. 
don’t set `APP_DEBUG` to `true` on production environments). The `APP_KEY` can be set automatically by running the `php artisan key:generate` command.\n\nThe `ROUTE_ACCESS_TOKEN` and `ROUTE_REFRESH_TOKEN` are used to customise the endpoints of the Proxy (as mentioned earlier).\n\nThe next set of parameters are all related to your actual API: `API_URL` is the full URL of your API. `API_ACCESS_TOKEN_ENDPOINT` and `API_REFRESH_TOKEN_ENDPOINT` allow you to specify what endpoint on your API should be used for getting an access token and refreshing an access token.\n\nNext we have the OAuth-related parameters. Here you specify the client id and client secret and the TTL of your refresh tokens. For this last parameter you have to make sure it matches the TTL you have set for refresh tokens on your OAuth server. It’s important that these are the same as the TTL is used to automatically remove them from the datastore after they expire.\n\nThe next three parameters are all used to set CORS headers.\n\nLastly we have the optional `REDIS_URI` variable. If you don't add this variable to your `.env` file the application uses the default URI `tcp://127.0.0.1:6379` for the Redis connection. The `REDIS_URI` variable allows you to customise the URI in case you want to use a custom IP address or port.\n\n### Webserver setup\n\nAs this Proxy is separate from your API and front-end you will need to set up your webserver to serve this application. You can either set up a subdomain (e.g. `proxy.myapp.com`) or have your webserver switch to your proxy based on the URI of your endpoints.\n\n## Usage\n\nSo you have everything set up now and your Proxy is ready to be used!\n\n### Password grant\n\nThe `/oauth/token` endpoint requires a `POST` request with the `username` and `password` as parameters. 
Below is an example curl command that sends the username and password as `x-www-form-urlencoded` data (as per the OAuth 2.0 spec):\n\n```\ncurl -X POST -H \"Content-Type: application/x-www-form-urlencoded\" -d 'username=wouter@myapp.com\u0026password=password' \"http://proxy.myapp.com/oauth/token\"\n```\n\nIf you prefer to send JSON-encoded data you can also do that:\n\n```\ncurl -X POST -H \"Content-Type: application/json\" -d '{\"username\": \"wouter@myapp.com\", \"password\": \"password\"}' \"http://proxy.myapp.com/oauth/token\"\n```\n\n### Refresh token grant\n\nThe `/oauth/token/refresh` endpoint requires a `GET` request with the `Authorization` header containing the bearer token (i.e. the access token that expired). Below is an example of such a request:\n\n```\ncurl -X GET -H \"Authorization: Bearer F9kqePKN424Ci3hRDqk5vzsGjP3qnXrnqGUxxiE9\" \"http://proxy.myapp.com/oauth/token/refresh\"\n```\n\nThat's it, happy Proxying!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkielabokkie%2Foauth-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkielabokkie%2Foauth-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkielabokkie%2Foauth-proxy/lists"}