API Authentication ClientCredentialAuthentication - evansims/openfga-php GitHub Wiki
OAuth 2.0 Client Credentials authentication strategy for OpenFGA client. This authentication strategy implements the OAuth 2.0 Client Credentials flow for authenticating with the OpenFGA API. It automatically handles token acquisition, caching, and refresh when tokens expire. The strategy requires client credentials (client ID and secret) along with the OAuth issuer and audience parameters. It automatically requests new tokens when the current token expires.
Table of Contents
OpenFGA\Authentication
public function clearToken(): voidClear the current access token and force re-authentication. Removes the stored access token, forcing the authentication strategy to request a new token on the next API call. This is useful for handling authentication errors or forcing token refresh.
void
public function getAuthenticationRequest(
Psr\Http\Message\StreamFactoryInterface $streamFactory,
): ?OpenFGA\Network\RequestContextGet an authentication request context if this strategy requires token acquisition. Returns a RequestContext for making an authentication request (such as OAuth token request) if the strategy needs to obtain tokens dynamically. Returns null for strategies that don't require authentication requests (like pre-shared tokens).
| Name | Type | Description |
|---|---|---|
$streamFactory |
StreamFactoryInterface |
Factory for creating request body streams |
RequestContext | null — The authentication request context, or null if not needed
public function getAuthorizationHeader(): ?stringGet the authorization header value for API requests. Returns the authorization header value to be included in HTTP requests to the OpenFGA API. The format and content depend on the specific authentication strategy implementation. For strategies that need to perform authentication requests (like OAuth), this method may trigger an authentication flow using getAuthenticationRequest().
string | null — The authorization header value, or null if no authentication is needed
public function getToken(): AccessTokenInterface|nullGet the current access token if available. Returns the stored access token, which may be null if no authentication has been performed yet or if the token has been explicitly cleared. The returned token may be expired; use the token's isExpired() method to check validity.
AccessTokenInterface | null — The current access token, or null if not authenticated
public function handleAuthenticationResponse(ResponseInterface $response): voidHandle the authentication response and update the stored token. Processes the OAuth token response and creates a new access token from the response data. This method is automatically called by the Client after a successful authentication request. For JWT tokens, this method validates the issuer and audience claims against the OAuth configuration to ensure the token was issued by the expected authorization server and is intended for the correct audience.
| Name | Type | Description |
|---|---|---|
$response |
ResponseInterface |
The authentication response from the OAuth server |
void
public function requiresAuthentication(): boolCheck if authentication is required for this strategy.
bool — True if this strategy provides authentication, false for no-auth strategies