
How to Build an OAuth2 Authorization Code Server in PHP

This tutorial explains step‑by‑step how to set up a secure OAuth2 authorization‑code server in PHP, covering the OAuth flow, library installation, server code, database schema, and testing with curl.

php中文网 Courses

OAuth is an open standard for delegating access to user resources to third‑party applications. It runs over HTTP and lets a user grant an application limited access to resources held on a resource server without handing that application the user's credentials; the application receives a token instead. This article shows how to build an OAuth2 authorization‑code server using PHP.

The authorization‑code grant, the most common OAuth2 flow, proceeds as follows:

1. The client sends an authorization request to the authorization server.
2. The server authenticates the user and asks for consent.
3. After the user approves, the server issues an authorization code to the client.
4. The client exchanges the code, together with its client ID and secret, for an access token.
5. The server validates the client information and the code, then issues the access token.
6. The client uses the access token to request the protected resource from the resource server.

First, install a popular PHP OAuth2 library such as bshaffer/oauth2-server-php via Composer:

composer require bshaffer/oauth2-server-php

Create an index.php file that sets up the PDO storage, the OAuth2 server, adds the authorization‑code grant type, and handles the authorization request and user consent. The full source code is shown below:

<?php
require_once __DIR__ . '/vendor/autoload.php';

// PDO storage for clients, codes and tokens.
// The DSN and database credentials below are placeholders; replace them with your own.
$storage = new OAuth2\Storage\Pdo(array(
    'dsn'      => 'mysql:dbname=YOUR_DB;host=localhost',
    'username' => 'YOUR_DB_USER',
    'password' => 'YOUR_DB_PASSWORD',
));

// Create the OAuth2 server and enable the authorization-code grant type
$server = new OAuth2\Server($storage);
$server->addGrantType(new OAuth2\GrantType\AuthorizationCode($storage));

// Handle the authorization request: checks response_type, client_id and redirect_uri
$request = OAuth2\Request::createFromGlobals();
$response = new OAuth2\Response();
if (!$server->validateAuthorizeRequest($request, $response)) {
    $response->send();
    die;
}

// Show the authorization form on the first (GET) visit
if (empty($_POST)) {
    exit('
<form method="post">
  Username: <input type="text" name="username"><br>
  Password: <input type="password" name="password"><br>
  <input type="submit" value="Authorize">
</form>');
}

// Process the authorization decision.
// The fixed admin/admin check is the tutorial's placeholder; a real server verifies
// the submitted credentials against its user store.
$is_authorized = (($_POST['username'] ?? '') === 'admin' && ($_POST['password'] ?? '') === 'admin');
$server->handleAuthorizeRequest($request, $response, $is_authorized);
if ($is_authorized) {
    // Redirects to redirect_uri with the authorization code appended
    $response->send();
} else {
    echo 'Authorization failed';
}
?>

Next, create a MySQL table to store client credentials:

CREATE TABLE `oauth_clients` (
  `client_id` varchar(80) COLLATE utf8_unicode_ci NOT NULL,
  `client_secret` varchar(80) COLLATE utf8_unicode_ci NOT NULL,
  `redirect_uri` varchar(2000) COLLATE utf8_unicode_ci NOT NULL DEFAULT '',
  `grant_types` varchar(80) COLLATE utf8_unicode_ci DEFAULT NULL,
  `scope` varchar(100) COLLATE utf8_unicode_ci DEFAULT NULL,
  `user_id` varchar(80) COLLATE utf8_unicode_ci DEFAULT NULL,
  PRIMARY KEY (`client_id`)
);

To test the server, open a browser and visit a URL such as http://localhost/index.php?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&scope=SCOPE, replacing the placeholders with your client details. Log in with username and password “admin” to obtain an authorization code.

Exchange the code for an access token using curl:

curl -X POST -d "grant_type=authorization_code&code=AUTHORIZATION_CODE&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&redirect_uri=YOUR_REDIRECT_URI" http://localhost/token.php

Replace the placeholders with the actual values; a successful request returns an access token. The guide demonstrates the complete steps to set up a secure OAuth2 authorization‑code server in PHP.
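The curl command above posts to a token.php that the article never shows. The file below is an added example, not code from the original article or from the bshaffer/oauth2-server-php project itself, of what that endpoint looks like with the same library and the same Composer autoloader; the DSN and database credentials are placeholders, as in index.php.

```php
<?php
// token.php: the token endpoint that the curl command posts to.
// Added example; assumes the same library and storage setup as index.php.
require_once __DIR__ . '/vendor/autoload.php';

// Same PDO storage as index.php, so the code issued there can be looked up here.
// DSN and credentials are placeholders.
$storage = new OAuth2\Storage\Pdo(array(
    'dsn'      => 'mysql:dbname=YOUR_DB;host=localhost',
    'username' => 'YOUR_DB_USER',
    'password' => 'YOUR_DB_PASSWORD',
));

$server = new OAuth2\Server($storage);

// Only the authorization-code grant is registered. A POST with any other
// grant_type (password, client_credentials, ...) is answered with an
// "unsupported_grant_type" error instead of a token.
$server->addGrantType(new OAuth2\GrantType\AuthorizationCode($storage));

// handleTokenRequest() does the work of step 5 of the flow:
//  - rejects anything that is not a POST (the client secret must travel in the
//    request body, not in a query string that ends up in access logs);
//  - checks client_id and client_secret against the oauth_clients table;
//  - checks that the code exists, has not expired, was issued to this client
//    and that redirect_uri matches the one used in the authorization request;
//  - expires the code so it cannot be replayed, then stores and returns a
//    new access token.
// On success the JSON body contains access_token, expires_in and scope;
// on failure it contains error and error_description with a 4xx status.
$server->handleTokenRequest(OAuth2\Request::createFromGlobals())->send();
```

Two things to check before running this: the library's PDO storage also reads and writes the oauth_authorization_codes and oauth_access_tokens tables, which this page does not create, so the token exchange fails until those exist alongside oauth_clients; and a resource endpoint (step 6 of the flow) validates the bearer token with the same server object via $server->verifyResourceRequest() before returning anything protected.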

Written by php中文网 Courses, php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.