Heads up… this article is old!

For an updated version of this article, see Token Authentication in PHP on the Okta developer blog.

I am sure every PHP developer has struggled with storing user information on a server to identify the source of a request. Since HTTP is a stateless protocol, server-side session state has been the usual way to tell who a user is. Until now! We’ve built Token Authentication directly into the PHP SDK for your applications.

Token-based authentication in the PHP SDK removes the need to keep session state on your server: the client holds the tokens and presents them with each request. Because Stormpath generates and verifies these tokens for you, you can cut off access to your web application at any time by deleting a token from an account.

The Benefits of Token Authentication in PHP

PHP API authentication is always a pain point for developers. Because HTTP is stateless, it is up to the developer to decide how to keep track of a user between requests. Typically this is done with a cookie tied to server-side session data, and as we’ve written about before, this can be insecure. With Token Authentication in your PHP application, the user logs in once with a username and password, receives an access token and a refresh token, and the client stores those. Every subsequent request carries the access token to identify the user, so your server keeps no per-user session state and access can be revoked centrally by deleting the token.

The other primary benefit of Token Authentication for your PHP application is scalability. If you store session information about a user on the server, you have to make sure that user always hits the same server on each request, or share the session store between servers. The simplest alternative is to keep the access token on the client and present it with every request, typically as a bearer token in the Authorization header, so any server can handle it.

Configuring OAuth Access and Refresh Tokens

The first thing to do is set up your application to allow for Token Management. A new resource has been added to the PHP SDK for managing your application’s OAuth policies. This resource gives you access to the TTLs for application tokens. The TTL values are stored and set as ISO 8601 durations. By default, the application access token is set to 1 hour (PT1H) and the refresh token is set to 60 days (P60D). Keep the access token TTL short: it bounds how long a stolen token, or one you have deleted but are still validating locally, remains usable.

To get the values of the OAuth policy, run the following code:

You can modify the TTLs as well.

Generating OAuth Access Tokens

Now that you have the TTLs set up for your application, you can generate an access token. During the login process, you make a request to generate an access token for the user. This is now built into the PHP SDK and can be accomplished in just a few lines of code.

The client then stores the access and refresh tokens and sends the access token with all future requests.

Verifying OAuth Access Tokens

Verifying the access token is an essential part of Token Authentication. There are two ways to do it. The first, which we think is the simplest and most effective, is to let Stormpath verify it for you. The second is to validate it locally, which checks the token’s signature and expiration without a round trip to Stormpath. Local validation misses a few things, however: above all, it cannot tell that a token has since been deleted, so a revoked token keeps working until it expires.

Token Validation Table

Verify Access Tokens via Stormpath

In order to let Stormpath verify the access token for you, you only need to request it from the resource.

To verify locally, you can use the same method but pass in a flag to trigger local validation.

Refreshing OAuth Access Tokens

Access tokens are deliberately short-lived (one hour by default), so while you are using them there will come a time when you need to refresh them. We’ve built this into the PHP SDK as well to make it an easy task.

This exchanges the refresh token for a new access token that you can use for future requests.

Deleting OAuth Access Tokens

There may come a time when you want to remove a user’s access to your application. Doing this easily is one of the most powerful aspects of using tokens for authentication in PHP. With the old way of doing things, a user whose access you had restricted could keep using the system for as long as their session or cookie remained valid, which is a headache if that user is doing things to hurt your application. With token verification via Stormpath, the user is turned away on the very next request. (This relies on Stormpath verifying the token; a token validated locally remains valid until it expires.)

To delete a token, run the following code:

That’s it! On their next request, you check the access token and find that they are no longer allowed into your system. You could even display a fun little message.
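The whole lifecycle described above, from TTL configuration through generating, verifying, refreshing and deleting tokens, as an added PHP example. This is not the Stormpath PHP SDK or its API: it stands in a self-contained, in-memory "issuer" for the Stormpath service, uses HS256-signed JWTs as the token format, and applies the article’s default TTLs (PT1H, P60D) as ISO 8601 durations via PHP’s DateInterval. The secret, subject, timestamps, and the class and method names are all made up for the illustration.

```php
<?php
// Added illustration, not the Stormpath PHP SDK: an in-memory "issuer" that mints HS256 JWT
// access/refresh tokens with ISO 8601 TTLs, verifies them locally or "remotely", refreshes
// and revokes them. Secret, subject and timestamps are made up. Requires PHP 8+.
declare(strict_types=1);

final class TokenIssuer
{
    /** @var array<string, string> tokens the issuer still honours: jti => kind */
    private array $live = [];

    public function __construct(private string $secret) {}

    /** Login: issue an access/refresh pair for the client to hold (article's default TTLs). */
    public function issue(string $subject, DateTimeImmutable $now): array
    {
        return [
            'access_token'  => $this->mint($subject, 'access', 'PT1H', $now),
            'refresh_token' => $this->mint($subject, 'refresh', 'P60D', $now),
        ];
    }

    /** Refresh: a live, unexpired refresh token buys a fresh one-hour access token. */
    public function refresh(string $refreshToken, DateTimeImmutable $now): ?string
    {
        $claims = $this->verifyWithIssuer($refreshToken, $now);
        if ($claims === null || ($claims['kind'] ?? null) !== 'refresh') {
            return null;
        }
        return $this->mint($claims['sub'], 'access', 'PT1H', $now);
    }

    /** Delete: the issuer forgets the token, expired or not. */
    public function revoke(string $token): void
    {
        $claims = json_decode(self::b64urlDecode(explode('.', $token)[1] ?? ''), true) ?: [];
        unset($this->live[$claims['jti'] ?? '']);
    }

    /** "Remote" verification: the local checks plus "does the issuer still honour this jti?" */
    public function verifyWithIssuer(string $token, DateTimeImmutable $now): ?array
    {
        $claims = self::verifyLocally($token, $this->secret, $now);
        return $claims !== null && isset($this->live[$claims['jti'] ?? '']) ? $claims : null;
    }

    /** Local verification: signature and expiry only. A deleted token still passes here. */
    public static function verifyLocally(string $token, string $secret, DateTimeImmutable $now): ?array
    {
        $parts = explode('.', $token);
        if (count($parts) !== 3) {
            return null;
        }
        $expected = self::b64url(hash_hmac('sha256', "$parts[0].$parts[1]", $secret, true));
        $claims = json_decode(self::b64urlDecode($parts[1]), true);
        if (!hash_equals($expected, $parts[2]) || !is_array($claims) || ($claims['exp'] ?? 0) <= $now->getTimestamp()) {
            return null;
        }
        return $claims;
    }

    private function mint(string $sub, string $kind, string $ttl, DateTimeImmutable $now): string
    {
        $jti = bin2hex(random_bytes(16));
        $this->live[$jti] = $kind;
        $header  = self::b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
        $payload = self::b64url(json_encode([
            'sub' => $sub, 'kind' => $kind, 'jti' => $jti, 'iat' => $now->getTimestamp(),
            'exp' => $now->add(new DateInterval($ttl))->getTimestamp(), // ISO 8601 TTL applied to issue time
        ]));
        return "$header.$payload." . self::b64url(hash_hmac('sha256', "$header.$payload", $this->secret, true));
    }

    private static function b64url(string $bin): string
    {
        return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
    }

    private static function b64urlDecode(string $s): string
    {
        return base64_decode(strtr($s, '-_', '+/'), true) ?: '';
    }
}

// Walk-through on a constructed clock: log in, age the access token past PT1H, refresh,
// then delete the new token and compare what each verification path sees.
$secret = 'example-secret-do-not-use';
$issuer = new TokenIssuer($secret);
$t0 = new DateTimeImmutable('2015-06-01T12:00:00Z');
$t1 = $t0->add(new DateInterval('PT1H'));
$tokens = $issuer->issue('jane@example.com', $t0);
$newAccess = $issuer->refresh($tokens['refresh_token'], $t1) ?? throw new RuntimeException('refresh failed');
$issuer->revoke($newAccess);
var_dump([
    'fresh access token, checked by issuer at t0'     => $issuer->verifyWithIssuer($tokens['access_token'], $t0) !== null,
    'same access token, checked locally at t0 + PT1H' => TokenIssuer::verifyLocally($tokens['access_token'], $secret, $t1) !== null,
    'deleted token, checked by issuer'                => $issuer->verifyWithIssuer($newAccess, $t1) !== null,
    'deleted token, checked locally'                  => TokenIssuer::verifyLocally($newAccess, $secret, $t1) !== null,
]);
```

The last two entries of the var_dump are the point of the Token Validation Table: after the delete, the issuer-side check refuses the token on the very next call while the purely local check, which only sees a valid signature and an unexpired exp claim, still accepts it. If you validate locally for speed, pair it with a short access token TTL so that a deleted token dies within the hour rather than within the refresh token’s 60 days.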

Give It a Try

There are great reasons why you would want to use Token Authentication on your next PHP web application. Give the PHP SDK a try for your next project or even integrate it into your existing applications now.

Feel free to drop a line to Support or to me personally anytime.
