PHP OAuth 2.0 Server VS PHP Dotenv

For creating a PHP OAuth2 server take a look at https://oauth2.thephpleague.com/ it is not a complete server, but will do most of the work for you.

For the server side, I'll use the OAuth 2.0 server library. The implementation here is more complex, as there are many moving parts that need to be in place.

I looked at the phpleague oauth2-server and there, they say that a SPA (front end in angular or react) should use Authorization code grant and not password grant (it seems password grant is not recommended to use anymore).

Laravel Passport facilitates full OAuth2 server implementation for Laravel Apps in less time. Developing an OAuth2 server from scratch can be tedious and time-consuming, but Laravel Passport is a local OAuth 2 server for Laravel apps. The Laravel Passport package embodies routes, middleware, and database migrations to develop an authorization server that will return access tokens for giving access permission to server resources. It uses the League OAuth2 Server package as a dependency and has a straightforward, easy-to-learn, and easy-to-implement language structure.

Disclosure: I work for FusionAuth.

Depends on what you are looking for.

If you want a standalone auth server, you can use FusionAuth in docker/docker-compose: https://fusionauth.io/docs/v1/tech/installation-guide/docker

You can also package up a library; most major languages have one or more OAuth/OIDC libraries: https://github.com/doorkeeper-gem/doorkeeper for Ruby, https://spring.io/projects/spring-security for Spring/Java, https://oauth2.thephpleague.com/ for PHP, https://pypi.org/project/oauthlib/ for Python.

https://oauth.net/code/ has a further selection of libraries in a variety of languages.

I completely agree with this!! Sometimes there's too much hubris in OSS; classes made final, methods made private- because the author has made their mind up about how the library should work and be used. But sometimes it's not possible to imagine every use case. If software is extensible and someone breaks their app by extending your library and doing something wrong, that's their problem. Take a look at this for example: https://github.com/thephpleague/oauth2-server/issues/885 here the authors don't want to make it more extensible because some people might encode too many claims into their tokens and run into problems with header size. Ffs get off your high horse and let people use their own judgement !! /rant

https://github.com/thephpleague/oauth2-server is also good

Otherwise, if I need something larger, then I would go towards OAuth and than in particular OAuth2 from the PHP league. It provides a good framework to work with to implement authentication in your project. Setting up is a bit of work, but when it works, you don't need to look at it again.

After successfully setting up our project, you'll observe that certain packages come pre-installed. One of these packages is vlucas/phpdotenv. This package serves the purpose of facilitating the loading of .env variables within your projects. These variables, stored in a file named '.env', allow for the configuration of various settings without hardcoding them directly into your code. Instead, you can define environment-specific variables such as database credentials, API keys, or any other sensitive information in the .env file, providing a more flexible and secure approach to configuration management.

Recently, I jumped to reading on the documentation of the function putenv() and define() and the array $_ENV to understand the different between all. Also, I looked at the library phpdotenv and how it handles environment variables since its the standard approach to go with when dealing with environment variables in PHP.

So to get down to it, what are some of the best practices here? First off, things that you would normally do, like utilize some sort of secrets manager, that won't be available to you. You also can't utilize environment variables with apache. So you're going to have to have some sort of local secret (password/passphrase) to perform the encryption/decryption. With that said, mysql does provide AES encryption with their AES_ENCRYPT/AES_DECRYPT calls, so in that manner, yes you can safely store PII or other values in a shared MySQL. You can use a php library like https://github.com/vlucas/phpdotenv The decryption password(s) should be in the .ENV file Nothing prevents you from utilizing some scheme perhaps to provide multiple passwords if you want to, perhaps a separate one for each individual column you plan to encrypt.

DotEnv - a popular library that allows us to use environment variables in our project.

[PHP dotenv.](https://github.com/vlucas/phpdotenv) Loads environment variables from `.env` to `getenv(), $_ENV` and `$_SERVER`

PHP dotenv. Loads environment variables from .env to getenv(), $_ENV and $_SERVER automagically.

Use this library https://github.com/vlucas/phpdotenv. Hopefully you are using composer. If not, please consider using it.

First, we need to have PHP installed as well as Composer (A dependency manager for PHP). Using Composer, we need to install dotenv which will allow us to read .env files.

Here, I'm using the vlucas/phpdotenv library to process .env files.