Third-Party Authentication

Home
Documents
Get Started Auth Third Party

Third-Party Authentication

Third-party authentication allows users to sign in to applications using their existing accounts on third-party services, such as Google, Facebook, or GitHub. This approach simplifies the sign-in process for users by eliminating the need to create and remember new credentials for each application. It also provides developers with a secure and reliable way to authenticate users without having to manage user credentials directly.

Prisma PHP supports third-party authentication through the use of OAuth 2.0, an open standard for authorization that enables applications to access user data from third-party services securely. By integrating OAuth 2.0 providers into your application, you can allow users to sign in using their existing accounts on popular services, such as Google, Facebook, GitHub, and more.

The library used to make the exchange is the guzzlehttp/guzzle package, which is a PHP HTTP client that makes it easy to send HTTP requests and handle responses. Prisma PHP uses Guzzle to send requests to OAuth 2.0 providers and exchange authorization codes for access tokens to access user data.

Setting Up Third-Party Authentication

Setting up third-party authentication in Prisma PHP involves configuring OAuth 2.0 providers to enable users to sign in using their existing accounts. To get started, you'll need to create an application with the third-party service you want to use for authentication and obtain the necessary credentials to authenticate users. Once you have the required credentials, you can configure the OAuth 2.0 provider in your Prisma PHP application to enable third-party authentication.

The callback URL is the URL where users are redirected after signing in with the provider. It's used to exchange the authorization code for an access token to access user data. The scope parameter specifies the permissions your application needs to access user data, such as profile information, email address, and more.

The CLIENT ID and CLIENT SECRET are obtained from the provider when you create an application for authentication. The redirect URI is the URL where users are redirected after signing in with the provider, and the authorization URL and token URL are the endpoints used to authenticate users and obtain access tokens the this going to be set to .env file.

Setting up the .env file.

AUTH_GOOGLE_ID=your-client-id
  AUTH_GOOGLE_SECRET=your-client-secret
  
  AUTH_GITHUB_ID=your-client-id
  AUTH_GITHUB_SECRET=your-client-secret

In you app directory create a new route /api/auth/[...pphpauth]/route.php witch going to handle the signin and the callback from the provider.

Now lets setup the signin

<div class="flex gap-4 item-center">
    <a href="/api/auth/signin/github">
        Github
    </a>
  </div>

As you can see the a tag is pointing to /api/auth/signin/github this is the route that going to handle the signin with github, for google you can use /api/auth/signin/google.

For testing you can use the $dynamicRouteParams to get the information sended to the route, for more information about dynamic rote parameters go to Dynamic Route Parameters.

<?php

  echo json_encode($dynamicRouteParams);

  ?>

Setting up the route file /api/auth/[...pphpauth]/route.php to receive the signin request and the callback from the provider.

<?php

  use Lib\Auth\Auth;
  use Lib\Auth\GithubProvider;
  use Lib\Auth\GoogleProvider;
  
  $auth = Auth::getInstance();
  
  if ($auth->isAuthenticated()) {
      redirect('/dashboard');
  }
  
  $auth->authProviders(
      new GithubProvider(
          $_ENV['AUTH_GITHUB_CLIENT_ID'],
          $_ENV['AUTH_GITHUB_CLIENT_SECRET']
      ),
      new GoogleProvider(
          $_ENV['AUTH_GOOGLE_CLIENT_ID'],
          $_ENV['AUTH_GOOGLE_CLIENT_SECRET'],
          "http://localhost:3000/api/auth/callback/google"
      )
  );
  
  redirect('/dashboard');

Optional: You can pass the maxAge parameter to the authProviders method to set the maximum age of the session cookie by default the maxAge is set to 30 days. The maxAge parameter accepts a string in the format "1d" for one day, "1h" for one hour, "1m" for one minute, and "1s" for one second. for more info go to tokenValidity.

The callback from the provider is going to be handled in the /api/auth/callback/{provider}

if you are working locally you can use http://localhost:3000/api/auth/callback/google for google and http://localhost:3000/api/auth/callback/github for github.

For production you can use https://yourdomain.com/api/auth/callback/google for google and https://yourdomain.com/api/auth/callback/github for github.

**Note:** Only the Google provider requires a redirect URI, which is used to exchange the authorization code for an access token. The redirect URI should match the one specified when creating the application with Google, and it should point to the callback route in your application, but for github you going to set the callback url in the github settings while creating the application.

As you can see the authProviders method is used to set the providers that you want to use for authentication, in this case we are using the GithubProvider and GoogleProvider.

The callback URI is set for development purposes, you can change it when you deploy your application. The callback URI should match the one specified when creating the application with Google, and it should point to the callback route in your application.

**Note:** if you have choose to work with Prisma PHP ORM you can use the following database schema to store user data. It includes all the necessary fields for storing user data.

MySQL

PostgreSQL

SQLite

model User {
    id            String    @id @default(cuid())
    name          String?
    email         String   @unique
    emailVerified DateTime?
    image         String?
    createdAt     DateTime  @default(now())
    updatedAt     DateTime  @updatedAt
  
    Session Session[]
    Account Account?
  }
  
  model Account {
    id                       String   @id @default(cuid())
    type                     String
    provider                 String
    providerAccountId        String
    refresh_token            String?  @db.Text
    access_token             String?  @db.Text
    expires_at               Int?
    token_type               String?
    scope                    String?
    id_token                 String?  @db.Text
    session_state            String?
    createdAt                DateTime @default(now())
    updatedAt                DateTime @updatedAt
  
    userId String @unique
    user   User?  @relation(fields: [userId], references: [id])
  
    @@unique([provider, providerAccountId])
    @@index([userId])
  }
  
  model Session {
    id           String   @id @default(cuid())
    sessionToken String   @unique
    expires      DateTime
    createdAt    DateTime @default(now())
    updatedAt    DateTime @updatedAt
  
    userId String
    user   User   @relation(fields: [userId], references: [id])
  
    @@index([userId])
  }
  
  model VerificationToken {
    identifier String
    token      String
    expires    DateTime
  
    @@unique([identifier, token])
  }

model User {
    id            String    @id @default(cuid())
    name          String?
    email         String    @unique
    emailVerified DateTime?
    image         String?
    createdAt     DateTime  @default(now())
    updatedAt     DateTime  @updatedAt
  
    Accounts Account[]
    Sessions Session[]
  }
  
  model Account {
    id                String   @id @default(cuid())
    type              String
    provider          String
    providerAccountId String
    refresh_token     String?
    access_token      String?
    expires_at        Int?
    token_type        String?
    scope             String?
    id_token          String?
    session_state     String?
    createdAt         DateTime @default(now())
    updatedAt         DateTime @updatedAt
  
    userId String
    user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
  
    @@id([provider, providerAccountId])
  }
  
  model Session {
    id           String   @id @default(cuid())
    sessionToken String   @unique
    expires      DateTime
    createdAt    DateTime @default(now())
    updatedAt    DateTime @updatedAt
  
    userId String
    user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
  }
  
  model VerificationToken {
    identifier String
    token      String
    expires    DateTime
  
    @@id([identifier, token])
  }

model User {
    id            String    @id @default(cuid())
    name          String?
    email         String   @unique
    emailVerified DateTime?
    image         String?
    createdAt     DateTime  @default(now())
    updatedAt     DateTime  @updatedAt
  
    Accounts Account[]
    Sessions Session[]
  }
  
  model Account {
    id                String   @id @default(cuid())
    type              String
    provider          String
    providerAccountId String
    refresh_token     String?
    access_token      String?
    expires_at        Int?
    token_type        String?
    scope             String?
    id_token          String?
    session_state     String?
    createdAt         DateTime @default(now())
    updatedAt         DateTime @updatedAt
  
    userId String
    user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
  
    @@unique([provider, providerAccountId])
  }
  
  model Session {
    id           String   @id @default(cuid())
    sessionToken String   @unique
    expires      DateTime
    createdAt    DateTime @default(now())
    updatedAt    DateTime @updatedAt
  
    userId String
    user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
  }
  
  model VerificationToken {
    identifier String
    token      String
    expires    DateTime
  
    @@unique([identifier, token])
  }

After setting up the database schema, you can create a new controller to handle the authentication flow. The controller should include methods to initiate the authentication process, handle the callback from the provider, and create or update user accounts based on the information received from the provider.

Remember to generate your PHP classes for this to work by running the following command in your terminal:

npx php generate class

For more info go to Prisma PHP Command.

Now lets save the auth info to the database: file location src/Lib/Auth/Auth.php

Remember to import the use Lib\Prisma\Classes\Prisma; class at the top of the file.

copy and paste the code to the function saveAuthInfo in the Auth.php file.

private function saveAuthInfo($responseInfo, $accountData)
  {
      $prisma = Prisma::getInstance();
      $foundUser = $prisma->user->findUnique([
          'where' => [
              'email' => $responseInfo->email,
          ],
      ]);
  
      if (!$foundUser) {
          $userData = [
              'name' => $responseInfo->name,
              'email' => $responseInfo->email,
              'image' => $responseInfo->picture,
              'emailVerified' => $responseInfo->email ? date("Y-m-d H:i:s") : null,
              'Account' => [
                  'create' => $accountData,
              ]
          ];
  
          $createUser = $prisma->user->create([
              'data' => $userData,
          ]);
  
          if (!$createUser) {
              exit("Error occurred. Please try again.");
          }
      }
  }

In conclusion you have successfully setup third-party authentication in Prisma PHP.