OAuth2 with Expressive 2 - Config help needed


I am making progress on my new REST API project and it is time to include some authentication… I know that https://docs.zendframework.com/zend-expressive-authentication-oauth2/ exists; it is exactly what I need, but it is still in dev and the documentation is empty at this time… I need to authenticate my requests via OAuth2 and also work with roles.

Has anyone already used or implemented it, or does anyone have a little doc?


seems to be in alpha1.

The API should be fairly stable from now on (it will be stable once it
reaches beta1), but as far as I understand, the focus is to ship Expressive
3.0.0 (with PSR-15 support) first.

From what I can see, all you’d need is:

The only bit I’m missing is how to set it up as a firewall in front of
other middleware, which I couldn’t figure out by just looking these 5m at
the code.

Marco Pivetta



Thanks for your answer! Yes, I already tried different things in the past weeks.

I added the ConfigProvider files in config.php


Just for testing, I added OAuth2Middleware to one of my routes like this:

$app->get('/customer/{id}', [Zend\Expressive\Authentication\OAuth2\OAuth2Middleware::class,
                             App\Action\CustomerAction::class], 'customer.get');

And I got an error:

Zend\ServiceManager\Exception\ServiceNotCreatedException thrown with message
"Service with name "League\OAuth2\Server\AuthorizationServer" could not be created.
Reason: OAuth2 User Repository is missing"

I know that I am missing something, but I’m a little lost with all these dependencies, factories and aliases.

In the doc of zend-expressive-authentication I read that I need to add 2 aliases in the config for the adapter, but with which values?

'aliases' => [
    AuthenticationInterface::class => Zend\Expressive\Authentication\OAuth2\OAuth2Adapter::class,
    UserRepositoryInterface::class => Zend\Expressive\Authentication\OAuth2\UserRepositoryInterface::class,
],

This seems to have no effect and I’m really not sure if these are the right values…

Could you try to get a full trace for that exception?

Also, this section likely needs aliases pointing to concrete instances:

'aliases' => [
AuthenticationInterface::class =>
UserRepositoryInterface::class =>

Marco Pivetta



@MichaelB you’re right, the documentation is missing for zend-expressive-authentication-oauth2. I have this task in my TODO list and I’ll write it asap.

In the meantime, regarding your error msg “OAuth2 User Repository is missing” it seems there is no configuration for UserRepositoryInterface::class. The default value is UserRepositoryInterface::class => Pdo\UserRepository in the aliases of ConfigProvider.php file. This is a UserRepository implementation using a PDO database.

You can see a “working” example in test OAuth2PdoMiddlewareTest. Let me know if you need more information.

Hi, @ocramius and @enrico thanks for your answers!

About my error “OAuth2 User Repository is missing”, I first removed the 2 aliases that I added (by mistake) in my own ConfigProvider.php. In any case, I still have the same error.

Now, in the ConfigProvider.php of Zend\Expressive\Authentication\OAuth2, I just discovered that it is missing these 2 lines:

use League\OAuth2\Server\Repositories\UserRepositoryInterface;
use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;

And this line in the “aliases” array is probably wrong:

AuthCodeEntityInterface::class => Pdo\AuthCodeRepository::class,

I replaced it with:

AuthCodeRepositoryInterface::class => Pdo\AuthCodeRepository::class,

Is it possible?

Now I get a JSON response and I think I’m on the right track… no?

{"error":"unsupported_grant_type","message":"The authorization grant type is not supported by the authorization server.","hint":"Check the `grant_type` parameter"}

Hi @MichaelB, yes, you are on the right track :slight_smile:
The error message suggests that you are not using a valid grant_type. You can check the thephpleague/oauth2-server documentation regarding the grant type to use and the parameters to pass.
You can also check the usage in OAuth2PdoMiddlewareTest.php.

Hi @enrico, I can now get a JWT “access_token”! Thanks! :slight_smile:

$app->route('/access_token', Zend\Expressive\Authentication\OAuth2\OAuth2Middleware::class, ['GET', 'POST'], 'oauth');

But I now have a little stupid question… I followed some docs and also looked at your “zendcon2017-api-tutorial”.
For authentication in my action, “zend-expressive-authentication” is used and I can retrieve a UserInterface::class in my action like in your tutorial. So I added these lines to my module’s ConfigProvider.php and adapted them for OAuth2:

use Zend\Expressive\Authentication\AuthenticationInterface;
use Zend\Expressive\Authentication\UserRepositoryInterface;

'aliases' => [
    AuthenticationInterface::class => Zend\Expressive\Authentication\OAuth2\OAuth2Adapter::class,
    UserRepositoryInterface::class => Zend\Expressive\Authentication\OAuth2\UserRepository::class,
],

My route:

$app->get('/customer/{id}', [Zend\Expressive\Authentication\AuthenticationMiddleware::class,
App\Action\CustomerAction::class], 'customer.get');

I guess it is almost correct… or not… but I got this error:

Service with name "Zend\Expressive\Authentication\AuthenticationMiddleware" could not be created.
Reason: AuthenticationInterface service is missing

Where does this AuthenticationInterface service have to be created? Can you help me, please…

Congrats on getting the access_token working! The Zend\Expressive\Authentication\AuthenticationMiddleware is managed by zend-expressive-authentication. You need to include it in your composer.json. Basically, the idea is to use this generic authentication middleware with different adapters (in your case zend-expressive-authentication-oauth2). This authentication middleware provides the same interface for all the adapters and exposes a UserInterface class to be used as a common reference for the User object, shared in the pipeline as a PSR-7 attribute.
You can read the documentation of zend-expressive-authentication for more information.

Thanks @enrico, but I already have zend-expressive-authentication installed and its ConfigProvider is also loaded in the config.php file… that is the reason I’m a little blocked :wink:

Can you share the code with us/me on github? In this way, I can help you more easily. Thanks!

I don’t have a GitHub account; I’ll see tomorrow. Thanks!

I just sent this PR https://github.com/zendframework/zend-expressive-authentication-oauth2/pull/19 containing the OAuth2 documentation. Comments and feedback are welcome, thanks!

I had the same issue and fixed everything as per this thread, now I am getting an error like

{"error":"unknown_error","message":"It was not possible to parse your key, reason: error:0906D06C:PEM routines:PEM_read_bio:no start line"}

… any help would be appreciated.
thanks in advance.

This is probably caused by an invalid certificate, which can have several reasons:

  • You are using the wrong file as a certificate (mixed up the cert and the key)
  • On Windows it could be caused by a certificate not compatible with Windows (invalid characters).
  • On Windows, invalid encoding. It should be UTF-8 without BOM.

For the next time, please open a new topic as this is a completely different issue. It might help others to find this if they encounter the same issue.

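A quick way to check a key file for the three causes listed in the answer above, as an added example that is not part of the original thread or of the project's code. The function name `diagnose_pem` and the sample bytes are constructed for illustration.

```python
import re

# Byte-order marks that editors (notably on Windows) may prepend to a key file.
BOMS = {b"\xef\xbb\xbf": "UTF-8", b"\xff\xfe": "UTF-16 LE", b"\xfe\xff": "UTF-16 BE"}
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def diagnose_pem(data: bytes, expect: str = "private") -> list:
    """Return a list of problems with a PEM key file's framing and encoding.

    expect is "private" or "public": the slot the file is configured for.
    An empty list means none of the checks below fired.
    """
    problems = []
    for bom, name in BOMS.items():
        if data.startswith(bom):
            problems.append(f"starts with a {name} BOM; save as UTF-8 without BOM")
            data = data[len(bom):]
            break
    if b"\x00" in data:
        problems.append("contains NUL bytes; the file is probably UTF-16 encoded")
        data = data.replace(b"\x00", b"")
    # PEM is plain ASCII: anything outside printable ASCII, tab, CR, LF is suspect.
    bad = sorted({b for b in data if b > 0x7E or (b < 0x20 and b not in (9, 10, 13))})
    if bad:
        problems.append("invalid bytes: " + " ".join(f"0x{b:02x}" for b in bad))
    match = PEM_BEGIN.search(data)
    if match is None:
        problems.append("no '-----BEGIN ...-----' line found")
        return problems
    label = match.group(1).decode("ascii")
    if b"-----END " + match.group(1) + b"-----" not in data:
        problems.append(f"no matching '-----END {label}-----' line")
    is_private = label.endswith("PRIVATE KEY")
    if expect == "private" and not is_private:
        problems.append(f"private key expected, but the file holds a {label}")
    if expect == "public" and is_private:
        problems.append(f"public key expected, but the file holds a {label}")
    return problems


# Constructed sample (not a real key): a certificate saved with a UTF-8 BOM
# and configured where the private key belongs.
SAMPLE = b"\xef\xbb\xbf-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for problem in diagnose_pem(SAMPLE, expect="private"):
        print("problem:", problem)
```

Read the file in binary mode (`open(path, "rb").read()`) before passing it in, so the BOM and any stray bytes are still visible to the checks.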

@xtreamwayz Thanks for your reply. I’ll open a new issue if the suggestion from your side does not work.

@xtreamwayz Thanks a lot, dear, you saved my day. It worked for me… :smile:


Hello together,

I got the same error:
"error": "unsupported_grant_type",
"message": "The authorization grant type is not supported by the authorization server.",
"hint": "Check the grant_type parameter"

in my oauth2.global.php:
'grants' => [
    Grant\ClientCredentialsGrant::class => Grant\ClientCredentialsGrant::class,
    Grant\PasswordGrant::class => Grant\PasswordGrant::class,
    Grant\AuthCodeGrant::class => Grant\AuthCodeGrant::class,
    Grant\ImplicitGrant::class => Grant\ImplicitGrant::class,
    Grant\RefreshTokenGrant::class => Grant\RefreshTokenGrant::class,
],

When sending to the /oauth2/authorize endpoint? What data are you sending?