Provided by: libnet-oauth2-authorizationserver-perl_0.28-1_all 
NAME
Net::OAuth2::AuthorizationServer::Manual - How to use Net::OAuth2::AuthorizationServer
DESCRIPTION
The modules within the Net::OAuth2::AuthorizationServer namespace implement the various
OAuth2 grant type flows. Each module implements a specific grant flow and is designed to
"just work" with minimal detail and effort.
However there are some limitations in using the grant modules in a minimal way, such as
inability to store tokens across restarts or multi-proc and losing tokens over a restart.
You can get around these limitations by supplying a "jwt_secret" or by supplying your own
overrides. The overrides are detailed in the "CALLBACK FUNCTIONS" section below - each
grant module's docs lists the supported callback functions.
If you would still like to use the grant modules in an easy way, but also have tokens
persistent across restarts and shared between multi processes then you can supply a
jwt_secret. What you lose when doing this is the ability for tokens to be revoked. You
could implement the verify_auth_code and verify_access_token methods to handle the
revoking in your app. So that would be halfway between the "simple" and the "realistic"
way. "CLIENT SECRET, TOKEN SECURITY, AND JWT" has more detail about JWTs.
WHICH GRANT TYPE SHOULD I USE?
You are advised to read <https://tools.ietf.org/html/rfc6749> and figure that out
depending on your needs, but to simplify - if you are implementing an app server and need
to give out access tokens you should be using the "Authorization Code Grant" as this is
the most secure flow. If you need to do a call from javascript then the "Implicit Grant"
is probably what you need. You should not use the "Password Grant" or "Client Credentials
Grant" unless your client/server apps are non-public facing or you really know what you
are doing.
The "Authorization Code Grant" is used to obtain both access tokens and refresh tokens and
is optimized for confidential clients. Since this is a redirection-based flow, the client
must be capable of interacting with the resource owner's user-agent (typically a web
browser) and capable of receiving incoming requests (via redirection) from the
authorization server.
The "Implicit Grant" is used to obtain access tokens (it does not support the issuance of
refresh tokens) and is optimized for public clients known to operate a particular
redirection URI. These clients are typically implemented in a browser using a scripting
language such as JavaScript.
The "Password Grant" type MUST NOT be used according to recent draft RFC
<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15>
The "Client Credentials Grant" can request an access token using only its client
credentials (or other supported means of authentication) when the client is requesting
access to the protected resources under its control, or those of another resource owner
that have been previously arranged with the authorization server.
CONSTRUCTOR ARGUMENTS
The following are accepted by all grant types
clients
A hashref of client details keyed like so:
clients => {
$client_id => {
client_secret => $client_secret,
redirect_uri => $redirect_uri, # in the case of "Implicit Grant"
scopes => {
eat => 1,
drink => 0,
sleep => 1,
},
},
},
Note that setting a client_secret implies either "Authorization Code Grant" or "Client
Credentials Grant". if this is not set then "Implicit Grant" is implied (that has an
optional redirect_uri parameter)
Note the clients config is not required if you add all of the necessary callback functions
detailed below, but is necessary for running the grant types in their simplest form (when
there are *no* callbacks provided)
users
In the case of the "Password Grant" you should supply a hash of user to password mappings
as well as the above client details:
users => {
test_user => 'reallyletmein',
}
Again, the users config is not required if you add all of the necessary callback functions
detailed below.
jwt_secret
This is optional. If set JWTs will be returned for the auth codes, access, and refresh
tokens. JWTs allow you to validate tokens without doing a db lookup, but there are certain
considerations (see "CLIENT SECRET, TOKEN SECURITY, AND JWT")
jwt_algorithm
This is optional, and sets the algorithm used in the creation of JWTs (see "CLIENT SECRET,
TOKEN SECURITY, AND JWT")
jwt_encoding
This is optional, and sets the encoding used in the creation of JWTs (see "CLIENT SECRET,
TOKEN SECURITY, AND JWT")
access_token_ttl
The validity period of the generated access token in seconds. Defaults to 3600 seconds (1
hour)
CALLBACK FUNCTIONS
These are the callbacks necessary to use the grant modules in a more realistic way, and
are required to make the auth code, access token, refresh token, etc available across
several processes and persistent.
They should be passed to the grant module constructor, each should be a reference to a
subroutine:
my $Grant = Net::OAuth2::AuthorizationServer::AuthorizationCodeGrant->new(
...
confirm_by_resource_owner_cb => \&your_subroutine,
);
The examples below use monogodb (a db helper returns a MongoDB::Database object) for the
code that would be bespoke to your application - such as finding access codes in the
database, and so on. You can refer to the tests in t/ and examples in examples/ in this
distribution for how it could be done and to actually play around with the code both in a
browser and on the command line.
The examples below are also using a "mojo_controller" object within the args hash passed
to the callbacks - you can pass any extra keys/values you want within the args hash so you
can do the necessary things (e.g. logging) along with the required args
confirm_by_resource_owner_cb
A callback to tell the grant module if the Resource Owner allowed or denied access to the
Resource Server by the Client. The args hash should contain the client id, and an array
reference of scopes requested by the client.
The callback should return a list with three elements. The first element is 1 if access is
allowed, 0 if access is not allowed, otherwise undef if the flow was interrupted (e.g.
calling redirect in a controller). The second element should be the error message in the
case of problems with the confirmation of the scopes. The third element should be an array
reference of scopes as the user may choose to modify the list of requested scopes when
confirming them.
my $resource_owner_confirm_scopes_sub = sub {
my ( %args ) = @_;
my ( $obj,$client_id,$scopes_ref,$redirect_uri,$response_type )
= @args{ qw/ mojo_controller client_id scopes redirect_uri response_type / };
my $error;
my $is_allowed = $obj->flash( "oauth_${client_id}" );
# if user hasn't yet allowed the client access, or if they denied
# access last time, we check [again] with the user for access
if ( ! $is_allowed ) {
$obj->flash( client_id => $client_id );
$obj->flash( scopes => $scopes_ref );
# we need to redirect back to the /oauth/authorize route after
# confirm/deny by resource owner (with the original params)
my $uri = join( '?',$obj->url_for('current'),$obj->url_with->query );
$obj->flash( 'redirect_after_login' => $uri );
$obj->redirect_to( '/oauth/confirm_scopes' );
}
return ( $is_allowed,$error,$scopes_ref );
};
Note that you need to pass on the current url (with query) so it can be returned to after
the user has confirmed/denied access, and the confirm/deny result is stored in the flash
(this could be stored in the user session if you do not want the user to confirm/deny
every single time the Client requests access). Also note the caveat regarding flash and
Path as documented above (login_resource_owner)
login_resource_owner_cb
A callback to tell the grant module if the Resource Owner is logged in. You can pass a
hash of arguments should you need to do anything within the callback It should return 1 if
the Resource Owner is logged in, otherwise it should do the required things to login the
resource owner (e.g. redirect) and return 0:
my $resource_owner_logged_in_sub = sub {
my ( %args ) = @_;
my $c = $args{mojo_controller};
if ( ! $c->session( 'logged_in' ) ) {
# we need to redirect back to the /oauth/authorize route after
# login (with the original params)
my $uri = join( '?',$c->url_for('current'),$c->url_with->query );
$c->flash( 'redirect_after_login' => $uri );
$c->redirect_to( '/oauth/login' );
return 0;
}
return 1;
};
Note that you need to pass on the current url (with query) so it can be returned to after
the user has logged in. You can see that the flash is in use here - be aware that the
default routes (if you don't pass them to grant module constructor) for authorize and
access_token are under /oauth/ so it is possible that the flash may have a Path of /oauth/
- the consequence of this is that if your login route is under a different path (likely)
you will not be able to access the value you set in the flash. The solution to this?
Simply create another route under /oauth/ (so in this case /oauth/login) that points to
the same route as the /login route
verify_client_cb
References: <http://tools.ietf.org/html/rfc6749#section-4.1.1>,
<http://tools.ietf.org/html/rfc6749#section-4.2.1>,
<http://tools.ietf.org/html/rfc6749#section-4.3.1>,
<http://tools.ietf.org/html/rfc6749#section-4.4.1>,
A callback to verify if the client asking for authorization is known to the authorization
server and allowed to get authorization for the passed scopes.
The args hash will always contain the client id and an array reference of requested
scopes. Additionally for a ClientCredentials Grant the args hash will also contain the
client secret or for an Implicit Grant response type and optionally redirect uri will be
present, or for a Code Grant response type will be present.
The callback should return a list with three elements. The first element is either 1 or 0
to say that the client is allowed or disallowed, the second element should be the error
message in the case of the client being disallowed and the third should be the amended
scopes_ref denoting the allowed scopes after filtering by the client allowed scopes:
my $verify_client_sub = sub {
my ( %args ) = @_;
my ( $obj,$client_id,$scopes_ref,$client_secret,$redirect_uri,$response_type )
= @args{ qw/ mojo_controller client_id scopes client_secret redirect_uri response_type / };
if (my $client = $obj->db->get_collection( 'clients' )->find_one({ client_id => $client_id })) {
my $client_scopes = [];
# Check scopes
foreach my $scope ( @{ $scopes_ref // [] } ) {
if ( ! exists( $client->{scopes}{$scope} ) ) {
return ( 0,'invalid_scope' );
} elsif ( $client->{scopes}{$scope} ) {
push @{$client_scopes}, $scope;
}
}
# Implicit Grant Checks
if ( $response_type && $response_type eq 'token' ) {
# If 'credentials' have been assigned Implicit Grant should be prevented, so check for secret
return (0, 'unauthorized_grant') if $client->{'secret'};
# Check redirect_uri
return (0, 'access_denied')
if ($client->{'redirect_uri'} && (!$redirect_uri || $redirect_uri ne $client->{'redirect_uri'});
}
# Credentials Grant Checks
if ($client_secret && $client_secret ne $client->{'secret'}) {
return (0, 'access_denied');
}
return ( 1, undef, $client_scopes );
}
return ( 0,'unauthorized_client' );
};
store_auth_code_cb
A callback to allow you to store the generated authorization code. The args hash should
contain the client id, the auth code validity period in seconds, the Client redirect URI,
and a list of the scopes requested by the Client.
You should save the information to your data store, it can then be retrieved by the
verify_auth_code callback for verification:
my $store_auth_code_sub = sub {
my ( %args ) = @_;
my ( $obj,$auth_code,$client_id,$expires_in,$uri,$scopes_ref ) =
@args{qw/ mojo_controller auth_code client_id expires_in redirect_uri scopes / };
my $auth_codes = $obj->db->get_collection( 'auth_codes' );
my $id = $auth_codes->insert({
auth_code => $auth_code,
client_id => $client_id,
user_id => $obj->session( 'user_id' ),
expires => time + $expires_in,
redirect_uri => $uri,
scope => { map { $_ => 1 } @{ $scopes_ref // [] } },
});
return;
};
verify_auth_code_cb
Reference: <http://tools.ietf.org/html/rfc6749#section-4.1.3>
A callback to verify the authorization code passed from the Client to the Authorization
Server. The args hash should contain the client_id, the client_secret, the authorization
code, and the redirect uri.
The callback should verify the authorization code using the rules defined in the reference
RFC above, and return a list with 4 elements. The first element should be a client
identifier (a scalar, or reference) in the case of a valid authorization code or 0 in the
case of an invalid authorization code. The second element should be the error message in
the case of an invalid authorization code. The third element should be a hash reference of
scopes as requested by the client in the original call for an authorization code. The
fourth element should be a user identifier:
my $verify_auth_code_sub = sub {
my ( %args ) = @_;
my ( $obj,$client_id,$client_secret,$auth_code,$uri )
= @args{qw/ mojo_controller client_id client_secret auth_code redirect_uri / };
my $auth_codes = $obj->db->get_collection( 'auth_codes' );
my $ac = $auth_codes->find_one({
client_id => $client_id,
auth_code => $auth_code,
});
my $client = $obj->db->get_collection( 'clients' )
->find_one({ client_id => $client_id });
$client || return ( 0,'unauthorized_client' );
if (
! $ac
or $ac->{verified}
or ( $uri ne $ac->{redirect_uri} )
or ( $ac->{expires} <= time )
or ( $client_secret ne $client->{client_secret} )
) {
if ( $ac->{verified} ) {
# the auth code has been used before - we must revoke the auth code
# and access tokens
$auth_codes->remove({ auth_code => $auth_code });
$obj->db->get_collection( 'access_tokens' )->remove({
access_token => $ac->{access_token}
});
}
return ( 0,'invalid_grant' );
}
# scopes are those that were requested in the authorization request, not
# those stored in the client (i.e. what the auth request restricted scopes
# to and not everything the client is capable of)
my $scope = $ac->{scope};
$auth_codes->update( $ac,{ verified => 1 } );
return ( $client_id,undef,$scope,$ac->{user_id} );
};
store_access_token_cb
A callback to allow you to store the generated access and refresh tokens. The args hash
should contain the client identifier as returned from the verify_auth_code callback, the
authorization code, the access token, the refresh_token, the validity period in seconds,
the scope returned from the verify_auth_code callback, and the old refresh token,
Note that the passed authorization code could be undefined, in which case the access token
and refresh tokens were requested by the Client by the use of an existing refresh token,
which will be passed as the old refresh token variable. In this case you should use the
old refresh token to find out the previous access token and revoke the previous access and
refresh tokens (this is *not* a hard requirement according to the OAuth spec, but I would
recommend it).
The callback does not need to return anything.
You should save the information to your data store, it can then be retrieved by the
verify_access_token callback for verification:
my $store_access_token_sub = sub {
my ( %args ) = @_;
my (
$obj,$client,$auth_code,$access_token,$refresh_token,
$expires_in,$scope,$old_refresh_token
) = @args{qw/
mojo_controller client_id auth_code access_token
refresh_token expires_in scopes old_refresh_token
/ };
my $access_tokens = $obj->db->get_collection( 'access_tokens' );
my $refresh_tokens = $obj->db->get_collection( 'refresh_tokens' );
my $user_id;
if ( ! defined( $auth_code ) && $old_refresh_token ) {
# must have generated an access token via refresh token so revoke the old
# access token and refresh token (also copy required data if missing)
my $prev_rt = $obj->db->get_collection( 'refresh_tokens' )->find_one({
refresh_token => $old_refresh_token,
});
my $prev_at = $obj->db->get_collection( 'access_tokens' )->find_one({
access_token => $prev_rt->{access_token},
});
# access tokens can be revoked, whilst refresh tokens can remain so we
# need to get the data from the refresh token as the access token may
# no longer exist at the point that the refresh token is used
$scope //= $prev_rt->{scope};
$user_id = $prev_rt->{user_id};
# need to revoke the access token
$obj->db->get_collection( 'access_tokens' )
->remove({ access_token => $prev_at->{access_token} });
} else {
$user_id = $obj->db->get_collection( 'auth_codes' )->find_one({
auth_code => $auth_code,
})->{user_id};
}
if ( ref( $client ) ) {
$scope = $client->{scope};
$client = $client->{client_id};
}
# if the client has an existing refresh token we need to revoke it
$refresh_tokens->remove({ client_id => $client, user_id => $user_id });
$access_tokens->insert({
access_token => $access_token,
scope => $scope,
expires => time + $expires_in,
refresh_token => $refresh_token,
client_id => $client,
user_id => $user_id,
});
$refresh_tokens->insert({
refresh_token => $refresh_token,
access_token => $access_token,
scope => $scope,
client_id => $client,
user_id => $user_id,
});
return;
};
verify_access_token_cb
Reference: <http://tools.ietf.org/html/rfc6749#section-7>
A callback to verify the access token. The args hash should contain the access token, an
optional reference to a list of the scopes and if the access_token is actually a refresh
token. Note that the access token could be the refresh token, as this method is also
called when the client uses the refresh token to get a new access token (in which case the
value of the $is_refresh_token variable will be true).
The callback should verify the access code using the rules defined in the reference RFC
above, and return false if the access token is not valid otherwise it should return
something useful if the access token is valid - since this method is called by the call to
$c->oauth you probably need to return a hash of details that the access token relates to
(client id, user id, etc).
In the event of an invalid, expired, etc, access or refresh token you should return a list
where the first element is 0 and the second contains the error message (almost certainly
'invalid_grant' in this case)
my $verify_access_token_sub = sub {
my ( %args ) = @_;
my ( $obj,$access_token,$scopes_ref,$is_refresh_token )
= @args{qw/ mojo_controller access_token scopes is_refresh_token /};
my $rt = $obj->db->get_collection( 'refresh_tokens' )->find_one({
refresh_token => $access_token
});
if ( $is_refresh_token && $rt ) {
if ( $scopes_ref ) {
foreach my $scope ( @{ $scopes_ref // [] } ) {
if ( ! exists( $rt->{scope}{$scope} ) or ! $rt->{scope}{$scope} ) {
return ( 0,'invalid_grant' )
}
}
}
# $rt contains client_id, user_id, etc
return $rt;
}
elsif (
my $at = $obj->db->get_collection( 'access_tokens' )->find_one({
access_token => $access_token,
})
) {
if ( $at->{expires} <= time ) {
# need to revoke the access token
$obj->db->get_collection( 'access_tokens' )
->remove({ access_token => $access_token });
return ( 0,'invalid_grant' )
} elsif ( $scopes_ref ) {
foreach my $scope ( @{ $scopes_ref // [] } ) {
if ( ! exists( $at->{scope}{$scope} ) or ! $at->{scope}{$scope} ) {
return ( 0,'invalid_grant' )
}
}
}
# $at contains client_id, user_id, etc
return $at;
}
return ( 0,'invalid_grant' )
};
verify_user_password_cb
A callback to verify a username and password. The args hash should contain the client_id,
client_secret, username, password, an optional reference to a list of the scopes.
The callback should verify client details and username + password and return a a hash list
with 2 elements. The first element should a hash containing the client id if the client
details + username is valid + scopes + username. The second element should be the error
message in the case of bad credentials.
my $verify_user_password_sub = sub {
my ( $self, %args ) = @_;
my ( $obj, $client_id, $client_secret, $username, $password, $scopes ) =
@args{ qw/ mojo_controller client_id client_secret username password scopes / };
my $client = $obj->db->get_collection( 'clients' )
->find_one({ client_id => $client_id });
$client || return ( 0, 'unauthorized_client' );
my $user = $obj->db->get_collection( 'users' )
->find_one({ username => $username });
if (
! $user
or $client_secret ne $client->{client_secret}
# some routine to check the password against hashed + salted
or ! $obj->passwords_match( $user->{password},$password )
) {
return ( 0, 'invalid_grant' );
}
else {
return ({
client_id => $client_id,
scopes => $scopes,
username => $username,
});
}
};
PUTTING IT ALL TOGETHER
Having defined the above callbacks, customized to your app/data store/etc, you can
configuration the grant module. This example is using the
Net::OAuth2::AuthorizationServer::AuthorizationCodeGrant:
my $Grant = Net::OAuth2::AuthorizationServer::AuthorizationCodeGrant->new(
login_resource_owner_cb => $resource_owner_logged_in_sub,
confirm_by_resource_owner_cb => $resource_owner_confirm_scopes_sub,
verify_client_cb => $verify_client_sub,
store_auth_code_cb => $store_auth_code_sub,
verify_auth_code_cb => $verify_auth_code_sub,
store_access_token_cb => $store_access_token_sub,
verify_access_token_cb => $verify_access_token_sub,
);
Note because we are using the verify_client_cb above we do not need to pass a hashref of
clients - this will be handled in the verify_client_cb sub
SCOPES
Access tokens can have the concept of "scopes", which you can roughly translate to
permissions/privileges on your application side. The RFC covers the details:
<https://tools.ietf.org/html/rfc6749#section-3.3>. You've probably seen this in action
when logging into a service using a social login option, you see a list of things the
service would like to be able to do on your behalf and in most cases you are allowed to
uncheck certain permissions from the list.
The various grant types supported by the modules in this distribution fully support the
use of scopes and the important thing to note is that the various grant types (as used
with no overrides) will validate any requested scopes against the configured scopes with
the following logic:
1) If a scope is requested that the client is not configured to have (does
not exist in the client's scope list) then "invalid_scope" will be returned
2) If a scope is requested that the client is not configured to use (exists
in the client's scope list but is set to false) then "access_denied" wil be
returned
Note that this may change slightly as we figure out the best implementation for various
use cases when no overrides are supplied.
CLIENT SECRET, TOKEN SECURITY, AND JWT
The auth codes and access tokens generated by the grant modules should be unique. When
jwt_secret is not supplied they are generated using a combination of the generation time
(to microsecond precision) + rand() + a call to Crypt::PRNG's random_string function.
These are then base64 encoded to make sure there are no problems with URL encoding.
If jwt_secret is set, which should be a strong secret, the tokens are created with the
Crypt::JWT module and each token should contain a jti using a call to Crypt::PRNG's
random_string function. You can decode the tokens, typically with Crypt::JWT, to get the
information about the client and scopes - but you should not trust the token unless the
signature matches.
If you wish to encrypt JWT, that is to say generate JWE tokens, you can set the
jwt_encoding and jwt_algorithm attributes, these map respectively to the Crypt::JWT enc
and alg attributes - see that module's POD for more info
As the JWT contains the client information and scopes you can, in theory, use this
information to validate an auth code / access token / refresh token without doing a
database lookup. However, it gets somewhat more complicated when you need to revoke
tokens. For more information about JWTs and revoking tokens see
<https://auth0.com/blog/2015/03/10/blacklist-json-web-token-api-keys/> and
<https://tools.ietf.org/html/rfc7519>. Ultimately you're going to have to use some shared
store to revoke tokens, but using the jwt_secret config setting means you can simplify
parts of the process as the JWT will contain the client, user, and scope information (JWTs
are also easy to debug: <http://jwt.io>).
When using JWTs expiry dates will be automatically checked (Crypt::JWT has this built in
to the decoding). The claims hash looks something like this:
{
'iat' => 1435225100, # generation time
'exp' => 1435228700, # expiry time
'aud' => undef # redirect uri in case of type: auth
'jti' => 'psclb1AcC2OjAKtVJRg1JjRJumkVTkDj', # unique
'type' => 'access', # auth, access, or refresh
'scopes' => [ 'list','of','scopes' ], # as requested by client
'client' => 'some client id', # as returned from verify_auth_code
'user_id' => 'some user id', # as returned from verify_auth_code
};
If you wish to override the details set above you can pass a jwt_claims_cb in the call to
token. This will be passed the details that are used above, and any returned keys will
override the defaults:
$Grant->token(
...
jwt_claims_cb => sub {
my ( $args ) = @_;
return (
user_id => 'foo', # override default user_id
iss => ... # add extra claims
);
},
);
the args hash passed to the callback looks like so:
{
user_id => $user_id,
client_id => $client_id,
type => $type,
scopes => $scopes_ref,
redirect_uri => $redirect_uri,
jti => $jti,
}
Since a call for an access token requires both the authorization code and the client
secret you don't need to worry too much about protecting the authorization code - however
you obviously need to make sure the client secret and resultant access tokens and refresh
tokens are stored securely. Since if any of these are compromised you will have your app
endpoints open to use by who or whatever has access to them.
You should therefore treat the client secret, access token, and refresh token as you would
treat passwords - so hashed, salted, and probably encrypted. As with the various checking
functions required by the grant module, the securing of this data is left to you. More
information:
<https://stackoverflow.com/questions/1626575/best-practices-around-generating-oauth-tokens>
<https://stackoverflow.com/questions/1878830/securly-storing-openid-identifiers-and-oauth-tokens>
<https://stackoverflow.com/questions/4419915/how-to-keep-the-oauth-consumer-secret-safe-and-how-to-react-when-its-compromis>
FURTHER READING
<http://tools.ietf.org/html/rfc6749> - The OAuth 2.0 Authorization Framework.
<https://tools.ietf.org/html/rfc6819> - OAuth 2.0 Threat Model and Security
Considerations.
<https://tools.ietf.org/html/rfc6750> - The OAuth 2.0 Authorization Framework: Bearer
Token Usage.
<https://tools.ietf.org/html/rfc7521> - Assertion Framework for OAuth 2.0.
<https://tools.ietf.org/html/rfc7522> - Security Assertion Markup Language (SAML) 2.0
Profile for OAuth 2.0 Client Authentication and Authorization Grants.
<https://tools.ietf.org/html/rfc7523> - JSON Web Token (JWT) Profile for OAuth 2.0 Client
Authentication and Authorization Grants.
<https://tools.ietf.org/html/rfc7636> - Proof Key for Code Exchange by OAuth Public
Clients
<https://tools.ietf.org/html/rfc8705> - OAuth 2.0 Mutual-TLS Client Authentication and
Certificate-Bound Access Tokens,
<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15> - OAuth 2.0 Security
Best Current Practice (Draft).
REFERENCES
• <http://oauth.net/documentation/>
• <http://tools.ietf.org/html/rfc6749>
EXAMPLES
There are examples included with this distribution in the examples/ dir. See
examples/README for more information about these examples.
AUTHOR
Lee Johnson - "leejo@cpan.org"
LICENSE
This library is free software; you can redistribute it and/or modify it under the same
terms as Perl itself. If you would like to contribute documentation or file a bug report
then please raise an issue / pull request:
https://github.com/Humanstate/net-oauth2-authorizationserver
perl v5.30.3 2020-11-Net::OAuth2::AuthorizationServer::Manual(3pm)