controller.php

<?php defined('SYSPATH') or die('No direct script access.');

/**
 *
 *
 * @package    OAuth2
 * @category   Library
 * @author     Managed I.T.
 * @copyright  (c) 2011 Managed I.T.
 */
class Controller_OAuth2 extends Controller {
	/**
	 * @var OAuth2
	 */
	protected $_oauth;

	public function before()
	{
		$this->_oauth = OAuth2_Provider::factory($this->request);
	}

	public function action_authorize()
	{
		Auth::instance()->force_login(ORM::factory('user', 1));

		/**
		 * Check if the user is logged in
		 */
		if (Auth::instance()->logged_in())
		{
			$user = Auth::instance()->get_user();

			$auth_params = $this->_oauth->validate_authorize_params();


			// Form has been submitted
			if ($request->method() == Request::POST)
			{
				$accepted = ($this->request->post('accepted') == 'Yes');

				// Validate custom form stuff .. whatever

				// authorize always ends up in a rediret .. no if's no but's..
				$redirect_url = $this->_oauth->authorize($accepted, $user);
				$this->request->redirect($redirect_url);
			}
			
			
			$client = Model_OAuth2_Client::find_client($auth_params['client_id']);

			$this->response->body(View::factory('oauth2/authorize', array(
				'auth_params' => $auth_params,
				'client'      => $client,
				'user'        => $user,
			)));
		}
		else
		{
			$this->request->redirect(Route::url('login'));
		}
	}
}

provider.php

<?php defined('SYSPATH') or die('No direct script access.');

/**
 *
 *
 * @package    OAuth2
 * @category   Library
 * @author     Managed I.T.
 * @copyright  (c) 2011 Managed I.T.
 */
class OAuth2_Provider {

	public static function factory()
	{
		return new OAuth2_Provider();
	}

	/**
	 *
	 * @param  Request  $request
	 * @return array
	 */
	protected function _get_authorize_params(Request $request)
	{
		return Arr::extract($request->query(), array(
			'client_id',
			'response_type',
			'redirect_uri',
			'state',
			'scope',
		));
	}

	/**
	 *
	 * @param  Request  $request
	 * @return array
	 */
	protected function _validate_authorize_params(Request $request)
	{
		$params = $this->_get_authorize_params($request);

		$validation = Validation::factory($params)
			->rule('client_id',     'not_empty')
			->rule('client_id',     'regex',     array(':value', OAuth2::CLIENT_ID_REGEXP))
			->rule('response_type', 'not_empty')
			->rule('response_type', 'regex',     array(':value', OAuth2::RESPONSE_TYPE_REGEXP))
			->rule('redirect_uri',  'url');

		if ( ! $validation->check())
		{
			// TODO: Get a better message
			throw new OAuth2_Exception_InvalidRequest('Invalid Request...');
		}

		// Check we have a valid client
		$client = Model_OAuth2_Client::find_client($params['client_id']);

		if ( ! $client->loaded())
		{
			throw new OAuth2_Exception_InvalidClient('Invalid \'client_id\'');
		}

		// Lookup the redirect_uri if none was supplied in the URL
		if ( ! Valid::url($params['redirect_uri']))
		{
			$params['redirect_uri'] = $client->redirect_uri;

			// Is the redirect_uri still empty? Error if so..
			if ( ! Valid::url($params['redirect_uri']))
				throw new OAuth2_Exception_InvalidRequest('\'redirect_uri\' is required');
		}

		// Check if this client is allowed use this response_type
		if ( ! in_array($params['response_type'], $client->allowed_response_types()))
			throw new OAuth2_Exception_UnauthorizedClient('You are not allowed use the \':response_type\' response_type', array(
				':response_type' => $params['response_type']
			));

		// Is the scope valid?
		if (Valid::not_empty($params['scope']))
		{
			if ( ! in_array($params['scope'], OAuth2::$supported_scopes))
				throw new OAuth2_Exception_UnauthorizedClient('Invalid scope \':scope\'', array(
					':scope' => $params['scope']
				));
		}

		return $params;
	}

	/**
	 *
	 * @param  Request  $request
	 * @return array
	 */
	public function authorize(Request $request, Model_User $user)
	{
		/**
		 * Request Validation
		 */
		$params = $this->_validate_authorize_params($params);

		if ($request->method() == Request::GET)
		{
			// If this is a GET request, return the params for use in the form.
			return $params;
		}
		else if ($request->method() == Request::POST)
		{
			// Form has been submitted .. Lets check if they agreed.
			// TODO ..
			$is_authorized = TRUE;
			$remember = FALSE;

			$url  = $params['redirect_uri'];

			if ( ! $is_authorized)
			{
				$url .= 'error='.OAuth2::ERROR_ACCESS_DENIED;
			}
			else
			{
				// Generate a code...
				$auth_code = Model_OAuth2_Auth_Code::create_code($params['client_id'], $params['redirect_uri'], $params['scope']);

				if ($params['response_type'] == OAuth2::RESPONSE_TYPE_CODE OR $params['response_type'] == OAuth2::RESPONSE_TYPE_CODE_AND_TOKEN)
				{
					$url .= '?code='.urlencode($auth_code->code);

					if (Valid::not_empty($params['state']))
					{
						$url .= '&state='.urlencode($params['state']);
					}

					if (Valid::not_empty($params['scope']))
					{
						$url .= '&scope='.urlencode($params['scope']);
					}
				}

				if ($params['response_type'] == OAuth2::RESPONSE_TYPE_TOKEN OR $params['response_type'] == OAuth2::RESPONSE_TYPE_CODE_AND_TOKEN)
				{
					// Generate a token
					$access_token = Model_OAuth2_Token::create_token($params['client_id'], $params['scope']);

					$url .= '#access_token='.$access_token->access_token;

					if (Valid::not_empty($params['state']))
					{
						$url .= '&state='.urlencode($params['state']);
					}

					if (Valid::not_empty($params['scope']))
					{
						$url .= '&scope='.urlencode($params['scope']);
					}
				}
			}

			// Send the user back to the 3rd party..
			$request->redirect($url);
		}
	}
}