Using OAuth with PHP

A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.

Published in: Technology, Self Improvement
Transcript

  • 1. Using OAuth with PHP Dave Ingram @dmi 4th November 2010
  • 2. Coming up • What is OAuth? • How do you write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider
  • 3. What is OAuth anyway?
  • 4. A long time ago, in a website not far away. . .
  • 5–10. Connect! (build: the user types U:KittehLuvr P:hunter2 into one third-party site after another) O HAI TWITTER LOOK AT MAH KITTEH LOL!
  • 11–13. Full access / Fragile / Revoking is painful
  • 14–15. YOU REVEAL YOUR USERNAME AND PASSWORD
  • 16. Who uses it?
  • 17. Building a Consumer
  • 18. To sign requests, you need: Consumer key Consumer secret (Unique per application) + Access token Access secret (Unique per application user)
  • 19. Step 1: Register with the provider
  • 20. I would like my OAuth application to consume your service please, Mr. Provider.
  • 21. Certainly. I just need to take a few details from you, and we’ll be all set.
  • 22. OK. Here you go.
  • 23. Consumer key Consumer secret
  • 24–25. Step 2: Write your application. Step 3: ?????? Step 4: Profit!
  • 26–35. Sequence diagram (columns: User, Consumer, Provider; the letters C, R, V and A on the slides mark the consumer key/secret, request token/secret, verifier and access token/secret moving between columns):
    1. User clicks connect
    2. Ask provider for request token
    3. Provider returns request token and request secret
    4. Redirect user to provider
    5. User logs in/authorises app
    6. Provider redirects user back to app with verifier
    7. User’s arrival with verifier notifies app
    8. App then exchanges request token for access token
    9. Provider returns access token and access secret
    10. App makes request on user’s behalf
  • 36–38. Get request token

```php
// Create OAuth client object
$o = new OAuth(
    MY_CONSUMER_KEY,
    MY_CONSUMER_SECRET,
    OAUTH_SIG_METHOD_HMACSHA1
);

// Fetch the request token
$response = $o->getRequestToken(
    'https://api.twitter.com/oauth/request_token'
);

// Save for later exchange
$_SESSION['req_token']  = $response['oauth_token'];
$_SESSION['req_secret'] = $response['oauth_token_secret'];

// Send user to provider's site
header('Location: https://api.twitter.com/oauth/authorize'
     . '?oauth_token=' . $response['oauth_token']);
```
  • 39–40. Get access token

```php
// Create OAuth client object
$o = new OAuth(
    MY_CONSUMER_KEY,
    MY_CONSUMER_SECRET,
    OAUTH_SIG_METHOD_HMACSHA1
);

// Sign requests with the request token
$o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);

// Exchange request for access token (verifier is automatic)
$response = $o->getAccessToken(
    'https://api.twitter.com/oauth/access_token'
);

// Save access tokens for later use
$current_user->saveTwitterTokens(
    $response['oauth_token'],
    $response['oauth_token_secret']
);
header('Location: /twitter-link-ok');
```
  • 41. Access token Access secret
  • 42. Make API requests

```php
// Create OAuth client object
$o = new OAuth(
    MY_CONSUMER_KEY,
    MY_CONSUMER_SECRET,
    OAUTH_SIG_METHOD_HMACSHA1
);

// Sign requests with the access token
$o->setToken(
    $current_user->getTwitterToken(),
    $current_user->getTwitterSecret()
);

$args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
$o->fetch(
    'https://api.twitter.com/v1/statuses/update.json',
    $args,
    OAUTH_HTTP_METHOD_POST
);
$json = json_decode($o->getLastResponse());
printf("Result: %s\n", print_r($json, true));
```
  • 43. What OAuth doesn’t do
  • 44–46. No proof of server identity (use TLS) / No confidentiality (use TLS/SSL) / No open-source consumer
  • 47. Thoughts on being a Provider
  • 48–51. Very easy to be a Consumer / Many design decisions to make as a Provider / A fair amount of work, and not always easy to change your mind / For example. . .
  • 52–57. Provider design questions:
    - How large a range of timestamps do you allow?
    - What permission granularity do you provide?
    - What format and length are tokens/secrets?
    - Do you identify actions as coming from particular consumers? (e.g. Twitter)
    - What about attacks? Phishing, DoS, clickjacking, CSRF
    - Beware proxying/caching (use the right headers!)
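Slide 18 says a signed request needs the consumer key/secret plus the access token/secret, and slide 52 asks how wide a timestamp window a provider should accept. The PECL extension used on slides 36–42 does the signing for you; the example below is added here (it is not Dave Ingram's code, the PECL extension, or Twitter's implementation) and spells out both sides by hand for PHP 7.4+: a consumer builds an OAuth 1.0a HMAC-SHA1 signature per RFC 5849, and a provider verifies it, enforces a timestamp window, and rejects replayed nonces. All keys, secrets, tokens and the provider URL are constructed placeholders; the URL is assumed to be passed already normalised (lower-case scheme and host, no query string).

```php
<?php
// Added example: hand-rolled OAuth 1.0a HMAC-SHA1 signing (consumer side) and
// a provider-side verifier with a timestamp window and nonce replay cache.
// All credentials and URLs below are constructed placeholders, not real values.
declare(strict_types=1);

/** Percent-encode per RFC 3986; rawurlencode() is RFC 3986 compliant in PHP >= 5.3. */
function oauth_encode(string $s): string
{
    return rawurlencode($s);
}

/** Signature base string: METHOD & encoded URL & encoded, sorted "k=v&k=v" parameter string. */
function oauth_base_string(string $method, string $url, array $params): string
{
    $pairs = [];
    foreach ($params as $k => $v) {
        if ($k === 'oauth_signature') {
            continue; // the signature is never part of what it signs
        }
        $pairs[] = [oauth_encode((string) $k), oauth_encode((string) $v)];
    }
    usort($pairs, fn(array $a, array $b) => $a <=> $b); // sort by encoded key, then encoded value
    $normalised = implode('&', array_map(fn(array $p) => $p[0] . '=' . $p[1], $pairs));
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode($normalised);
}

/** HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret" (both encoded). */
function oauth_sign(string $method, string $url, array $params, string $consumerSecret, string $tokenSecret): string
{
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', oauth_base_string($method, $url, $params), $key, true));
}

/** Consumer side: attach the oauth_* parameters and sign the request. */
function oauth_build_request(string $method, string $url, array $body, array $creds, int $now, string $nonce): array
{
    $params = $body + [
        'oauth_consumer_key'     => $creds['consumer_key'],
        'oauth_token'            => $creds['token'],
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) $now,
        'oauth_nonce'            => $nonce,
        'oauth_version'          => '1.0',
    ];
    $params['oauth_signature'] = oauth_sign($method, $url, $params, $creds['consumer_secret'], $creds['token_secret']);
    return $params;
}

/** Provider side: verify a signed request. Returns null when accepted, otherwise a rejection reason. */
final class OAuthProvider
{
    private array $consumers;       // consumer_key => consumer_secret
    private array $tokens;          // token => ['secret' => ..., 'consumer_key' => ...]
    private int $window;            // slide 52: accepted |now - oauth_timestamp| in seconds
    private array $seenNonces = []; // "consumer_key|nonce" => time seen; a real provider keeps this in a shared store

    public function __construct(array $consumers, array $tokens, int $window = 300)
    {
        $this->consumers = $consumers;
        $this->tokens    = $tokens;
        $this->window    = $window;
    }

    public function verify(string $method, string $url, array $params, int $now): ?string
    {
        foreach (['oauth_consumer_key', 'oauth_token', 'oauth_timestamp', 'oauth_nonce', 'oauth_signature'] as $f) {
            if (!isset($params[$f])) {
                return "missing $f";
            }
        }
        if (($params['oauth_signature_method'] ?? '') !== 'HMAC-SHA1') {
            return 'unsupported signature method';
        }
        $consumerSecret = $this->consumers[$params['oauth_consumer_key']] ?? null;
        $token          = $this->tokens[$params['oauth_token']] ?? null;
        if ($consumerSecret === null || $token === null) {
            return 'unknown consumer or token';
        }
        if ($token['consumer_key'] !== $params['oauth_consumer_key']) {
            return 'token was not issued to this consumer';
        }
        $ts = (string) $params['oauth_timestamp'];
        if (!ctype_digit($ts) || abs($now - (int) $ts) > $this->window) {
            return 'timestamp outside accepted window';
        }
        $nonceKey = $params['oauth_consumer_key'] . '|' . $params['oauth_nonce'];
        if (isset($this->seenNonces[$nonceKey])) {
            return 'nonce replayed';
        }
        $expected = oauth_sign($method, $url, $params, $consumerSecret, $token['secret']);
        if (!hash_equals($expected, (string) $params['oauth_signature'])) {
            return 'bad signature'; // constant-time compare: do not leak which bytes matched
        }
        $this->seenNonces[$nonceKey] = $now;
        foreach ($this->seenNonces as $k => $t) { // nonces older than the window can never be replayed
            if ($now - $t > $this->window) {
                unset($this->seenNonces[$k]);
            }
        }
        return null;
    }
}

// Demo with constructed credentials (not real Twitter values).
$creds    = ['consumer_key' => 'kitteh-app', 'consumer_secret' => 'cs-EXAMPLE', 'token' => 'tok-user42', 'token_secret' => 'ts-EXAMPLE'];
$provider = new OAuthProvider(['kitteh-app' => 'cs-EXAMPLE'], ['tok-user42' => ['secret' => 'ts-EXAMPLE', 'consumer_key' => 'kitteh-app']]);
$url      = 'https://provider.example/1/statuses/update.json';
$now      = 1288828800; // 4 Nov 2010 00:00:00 UTC, the date of the talk
$show     = static fn(?string $r): string => $r ?? 'accepted';

$req = oauth_build_request('POST', $url, ['status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!'], $creds, $now, 'nonce-0001');
echo 'fresh request:     ', $show($provider->verify('POST', $url, $req, $now)), "\n";
echo 'same nonce again:  ', $show($provider->verify('POST', $url, $req, $now + 1)), "\n";
$stale = oauth_build_request('POST', $url, ['status' => 'late'], $creds, $now - 3600, 'nonce-0002');
echo 'hour-old timestamp: ', $show($provider->verify('POST', $url, $stale, $now)), "\n";
$edited = $req;
$edited['status'] = 'edited after signing';
$edited['oauth_nonce'] = 'nonce-0003';
echo 'edited body:       ', $show($provider->verify('POST', $url, $edited, $now)), "\n";
```

The four demo calls exercise the checks in the order a provider should apply them: the fresh request is accepted, the identical request a second later is rejected as a replay, the request stamped an hour ago falls outside the 300-second window, and the request whose body was edited after signing fails the signature check. The window size and the nonce store are the two decisions slide 52 warns are hard to change later: a narrow window keeps the nonce cache small but rejects clients with drifting clocks, and the cache must be shared across every server that verifies requests or a replay against a different node will succeed.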
  • 58. Links
    - OAuth Spec: http://oauth.net/
    - Intro/tutorial: http://hueniverse.com/
    - PECL extension: http://pecl.php.net/oauth/
    - Me: http://twitter.com/dmi, http://www.dmi.me.uk/talks/, http://www.dmi.me.uk/code/php/
    - Slides: http://slideshare.net/ingramd
