Using OAuth with PHP

A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.

Transcript

  • 1. Using OAuth with PHP Dave Ingram @dmi 4th November 2010
  • 2. Coming up • What is OAuth? • How do you write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider
  • 3. What is OAuth anyway?
  • 4. A long time ago, in a website not far away. . .
  • 5. [Connect! button]
  • 6. U:KittehLuvr P:hunter2 [Connect! button]
  • 7-10. U:KittehLuvr P:hunter2 [Connect! button] U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 (the same username and password are passed along at each step) O HAI TWITTER LOOK AT MAH KITTEH LOL!
  • 11-13. Full access
    - Fragile
    - Revoking is painful
  • 14. YOU REVEAL YOUR USERNAME AND PASSWORD
  • 15. YOUR USERNAME AND PASSWORD
  • 16. Who uses it?
  • 17. Twitter (of course), Foursquare, WePay, Yahoo, Photobucket, MySpace, Brightkite, FireEagle, Meetup, OpenSocial, Yammer, GetSatisfaction, Netflix, Ohloh, Evernote, Vimeo, YouTube... Google, Facebook (OAuth 2.0) [Facebook logo crossed out]
  • 18. Building a Consumer
  • 19. To sign requests, you need:
    Consumer key + Consumer secret (unique per application)
    + Access token + Access secret (unique per application user)
  • 20. Step 1: Register with the provider
  • 21. I would like my OAuth application to consume your service please, Mr. Provider.
  • 22. Certainly. I just need to take a few details from you, and we’ll be all set.
  • 23. OK. Here you go.
  • 24. Consumer key Consumer secret
  • 25-26. Step 2: Write your application. Step 3: ?????? Step 4: Profit!
  • 27-36. The OAuth dance between User, Consumer and Provider (in the diagram C = consumer key + secret, R = request token + secret, V = verifier, A = access token + secret):
    1. User clicks connect
    2. Consumer asks provider for request token (C)
    3. Provider returns request token and request secret (R)
    4. Consumer redirects user to provider (R)
    5. User logs in/authorises app
    6. Provider redirects user back to app with verifier (V)
    7. User's arrival with verifier notifies app
    8. App then exchanges request token for access token (C, R, V)
    9. Provider returns access token and access secret (A)
    10. App makes request on user's behalf (C, A)
  • 37-39. Get request token
        // Create OAuth client object
        $o = new OAuth(
            MY_CONSUMER_KEY,
            MY_CONSUMER_SECRET,
            OAUTH_SIG_METHOD_HMACSHA1,
            OAUTH_AUTH_TYPE_URI
        );
        // Fetch the request token
        $response = $o->getRequestToken(
            'https://api.twitter.com/oauth/request_token'
        );
        // Save for later exchange
        $_SESSION['req_token'] = $response['oauth_token'];
        $_SESSION['req_secret'] = $response['oauth_token_secret'];
        // Send user to provider's site
        header('Location: https://api.twitter.com/oauth/authorize'
             . '?oauth_token=' . $response['oauth_token']);
  • 40. Twitter OAuth approval screen
  • 41-42. Get access token
        // Create OAuth client object
        $o = new OAuth(
            MY_CONSUMER_KEY,
            MY_CONSUMER_SECRET,
            OAUTH_SIG_METHOD_HMACSHA1,
            OAUTH_AUTH_TYPE_URI
        );
        // Sign requests with the request token
        $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);
        // Exchange request for access token (verifier is automatic)
        $response = $o->getAccessToken(
            'https://api.twitter.com/oauth/access_token'
        );
        // Save access tokens for later use
        $current_user->saveTwitterTokens(
            $response['oauth_token'],
            $response['oauth_token_secret']
        );
        header('Location: /twitter-link-ok');
  • 43. Access token Access secret
  • 44. Make API requests
        // Create OAuth client object
        $o = new OAuth(
            MY_CONSUMER_KEY,
            MY_CONSUMER_SECRET,
            OAUTH_SIG_METHOD_HMACSHA1,
            OAUTH_AUTH_TYPE_URI
        );
        // Sign requests with the access token
        $o->setToken(
            $current_user->getTwitterToken(),
            $current_user->getTwitterSecret()
        );
        // Make the signed POST request on the user's behalf
        $args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
        $o->fetch(
            'https://api.twitter.com/v1/statuses/update.json',
            $args,
            OAUTH_HTTP_METHOD_POST
        );
        $json = json_decode($o->getLastResponse());
        printf("Result: %s\n", print_r($json, true));
  • 45. What OAuth doesn’t do
  • 46-48. No proof of server identity (use TLS)
    - No confidentiality (use TLS/SSL)
    - No open-source consumer
  • 49. Thoughts on being a Provider
  • 50-53. Very easy to be a Consumer
    - Many design decisions to make as a Provider
    - A fair amount of work, and not always easy to change your mind
    - For example...
  • 54-59. Provider design decisions:
    - How large a range of timestamps do you allow?
    - What permission granularity do you provide?
    - What format and length are tokens/secrets?
    - Do you identify actions as coming from particular consumers? (e.g. Twitter)
    - What about attacks? Phishing, DoS, clickjacking, CSRF
    - Beware proxying/caching (use the right headers!)
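The signing that the PECL OAuth class does for the consumer on slides 37 to 44, and the checks a provider has to make when it receives such a request (the timestamp range and replay questions on slides 54 to 59), as an added example that is not part of the talk. It implements the OAuth 1.0 (RFC 5849) HMAC-SHA1 signature base string and signing key, then a minimal provider-side verify() that applies a timestamp window, a per-consumer nonce replay check and a constant-time signature compare. Every key, secret, the endpoint URL and the sample request are constructed for the demo; Provider, oauth_sign, oauth_base_string and oauth_encode are names chosen here, not part of any library.

```php
<?php
// Added example, not code from the talk: OAuth 1.0 HMAC-SHA1 signing (consumer
// side) and the receiving provider's checks. All values below are constructed.

// Percent-encoding as OAuth 1.0 requires it (RFC 3986 unreserved set only).
function oauth_encode(string $s): string
{
    return str_replace('%7E', '~', rawurlencode($s));
}

// Signature base string: METHOD & encoded base URL & encoded normalised params.
// $params holds query, body and oauth_* parameters; oauth_signature is excluded.
function oauth_base_string(string $method, string $url, array $params): string
{
    unset($params['oauth_signature']);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = [oauth_encode((string) $k), oauth_encode((string) $v)];
    }
    // Sort by encoded key, then by encoded value.
    usort($pairs, fn ($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalised = implode('&', array_map(fn ($p) => $p[0] . '=' . $p[1], $pairs));
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode($normalised);
}

// Consumer side: HMAC-SHA1 over the base string, keyed with both secrets.
function oauth_sign(string $method, string $url, array $params,
                    string $consumerSecret, string $tokenSecret): string
{
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', oauth_base_string($method, $url, $params), $key, true));
}

// Provider side (hypothetical class). verify() returns 'ok' or a rejection reason.
class Provider
{
    private array $consumers; // consumer key => consumer secret
    private array $tokens;    // access token => token secret
    private int $window;      // accepted clock skew in seconds
    private array $seen = []; // "consumer|token|timestamp|nonce" => timestamp

    public function __construct(array $consumers, array $tokens, int $window)
    {
        $this->consumers = $consumers;
        $this->tokens = $tokens;
        $this->window = $window;
    }

    public function verify(string $method, string $url, array $params, int $now): string
    {
        foreach (['oauth_consumer_key', 'oauth_token', 'oauth_signature_method',
                  'oauth_signature', 'oauth_timestamp', 'oauth_nonce'] as $p) {
            if (!isset($params[$p])) {
                return "missing $p";
            }
        }
        if ($params['oauth_signature_method'] !== 'HMAC-SHA1') {
            return 'unsupported signature method';
        }
        $consumerSecret = $this->consumers[$params['oauth_consumer_key']] ?? null;
        $tokenSecret = $this->tokens[$params['oauth_token']] ?? null;
        if ($consumerSecret === null || $tokenSecret === null) {
            return 'unknown consumer or token';
        }
        // Timestamp window: bounds how long a captured request stays usable and
        // how much nonce state the provider must keep.
        if (abs($now - (int) $params['oauth_timestamp']) > $this->window) {
            return 'timestamp outside window';
        }
        // Forget nonces too old to pass the timestamp check anyway.
        foreach ($this->seen as $k => $ts) {
            if ($now - $ts > $this->window) {
                unset($this->seen[$k]);
            }
        }
        $nonceKey = implode('|', [$params['oauth_consumer_key'], $params['oauth_token'],
                                  $params['oauth_timestamp'], $params['oauth_nonce']]);
        if (isset($this->seen[$nonceKey])) {
            return 'nonce replayed';
        }
        $expected = oauth_sign($method, $url, $params, $consumerSecret, $tokenSecret);
        if (!hash_equals($expected, $params['oauth_signature'])) {
            return 'bad signature';
        }
        $this->seen[$nonceKey] = (int) $params['oauth_timestamp']; // record only after success
        return 'ok';
    }
}

// Demo with constructed keys, secrets and endpoint.
$now = time();
$url = 'https://provider.example/1/statuses/update.json';
$params = [
    'oauth_consumer_key'     => 'demo-consumer-key',
    'oauth_token'            => 'demo-access-token',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) $now,
    'oauth_nonce'            => bin2hex(random_bytes(8)),
    'oauth_version'          => '1.0',
    'status'                 => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!',
];
$params['oauth_signature'] = oauth_sign('POST', $url, $params, 'demo-consumer-secret', 'demo-access-secret');

$provider = new Provider(['demo-consumer-key' => 'demo-consumer-secret'],
                         ['demo-access-token' => 'demo-access-secret'], 300);
echo $provider->verify('POST', $url, $params, $now), "\n";
echo $provider->verify('POST', $url, $params, $now), "\n";
$tampered = ['status' => 'something else', 'oauth_nonce' => bin2hex(random_bytes(8))] + $params;
echo $provider->verify('POST', $url, $tampered, $now), "\n";
echo $provider->verify('POST', $url, $params, $now + 3600), "\n";
```

The four verify() calls exercise the decisions in turn: the first request is accepted, the identical second request is refused as a nonce replay, the request with an altered body and fresh nonce fails the signature check, and the original request presented an hour later falls outside the 300-second window. The nonce is only recorded after the signature verifies, so unsigned junk cannot fill the replay store, and the store is pruned to the timestamp window, which is why the window size matters to the provider.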
  • 60. Links Spec: http://oauth.net/ Intro/tutorial: http://hueniverse.com/ Me: http://twitter.com/dmi Slides: http://slideshare.net/ingramd