Using OAuth with PHP
Dave Ingram
@dmi
4th November 2010
A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.

Published in: Technology, Self Improvement

Transcript of "Using OAuth with PHP"

  1. Using OAuth with PHP. Dave Ingram, @dmi, 4th November 2010
  2. Coming up • What is OAuth? • How do you write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider
  3. What is OAuth anyway?
  4. A long time ago, in a website not far away...
  5-10. Connect! U:KittehLuvr P:hunter2, U:KittehLuvr P:hunter2, U:KittehLuvr P:hunter2 (the same credentials handed to every site) O HAI TWITTER LOOK AT MAH KITTEH LOL!
  11-13. Full access. Fragile. Revoking is painful.
  14-15. YOU REVEAL YOUR USERNAME AND PASSWORD
  16. Who uses it?
  17. Building a Consumer
  18. To sign requests, you need: Consumer key + Consumer secret (unique per application) + Access token + Access secret (unique per application user)
  19. Step 1: Register with the provider
  20. I would like my OAuth application to consume your service please, Mr. Provider.
  21. Certainly. I just need to take a few details from you, and we’ll be all set.
  22. OK. Here you go.
  23. Consumer key, Consumer secret
  24-25. Step 2: Write your application. Step 3: ?????? Step 4: Profit!
  26-35. User / Consumer / Provider: the three-legged flow as a sequence diagram. In the diagram C is the consumer key and secret, R the request token and secret, V the verifier and A the access token and secret.
     - User clicks connect
     - Consumer asks provider for request token (signed with C)
     - Provider returns request token and request secret (R)
     - Consumer redirects user to provider (carrying the request token)
     - User logs in/authorises app
     - Provider redirects user back to app with verifier (V)
     - User’s arrival with verifier notifies app
     - App then exchanges request token for access token (signed with C and R, presenting V)
     - Provider returns access token and access secret (A)
     - App makes request on user’s behalf (signed with C and A)
  36-38. Get request token

      // $_SESSION is used below, so a session must be active
      session_start();
      // Create OAuth client object
      $o = new OAuth(
        MY_CONSUMER_KEY,
        MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
      );
      // Fetch the request token
      $response = $o->getRequestToken(
        'https://api.twitter.com/oauth/request_token'
      );
      // Save for later exchange
      $_SESSION['req_token']  = $response['oauth_token'];
      $_SESSION['req_secret'] = $response['oauth_token_secret'];
      // Send user to provider's site
      header('Location: https://api.twitter.com/oauth/authorize'
           . '?oauth_token=' . $response['oauth_token']);
  39-40. Get access token

      // Same session as when the request token was fetched
      session_start();
      // Create OAuth client object
      $o = new OAuth(
        MY_CONSUMER_KEY, MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
      );
      // Sign requests with the request token
      $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);
      // Exchange request for access token (verifier is automatic:
      // the extension picks oauth_verifier up from $_GET/$_POST)
      $response = $o->getAccessToken(
        'https://api.twitter.com/oauth/access_token'
      );
      // Save access tokens for later use
      $current_user->saveTwitterTokens(
        $response['oauth_token'],
        $response['oauth_token_secret']
      );
      header('Location: /twitter-link-ok');
  41. Access token, Access secret
  42. Make API requests

      // Create OAuth client object
      $o = new OAuth(
        MY_CONSUMER_KEY, MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
      );
      // Sign requests with the access token
      $o->setToken(
        $current_user->getTwitterToken(),
        $current_user->getTwitterSecret()
      );
      $args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
      // Signed POST to the protected resource (same object as above)
      $o->fetch(
        'https://api.twitter.com/v1/statuses/update.json',
        $args,
        OAUTH_HTTP_METHOD_POST
      );
      $json = json_decode($o->getLastResponse());
      printf("Result: %s\n", print_r($json, true));
  43. What OAuth doesn’t do
  44-46. No proof of server identity (use TLS). No confidentiality (use TLS/SSL). No open-source consumer.
  47. Thoughts on being a Provider
  48-51. Very easy to be a Consumer. Many design decisions to make as a Provider. A fair amount of work, and not always easy to change your mind. For example...
  52-57. Questions a Provider has to answer:
     - How large a range of timestamps do you allow?
     - What permission granularity do you provide?
     - What format and length are tokens/secrets?
     - Do you identify actions as coming from particular consumers? (e.g. Twitter)
     - What about attacks? Phishing, DoS, clickjacking, CSRF
     - Beware proxying/caching (use the right headers!)
  58. Links
     - OAuth Spec: http://oauth.net/
     - Intro/tutorial: http://hueniverse.com/
     - PECL extension: http://pecl.php.net/oauth/
     - Me: http://twitter.com/dmi, http://www.dmi.me.uk/talks/, http://www.dmi.me.uk/code/php/
     - Slides: http://slideshare.net/ingramd
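The PECL extension hides the signing that slide 18's two key/secret pairs feed into, and slides 52-57 leave the Provider-side checks as open questions. What follows is an added example, not code from the talk or from the PECL extension: it builds the RFC 5849 signature base string and HMAC-SHA1 signature the way a Consumer does, then verifies it the way a Provider would, with a timestamp window and a nonce store making the first of those questions concrete. Everything in it is assumed for illustration: the function and class names, the five-minute window, the keys, secrets, tokens and the api.example.com URL. It needs PHP 7.4 or later and runs stand-alone from the command line.

```php
<?php
declare(strict_types=1);
// Added example, not code from the talk: the signing the PECL OAuth class does for
// a Consumer (RFC 5849, HMAC-SHA1) and the checks a Provider runs on the other side.
// Keys, secrets, tokens, URLs and the window size below are constructed samples.

// OAuth percent-encoding (RFC 5849 s3.6) is plain RFC 3986 encoding: rawurlencode().
function oauthEncode(string $value): string { return rawurlencode($value); }

// Signature base string (RFC 5849 s3.4.1): METHOD&enc(base URL)&enc(normalized params).
// Params come from the query string, the form body and the oauth_* set; each name and
// value is encoded, pairs are byte-sorted by name then value and joined with & and =.
// Assumes simple scalar parameter names and values (no PHP-style foo[] arrays).
function signatureBaseString(string $method, string $url, array $params): string
{
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme']);
    $port   = $parts['port'] ?? null;
    $defaultPort = $port === null || ($scheme === 'http' && $port === 80)
        || ($scheme === 'https' && $port === 443);
    $baseUrl = $scheme . '://' . strtolower($parts['host'])
        . ($defaultPort ? '' : ':' . $port) . ($parts['path'] ?? '/');
    if (isset($parts['query'])) {
        parse_str($parts['query'], $queryParams);
        $params = array_merge($params, $queryParams);
    }
    unset($params['oauth_signature']); // the signature never covers itself
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = [oauthEncode((string) $name), oauthEncode((string) $value)];
    }
    usort($pairs, fn (array $a, array $b): int => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalized = implode('&', array_map(fn (array $p): string => $p[0] . '=' . $p[1], $pairs));
    return strtoupper($method) . '&' . oauthEncode($baseUrl) . '&' . oauthEncode($normalized);
}

// HMAC-SHA1 over the base string. The key is enc(consumer secret)&enc(token secret),
// i.e. both halves from slide 18. The token secret is empty when fetching a request token.
function hmacSha1Signature(string $base, string $consumerSecret, string $tokenSecret): string
{
    $key = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Consumer side: the oauth_* parameters that go into the Authorization: OAuth header.
function signRequest(string $method, string $url, array $body, string $consumerKey,
    string $consumerSecret, string $token, string $tokenSecret, int $timestamp, string $nonce): array
{
    $oauth = ['oauth_consumer_key' => $consumerKey, 'oauth_token' => $token,
        'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => (string) $timestamp,
        'oauth_nonce' => $nonce, 'oauth_version' => '1.0'];
    $base = signatureBaseString($method, $url, $oauth + $body);
    $oauth['oauth_signature'] = hmacSha1Signature($base, $consumerSecret, $tokenSecret);
    return $oauth;
}

// Provider side, with two of the slide 52-57 decisions made concrete: a timestamp
// window (five minutes, an illustrative choice) and a nonce store, so a captured
// request cannot be replayed inside that window. Lookups are in-memory arrays here.
final class Provider
{
    private const TIMESTAMP_WINDOW = 300;
    private array $consumerSecrets;
    private array $tokenSecrets;
    private array $seenNonces = []; // production: a shared store that expires entries

    public function __construct(array $consumerSecrets, array $tokenSecrets)
    {
        $this->consumerSecrets = $consumerSecrets;
        $this->tokenSecrets = $tokenSecrets;
    }

    public function verify(string $method, string $url, array $body, array $oauth, int $now): string
    {
        $consumerKey = (string) ($oauth['oauth_consumer_key'] ?? '');
        $token = (string) ($oauth['oauth_token'] ?? '');
        $consumerSecret = $this->consumerSecrets[$consumerKey] ?? null;
        $tokenSecret = $this->tokenSecrets[$token] ?? null;
        if ($consumerSecret === null || $tokenSecret === null) { return 'unknown consumer or token'; }
        // Do not let the client choose a weaker method (e.g. PLAINTEXT) than you mean to accept.
        if (($oauth['oauth_signature_method'] ?? '') !== 'HMAC-SHA1') { return 'unsupported signature method'; }
        $timestamp = (int) ($oauth['oauth_timestamp'] ?? 0);
        if (abs($now - $timestamp) > self::TIMESTAMP_WINDOW) { return 'timestamp outside window'; }
        $nonceKey = implode('|', [$consumerKey, $token, $timestamp, (string) ($oauth['oauth_nonce'] ?? '')]);
        if (isset($this->seenNonces[$nonceKey])) { return 'replayed nonce'; }
        $expected = hmacSha1Signature(signatureBaseString($method, $url, $oauth + $body),
            $consumerSecret, $tokenSecret);
        // hash_equals() compares in constant time, so response timing leaks nothing about $expected.
        if (!hash_equals($expected, (string) ($oauth['oauth_signature'] ?? ''))) { return 'bad signature'; }
        $this->seenNonces[$nonceKey] = true; // remember only nonces of requests that verified
        return 'ok';
    }
}

// Constructed sample values (not real credentials) and a fixed clock.
$consumerKey = 'kitteh-app';        $consumerSecret = 'consumer-secret-123';
$accessToken = 'user-access-token'; $accessSecret = 'user-access-secret';
$url = 'https://api.example.com/1/statuses/update.json?include_entities=true';
$body = ['status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!'];
$now = 1288828800;
$provider = new Provider([$consumerKey => $consumerSecret], [$accessToken => $accessSecret]);
$signed = signRequest('POST', $url, $body, $consumerKey, $consumerSecret, $accessToken, $accessSecret, $now, 'n0nce-1');
echo $provider->verify('POST', $url, $body, $signed, $now), "\n";       // the genuine request
echo $provider->verify('POST', $url, $body, $signed, $now), "\n";       // the same request delivered twice
echo $provider->verify('POST', $url, $body, $signed, $now + 600), "\n"; // the same request, ten minutes late
$fresh = signRequest('POST', $url, $body, $consumerKey, $consumerSecret, $accessToken, $accessSecret, $now, 'n0nce-2');
echo $provider->verify('POST', $url, ['status' => 'changed'], $fresh, $now), "\n"; // body altered after signing
```

Run with `php example.php`: the genuine request verifies, the identical request delivered a second time fails on the nonce, the same request presented ten minutes late fails on the timestamp window, and a body altered after signing fails on the signature. The order of the checks is deliberate: cheap rejections (unknown key, unexpected signature method, stale timestamp, seen nonce) happen before any HMAC is computed, and a nonce is recorded only once the request has verified, so junk requests cannot fill the nonce store. The window size is the trade-off slide 52 asks about: narrow enough that the nonce store stays small, wide enough to tolerate consumers whose clocks drift.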