Using OAuth with PHP

A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.

Usage Rights

CC Attribution-ShareAlike License

    Using OAuth with PHP: Presentation Transcript

    • Using OAuth with PHP Dave Ingram @dmi 4th November 2010
    • Coming up • What is OAuth? • How do you write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider
    • What is OAuth anyway?
    • A long time ago, in a website not far away. . .
    • [Diagram: the user clicks “Connect!” on a third-party site and types in their Twitter username (KittehLuvr) and password (hunter2); the site stores those credentials and replays them to Twitter to post “O HAI TWITTER LOOK AT MAH KITTEH LOL!” on the user’s behalf]
    • Full access. Fragile. Revoking is painful.
    • YOU REVEAL YOUR USERNAME AND PASSWORD
    • Who uses it?
    • Twitter (of course), Foursquare, WePay, Yahoo, Photobucket, MySpace, Brightkite, FireEagle, Meetup, OpenSocial, Yammer, GetSatisfaction, Netflix, Ohloh, Evernote, Vimeo, YouTube... Google, Facebook (OAuth 2.0) [Facebook logo crossed out]
    • Building a Consumer
    • To sign requests, you need: a consumer key and consumer secret (unique per application) + an access token and access secret (unique per application user)
    • Step 1: Register with the provider
    • I would like my OAuth application to consume your service please, Mr. Provider.
    • Certainly. I just need to take a few details from you, and we’ll be all set.
    • OK. Here you go.
    • Consumer key Consumer secret
    • Step 2: Write your application Step 3: ?????? Step 4: Profit!
    • Authorisation flow between User, Consumer and Provider (C = consumer key/secret, R = request token/secret, V = verifier, A = access token/secret):
      • User clicks connect
      • Consumer asks the provider for a request token (signed with C)
      • Provider returns request token and request secret (R)
      • Consumer redirects the user to the provider (carrying R)
      • User logs in/authorises the app
      • Provider redirects the user back to the app with a verifier (V)
      • User’s arrival with the verifier notifies the app
      • App exchanges the request token for an access token (signed with C and R, carrying V)
      • Provider returns access token and access secret (A)
      • App makes requests on the user’s behalf (signed with C and A)
    • Get request token
          session_start(); // the request token is kept in the session until it is exchanged
          // Create OAuth client object (PECL OAuth extension)
          $o = new OAuth(
              MY_CONSUMER_KEY,
              MY_CONSUMER_SECRET,
              OAUTH_SIG_METHOD_HMACSHA1,
              OAUTH_AUTH_TYPE_URI
          );
          // Fetch the request token
          $response = $o->getRequestToken('https://api.twitter.com/oauth/request_token');
          // Save for later exchange
          $_SESSION['req_token']  = $response['oauth_token'];
          $_SESSION['req_secret'] = $response['oauth_token_secret'];
          // Send user to provider's site
          header('Location: https://api.twitter.com/oauth/authorize'
               . '?oauth_token=' . $response['oauth_token']);
          exit;
    • Twitter OAuth approval screen
    • Get access token
          session_start();
          // Create OAuth client object
          $o = new OAuth(
              MY_CONSUMER_KEY,
              MY_CONSUMER_SECRET,
              OAUTH_SIG_METHOD_HMACSHA1,
              OAUTH_AUTH_TYPE_URI
          );
          // Sign requests with the request token
          $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);
          // Exchange request token for access token (the oauth_verifier from $_GET is picked up automatically)
          $response = $o->getAccessToken('https://api.twitter.com/oauth/access_token');
          // Save access tokens for later use
          $current_user->saveTwitterTokens(
              $response['oauth_token'],
              $response['oauth_token_secret']
          );
          header('Location: /twitter-link-ok');
          exit;
    • Access token Access secret
    • Make API requests
          // Create OAuth client object
          $o = new OAuth(
              MY_CONSUMER_KEY,
              MY_CONSUMER_SECRET,
              OAUTH_SIG_METHOD_HMACSHA1,
              OAUTH_AUTH_TYPE_URI
          );
          // Sign requests with the access token
          $o->setToken(
              $current_user->getTwitterToken(),
              $current_user->getTwitterSecret()
          );
          $args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
          // Signed POST to the API endpoint
          $o->fetch(
              'https://api.twitter.com/v1/statuses/update.json',
              $args,
              OAUTH_HTTP_METHOD_POST
          );
          $json = json_decode($o->getLastResponse());
          printf("Result: %s\n", print_r($json, true));
    • What OAuth doesn’t do
    • No proof of server identity (use TLS)
    • No confidentiality (use TLS/SSL)
    • No open-source consumer
    • Thoughts on being a Provider
    • Very easy to be a Consumer
    • Many design decisions to make as a Provider
    • A fair amount of work, and not always easy to change your mind
    • For example. . .
    • How large a range of timestamps do you allow?
    • What permission granularity do you provide?
    • What format and length are tokens/secrets?
    • Do you identify actions as coming from particular consumers? (e.g. Twitter)
    • What about attacks? Phishing, DoS, clickjacking, CSRF
    • Beware proxying/caching (use the right headers!)
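    Added here as a worked example, not code from the talk: the HMAC-SHA1 signing that the PECL OAuth client does for you in the Consumer slides above, together with the Provider-side check those last questions ask about (timestamp window, nonce replay, signature comparison). Assumes PHP 7 or later; the keys, secrets, nonce and timestamp are constructed.

```php
<?php
// Added example (not the talk's code): the HMAC-SHA1 signing the PECL OAuth
// client does for you, and the matching check a Provider makes on receipt.
// Assumes PHP >= 7; keys, secrets, nonce and timestamp below are constructed.
// RFC 5849 base string: METHOD & enc(url) & enc("k=v" pairs sorted by name).
// rawurlencode() gives the spec's percent-encoding (RFC 3986 unreserved set).
function oauth_base_string(string $method, string $url, array $params): string {
    $enc = [];
    foreach ($params as $k => $v) { $enc[rawurlencode((string)$k)] = rawurlencode((string)$v); }
    ksort($enc, SORT_STRING);                                   // byte-order sort on encoded names
    $pairs = [];
    foreach ($enc as $k => $v) { $pairs[] = "$k=$v"; }
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}
// Key is enc(consumer secret) & enc(token secret); the token secret is empty when fetching a request token.
function oauth_hmac_sha1(string $base, string $consumerSecret, string $tokenSecret): string {
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}
// Provider side: bounded timestamp window, nonce replay rejection (per consumer key and
// timestamp), then constant-time signature comparison. $seenNonces stands in for a shared store.
function oauth_verify(string $method, string $url, array $params, string $consumerSecret,
                      string $tokenSecret, array &$seenNonces, int $now, int $window = 300): bool {
    $sig = $params['oauth_signature'] ?? '';
    unset($params['oauth_signature']);                          // never part of the base string
    $ts = (int)($params['oauth_timestamp'] ?? 0);
    if (abs($now - $ts) > $window) { return false; }            // outside the accepted window
    $nonceKey = ($params['oauth_consumer_key'] ?? '') . "|$ts|" . ($params['oauth_nonce'] ?? '');
    if (isset($seenNonces[$nonceKey])) { return false; }        // replayed request
    $expected = oauth_hmac_sha1(oauth_base_string($method, $url, $params), $consumerSecret, $tokenSecret);
    if (!hash_equals($expected, $sig)) { return false; }        // wrong secret or tampered params
    $seenNonces[$nonceKey] = true;
    return true;
}
// The Consumer signs the tweet from the talk, then the Provider checks it three times.
$url = 'https://api.twitter.com/v1/statuses/update.json';
$now = 1288828800;                                              // constructed Unix timestamp
$params = [
    'status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!',
    'oauth_consumer_key' => 'ck_example', 'oauth_token' => 'at_example',
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => (string)$now,
    'oauth_nonce' => 'n0nce1', 'oauth_version' => '1.0',
];
$params['oauth_signature'] = oauth_hmac_sha1(oauth_base_string('POST', $url, $params), 'cs_example', 'as_example');
$seen = [];
var_dump(oauth_verify('POST', $url, $params, 'cs_example', 'as_example', $seen, $now));        // fresh request
var_dump(oauth_verify('POST', $url, $params, 'cs_example', 'as_example', $seen, $now));        // same nonce again
var_dump(oauth_verify('POST', $url, $params, 'cs_example', 'as_example', $seen, $now + 900));  // 15 minutes later
```

    The nonce store must be shared across every front-end that terminates requests, otherwise a replay against a different server passes the check.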
    • Links Spec: http://oauth.net/ Intro/tutorial: http://hueniverse.com/ Me: http://twitter.com/dmi Slides: http://slideshare.net/ingramd