Using OAuth with PHP

A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.

Transcript

  • 1. Using OAuth with PHP Dave Ingram @dmi 4th November 2010
  • 2. Coming up • What is OAuth? • How do you write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider
  • 3. What is OAuth anyway?
  • 4. A long time ago, in a website not far away...
  • 5-10. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 O HAI TWITTER LOOK AT MAH KITTEH LOL!
  • 11-13. Full access. Fragile. Revoking is painful.
  • 14-15. YOU REVEAL YOUR USERNAME AND PASSWORD
  • 16. Who uses it?
  • 17. Building a Consumer
  • 18. To sign requests, you need: Consumer key / Consumer secret (unique per application) + Access token / Access secret (unique per application user)
  • 19. Step 1: Register with the provider
  • 20. I would like my OAuth application to consume your service please, Mr. Provider.
  • 21. Certainly. I just need to take a few details from you, and we’ll be all set.
  • 22. OK. Here you go.
  • 23. Consumer key Consumer secret
  • 24. Step 2: Write your application Step 3: ?????? Step 4: Profit!
  • 26-35. The authorisation flow between User, Consumer and Provider:
      - User clicks connect
      - Ask provider for request token
      - Provider returns request token and request secret
      - Redirect user to provider
      - User logs in/authorises app
      - Provider redirects user back to app with verifier
      - User’s arrival with verifier notifies app
      - App then exchanges request token for access token
      - Provider returns access token and access secret
      - App makes request on user’s behalf
  • 36-38. Get request token
```php
// Create OAuth client object (PECL OAuth extension).
// The slide's trailing comma after the last argument is a syntax error
// before PHP 7.3, so it is dropped here.
$o = new OAuth(
    MY_CONSUMER_KEY,
    MY_CONSUMER_SECRET,
    OAUTH_SIG_METHOD_HMACSHA1
);
// Fetch the request token
$response = $o->getRequestToken(
    'https://api.twitter.com/oauth/request_token'
);
// Save for later exchange
$_SESSION['req_token']  = $response['oauth_token'];
$_SESSION['req_secret'] = $response['oauth_token_secret'];
// Send user to provider's site
header('Location: https://api.twitter.com/oauth/authorize'
     . '?oauth_token=' . $response['oauth_token']);
```
  • 39-40. Get access token
```php
// Create OAuth client object
$o = new OAuth(
    MY_CONSUMER_KEY,
    MY_CONSUMER_SECRET,
    OAUTH_SIG_METHOD_HMACSHA1
);
// Sign requests with the request token
$o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);
// Exchange request for access token (verifier is automatic:
// the extension reads oauth_verifier from the incoming request)
$response = $o->getAccessToken(
    'https://api.twitter.com/oauth/access_token'
);
// Save access tokens for later use (trailing comma removed: syntax error before PHP 7.3)
$current_user->saveTwitterTokens(
    $response['oauth_token'],
    $response['oauth_token_secret']
);
header('Location: /twitter-link-ok');
```
  • 41. Access token Access secret
  • 42. Make API requests
```php
// Create OAuth client object
$o = new OAuth(
    MY_CONSUMER_KEY,
    MY_CONSUMER_SECRET,
    OAUTH_SIG_METHOD_HMACSHA1
);
// Sign requests with the access token
$o->setToken(
    $current_user->getTwitterToken(),
    $current_user->getTwitterSecret()
);
$args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
// The slide used an undefined $oauth here; the client object is $o
$o->fetch(
    'https://api.twitter.com/v1/statuses/update.json',
    $args,
    OAUTH_HTTP_METHOD_POST
);
$json = json_decode($o->getLastResponse());
printf("Result: %s\n", print_r($json, true));
```
  • 43. What OAuth doesn’t do
  • 44-46. No proof of server identity (use TLS). No confidentiality (use TLS/SSL). No open-source consumer.
  • 47. Thoughts on being a Provider
  • 48-51. Very easy to be a Consumer. Many design decisions to make as a Provider. A fair amount of work, and not always easy to change your mind. For example...
  • 52-57. Questions for a Provider:
      - How large a range of timestamps do you allow?
      - What permission granularity do you provide?
      - What format and length are tokens/secrets?
      - Do you identify actions as coming from particular consumers? (e.g. Twitter)
      - What about attacks? Phishing, DoS, clickjacking, CSRF
      - Beware proxying/caching (use the right headers!)
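An added example, not code from the talk or from the PECL OAuth extension: it shows what the extension does under the hood when it signs the requests on slides 36-42 (RFC 5849 HMAC-SHA1) and the provider-side checks slides 52-57 ask about, going beyond the slides by also rejecting a replayed nonce. It assumes PHP 7 or later; the keys, secrets, URL and request are constructed values.

```php
<?php
// Added example; not code from the talk or the PECL OAuth extension. It shows
// what the extension does when it signs a request (RFC 5849, HMAC-SHA1) and the
// provider-side checks the slides ask about: the timestamp window, signature
// comparison and, going beyond the slides, nonce replay. Assumes PHP 7+.
// All keys, secrets and the sample request below are constructed values.

function oauth_base_string(string $method, string $url, array $params): string {
    $enc = [];
    foreach ($params as $k => $v) {           // percent-encode names and values
        $enc[rawurlencode((string)$k)] = rawurlencode((string)$v);
    }
    ksort($enc, SORT_STRING);                  // byte-order sort by encoded name
    $pairs = [];
    foreach ($enc as $k => $v) { $pairs[] = "$k=$v"; }
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

function oauth_sign(string $base, string $consumerSecret, string $tokenSecret): string {
    // Signing key: consumer secret and token secret, each encoded, joined by '&'
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Provider side. $seen is the nonce store (token:timestamp:nonce => true) and
// $window the accepted clock skew in seconds (the talk's "range of timestamps").
function oauth_verify(string $method, string $url, array $params, string $consumerSecret,
                      string $tokenSecret, array &$seen, int $now, int $window = 300): string {
    $ts = (int)($params['oauth_timestamp'] ?? 0);
    if (abs($now - $ts) > $window) { return 'timestamp outside window'; }
    $nonceKey = ($params['oauth_token'] ?? '') . ":$ts:" . ($params['oauth_nonce'] ?? '');
    if (isset($seen[$nonceKey])) { return 'nonce replayed'; }
    $sent = $params['oauth_signature'] ?? '';
    unset($params['oauth_signature']);        // the signature is never part of the base string
    $expected = oauth_sign(oauth_base_string($method, $url, $params), $consumerSecret, $tokenSecret);
    if (!hash_equals($expected, $sent)) { return 'bad signature'; }  // constant-time compare
    $seen[$nonceKey] = true;                  // remember the nonce only once the signature checks out
    return 'ok';
}

// Constructed request: the consumer signs it, then the provider checks it twice.
$url = 'https://provider.example/statuses/update.json';
$params = ['oauth_consumer_key' => 'ck', 'oauth_token' => 'at', 'oauth_nonce' => 'n1',
           'oauth_timestamp' => '1288828800', 'oauth_signature_method' => 'HMAC-SHA1',
           'oauth_version' => '1.0', 'status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!'];
$params['oauth_signature'] = oauth_sign(oauth_base_string('POST', $url, $params), 'cs', 'ts');
$seen = [];
echo oauth_verify('POST', $url, $params, 'cs', 'ts', $seen, 1288828800 + 10), "\n";
echo oauth_verify('POST', $url, $params, 'cs', 'ts', $seen, 1288828800 + 10), "\n";
```

The first verification accepts the request and the second, identical one is refused because the nonce has been seen. Query-string parameters belong in `$params`, not in `$url`, since the base string uses the URL without its query.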
  • 58. Links
      - OAuth Spec: http://oauth.net/
      - Intro/tutorial: http://hueniverse.com/
      - PECL extension: http://pecl.php.net/oauth/
      - Me: http://twitter.com/dmi http://www.dmi.me.uk/talks/ http://www.dmi.me.uk/code/php/
      - Slides: http://slideshare.net/ingramd