Using OAuth with PHP
A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.


  1. Using OAuth with PHP. Dave Ingram, @dmi, 4th November 2010
  2. Coming up
     • What is OAuth?
     • How do you write a Consumer in PHP?
     • What doesn't OAuth do?
     • Thoughts on being a Provider
  3. What is OAuth anyway?
  4. A long time ago, in a website not far away...
  5-10. Connect! U:KittehLuvr P:hunter2 (the same username and password, handed on again at every hop) ... O HAI TWITTER LOOK AT MAH KITTEH LOL!
  11-13. Full access. Fragile. Revoking is painful.
  14-15. YOU REVEAL YOUR USERNAME AND PASSWORD. YOUR USERNAME AND PASSWORD.
  16. Who uses it?
  17. Building a Consumer
  18. To sign requests, you need:
      Consumer key + Consumer secret (unique per application)
      + Access token + Access secret (unique per application user)
  19. Step 1: Register with the provider
  20. "I would like my OAuth application to consume your service please, Mr. Provider."
  21. "Certainly. I just need to take a few details from you, and we'll be all set."
  22. "OK. Here you go."
  23. Consumer key, Consumer secret
  24-25. Step 2: Write your application. Step 3: ?????? Step 4: Profit!
  26-35. User / Consumer / Provider sequence (in the diagram, C = consumer key and secret, R = request token and secret, V = verifier, A = access token and secret):
      - User clicks connect
      - Consumer asks provider for request token (signed with C)
      - Provider returns request token and request secret (R)
      - Consumer redirects user to provider (carrying R)
      - User logs in / authorises app
      - Provider redirects user back to app with verifier (V)
      - User's arrival with verifier notifies app
      - App then exchanges request token for access token (signed with C and R, presenting V)
      - Provider returns access token and access secret (A)
      - App makes request on user's behalf (signed with C and A)
  36-38. Get request token

      // Create OAuth client object
      $o = new OAuth(
          MY_CONSUMER_KEY,
          MY_CONSUMER_SECRET,
          OAUTH_SIG_METHOD_HMACSHA1
      );
      // Fetch the request token
      $response = $o->getRequestToken(
          'https://api.twitter.com/oauth/request_token'
      );
      // Save for later exchange
      $_SESSION['req_token']  = $response['oauth_token'];
      $_SESSION['req_secret'] = $response['oauth_token_secret'];
      // Send user to provider's site
      header('Location: https://api.twitter.com/oauth/authorize'
          . '?oauth_token=' . $response['oauth_token']);

  39-40. Get access token

      // Create OAuth client object
      $o = new OAuth(
          MY_CONSUMER_KEY,
          MY_CONSUMER_SECRET,
          OAUTH_SIG_METHOD_HMACSHA1
      );
      // Sign requests with the request token
      $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);
      // Exchange request for access token (the extension reads the verifier
      // from the incoming request automatically)
      $response = $o->getAccessToken(
          'https://api.twitter.com/oauth/access_token'
      );
      // Save access tokens for later use
      $current_user->saveTwitterTokens(
          $response['oauth_token'],
          $response['oauth_token_secret']
      );
      header('Location: /twitter-link-ok');

  41. Access token, Access secret
  42. Make API requests

      // Create OAuth client object
      $o = new OAuth(
          MY_CONSUMER_KEY,
          MY_CONSUMER_SECRET,
          OAUTH_SIG_METHOD_HMACSHA1
      );
      // Sign requests with the access token
      $o->setToken(
          $current_user->getTwitterToken(),
          $current_user->getTwitterSecret()
      );
      $args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
      // Signed POST to the protected resource ($o is the object created above)
      $o->fetch(
          'https://api.twitter.com/v1/statuses/update.json',
          $args,
          OAUTH_HTTP_METHOD_POST
      );
      $json = json_decode($o->getLastResponse());
      printf("Result: %s\n", print_r($json, true));
  43. What OAuth doesn't do
  44-46.
     • No proof of server identity (use TLS)
     • No confidentiality (use TLS/SSL)
     • No open-source consumer
  47. Thoughts on being a Provider
  48-51.
     • Very easy to be a Consumer
     • Many design decisions to make as a Provider
     • A fair amount of work, and not always easy to change your mind
     • For example...
  52-57.
     • How large a range of timestamps do you allow?
     • What permission granularity do you provide?
     • What format and length are tokens/secrets?
     • Do you identify actions as coming from particular consumers? (e.g. Twitter)
     • What about attacks? Phishing, DoS, clickjacking, CSRF
     • Beware proxying/caching (use the right headers!)
  58. Links
     • OAuth Spec: http://oauth.net/
     • Intro/tutorial: http://hueniverse.com/
     • PECL extension: http://pecl.php.net/oauth/
     • Me: http://twitter.com/dmi, http://www.dmi.me.uk/talks/, http://www.dmi.me.uk/code/php/
     • Slides: http://slideshare.net/ingramd
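An added example, not code from the talk or from the PECL extension the slides use: a plain-PHP OAuth 1.0a HMAC-SHA1 signer, which is what `fetch()` does for you in slides 36-42, together with the provider-side checks from slides 52-57 (a bounded timestamp window, nonce replay detection, and a constant-time signature comparison). The function and class names (`oauth_sign`, `oauth_verify`, `NonceStore`) are this example's own; the consumer key, token, secrets, nonce and timestamp in `demo()` are the public worked example from OAuth Core 1.0, Appendix A.5, so the signer can be checked against the spec's published signature. `hash_equals()` needs PHP 5.6 or later.

```php
<?php
// Added example (not from the talk or the PECL OAuth extension): plain-PHP OAuth 1.0a
// HMAC-SHA1 signing, plus the provider-side timestamp and nonce checks the talk raises.

// OAuth requires RFC 3986 percent-encoding; rawurlencode() does exactly that on PHP 5.3+.
function oauth_encode($s) {
    return rawurlencode($s);
}

// Normalise parameters: encode each key and value, sort by key then value, join with '&'.
function oauth_normalize_params(array $params) {
    $pairs = array();
    foreach ($params as $k => $v) {
        $pairs[] = array(oauth_encode($k), oauth_encode($v));
    }
    usort($pairs, function ($a, $b) {
        $c = strcmp($a[0], $b[0]);
        return $c !== 0 ? $c : strcmp($a[1], $b[1]);
    });
    $out = array();
    foreach ($pairs as $p) {
        $out[] = $p[0] . '=' . $p[1];
    }
    return implode('&', $out);
}

// Signature base string: METHOD & encoded(base URL) & encoded(normalised params).
// Query-string parameters are folded into the parameter set and dropped from the URL;
// scheme/host are lower-cased and default ports removed, as the spec requires.
function oauth_base_string($method, $url, array $params) {
    $u = parse_url($url);
    $scheme = strtolower($u['scheme']);
    $base = $scheme . '://' . strtolower($u['host']);
    if (isset($u['port']) && !($scheme === 'http' && $u['port'] == 80)
                          && !($scheme === 'https' && $u['port'] == 443)) {
        $base .= ':' . $u['port'];
    }
    $base .= isset($u['path']) ? $u['path'] : '/';
    $query = array();
    if (isset($u['query'])) {
        parse_str($u['query'], $query);   // note: parse_str mangles keys containing '.' or ' '
    }
    return strtoupper($method) . '&' . oauth_encode($base) . '&'
         . oauth_encode(oauth_normalize_params(array_merge($query, $params)));
}

// HMAC-SHA1 over the base string, keyed with encoded(consumer secret)&encoded(token secret).
function oauth_sign($method, $url, array $params, $consumer_secret, $token_secret) {
    $key = oauth_encode($consumer_secret) . '&' . oauth_encode($token_secret);
    return base64_encode(hash_hmac('sha1', oauth_base_string($method, $url, $params), $key, true));
}

// ---- Provider side ----------------------------------------------------------------
// In-memory nonce store keyed by consumer key + timestamp + nonce. A real provider backs
// this with a shared store and expires entries older than the timestamp window, so the
// store stays bounded; once a timestamp is outside the window its nonces are irrelevant.
class NonceStore {
    private $seen = array();
    public function checkAndRecord($consumer_key, $timestamp, $nonce) {
        $id = $consumer_key . ':' . $timestamp . ':' . $nonce;
        if (isset($this->seen[$id])) {
            return false;                  // replay: this nonce has already been used
        }
        $this->seen[$id] = true;
        return true;
    }
}

// Verify one incoming request. $params holds the query/body and oauth_* parameters,
// oauth_signature included. The provider would look the secrets up from
// oauth_consumer_key / oauth_token; here they are passed in for brevity.
// Returns an error string, or null when the request is acceptable.
function oauth_verify($method, $url, array $params, $consumer_secret, $token_secret,
                      NonceStore $nonces, $now, $window = 300) {
    foreach (array('oauth_consumer_key', 'oauth_signature', 'oauth_timestamp', 'oauth_nonce') as $f) {
        if (!isset($params[$f])) {
            return 'missing ' . $f;
        }
    }
    if (abs($now - (int) $params['oauth_timestamp']) > $window) {
        return 'timestamp outside allowed window';
    }
    $presented = $params['oauth_signature'];
    unset($params['oauth_signature']);     // the signature is never part of the base string
    $expected = oauth_sign($method, $url, $params, $consumer_secret, $token_secret);
    if (!hash_equals($expected, $presented)) {   // constant-time compare, PHP 5.6+
        return 'bad signature';            // checked before the nonce is recorded, so an
    }                                      // unsigned request cannot burn a valid nonce
    if (!$nonces->checkAndRecord($params['oauth_consumer_key'], $params['oauth_timestamp'], $params['oauth_nonce'])) {
        return 'nonce already used';
    }
    return null;
}

// Demo on the OAuth Core 1.0 Appendix A.5 request: first use, a replay, and a stale clock.
function demo() {
    $url = 'http://photos.example.net/photos?file=vacation.jpg&size=original';
    $cs = 'kd94hf93k423kf44';
    $ts = 'pfkkdhi9sl3r4s00ljn';
    $params = array(
        'oauth_consumer_key' => 'dpf43f3p2l4k3l03', 'oauth_token' => 'nnch734d00sl2jdk',
        'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1191242096',
        'oauth_nonce' => 'kllo9940pd9333jh', 'oauth_version' => '1.0',
    );
    $params['oauth_signature'] = oauth_sign('GET', $url, $params, $cs, $ts);
    $store = new NonceStore();
    $now = 1191242096 + 10;                // provider clock ten seconds after signing
    return array(
        'spec_vector' => $params['oauth_signature'] === 'tR3+Ty81lMeYAr/Fid0kMTYa/WM=',
        'first_use'   => oauth_verify('GET', $url, $params, $cs, $ts, $store, $now),
        'replay'      => oauth_verify('GET', $url, $params, $cs, $ts, $store, $now),
        'stale'       => oauth_verify('GET', $url, $params, $cs, $ts, new NonceStore(), $now + 3600),
    );
}
var_dump(demo());
```

Run with `php oauth_example.php`: `spec_vector` is true when the signer matches the published Appendix A.5 signature, `first_use` is null, the identical second request is rejected as a replay, and the same request seen an hour later fails the timestamp window before the signature is even computed. The timestamp window (300 seconds here) is exactly the "how large a range of timestamps" decision from slide 52: the wider it is, the longer the nonce store must remember each nonce.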