OAuth using PHP5
An introduction to OAuth and how to use it with PHP5.

Presentation Transcript

  • OAuth. Nurulazrad Murad (@azrad), 3rd Nov 2012
  • look for “primus core”
  • topics: what is OAuth? writing a Consumer in PHP
  • traditionally, this is how we do it
  • connect! user: azrad, pass: secret (the same username and password are handed on from one party to the next)
  • you reveal your username and password
  • who is using it?
  • the love triangle: end user, consumer application, service provider
  • OAuth goal... oAuth is...
      • Authentication: must be logged in to access the website/application
      • Token-based authentication: a logged-in user has a unique token per application
  • OAuth goal... be simple
      • standard for website API authentication
      • consistent for developers
      • easy for users to understand* (* this is hard)
  • OAuth goal... be secure
      • secure for users
      • easy to implement security features for developers
      • balance security with ease of use
  • OAuth goal... be open
      • any website can implement OAuth
      • any developer can use OAuth
      • open source client libraries
      • published technical specifications
  • OAuth goal... be flexible
      • don’t need username and password
      • authentication method agnostic
      • can use OpenID (or not)
      • whatever works best for the web service
      • developers don’t need to handle auth
  • what does the end user see? example from Primus Core Helang API
  • how does OAuth work?
  • register a consumer app
      • provide the service provider with data about your application (name, url...)
      • the service provider assigns the consumer a consumer key and consumer secret
      • the service provider gives documentation of authorization URLs and methods
  • the flow between user, consumer and service provider:
      • user → consumer: click connect
      • consumer → service provider: request token
      • service provider → consumer: request token, request secret
      • consumer → user: redirect user to provider
      • user → service provider: user authorises request token
      • service provider → user: redirect with verifier
      • user → consumer: notifies app with verifier
      • consumer → service provider: request token → access token
      • service provider → consumer: access token, access secret
      • consumer → service provider: request on user’s behalf
  • the code
  • https://github.com/myelin/fireeagle-php-lib
  • request token + secret from FE; get access token + secret; use the API. The three slides are fragments of one script from the FE library’s example consumer, reassembled here (quotes that extraction stripped are restored; the library path, the placeholder key/secret/callback and the step-3 session guard are additions so the script runs as a whole):

```php
<?php
session_start();
require_once 'fireeagle.php';   // FireEagle class from fireeagle-php-lib (path assumed)

// consumer key/secret assigned by Fire Eagle when the app was registered, and the
// callback URL the user is sent back to (placeholders, fill in your own values)
$fe_key      = 'YOUR_CONSUMER_KEY';
$fe_secret   = 'YOUR_CONSUMER_SECRET';
$fe_callback = 'http://example.com/fe_demo.php?f=callback';

if (@$_GET['f'] == 'start') {
    // get a request token + secret from FE and redirect to the authorization page
    // START step 1
    $fe  = new FireEagle($fe_key, $fe_secret);
    $tok = $fe->getRequestToken($fe_callback);
    if (!isset($tok['oauth_token']) || !is_string($tok['oauth_token'])
        || !isset($tok['oauth_token_secret']) || !is_string($tok['oauth_token_secret'])) {
        echo "ERROR! FireEagle::getRequestToken() returned an invalid response. Giving up.";
        exit;
    }
    $_SESSION['auth_state']     = "start";
    $_SESSION['request_token']  = $token = $tok['oauth_token'];
    $_SESSION['request_secret'] = $tok['oauth_token_secret'];
    header("Location: " . $fe->getAuthorizeURL($token));
    // END step 1

} else if (@$_GET['f'] == 'callback') {
    // the user has authorized us at FE, so now we can pick up our access token + secret
    // START step 2
    if (@$_SESSION['auth_state'] != "start") {
        echo "Out of sequence.";
        exit;
    }
    if ($_GET['oauth_token'] != $_SESSION['request_token']) {
        echo "Token mismatch.";
        exit;
    }
    if ((FireEagle::$FE_OAUTH_VERSION == OAUTH_VERSION_10A) && !isset($_GET['oauth_verifier'])) {
        echo "OAuth protocol error. No verifier in response.";
        exit;
    }
    $fe  = new FireEagle($fe_key, $fe_secret, $_SESSION['request_token'], $_SESSION['request_secret']);
    $tok = $fe->getAccessToken($_GET['oauth_verifier']);
    if (!isset($tok['oauth_token']) || !is_string($tok['oauth_token'])
        || !isset($tok['oauth_token_secret']) || !is_string($tok['oauth_token_secret'])) {
        error_log("Bad token from FireEagle::getAccessToken(): " . var_export($tok, TRUE));
        echo "ERROR! FireEagle::getAccessToken() returned an invalid response. Giving up.";
        exit;
    }
    $_SESSION['access_token']  = $tok['oauth_token'];
    $_SESSION['access_secret'] = $tok['oauth_token_secret'];
    $_SESSION['auth_state']    = "done";
    header("Location: " . $_SERVER['SCRIPT_NAME']);
    // END step 2

} else if (@$_SESSION['auth_state'] == "done") {   // guard added: only after step 2 completed
    // we have our access token + secret, so now we can actually *use* the api
    // START step 3
    $fe  = new FireEagle($fe_key, $fe_secret, $_SESSION['access_token'], $_SESSION['access_secret']);
    $loc = $fe->user();   // equivalent to $fe->call("user")
?>
<h2>Where you are<?php if ($loc->user->best_guess) echo ": " . htmlspecialchars($loc->user->best_guess->name) ?></h2>
<?php if (empty($loc->user->location_hierarchy)) { ?>
<p>Fire Eagle doesn't know where you are yet.</p>
<?php
    } else {
        foreach ($loc->user->location_hierarchy as $location) {
            switch ($location->geotype) {
                case 'point':
                    $locinfo = "[" . $location->latitude . ", " . $location->longitude . "]";
                    break;
                case 'box':
                    $locinfo = "[[" . $location->bbox[0][1] . ", " . $location->bbox[0][0] . "], ["
                             . $location->bbox[1][1] . ", " . $location->bbox[1][0] . "]]";
                    break;
                default:
                    $locinfo = "[unknown]";
                    break;
            }
            if ($location->best_guess) $locinfo .= " BEST GUESS";
            print "<h3>" . htmlspecialchars($location->level_name) . ": "
                . htmlspecialchars($location->name) . " $locinfo</h3>";
            print "<ul>";
            // turn location object into array, with sorted keys
            $l = array();
            foreach ($location as $k => $v) $l[$k] = $v;
            ksort($l);
            foreach ($l as $k => $v) {
                print "<li>" . htmlspecialchars($k) . ": <b>" . htmlspecialchars(var_export($v, TRUE)) . "</b></li>";
            }
            print "</ul>";
        }
    }
    // END step 3
}
```
  • demo
  • where is info passed?
      • http authorisation header
      • http post request body (form params)
      • url query string parameters
  • security
      • tokens: you aren’t passing your username/password
      • timestamp and nonce: make every request unique
      • signature: a signature over the request parameters lets the service provider recognise the consumer
      • signature methods: HMAC-SHA1, RSA-SHA1, PLAINTEXT over a secure channel (SSL)
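As an added example (not from the slides or from fireeagle-php-lib), the PHP below shows what the header, timestamp, nonce and signature items above look like in practice: a consumer signs a request with HMAC-SHA1 as RFC 5849 describes and carries the oauth_* parameters in the HTTP Authorization header, and a provider-side check recomputes the signature and rejects stale timestamps or reused nonces. Function names, the nonce store and all key/secret/URL values are assumptions.

```php
<?php
// Added example, not from the slides or fireeagle-php-lib: sign an OAuth 1.0 request with
// HMAC-SHA1 (RFC 5849) and verify it on the provider side. Keys, secrets, URLs and nonces
// are constructed sample values; hash_equals() needs PHP >= 5.6.
function oauthEncode($s) {                                   // RFC 3986 percent-encoding
    return str_replace('%7E', '~', rawurlencode($s));
}
// Base string: METHOD & enc(base URL) & enc(params sorted by encoded key, then value)
function oauthBaseString($method, $url, array $params) {
    $pairs = array();
    foreach ($params as $k => $v) {
        if ($k === 'oauth_signature') continue;              // the signature is never signed
        $pairs[] = array(oauthEncode($k), oauthEncode($v));
    }
    usort($pairs, function ($a, $b) {
        $c = strcmp($a[0], $b[0]);
        return $c !== 0 ? $c : strcmp($a[1], $b[1]);
    });
    $joined = array();
    foreach ($pairs as $p) $joined[] = $p[0] . '=' . $p[1];
    return strtoupper($method) . '&' . oauthEncode($url) . '&' . oauthEncode(implode('&', $joined));
}
function oauthSignature($method, $url, array $params, $consumerSecret, $tokenSecret) {
    $key = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);   // '&' kept even if no token
    return base64_encode(hash_hmac('sha1', oauthBaseString($method, $url, $params), $key, true));
}
// Consumer: build the oauth_* parameters, sign, and carry them in the Authorization header.
function oauthAuthorizationHeader($method, $url, array $query, $key, $secret, $token, $tokenSecret) {
    $oauth = array(
        'oauth_consumer_key' => $key, 'oauth_token' => $token,
        'oauth_signature_method' => 'HMAC-SHA1', 'oauth_version' => '1.0',
        'oauth_timestamp' => (string) time(),
        'oauth_nonce' => bin2hex(openssl_random_pseudo_bytes(16)),   // unique per request
    );
    $oauth['oauth_signature'] = oauthSignature($method, $url, $oauth + $query, $secret, $tokenSecret);
    $parts = array();
    foreach ($oauth as $k => $v) $parts[] = oauthEncode($k) . '="' . oauthEncode($v) . '"';
    return 'OAuth ' . implode(', ', $parts);
}
// Provider: recompute the signature; reject stale timestamps and reused nonces (replay).
function oauthVerify($method, $url, array $params, $secret, $tokenSecret, array &$seenNonces) {
    if (abs(time() - (int) $params['oauth_timestamp']) > 300) return false;   // 5-minute window
    if (isset($seenNonces[$params['oauth_nonce']])) return false;             // nonce already used
    $expected = oauthSignature($method, $url, $params, $secret, $tokenSecret);
    if (!hash_equals($expected, $params['oauth_signature'])) return false;    // constant-time compare
    $seenNonces[$params['oauth_nonce']] = true;
    return true;
}
```

The $params given to oauthVerify are the oauth_* fields parsed from the Authorization header merged with the query and form parameters, which is why all three transport locations from the previous slide must feed the same base string.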
  • current status of OAuth
      • oauth.net
      • OAuth 1.0 protocol (RFC 5849)
      • OAuth 2.0 working draft
      • several libraries for consumers and service providers
  • links: OAuth spec http://oauth.net; PECL extension http://pecl.php.net/oauth; Fire Eagle http://fireeagle.yahoo.net; FE library (PHP) https://github.com/myelin/fireeagle-php-lib
  • thanks! twitter: @azrad; tumblr: nurulazrad.tumblr.com; works at: www.primuscore.com
  • credits: “OAuth - Open API Authentication” by leahculver, Dec 01, 2007; “Implementing OAuth with PHP” by Lorna Mitchell, May 17, 2011; “Using OAuth with PHP” by David Ingram, Nov 04, 2010