OAuth using PHP5
An introduction on OAuth and how to use it with PHP5. Brief introduction
1. OAuth. Nurulazrad Murad, @azrad, 3rd Nov 2012
2. Look for "primus core"
3-5. Topics
   • what is OAuth?
   • writing a consumer in PHP
6. Traditionally, this is how we do it
7-9. Connect! (figure: a login form with user: azrad, pass: secret, typed into the consumer and passed on to the service)
10. You reveal your username and password
11-12. Who is using it?
13. The love triangle
14-15. end user, consumer application, service provider
16-18. OAuth is...
   • Authentication: you must be logged in to access the website/application
   • Token-based authentication: a logged-in user has a unique token per application
19-21. OAuth goal: be simple
   • standard for website API authentication
   • consistent for developers
   • easy for users to understand* (* this is hard)
22-23. OAuth goal: be secure
   • secure for users
   • easy to implement security features for developers
   • balance security with ease of use
24-25. OAuth goal: be open
   • any website can implement OAuth
   • any developer can use OAuth
   • open source client libraries
   • published technical specifications
26-27. OAuth goal: be flexible
   • no need for username and password
   • authentication method agnostic
   • can use OpenID (or not)
   • whatever works best for the web service
   • developers don't need to handle auth
28. What does the end user see? Example from the Primus Core Helang API
29. How does OAuth work?
30-33. Register a consumer app
   • provide the service provider with data about your application (name, URL...)
   • the service provider assigns the consumer a consumer key and consumer secret
   • the service provider gives documentation of the authorization URLs and methods
34-44. The flow between user, consumer and service provider (one slide column each; the builds add one step at a time)
   • user → consumer: click connect
   • consumer → service provider: request token
   • service provider → consumer: request token, request secret
   • consumer → user: redirect user to provider
   • user → service provider: user authorises the request token
   • service provider → user: redirect with verifier
   • user → consumer: notifies app with verifier
   • consumer → service provider: request token → access token
   • service provider → consumer: access token, access secret
   • consumer → service provider: request on user's behalf
45. The codes
46. https://github.com/myelin/fireeagle-php-lib
47. Request token + secret from FE
48. Request token + secret from FE (step 1). The three fragments below come from one script; session_start() and the configuration values $fe_key, $fe_secret and $fe_callback (from registering the app with Fire Eagle) are set earlier and not shown on the slides.

    if (@$_GET['f'] == 'start') {
      // get a request token + secret from FE and redirect to the authorization page
      // START step 1
      $fe = new FireEagle($fe_key, $fe_secret);
      $tok = $fe->getRequestToken($fe_callback);
      if (!isset($tok['oauth_token']) || !is_string($tok['oauth_token'])
          || !isset($tok['oauth_token_secret']) || !is_string($tok['oauth_token_secret'])) {
        echo "ERROR! FireEagle::getRequestToken() returned an invalid response. Giving up.";
        exit;
      }
      // remember the request token + secret; they are needed again in the callback
      $_SESSION['auth_state'] = "start";
      $_SESSION['request_token'] = $token = $tok['oauth_token'];
      $_SESSION['request_secret'] = $tok['oauth_token_secret'];
      header("Location: ".$fe->getAuthorizeURL($token));
      // END step 1

49. Get access token + secret (step 2)

    } else if (@$_GET['f'] == 'callback') {
      // the user has authorized us at FE, so now we can pick up our access token + secret
      // START step 2
      if (@$_SESSION['auth_state'] != "start") { echo "Out of sequence."; exit; }
      // the token coming back must be the one this session started with
      if ($_GET['oauth_token'] != $_SESSION['request_token']) { echo "Token mismatch."; exit; }
      // OAuth 1.0a: the provider must send back a verifier
      if ((FireEagle::$FE_OAUTH_VERSION == OAUTH_VERSION_10A) && !isset($_GET['oauth_verifier'])) {
        echo "OAuth protocol error. No verifier in response.";
        exit;
      }
      $fe = new FireEagle($fe_key, $fe_secret, $_SESSION['request_token'], $_SESSION['request_secret']);
      $tok = $fe->getAccessToken($_GET['oauth_verifier']);
      if (!isset($tok['oauth_token']) || !is_string($tok['oauth_token'])
          || !isset($tok['oauth_token_secret']) || !is_string($tok['oauth_token_secret'])) {
        error_log("Bad token from FireEagle::getAccessToken(): ".var_export($tok, TRUE));
        echo "ERROR! FireEagle::getAccessToken() returned an invalid response. Giving up.";
        exit;
      }
      $_SESSION['access_token'] = $tok['oauth_token'];
      $_SESSION['access_secret'] = $tok['oauth_token_secret'];
      $_SESSION['auth_state'] = "done";
      header("Location: ".$_SERVER['SCRIPT_NAME']);
      // END step 2

50. Use the API on the user's behalf (step 3; this fragment runs once $_SESSION['auth_state'] is "done")

    // we have our access token + secret, so now we can actually *use* the api
    // START step 3
    $fe = new FireEagle($fe_key, $fe_secret, $_SESSION['access_token'], $_SESSION['access_secret']);
    $loc = $fe->user();  // equivalent to $fe->call("user")
    ?>
    <h2>Where you are<?php if ($loc->user->best_guess) echo ": ".htmlspecialchars($loc->user->best_guess->name) ?></h2>
    <?php if (empty($loc->user->location_hierarchy)) { ?>
    <p>Fire Eagle doesn't know where you are yet.</p>
    <?php } else {
      foreach ($loc->user->location_hierarchy as $location) {
        switch ($location->geotype) {
          case 'point':
            $locinfo = "[".$location->latitude.", ".$location->longitude."]";
            break;
          case 'box':
            $locinfo = "[[".$location->bbox[0][1].", ".$location->bbox[0][0]."], ["
                       .$location->bbox[1][1].", ".$location->bbox[1][0]."]]";
            break;
          default:
            $locinfo = "[unknown]";
            break;
        }
        if ($location->best_guess) $locinfo .= " BEST GUESS";
        // every value from the API is escaped before it goes into the page
        print "<h3>".htmlspecialchars($location->level_name).": ".htmlspecialchars($location->name)." $locinfo</h3>";
        print "<ul>";
        // turn location object into array, with sorted keys
        $l = array();
        foreach ($location as $k => $v) $l[$k] = $v;
        ksort($l);
        foreach ($l as $k => $v) {
          print "<li>".htmlspecialchars($k).": <b>".htmlspecialchars(var_export($v, TRUE))."</b></li>";
        }
        print "</ul>";
      }
    }
51. Demo
52-55. Where is the info passed?
   • HTTP Authorization header
   • HTTP POST request body (form params)
   • URL query string parameters
56-60. Security
   • tokens: you aren't passing the username/password
   • timestamp and nonce: make every request unique
   • signature: a signature over the request parameters lets the service provider recognise the consumer
   • signature methods: HMAC-SHA1, RSA-SHA1, PLAINTEXT over a secure channel (SSL)
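Added example, not from the slides or the fireeagle-php-lib: the HMAC-SHA1 signing the security slide names, as a consumer produces it (RFC 5849 section 3.4), next to the timestamp, nonce and signature checks a service provider runs on the way in. It assumes PHP 7 or later; all keys, tokens and the endpoint URL are constructed values.

```php
<?php
// Added example, not from the slides or fireeagle-php-lib: OAuth 1.0 HMAC-SHA1 signing
// (RFC 5849 section 3.4) on the consumer side, then provider-side verification that also
// rejects stale timestamps and replayed nonces. All credentials here are constructed.
function oauth_base_string(string $method, string $url, array $params): string {
    // Percent-encode keys and values (rawurlencode follows RFC 3986), sort by encoded
    // key, then join method, URL and the encoded key=value list with '&'.
    $enc = [];
    foreach ($params as $k => $v) { $enc[rawurlencode($k)] = rawurlencode((string) $v); }
    ksort($enc, SORT_STRING);
    $pairs = [];
    foreach ($enc as $k => $v) { $pairs[] = "$k=$v"; }
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}
function oauth_sign(string $method, string $url, array $params, string $consumerSecret, string $tokenSecret): string {
    // Key = consumer secret & token secret; the secrets never travel, only the signature does.
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', oauth_base_string($method, $url, $params), $key, true));
}
// Consumer side: the oauth_* parameters that go into the Authorization header.
function oauth_signed_params(string $method, string $url, string $consumerKey, string $consumerSecret, string $token, string $tokenSecret): array {
    $params = [
        'oauth_consumer_key'     => $consumerKey,
        'oauth_token'            => $token,
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_nonce'            => bin2hex(random_bytes(8)), // fresh random value per request
        'oauth_version'          => '1.0',
    ];
    $params['oauth_signature'] = oauth_sign($method, $url, $params, $consumerSecret, $tokenSecret);
    return $params;
}
// Service-provider side: recompute the signature; refuse stale or replayed requests.
function oauth_verify(string $method, string $url, array $params, string $consumerSecret, string $tokenSecret, array &$seenNonces, int $window = 300): bool {
    $sent = isset($params['oauth_signature']) ? $params['oauth_signature'] : '';
    unset($params['oauth_signature']);                                    // the signature is not signed
    if (abs(time() - (int) $params['oauth_timestamp']) > $window) return false;  // outside clock window
    $nonceKey = $params['oauth_consumer_key'] . ':' . $params['oauth_timestamp'] . ':' . $params['oauth_nonce'];
    if (isset($seenNonces[$nonceKey])) return false;                      // nonce seen before: replay
    $expected = oauth_sign($method, $url, $params, $consumerSecret, $tokenSecret);
    if (!hash_equals($expected, $sent)) return false;                     // wrong secret or tampered request
    $seenNonces[$nonceKey] = true;                                        // remember the nonce for the window
    return true;
}
$url = 'https://api.example.net/v1/user';   // constructed endpoint
$signed = oauth_signed_params('GET', $url, 'demo-key', 'demo-consumer-secret', 'demo-token', 'demo-token-secret');
$seen = [];
var_dump(oauth_verify('GET', $url, $signed, 'demo-consumer-secret', 'demo-token-secret', $seen)); // first use of the nonce
var_dump(oauth_verify('GET', $url, $signed, 'demo-consumer-secret', 'demo-token-secret', $seen)); // the same request presented again
```

A real provider keeps the seen-nonce set in shared storage keyed per consumer and expires entries once they fall outside the timestamp window.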
61-65. Current status of OAuth
   • oauth.net
   • OAuth 1.0 protocol (RFC 5849)
   • OAuth 2.0 working draft
   • several libraries for consumers and service providers
66. Links
   • OAuth spec: http://oauth.net
   • PECL extension: http://pecl.php.net/oauth
   • Fire Eagle: http://fireeagle.yahoo.net
   • FE library (PHP): https://github.com/myelin/fireeagle-php-lib
67. Thanks! Twitter: @azrad; Tumblr: nurulazrad.tumblr.com; works at: www.primuscore.com
68. Credit
   • OAuth - Open API Authentication by leahculver, Dec 01, 2007
   • Implementing OAuth with PHP by LornaMitchell, May 17, 2011
   • Using OAuth with PHP by David Ingram, Nov 04, 2010