I used to dislike OAuth (Open Standard for Authentication): how do I implement it? In this slideshow, we delve into consuming it with the Google APIs. We go first into the background and then step-by-step through the process. Follow along today!
14. AUTHENTICATING USERS
• Can OAuth be used to provide
“login with…”?
• NO: OAuth is not an
authentication protocol.
• SOLUTION: use OpenID Connect
(Google/Microsoft) or similar.
15. OAUTH GRANTS
• Authorization Code grant
• Implicit grant
• Resource owner credentials grant
• Client credentials grant
18. OAUTH PROCESS:
• We redirect user to provider (Google/Facebook/etc.).
• User authorizes us.
• We obtain access token.
• We make requests with access token.
34. THE CODES:
• Authorization code is short-lived.
• It is the key to determine who the user is and what they gave
access to.
• Access token has a longer life.
• It is the key that gives access to the user’s resources.
35. USERNAME/PASSWORD VS OAUTH2
• Lifetime: username/password has no expiration (unless credentials change); the OAuth2 access token has an expiration.
• Reach: username/password is able to access everything in the account; the access token can only access the authorized data.
• Takeover: username/password can be used to maliciously take over an account; OAuth2 access to data can be revoked at any time.
• Loss: losing the username/password can mean all data is compromised; losing the access token can mean some data is compromised.
38. ID VS SECRET?
• Both are for identifying who you are.
• Client ID: “public” key
• Client Secret: “private” key, never to be sent through
user’s browser
39. AUTHORIZATION SERVER
• Registers/logs in/validates the user.
• Checks the client ID.
• Validates the scopes that we request access to and
ensures those fall within what we originally asked for.
• Asks the user whether it is acceptable to give access.
• Sends the authorization code through the user to us.
40. AUTHORIZATION SERVER
• Looks up the authorization code.
• Generates the access token.
• Returns access token back to us.
41. DO IT YOURSELF…
• https://oauth2.thephpleague.com/
• As always, an excellent package by the amazing PHP League
46. ONLINE STEPS
• Go to: http://console.developers.google.com/
• Enable Drive API
• Create OAuth Credentials
47. CONTINUING
• Save the file as client_secrets.json in your website’s home
directory.
• Change the token_uri attribute to have this value:
• https://www.googleapis.com/oauth2/v3/token
• Open https://[domain_name]/manual
48. OAUTH IN PHP…
“If debugging is the process of removing software bugs,
then programming must be the process of putting them in.”
50. REFRESH TOKENS
• Refresh tokens are indefinite.
• Access tokens have an expiration.
• Refresh tokens are used to create new access tokens.
• access_type=offline to use refresh tokens.
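Added example (not code from the slides or from the PHP League package): the bookkeeping a client needs around refresh tokens. It assumes the token endpoint from slide 47 and the standard token-response fields (access_token, expires_in, refresh_token); the responses and the client_id/client_secret values are constructed placeholders, and no HTTP is performed, the refresh request is only assembled.

```php
<?php
// Added example: refresh-token bookkeeping for a Google OAuth2 client.
// The token endpoint returns JSON with access_token, expires_in (seconds)
// and, on the first code exchange with access_type=offline, refresh_token.
// Responses below are constructed; nothing is sent over the network.

const TOKEN_ENDPOINT = 'https://www.googleapis.com/oauth2/v3/token'; // token_uri from slide 47

/**
 * Merge a token response into what we keep. expires_in is relative, so an
 * absolute expiry is stored. A refresh response normally omits refresh_token,
 * so the one we already hold is retained in that case.
 */
function storeTokens(array $response, array $stored, int $now): array
{
    return [
        'access_token'  => $response['access_token'],
        'refresh_token' => $response['refresh_token'] ?? ($stored['refresh_token'] ?? null),
        'expires_at'    => $now + (int) $response['expires_in'],
    ];
}

/** True when the access token is expired or within $skew seconds of expiring. */
function needsRefresh(array $stored, int $now, int $skew = 60): bool
{
    return $now >= $stored['expires_at'] - $skew;
}

/** Body to POST server-side to TOKEN_ENDPOINT to mint a new access token. */
function refreshRequest(array $stored, string $clientId, string $clientSecret): array
{
    if (empty($stored['refresh_token'])) {
        throw new RuntimeException('No refresh token: re-run the flow with access_type=offline');
    }
    return [
        'grant_type'    => 'refresh_token',
        'refresh_token' => $stored['refresh_token'],
        'client_id'     => $clientId,      // placeholder
        'client_secret' => $clientSecret,  // placeholder, never sent via the browser
    ];
}

// --- demo on a constructed timeline ---
$t0 = 1700000000;
$first = ['access_token' => 'ya29.CONSTRUCTED_FIRST', 'expires_in' => 3600, 'refresh_token' => '1//CONSTRUCTED'];
$stored = storeTokens($first, [], $t0);

var_dump(needsRefresh($stored, $t0 + 1000)); // well inside the hour
var_dump(needsRefresh($stored, $t0 + 3550)); // inside the 60 s skew window

print_r(refreshRequest($stored, 'CLIENT_ID', 'CLIENT_SECRET'));

// The refresh response carries no refresh_token; the original one must survive.
$second = ['access_token' => 'ya29.CONSTRUCTED_SECOND', 'expires_in' => 3600];
$stored = storeTokens($second, $stored, $t0 + 3550);
var_dump($stored['refresh_token'] === '1//CONSTRUCTED');
```

The skew matters in practice: a token that expires one second after the clock check still fails the API call that follows it, so refresh slightly early rather than exactly at expiry.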
53. THE CALLBACK
• Success: “code” parameter contains authorization code.
• OpenID: State key will be sent back.
• Error: “error” parameter contains error message.
GET /authorize/?code=4/ASDFASDFASDFASDF123123123123 HTTP/1.1
Host: developers.google.com
65. DO:
• Protect against common security threats.
• Store random state key in the session and send that to
the provider.
• Store the access token securely.
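Added example (not the slides' code): the redirect, state check and code exchange from slides 53 and 65 in one place. It assumes Google's documented authorization endpoint (https://accounts.google.com/o/oauth2/v2/auth) and a Drive read-only scope, neither of which appears on the slides; $_SESSION is modelled as an array passed by reference so the script runs from the CLI, and CLIENT_ID, CLIENT_SECRET and the redirect URI are placeholders. The token exchange is shown as the POST body that would go to the token endpoint; no network calls are made.

```php
<?php
// Added example: authorization-code flow on the client side with a random,
// one-time state value bound to the session (slide 65) and callback
// validation (slide 53). Endpoint URLs and scope are assumptions from
// Google's documentation, not from the slides.

const AUTH_ENDPOINT  = 'https://accounts.google.com/o/oauth2/v2/auth';
const TOKEN_ENDPOINT = 'https://www.googleapis.com/oauth2/v3/token';

/** Build the redirect URL and remember the state in the session. */
function buildAuthorizeUrl(array &$session, string $clientId, string $redirectUri, array $scopes): string
{
    // 16 random bytes -> 32 hex chars, unguessable and tied to this session.
    $session['oauth_state'] = bin2hex(random_bytes(16));
    $params = [
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => implode(' ', $scopes),
        'state'         => $session['oauth_state'],
        'access_type'   => 'offline', // slide 50: required to receive a refresh token
    ];
    return AUTH_ENDPOINT . '?' . http_build_query($params);
}

/**
 * Validate the callback query and return the authorization code, or throw.
 * The stored state is consumed before any check so it can never be reused.
 */
function handleCallback(array &$session, array $query): string
{
    $expected = $session['oauth_state'] ?? null;
    unset($session['oauth_state']);
    if ($expected === null || !isset($query['state'])
        || !hash_equals($expected, (string) $query['state'])) {
        throw new RuntimeException('State mismatch: possible CSRF or stale session');
    }
    if (isset($query['error'])) {
        throw new RuntimeException('Provider returned error: ' . $query['error']);
    }
    if (empty($query['code'])) {
        throw new RuntimeException('Callback carries no authorization code');
    }
    return (string) $query['code'];
}

/** Body POSTed server-side to TOKEN_ENDPOINT; the secret never goes through the browser. */
function codeExchangeRequest(string $code, string $clientId, string $clientSecret, string $redirectUri): array
{
    return [
        'grant_type'    => 'authorization_code',
        'code'          => $code,
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
        'redirect_uri'  => $redirectUri,
    ];
}

// --- demo with constructed values ---
$session  = [];
$redirect = 'https://example.com/callback'; // placeholder
$url = buildAuthorizeUrl($session, 'CLIENT_ID', $redirect, ['https://www.googleapis.com/auth/drive.readonly']);
echo $url, PHP_EOL;

// Constructed callback, as the provider would send the browser to our redirect_uri.
$query = ['code' => '4/CONSTRUCTED_CODE', 'state' => $session['oauth_state']];
$code  = handleCallback($session, $query);
print_r(codeExchangeRequest($code, 'CLIENT_ID', 'CLIENT_SECRET', $redirect));

// A callback whose state does not match the session is rejected.
$session['oauth_state'] = bin2hex(random_bytes(16));
try {
    handleCallback($session, ['code' => '4/OTHER', 'state' => 'not-ours']);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

hash_equals is used for the state comparison so the check takes the same time whether the first or last character differs; the state is removed from the session before comparison so a second callback with the same value, genuine or not, is refused.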
66. ACCESS TOKEN STORAGE
• Do you need to store access token?
• Encrypt it.
• Store it in the session or the DB.
• Maybe? Store encryption key as cookie.
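Added example (not from the slides): the "encrypt it, keep it in the session, maybe keep the key in a cookie" arrangement from slide 66, using PHP's bundled libsodium. The session and the cookie jar are modelled as plain arrays so the script runs from the CLI; the access token value is constructed.

```php
<?php
// Added example: sealing an access token before it is stored in the session,
// with the per-user key held only in a browser cookie. Uses the sodium
// extension bundled with PHP 7.2+. $_SESSION and the cookie are plain arrays here.

/** Per-user key that lives in the cookie, not in the server-side store. */
function newStorageKey(): string
{
    return sodium_crypto_secretbox_keygen();
}

/** Encrypt the token as nonce || ciphertext, base64-encoded for storage. */
function sealToken(string $token, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($token, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

/** Decrypt; returns null when the key is wrong or the blob was altered. */
function openToken(string $sealed, string $key): ?string
{
    $raw = base64_decode($sealed, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain;
}

// --- demo ---
// In a real app the cookie is set with the Secure and HttpOnly flags.
$cookie  = ['tok_key' => base64_encode(newStorageKey())];
$session = ['access_token' => sealToken('ya29.CONSTRUCTED_TOKEN', base64_decode($cookie['tok_key']))];

// Normal request: cookie key + session blob recover the token.
var_dump(openToken($session['access_token'], base64_decode($cookie['tok_key'])));

// The session store on its own (say, a copied DB) is useless without the cookie key.
var_dump(openToken($session['access_token'], sodium_crypto_secretbox_keygen()));

// A tampered blob fails authentication rather than decrypting to garbage.
$tampered = $session['access_token'];
$tampered[strlen($tampered) - 6] = ($tampered[strlen($tampered) - 6] === 'A') ? 'B' : 'A';
var_dump(openToken($tampered, base64_decode($cookie['tok_key'])));
```

secretbox is authenticated encryption, so the third case returns null instead of a corrupted token; splitting the key (cookie) from the ciphertext (session or DB) means a compromise of either store alone does not expose the token.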
67. IMPLICIT GRANT
• Used for client-side authorization.
• Access token is public.
• Resource access must be very limited.
• Access token is sent back with first round-trip to
authorization server.
68. CLIENT CREDENTIALS GRANT
• Machine-to-machine authentication.
• Agreed-upon signature that has limited permissions
associated with it.
69. INDUSTRY TERMINOLOGY
• Client: the software we write.
• Resource Server: website with which we will interact.
• ex: Google API
• Resource Owner: the customer.
• ex: the entity who uses our service to access their data.
71. THE STEPS:
• Redirect user to provider (Google/Facebook/etc.).
• Provider authenticates user, user authorizes us.
• We exchange authorization code for access token.
• We make requests with access token.