Using OAuth with PHP
Report
David IngramFollow
Nov. 4, 2010•0 likes•4,567 views
5 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Check these out next
Using OAuth with PHP
Nov. 4, 2010•0 likes•4,567 views
5 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
Self Improvement
A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.
David IngramFollow
Using OAuth with PHP
- Using OAuth with PHP Dave Ingram @dmi 4th November 2010
- Coming up • What is OAuth? • How do you write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider
- What is OAuth anyway?
- A long time ago, in a website not far away. . .
- Connect!
- Connect! U:KittehLuvr P:hunter2
- Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2
- Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2
- Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2
- Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 O HAI TWITTER LOOK AT MAH KITTEH LOL!
- Full access
- Full access Fragile
- Full access Fragile Revoking is painful
- YOU REVEAL YOUR USERNAME AND PASSWORD
- YOUR USERNAME AND PASSWORD
- Who uses it?
- Building a Consumer
- To sign requests, you need: Consumer key Consumer secret (Unique per application) + Access token Access secret (Unique per application user)
- Step 1: Register with the provider
- I would like my OAuth application to consume your service please, Mr. Provider.
- Certainly. I just need to take a few details from you, and we’ll be all set.
- OK. Here you go.
- Consumer key Consumer secret
- Step 2: Write your application Step 3: ?????? Step 4: Profit!
- Step 2: Write your application Step 3: ?????? Step 4: Profit!
- User Consumer Provider User clicks connect
- User Consumer Provider C C Ask provider for request token
- User Consumer Provider C C R R Provider returns request token and request secret
- User Consumer Provider C C R R R Redirect user to provider
- User Consumer Provider C C R R R R User logs in/authorises app
- User Consumer Provider C C R R R R V Provider redirects user back to app with verifier
- User Consumer Provider C C R R R R V V User’s arrival with verifier notifies app
- User Consumer Provider C C R R R R V V C C R R V App then exchanges request token for access token
- User Consumer Provider C C R R R R V V C C R R V A A Provider returns access token and access secret
- User Consumer Provider C C R R R R V V C C R R V A A C C A A App makes request on user’s behalf
- Get request token // Create OAuth client object $o = new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, );
- Get request token // Create OAuth client object $o = new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, ); // Fetch the request token $response = $o->getRequestToken( 'https://api.twitter.com/oauth/request_token' ); // Save for later exchange $_SESSION['req_token'] = $response['oauth_token']; $_SESSION['req_secret'] = $response['oauth_token_secret'];
- Get request token // Create OAuth client object $o = new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, ); // Fetch the request token $response = $o->getRequestToken( 'https://api.twitter.com/oauth/request_token' ); // Save for later exchange $_SESSION['req_token'] = $response['oauth_token']; $_SESSION['req_secret'] = $response['oauth_token_secret']; // Send user to provider's site header('Location: https://api.twitter.com/oauth/authorize'. '?oauth_token='.$response['oauth_token']);
- Get access token // Create OAuth client object $o = new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the request token $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);
- Get access token // Create OAuth client object $o = new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the request token $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']); // Exchange request for access token (verifier is automatic) $response = $o->getAccessToken( 'https://api.twitter.com/oauth/access_token' ); // Save access tokens for later use $current_user->saveTwitterTokens( $response['oauth_token'], $response['oauth_token_secret'], ); header('Location: /twitter-link-ok');
- Access token Access secret
- Make API requests // Create OAuth client object $o = new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the access token $o->setToken( $current_user->getTwitterToken(), $current_user->getTwitterSecret() ); $args = array('status'=>'O HAI TWITTER LOOK AT MAH KITTEH LOL!'); $oauth->fetch( 'https://api.twitter.com/v1/statuses/update.json', $args, OAUTH_HTTP_METHOD_POST ); $json = json_decode($oauth->getLastResponse()); printf("Result: %sn", print_r($json, true));
- What OAuth doesn’t do
- No proof of server identity (use TLS)
- No proof of server identity (use TLS) No confidentiality (use TLS/SSL)
- No proof of server identity (use TLS) No confidentiality (use TLS/SSL) No open-source consumer
- Thoughts on being a Provider
- Very easy to be a Consumer
- Very easy to be a Consumer Many design decisions to make as a Provider
- Very easy to be a Consumer Many design decisions to make as a Provider A fair amount of work, and not always easy to change your mind
- Very easy to be a Consumer Many design decisions to make as a Provider A fair amount of work, and not always easy to change your mind For example. . .
- How large a range of timestamps do you allow?
- How large a range of timestamps do you allow? What permission granularity do you provide?
- How large a range of timestamps do you allow? What permission granularity do you provide? What format and length are tokens/secrets?
- How large a range of timestamps do you allow? What permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter)
- How large a range of timestamps do you allow? What permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter) What about attacks? Phishing, DoS, clickjacking, CSRF
- How large a range of timestamps do you allow? What permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter) What about attacks? Phishing, DoS, clickjacking, CSRF Beware proxying/caching (use the right headers!)
- Links OAuth Spec: http://oauth.net/ Intro/tutorial: http://hueniverse.com/ PECL extension: http://pecl.php.net/oauth/ Me: http://twitter.com/dmi http://www.dmi.me.uk/talks/ http://www.dmi.me.uk/code/php/ Slides: http://slideshare.net/ingramd