Using OAuth with PHP
Dave Ingram
@dmi
4th November 2010
Coming up
• What is OAuth?
• How do you write a Consumer in PHP?
• What doesn’t OAuth do?
• Thoughts on being a Provider
What is OAuth anyway?
A long time ago, in a website not far away. . .
Connect!
U:KittehLuvr
P:hunter2
(. . . and again, with the same username and password, for every other site that asks you to Connect!)
O HAI TWITTER
LOOK AT MAH
KITTEH LOL!
Full access
Fragile
Revoking is painful
YOU REVEAL YOUR USERNAME
AND PASSWORD
Who uses it?
Building a Consumer
To sign requests, you need:
Consumer key
Consumer secret
(Unique per application)
+
Access token
Access secret
(Unique per application user)
Step 1: Register with the provider
I would like my OAuth
application to
consume your service
please, Mr. Provider.
Certainly. I just need
to take a few details
from you, and we’ll be
all set.
OK. Here you go.
Consumer key
Consumer secret
Step 2: Write your application
Step 3: ??????
Step 4: Profit!
User / Consumer / Provider
(In the diagram: C = consumer key + secret, R = request token + secret, V = verifier, A = access token + secret. The letters beside each arrow are the credentials that sign or travel with that message.)
1. User clicks connect
2. Consumer asks provider for request token (signed with C)
3. Provider returns request token and request secret (R)
4. Consumer redirects user to provider (carrying R)
5. User logs in / authorises app
6. Provider redirects user back to app with verifier (V)
7. User's arrival with verifier notifies app
8. App then exchanges request token for access token (signed with C, R and V)
9. Provider returns access token and access secret (A)
10. App makes request on user's behalf (signed with C and A)
Get request token
// Session is needed to carry the request token to the callback
session_start();
// Create OAuth client object
$o = new OAuth(
    MY_CONSUMER_KEY,
    MY_CONSUMER_SECRET,
    OAUTH_SIG_METHOD_HMACSHA1
);
// Fetch the request token (a callback URL can be passed as the second argument)
$response = $o->getRequestToken(
    'https://api.twitter.com/oauth/request_token'
);
// Save for later exchange
$_SESSION['req_token'] = $response['oauth_token'];
$_SESSION['req_secret'] = $response['oauth_token_secret'];
// Send user to provider's site
header('Location: https://api.twitter.com/oauth/authorize'.
    '?oauth_token='.$response['oauth_token']);
Get access token
// Resume the session that holds the request token
session_start();
// Create OAuth client object
$o = new OAuth(
    MY_CONSUMER_KEY, MY_CONSUMER_SECRET,
    OAUTH_SIG_METHOD_HMACSHA1
);
// Sign requests with the request token
$o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);
// Exchange request for access token (the extension picks up
// oauth_verifier from $_GET/$_POST automatically)
$response = $o->getAccessToken(
    'https://api.twitter.com/oauth/access_token'
);
// Save access tokens for later use
$current_user->saveTwitterTokens(
    $response['oauth_token'],
    $response['oauth_token_secret']
);
header('Location: /twitter-link-ok');
Access token
Access secret
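A callback handler for the "Get access token" step with the checks the slide code leaves out, as an added example that is not from the slides. It assumes PHP 7+, the PECL OAuth extension, and the MY_CONSUMER_* constants and $current_user object used in the slides.

```php
<?php
// Added example, not from the slides: the callback handler for the "Get access
// token" step, with the checks the slide code leaves out. Assumes PHP 7+, the
// PECL OAuth extension, and the MY_CONSUMER_* constants and $current_user object
// used in the slides.
session_start();

$returned = $_GET['oauth_token'] ?? '';
$verifier = $_GET['oauth_verifier'] ?? '';
$expected = $_SESSION['req_token'] ?? '';

// Only exchange a request token that this session started, and insist on the
// 1.0a verifier. A mismatch means the browser arrived with a token we did not
// issue to this user (a forged or stale callback), so refuse and forget it.
if ($expected === '' || $verifier === '' || !hash_equals($expected, $returned)) {
    unset($_SESSION['req_token'], $_SESSION['req_secret']);
    http_response_code(400);
    exit('OAuth callback does not match a pending request.');
}

$o = new OAuth(MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1);
$o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);

// A request token is single use: drop it before the exchange so a repeat
// visit to this URL cannot replay it.
unset($_SESSION['req_token'], $_SESSION['req_secret']);

try {
    // Pass the verifier explicitly instead of relying on the extension to
    // pick it up from $_GET.
    $response = $o->getAccessToken(
        'https://api.twitter.com/oauth/access_token', null, $verifier
    );
} catch (OAuthException $e) {
    // Log the detail server-side; the user gets a generic message.
    error_log('OAuth access token exchange failed: ' . $e->getMessage());
    http_response_code(502);
    exit('Could not complete the Twitter link.');
}

$current_user->saveTwitterTokens(
    $response['oauth_token'],
    $response['oauth_token_secret']
);
header('Location: /twitter-link-ok');
```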
Make API requests
// Create OAuth client object
$o = new OAuth(
    MY_CONSUMER_KEY, MY_CONSUMER_SECRET,
    OAUTH_SIG_METHOD_HMACSHA1
);
// Sign requests with the access token
$o->setToken(
    $current_user->getTwitterToken(),
    $current_user->getTwitterSecret()
);
$args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
// POST the signed request
$o->fetch(
    'https://api.twitter.com/v1/statuses/update.json',
    $args,
    OAUTH_HTTP_METHOD_POST
);
$json = json_decode($o->getLastResponse());
printf("Result: %s\n", print_r($json, true));
What OAuth doesn’t do
No proof of server identity (use TLS)
No confidentiality (use TLS/SSL)
No open-source consumer
Thoughts on being a Provider
Very easy to be a Consumer
Many design decisions to make as a Provider
A fair amount of work, and not always easy to change your mind
For example. . .
How large a range of timestamps do you allow?
What permission granularity do you provide?
What format and length are tokens/secrets?
Do you identify actions as coming from particular consumers? (e.g. Twitter)
What about attacks? Phishing, DoS, clickjacking, CSRF
Beware proxying/caching (use the right headers!)
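The HMAC-SHA1 signing that the PECL extension does for the consumer in the "Make API requests" step, written out by hand, together with the provider-side checks behind the timestamp-range and token-format questions above, as an added example that is not from the slides. It assumes PHP 7+; the keys, secrets and in-memory nonce store are constructed for the demo, and a real provider would look the secrets up from oauth_consumer_key and oauth_token.

```php
<?php
// Added example, not from the slides: the HMAC-SHA1 signing that the PECL OAuth
// extension performs for the consumer, written out by hand, and the provider-side
// checks behind "timestamp range" and nonce replay. Assumes PHP 7+; all keys,
// secrets and the nonce store are constructed for the demo.

// RFC 3986 percent-encoding; rawurlencode() leaves "~" alone on PHP >= 5.3.
function oauth_encode($s) { return rawurlencode((string)$s); }

// Signature base string: METHOD & base-URL & normalised parameters.
// Assumes default ports; a non-default port would have to be kept in the URL.
function oauth_base_string($method, $url, array $params) {
    $u = parse_url($url);
    $base_url = strtolower($u['scheme'] . '://' . $u['host']) . ($u['path'] ?? '/');
    if (!empty($u['query'])) {           // query parameters are signed, the URL is not
        parse_str($u['query'], $query);
        $params = array_merge($query, $params);
    }
    unset($params['oauth_signature'], $params['realm']);
    $pairs = [];
    foreach ($params as $k => $v) { $pairs[] = [oauth_encode($k), oauth_encode($v)]; }
    // Sort by encoded name, then by encoded value, as the spec requires.
    usort($pairs, function ($a, $b) { return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]); });
    $norm = implode('&', array_map(function ($p) { return $p[0] . '=' . $p[1]; }, $pairs));
    return strtoupper($method) . '&' . oauth_encode($base_url) . '&' . oauth_encode($norm);
}

// Consumer side: key is consumer secret & token secret (the "C" and "A" of the diagram).
function oauth_sign($method, $url, array $params, $consumer_secret, $token_secret) {
    $key = oauth_encode($consumer_secret) . '&' . oauth_encode($token_secret);
    return base64_encode(hash_hmac('sha1', oauth_base_string($method, $url, $params), $key, true));
}

// Provider side. A real provider looks the secrets up from oauth_consumer_key and
// oauth_token; $seen is an in-memory stand-in for its persisted nonce store.
function provider_verify($method, $url, array $params, $consumer_secret, $token_secret,
                         array &$seen, $now, $window = 300) {
    foreach (['oauth_consumer_key', 'oauth_token', 'oauth_nonce', 'oauth_timestamp',
              'oauth_signature'] as $k) {
        if (!isset($params[$k])) { return "missing $k"; }
    }
    if (($params['oauth_signature_method'] ?? '') !== 'HMAC-SHA1') { return 'unsupported method'; }
    // "How large a range of timestamps do you allow?": here +/- $window seconds of skew.
    if (abs((int)$params['oauth_timestamp'] - $now) > $window) { return 'timestamp out of range'; }
    // A nonce is valid once per consumer/token/timestamp, so a captured request cannot be replayed.
    $nonce_key = implode('|', [$params['oauth_consumer_key'], $params['oauth_token'],
                               $params['oauth_timestamp'], $params['oauth_nonce']]);
    if (isset($seen[$nonce_key])) { return 'nonce already used'; }
    $expected = oauth_sign($method, $url, $params, $consumer_secret, $token_secret);
    // Constant-time comparison of the signatures.
    if (!hash_equals($expected, $params['oauth_signature'])) { return 'bad signature'; }
    $seen[$nonce_key] = true;
    return 'ok';
}

// "What format and length are tokens/secrets?": 128 bits from a CSPRNG, hex encoded.
function new_token() { return bin2hex(random_bytes(16)); }

// Demo: sign the status update from the slides, then verify it as the provider would.
$consumer_secret = 'constructed-consumer-secret';
$access_secret   = 'constructed-access-secret';
$url = 'https://api.twitter.com/v1/statuses/update.json';
$params = [
    'status'                 => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!',
    'oauth_consumer_key'     => 'constructed-consumer-key',
    'oauth_token'            => 'constructed-access-token',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string)time(),
    'oauth_nonce'            => new_token(),
    'oauth_version'          => '1.0',
];
$params['oauth_signature'] = oauth_sign('POST', $url, $params, $consumer_secret, $access_secret);
$seen = [];
echo provider_verify('POST', $url, $params, $consumer_secret, $access_secret, $seen, time()), "\n";
// The identical signed request presented a second time (a replay).
echo provider_verify('POST', $url, $params, $consumer_secret, $access_secret, $seen, time()), "\n";
// Fresh nonce but the body was changed after signing.
$params['oauth_nonce'] = new_token();
$params['status'] = 'tampered';
echo provider_verify('POST', $url, $params, $consumer_secret, $access_secret, $seen, time()), "\n";
```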
Links
OAuth Spec: http://oauth.net/
Intro/tutorial: http://hueniverse.com/
PECL extension: http://pecl.php.net/oauth/
Me: http://twitter.com/dmi
http://www.dmi.me.uk/talks/
http://www.dmi.me.uk/code/php/
Slides: http://slideshare.net/ingramd
