OAuth 2.0 allows clients secure access to user resources stored on another server. It involves 3 players: a client, service provider, and resource server. The client registers with the service provider to get an ID and secret. During authorization, the user is redirected to the service provider to grant the client access. If approved, a code is returned to the client to request an access token from the service provider. The client can then use the token to access protected resources from the resource server on behalf of the user. Facebook Connect uses OAuth 2.0 to allow third-party apps to access a user's Facebook profile and other data through the user's authorization. Developers must set up the login URL, handle the callback to get the

1. OAuth 2.0
October 2015

2. OAuth 2.0
What I will cover:
 Brief overview of OAuth 2.0
 How all the concepts fit together
 How you can use OAuth in your own projects
 i.e. API's, identity provider etc
 Implementing Facebook into your projects

3. The players
Service Provider Client
User
Resources Server
User owns private
data in resources
server (eg. Personal
details, photos)
Client wants to
access user's data in
resources server.
RS provides access
to data via REST API
endpoints.

4. Preliminary
 Before anything happens, Client is registered with
Service Provider so SP can recognize it
 Client is given a “client_id” and “secret_key”
 Secret Key MUST never be exposed in public.
 Keep it within your php code – not in any client-side code
eg. javascript etc

5. Authorization Grant
 3rd Party website (aka client or application) wants to
access data owned by User but stored in Resource
Server
 Resource Server provides an endpoint so a client
can get data
 GET /me/photo → returns a private photo of User
 RS won't just give access to anyone. User must
authorize client to access private data
 Service Provider (SP) provides 2 endpoints to
facilitate authorization
 GET /authorize ← Use first
 POST /token ← What client actually wants

6. Authorization
 Client will redirect user to SP's website @ /authorize
endpoint.
 User is no longer at client's website
 GET /authorize
 Query parameters:
 “response_type” = 'code‘
 “client_id” = <CLIENT_ID>
 “redirect_uri” = <REDIRECT_URI>
 “scope” = <what permissions client is asking user to give it>
 SP will check if User gives Client permission. Either
User had given permission in the past OR it will be
asked to authorize
 SP will redirect user to <REDIRECT_URI> (an
endpoint on client's website). A “code” will be given.
Or an “error”. These are query parameters. i.e.
code=298e63d823b86e52a95

7. Token
 That redirect endpoint isn't just an ordinary website
URL. It must expect a code (or error) being returned
amongst its query parameters
 If there is no error, the client must quickly request a
token.
 POST /token
 “client_id” = <CLIENT_ID>
 “client_secret” = <SECRET KEY>
 “grant_type” = 'authorization code‘
 “code” = <CODE FROM PRIOR REQUEST>
 “redirect_uri” = <SAME AS BEFORE>
 Returns JSON array with “access_token” and
“expires_on” OR “error” i.e.
access_token=206c80413b9a96c1384463edd

8. Making API requests
 Now that you have a token, you can call API
requests on Resources Server
 User can revoke authorization anytime
 Token can expire (which means Client has to
go through process of getting a new token)
 The SP has a registrar of all the non-expired
tokens and the corresponding client and
scope permissions

9. Uses
 Many other grant types
 Implicit Grant, Client Credentials, Refresh Token, Resource
Owner Password Credentials and many many more
 You can use OAuth specifications for many projects
ranging from identity provider to a web service where
other 3rd parties can use your API
 You can design a SP
 You can design a client
 Make sure SP (Resources Server if separate to SP)
uses HTTPS connection

10. Facebook Connect/Graph API
 Allows users to log on to your site using
their Facebook account
 Facebook allows 3rd party applications to
access user's data (i.e. profile data such as
name, age, gender etc)
 Facebook allows you to make your website
social-savvy
 Make posts on user's timeline
 Access their friends list
 Grab their photos (like Tinder does)

11. Facebook Connect
 eHarmony gives you the
option of creating an
account with them
(traditional way)
 Login using an account
registered with them
 Login using facebook
connect
 The site never needs
to know user's
password

12. Account registration in your
database
 Traditionally:
 Using Facebook:
FB guarantees every fb account will have a UNIQUE fb_id
No need for a password
You can save token in
a session if you want

13. Initial Setting up

14. PHP – install and configure
 Install SDK using composer: require
“facebook/php-sdk”

15. Step 1 – website link to open
dialog
 You can put $loginUrl in your view:
<a href=”<?= $loginUrl ?>”>Connect using Facebook</a>
 'scope' determines what permissions your app requires from the user.
Facebook will ask the user to authorize your app to use those
permissions. (i.e. 'scope'=> 'read_stream, user_photos')
 $loginUrl will contain client_id, scope, redirect_uri as query params

16. Objective
1. On Website: Work out the correct URL for the
facebook login dialog box to appear
 You must pass information to it such as
client_id, scope, redirect_uri, state etc
2. Once user logs on, you need to grab user's
fb_id
 Check if fb_id already exists in your records
 NO: New registration
 YES: Prior registered customer
3. Get and Store token to make future api requests

17. Step 2 – get fb_id
 $facebook->getUser() will return fb_id. Check if
that user already exists in your db.
 YES: Great! You have their personal details
already stored + Token
 NO: Use api to get basic details of user and
create new account

18. Step 2 – contd.
 $user_profile contains an array which contains
information about the user. You can use this information
to populate your database records of your user base

19. Step 3 – Storing the token
 You don't technically need to store the token because the
SDK takes care of it in the behind the scenes.
 $facebook->getUser(), before returning the fb_id does
many things behind the scenes
 Gets access code, exchanges it for token, saves token in
session and finally returns the fb_id
 BUT if you don't store the token yourself, you must
always ask the user to log in, in order for SDK to do
everything behind the scenes. If you have the token, you
can also access Graph API without facebook SDK.
 You can store token yourself: $facebook-
>getAccessToken();

20. Step 4 – Using access token
 You don't need access token. SDK provides method
that will access Graph API conveniently
 $facebook->api($url, $method, $parameters)
 But you can use API manually(HTTP REST API) . All
the endpoints and documentation are online.
 You obviously must sign the HTTP request with the
token in the body (access_token=<$token>) or
possibly header

21. Thank You