Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Using OAuth with PHP

Dave Ingram
March 23, 2012
Programming
5
280

Using OAuth with PHP

Talk given at PHP London on 4th November 2010.

Dave Ingram

March 23, 2012
Tweet

More Decks by Dave Ingram

See All by Dave Ingram
API Design: It's Not Rocket Surgery (PHPUK13)
dmi
7
1.5k
API Design: It's Not Rocket Surgery (ODI)
dmi
5
830
API Design: it's not rocket surgery (PHPNW2012)
dmi
2
480
API Design: It's Not Rocket Surgery
dmi
4
370
Being an Effective Git (User)
dmi
3
260
API Design: More Than the REST (PHPUK 2012 uncon)
dmi
6
660

Other Decks in Programming

See All in Programming
Scalable Customer Journey Orchestration (CJO)
lewuathe
0
410
Micro Frontends for Java Microservices - Utah JUG 2024
mraible
PRO
1
110
大規模Reactアプリのリアーキテクチャ~8万行のTanStack Query移行の軌跡~
kj455
4
1k
Going beyond Apache Parquet's default settings
xhochy
0
120
Deep Dive into React Stream/Serialize
mugi_uno
3
560
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
160
Build Apps for iOS, Android & Desktop in 100% Kotlin With Compose Multiplatform (mDevCamp 2024)
zsmb
0
420
ServerAction で Progressive Enhancement はどこまで頑張れるか? / progressive-enhancement-with-server-action
takefumiyoshii
6
400
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
9
4.2k
Let's learn code review
riofujimon
2
570
TCAとKMPを用いた新規動画配信アプリ 「ABEMA Live」の設計
tomu28
2
120
SIMD Parallel Programming with the Vector API
josepaumard
0
220

Featured

See All Featured
Designing for humans not robots
tammielis
248
25k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
33
6k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
323
20k
Side Projects
sachag
451
41k
What's new in Ruby 2.0
geeforr
337
31k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
275
13k
The Invisible Customer
myddelton
114
12k
GitHub's CSS Performance
jonrohan
1025
450k
Six Lessons from altMBA
skipperchong
22
3k
Art, The Web, and Tiny UX
lynnandtonic
290
19k

Transcript

  1. Using OAuth with PHP Dave Ingram @dmi 4th November 2010

  2. None
  3. None
  4. None

  5. Coming up • What is OAuth? • How do you

    write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider

  6. What is OAuth anyway?

  7. A long time ago, in a website not far away.

    . .
  8. None
  9. None

  10. Connect!

  11. Connect! U:KittehLuvr P:hunter2

  12. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2

  13. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2

  14. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2

  15. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 O HAI TWITTER

    LOOK AT MAH KITTEH LOL!

  16. Full access

  17. Full access Fragile

  18. Full access Fragile Revoking is painful

  19. YOU REVEAL YOUR USERNAME AND PASSWORD

  20. YOUR USERNAME AND PASSWORD

  21. None

  22. Who uses it?

  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. Building a Consumer

  35. To sign requests, you need: Consumer key Consumer secret (Unique

    per application) + Access token Access secret (Unique per application user)

  36. Step 1: Register with the provider

  37. I would like my OAuth application to consume your service

    please, Mr. Provider.

  38. Certainly. I just need to take a few details from

    you, and we’ll be all set.

  39. OK. Here you go.

  40. Consumer key Consumer secret

  41. Step 2: Write your application Step 3: ?????? Step 4:

    Profit!

  42. Step 2: Write your application Step 3: ?????? Step 4:

    Profit!

  43. User Consumer Provider User clicks connect

  44. User Consumer Provider C C Ask provider for request token

  45. User Consumer Provider C C R R Provider returns request

    token and request secret

  46. User Consumer Provider C C R R R Redirect user

    to provider

  47. User Consumer Provider C C R R R R User

    logs in/authorises app

  48. User Consumer Provider C C R R R R V

    Provider redirects user back to app with verifier

  49. User Consumer Provider C C R R R R V

    V User’s arrival with verifier notifies app

  50. User Consumer Provider C C R R R R V

    V C C R R V App then exchanges request token for access token

  51. User Consumer Provider C C R R R R V

    V C C R R V A A Provider returns access token and access secret

  52. User Consumer Provider C C R R R R V

    V C C R R V A A C C A A App makes request on user’s behalf

  53. Get request token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, );

  54. Get request token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, ); // Fetch the request token $response = $o->getRequestToken( 'https://api.twitter.com/oauth/request_token' ); // Save for later exchange $_SESSION['req_token'] = $response['oauth_token']; $_SESSION['req_secret'] = $response['oauth_token_secret'];

  55. Get request token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, ); // Fetch the request token $response = $o->getRequestToken( 'https://api.twitter.com/oauth/request_token' ); // Save for later exchange $_SESSION['req_token'] = $response['oauth_token']; $_SESSION['req_secret'] = $response['oauth_token_secret']; // Send user to provider's site header('Location: https://api.twitter.com/oauth/authorize'. '?oauth_token='.$response['oauth_token']);
  56. None

  57. Get access token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the request token $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);

  58. Get access token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the request token $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']); // Exchange request for access token (verifier is automatic) $response = $o->getAccessToken( 'https://api.twitter.com/oauth/access_token' ); // Save access tokens for later use $current_user->saveTwitterTokens( $response['oauth_token'], $response['oauth_token_secret'], ); header('Location: /twitter-link-ok');

  59. Access token Access secret

  60. Make API requests // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the access token $o->setToken( $current_user->getTwitterToken(), $current_user->getTwitterSecret() ); $args = array('status'=>'O HAI TWITTER LOOK AT MAH KITTEH LOL!'); $oauth->fetch( 'https://api.twitter.com/v1/statuses/update.json', $args, OAUTH_HTTP_METHOD_POST ); $json = json_decode($oauth->getLastResponse()); printf("Result: %s\n", print_r($json, true));

  61. What OAuth doesn’t do

  62. No proof of server identity (use TLS)

  63. No proof of server identity (use TLS) No confidentiality (use

    TLS/SSL)

  64. No proof of server identity (use TLS) No confidentiality (use

    TLS/SSL) No open-source consumer

  65. Thoughts on being a Provider

  66. Very easy to be a Consumer

  67. Very easy to be a Consumer Many design decisions to

    make as a Provider

  68. Very easy to be a Consumer Many design decisions to

    make as a Provider A fair amount of work, and not always easy to change your mind

  69. Very easy to be a Consumer Many design decisions to

    make as a Provider A fair amount of work, and not always easy to change your mind For example. . .

  70. How large a range of timestamps do you allow?

  71. How large a range of timestamps do you allow? What

    permission granularity do you provide?

  72. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets?

  73. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter)

  74. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter) What about attacks? Phishing, DoS, clickjacking, CSRF

  75. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter) What about attacks? Phishing, DoS, clickjacking, CSRF Beware proxying/caching (use the right headers!)

  76. Links OAuth Spec: http://oauth.net/ Intro/tutorial: http://hueniverse.com/ PECL extension: http://pecl.php.net/oauth/ Me:

    http://twitter.com/dmi http://www.dmi.me.uk/talks/ http://www.dmi.me.uk/code/php/ Slides: http://slideshare.net/ingramd