Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Using OAuth with PHP

Dave Ingram
March 23, 2012
Programming
5
280

Using OAuth with PHP

Talk given at PHP London on 4th November 2010.

Dave Ingram

March 23, 2012
Tweet

More Decks by Dave Ingram

See All by Dave Ingram
API Design: It's Not Rocket Surgery (PHPUK13)
dmi
7
1.6k
API Design: It's Not Rocket Surgery (ODI)
dmi
5
890
API Design: it's not rocket surgery (PHPNW2012)
dmi
2
520
API Design: It's Not Rocket Surgery
dmi
4
410
Being an Effective Git (User)
dmi
3
270
API Design: More Than the REST (PHPUK 2012 uncon)
dmi
6
720

Other Decks in Programming

See All in Programming
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
350
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.3k
CSC509 Lecture 12
javiergs
PRO
0
160
Outline View in SwiftUI
1024jp
1
330
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
940
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
110
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
620
聞き手から登壇者へ: RubyKaigi2024 LTでの初挑戦が 教えてくれた、可能性の星
mikik0
1
130
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
Ethereum_.pdf
nekomatu
0
460
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.8k
CSC509 Lecture 11
javiergs
PRO
0
180

Featured

See All Featured
Done Done
chrislema
181
16k
Side Projects
sachag
452
42k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
A designer walks into a library…
pauljervisheath
204
24k
A better future with KSS
kneath
238
17k
Docker and Python
trallard
40
3.1k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Why Our Code Smells
bkeepers
PRO
334
57k

Transcript

  1. Using OAuth with PHP Dave Ingram @dmi 4th November 2010

  2. None
  3. None
  4. None

  5. Coming up • What is OAuth? • How do you

    write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider

  6. What is OAuth anyway?

  7. A long time ago, in a website not far away.

    . .
  8. None
  9. None

  10. Connect!

  11. Connect! U:KittehLuvr P:hunter2

  12. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2

  13. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2

  14. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2

  15. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 O HAI TWITTER

    LOOK AT MAH KITTEH LOL!

  16. Full access

  17. Full access Fragile

  18. Full access Fragile Revoking is painful

  19. YOU REVEAL YOUR USERNAME AND PASSWORD

  20. YOUR USERNAME AND PASSWORD

  21. None

  22. Who uses it?

  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. Building a Consumer

  35. To sign requests, you need: Consumer key Consumer secret (Unique

    per application) + Access token Access secret (Unique per application user)

  36. Step 1: Register with the provider

  37. I would like my OAuth application to consume your service

    please, Mr. Provider.

  38. Certainly. I just need to take a few details from

    you, and we’ll be all set.

  39. OK. Here you go.

  40. Consumer key Consumer secret

  41. Step 2: Write your application Step 3: ?????? Step 4:

    Profit!

  42. Step 2: Write your application Step 3: ?????? Step 4:

    Profit!

  43. User Consumer Provider User clicks connect

  44. User Consumer Provider C C Ask provider for request token

  45. User Consumer Provider C C R R Provider returns request

    token and request secret

  46. User Consumer Provider C C R R R Redirect user

    to provider

  47. User Consumer Provider C C R R R R User

    logs in/authorises app

  48. User Consumer Provider C C R R R R V

    Provider redirects user back to app with verifier

  49. User Consumer Provider C C R R R R V

    V User’s arrival with verifier notifies app

  50. User Consumer Provider C C R R R R V

    V C C R R V App then exchanges request token for access token

  51. User Consumer Provider C C R R R R V

    V C C R R V A A Provider returns access token and access secret

  52. User Consumer Provider C C R R R R V

    V C C R R V A A C C A A App makes request on user’s behalf

  53. Get request token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, );

  54. Get request token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, ); // Fetch the request token $response = $o->getRequestToken( 'https://api.twitter.com/oauth/request_token' ); // Save for later exchange $_SESSION['req_token'] = $response['oauth_token']; $_SESSION['req_secret'] = $response['oauth_token_secret'];

  55. Get request token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, ); // Fetch the request token $response = $o->getRequestToken( 'https://api.twitter.com/oauth/request_token' ); // Save for later exchange $_SESSION['req_token'] = $response['oauth_token']; $_SESSION['req_secret'] = $response['oauth_token_secret']; // Send user to provider's site header('Location: https://api.twitter.com/oauth/authorize'. '?oauth_token='.$response['oauth_token']);
  56. None

  57. Get access token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the request token $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);

  58. Get access token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the request token $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']); // Exchange request for access token (verifier is automatic) $response = $o->getAccessToken( 'https://api.twitter.com/oauth/access_token' ); // Save access tokens for later use $current_user->saveTwitterTokens( $response['oauth_token'], $response['oauth_token_secret'], ); header('Location: /twitter-link-ok');

  59. Access token Access secret

  60. Make API requests // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the access token $o->setToken( $current_user->getTwitterToken(), $current_user->getTwitterSecret() ); $args = array('status'=>'O HAI TWITTER LOOK AT MAH KITTEH LOL!'); $oauth->fetch( 'https://api.twitter.com/v1/statuses/update.json', $args, OAUTH_HTTP_METHOD_POST ); $json = json_decode($oauth->getLastResponse()); printf("Result: %s\n", print_r($json, true));

  61. What OAuth doesn’t do

  62. No proof of server identity (use TLS)

  63. No proof of server identity (use TLS) No confidentiality (use

    TLS/SSL)

  64. No proof of server identity (use TLS) No confidentiality (use

    TLS/SSL) No open-source consumer

  65. Thoughts on being a Provider

  66. Very easy to be a Consumer

  67. Very easy to be a Consumer Many design decisions to

    make as a Provider

  68. Very easy to be a Consumer Many design decisions to

    make as a Provider A fair amount of work, and not always easy to change your mind

  69. Very easy to be a Consumer Many design decisions to

    make as a Provider A fair amount of work, and not always easy to change your mind For example. . .

  70. How large a range of timestamps do you allow?

  71. How large a range of timestamps do you allow? What

    permission granularity do you provide?

  72. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets?

  73. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter)

  74. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter) What about attacks? Phishing, DoS, clickjacking, CSRF

  75. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter) What about attacks? Phishing, DoS, clickjacking, CSRF Beware proxying/caching (use the right headers!)

  76. Links OAuth Spec: http://oauth.net/ Intro/tutorial: http://hueniverse.com/ PECL extension: http://pecl.php.net/oauth/ Me:

    http://twitter.com/dmi http://www.dmi.me.uk/talks/ http://www.dmi.me.uk/code/php/ Slides: http://slideshare.net/ingramd