Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Using OAuth with PHP

Dave Ingram
March 23, 2012
Programming
5
280

Using OAuth with PHP

Talk given at PHP London on 4th November 2010.

Dave Ingram

March 23, 2012
Tweet

More Decks by Dave Ingram

See All by Dave Ingram
API Design: It's Not Rocket Surgery (PHPUK13)
dmi
7
1.6k
API Design: It's Not Rocket Surgery (ODI)
dmi
5
880
API Design: it's not rocket surgery (PHPNW2012)
dmi
2
520
API Design: It's Not Rocket Surgery
dmi
4
400
Being an Effective Git (User)
dmi
3
270
API Design: More Than the REST (PHPUK 2012 uncon)
dmi
6
710

Other Decks in Programming

See All in Programming
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
210
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
390
破壊せよ!データ破壊駆動で考えるドメインモデリング / data-destroy-driven
minodriven
16
4.1k
Identifying User Idenity
moro
6
7.9k
CSC509 Lecture 09
javiergs
PRO
0
110
Vue.js学習の振り返り
hiro_xre
2
130
cXML という電子商取引の トランザクションを支える プロトコルと向きあっている話
phigasui
3
2.3k
Vue3の一歩踏み込んだパフォーマンスチューニング2024
hal_spidernight
3
3.1k
Vue SFCのtemplateでTypeScriptの型を活用しよう
tsukkee
3
1.5k
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
23k
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
1
290
リリース8年目のサービスの1800個のERBファイルをViewComponentに移行した方法とその結果
katty0324
5
3.6k

Featured

See All Featured
The Language of Interfaces
destraynor
154
24k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
290
How to Think Like a Performance Engineer
csswizardry
19
1.1k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
150
KATA
mclloyd
29
13k
The Invisible Side of Design
smashingmag
297
50k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
The Cult of Friendly URLs
andyhume
78
6k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k

Transcript

  1. Using OAuth with PHP Dave Ingram @dmi 4th November 2010

  2. None
  3. None
  4. None

  5. Coming up • What is OAuth? • How do you

    write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider

  6. What is OAuth anyway?

  7. A long time ago, in a website not far away.

    . .
  8. None
  9. None

  10. Connect!

  11. Connect! U:KittehLuvr P:hunter2

  12. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2

  13. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2

  14. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2

  15. Connect! U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 U:KittehLuvr P:hunter2 O HAI TWITTER

    LOOK AT MAH KITTEH LOL!

  16. Full access

  17. Full access Fragile

  18. Full access Fragile Revoking is painful

  19. YOU REVEAL YOUR USERNAME AND PASSWORD

  20. YOUR USERNAME AND PASSWORD

  21. None

  22. Who uses it?

  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. Building a Consumer

  35. To sign requests, you need: Consumer key Consumer secret (Unique

    per application) + Access token Access secret (Unique per application user)

  36. Step 1: Register with the provider

  37. I would like my OAuth application to consume your service

    please, Mr. Provider.

  38. Certainly. I just need to take a few details from

    you, and we’ll be all set.

  39. OK. Here you go.

  40. Consumer key Consumer secret

  41. Step 2: Write your application Step 3: ?????? Step 4:

    Profit!

  42. Step 2: Write your application Step 3: ?????? Step 4:

    Profit!

  43. User Consumer Provider User clicks connect

  44. User Consumer Provider C C Ask provider for request token

  45. User Consumer Provider C C R R Provider returns request

    token and request secret

  46. User Consumer Provider C C R R R Redirect user

    to provider

  47. User Consumer Provider C C R R R R User

    logs in/authorises app

  48. User Consumer Provider C C R R R R V

    Provider redirects user back to app with verifier

  49. User Consumer Provider C C R R R R V

    V User’s arrival with verifier notifies app

  50. User Consumer Provider C C R R R R V

    V C C R R V App then exchanges request token for access token

  51. User Consumer Provider C C R R R R V

    V C C R R V A A Provider returns access token and access secret

  52. User Consumer Provider C C R R R R V

    V C C R R V A A C C A A App makes request on user’s behalf

  53. Get request token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, );

  54. Get request token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, ); // Fetch the request token $response = $o->getRequestToken( 'https://api.twitter.com/oauth/request_token' ); // Save for later exchange $_SESSION['req_token'] = $response['oauth_token']; $_SESSION['req_secret'] = $response['oauth_token_secret'];

  55. Get request token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1, ); // Fetch the request token $response = $o->getRequestToken( 'https://api.twitter.com/oauth/request_token' ); // Save for later exchange $_SESSION['req_token'] = $response['oauth_token']; $_SESSION['req_secret'] = $response['oauth_token_secret']; // Send user to provider's site header('Location: https://api.twitter.com/oauth/authorize'. '?oauth_token='.$response['oauth_token']);
  56. None

  57. Get access token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the request token $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);

  58. Get access token // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the request token $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']); // Exchange request for access token (verifier is automatic) $response = $o->getAccessToken( 'https://api.twitter.com/oauth/access_token' ); // Save access tokens for later use $current_user->saveTwitterTokens( $response['oauth_token'], $response['oauth_token_secret'], ); header('Location: /twitter-link-ok');

  59. Access token Access secret

  60. Make API requests // Create OAuth client object $o =

    new OAuth( MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1 ); // Sign requests with the access token $o->setToken( $current_user->getTwitterToken(), $current_user->getTwitterSecret() ); $args = array('status'=>'O HAI TWITTER LOOK AT MAH KITTEH LOL!'); $oauth->fetch( 'https://api.twitter.com/v1/statuses/update.json', $args, OAUTH_HTTP_METHOD_POST ); $json = json_decode($oauth->getLastResponse()); printf("Result: %s\n", print_r($json, true));

  61. What OAuth doesn’t do

  62. No proof of server identity (use TLS)

  63. No proof of server identity (use TLS) No confidentiality (use

    TLS/SSL)

  64. No proof of server identity (use TLS) No confidentiality (use

    TLS/SSL) No open-source consumer

  65. Thoughts on being a Provider

  66. Very easy to be a Consumer

  67. Very easy to be a Consumer Many design decisions to

    make as a Provider

  68. Very easy to be a Consumer Many design decisions to

    make as a Provider A fair amount of work, and not always easy to change your mind

  69. Very easy to be a Consumer Many design decisions to

    make as a Provider A fair amount of work, and not always easy to change your mind For example. . .

  70. How large a range of timestamps do you allow?

  71. How large a range of timestamps do you allow? What

    permission granularity do you provide?

  72. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets?

  73. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter)

  74. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter) What about attacks? Phishing, DoS, clickjacking, CSRF

  75. How large a range of timestamps do you allow? What

    permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter) What about attacks? Phishing, DoS, clickjacking, CSRF Beware proxying/caching (use the right headers!)

  76. Links OAuth Spec: http://oauth.net/ Intro/tutorial: http://hueniverse.com/ PECL extension: http://pecl.php.net/oauth/ Me:

    http://twitter.com/dmi http://www.dmi.me.uk/talks/ http://www.dmi.me.uk/code/php/ Slides: http://slideshare.net/ingramd