
Using OAuth with PHP

Talk given at PHP London on 4th November 2010.

Dave Ingram

March 23, 2012

Transcript

  1. Coming up • What is OAuth? • How do you write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider
  2. To sign requests, you need: Consumer key + Consumer secret (unique per application), and Access token + Access secret (unique per application user). The key and the token travel in every request; the two secrets together form the HMAC signing key and never leave the consumer's server.
  3-7. OAuth flow (sequence diagram between User, Consumer and Provider; the letters left over from the diagram mark what each leg carries: C consumer key/secret, R request token/secret, V verifier, A access token/secret)

    Provider redirects user back to app with verifier
    User’s arrival with verifier notifies app
    App then exchanges request token for access token
    Provider returns access token and access secret
    App makes request on user’s behalf
  8-10. Get request token

    <?php
    session_start();

    // Create OAuth client object (PECL oauth extension)
    $o = new OAuth(
        MY_CONSUMER_KEY,
        MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
    );

    // Fetch the request token
    // (a callback URL can be passed as the second argument if one is not registered with the provider)
    $response = $o->getRequestToken(
        'https://api.twitter.com/oauth/request_token'
    );

    // Save for later exchange (server-side session, never in a cookie or the URL)
    $_SESSION['req_token']  = $response['oauth_token'];
    $_SESSION['req_secret'] = $response['oauth_token_secret'];

    // Send user to provider's site
    header('Location: https://api.twitter.com/oauth/authorize'
         . '?oauth_token=' . urlencode($response['oauth_token']));
    exit;
  11-12. Get access token

    <?php
    session_start();

    // The provider sends the user back with ?oauth_token=...&oauth_verifier=...
    // Make sure the token it returned is the one handed out in this session
    if (empty($_SESSION['req_token']) || !isset($_GET['oauth_token'])
        || $_GET['oauth_token'] !== $_SESSION['req_token']) {
        die('OAuth token mismatch');
    }

    // Create OAuth client object
    $o = new OAuth(
        MY_CONSUMER_KEY,
        MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
    );

    // Sign requests with the request token
    $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);

    // Exchange request for access token
    // (verifier is automatic: the extension reads oauth_verifier from $_GET/$_POST)
    $response = $o->getAccessToken(
        'https://api.twitter.com/oauth/access_token'
    );

    // The request token is single-use; drop it
    unset($_SESSION['req_token'], $_SESSION['req_secret']);

    // Save access tokens for later use
    $current_user->saveTwitterTokens(
        $response['oauth_token'],
        $response['oauth_token_secret']
    );
    header('Location: /twitter-link-ok');
    exit;
  13. Make API requests

    <?php
    // Create OAuth client object
    $o = new OAuth(
        MY_CONSUMER_KEY,
        MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
    );

    // Sign requests with the access token
    $o->setToken(
        $current_user->getTwitterToken(),
        $current_user->getTwitterSecret()
    );

    $args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
    // fetch() throws an OAuthException on a non-2xx response
    $o->fetch(
        'https://api.twitter.com/v1/statuses/update.json',
        $args,
        OAUTH_HTTP_METHOD_POST
    );
    $json = json_decode($o->getLastResponse());
    printf("Result: %s\n", print_r($json, true));
  14-15. Very easy to be a Consumer. Many design decisions to make as a Provider. A fair amount of work, and not always easy to change your mind. For example. . .
  16-20. Provider design decisions

    How large a range of timestamps do you allow? (The wider the window, the longer nonces must be remembered to stop replays.)
    What permission granularity do you provide?
    What format and length are tokens/secrets? (They must be unguessable: generate them from a CSPRNG, not from time or counters.)
    Do you identify actions as coming from particular consumers? (e.g. Twitter)
    What about attacks? Phishing, DoS, clickjacking, CSRF
    Beware proxying/caching (use the right headers!): token responses and signed API responses must carry Cache-Control: no-store so an intermediary never serves one user's data to another.
  21. Links

    OAuth Spec: http://oauth.net/
    Intro/tutorial: http://hueniverse.com/
    PECL extension: http://pecl.php.net/oauth/
    Me: http://twitter.com/dmi http://www.dmi.me.uk/talks/ http://www.dmi.me.uk/code/php/
    Slides: http://slideshare.net/ingramd