
Using OAuth with PHP


Talk given at PHP London on 4th November 2010.


Dave Ingram

March 23, 2012

Transcript

  1. Using OAuth with PHP Dave Ingram @dmi 4th November 2010

  5. Coming up • What is OAuth? • How do you write a Consumer in PHP? • What doesn’t OAuth do? • Thoughts on being a Provider
  6. What is OAuth anyway?

  7. A long time ago, in a website not far away...
  10-15. Connect! U:KittehLuvr P:hunter2 (the same username and password, shown again at each hop as it is passed along) O HAI TWITTER LOOK AT MAH KITTEH LOL!
  16-18. Full access. Fragile. Revoking is painful.

  19-20. YOU REVEAL YOUR USERNAME AND PASSWORD

  22. Who uses it?

  34. Building a Consumer

  35. To sign requests, you need: Consumer key + Consumer secret (unique per application) + Access token + Access secret (unique per application user)
  36. Step 1: Register with the provider

  37. I would like my OAuth application to consume your service please, Mr. Provider.
  38. Certainly. I just need to take a few details from you, and we’ll be all set.
  39. OK. Here you go.

  40. Consumer key Consumer secret

  41-42. Step 2: Write your application. Step 3: ?????? Step 4: Profit!
  43-52. The flow between User, Consumer and Provider (on the slides, C marks the consumer credentials, R the request token, V the verifier and A the access token as each travels between the parties):

    1. User clicks connect
    2. Consumer asks provider for request token
    3. Provider returns request token and request secret
    4. Consumer redirects user to provider
    5. User logs in/authorises app
    6. Provider redirects user back to app with verifier
    7. User’s arrival with verifier notifies app
    8. App then exchanges request token for access token
    9. Provider returns access token and access secret
    10. App makes request on user’s behalf
  53-55. Get request token

    <?php
    session_start(); // the request token is kept in the session until step 58
    // Create OAuth client object (PECL OAuth extension)
    $o = new OAuth(
        MY_CONSUMER_KEY,
        MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
    );
    // Fetch the request token
    $response = $o->getRequestToken(
        'https://api.twitter.com/oauth/request_token'
    );
    // Save for later exchange
    $_SESSION['req_token']  = $response['oauth_token'];
    $_SESSION['req_secret'] = $response['oauth_token_secret'];
    // Send user to provider's site
    header('Location: https://api.twitter.com/oauth/authorize'
         . '?oauth_token=' . $response['oauth_token']);
    exit; // nothing should run after the redirect header
  57-58. Get access token

    <?php
    session_start(); // retrieve the request token saved in step 55
    // Create OAuth client object
    $o = new OAuth(
        MY_CONSUMER_KEY,
        MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
    );
    // Sign requests with the request token
    $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);
    // Exchange request for access token (the verifier is picked up
    // automatically from the oauth_verifier query parameter)
    $response = $o->getAccessToken(
        'https://api.twitter.com/oauth/access_token'
    );
    // Save access tokens for later use ($current_user is the app's own user object)
    $current_user->saveTwitterTokens(
        $response['oauth_token'],
        $response['oauth_token_secret']
    );
    // The request token is single-use; drop it now that it has been exchanged
    unset($_SESSION['req_token'], $_SESSION['req_secret']);
    header('Location: /twitter-link-ok');
    exit;
  59. Access token Access secret

  60. Make API requests

    <?php
    // Create OAuth client object
    $o = new OAuth(
        MY_CONSUMER_KEY,
        MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
    );
    // Sign requests with the access token
    $o->setToken(
        $current_user->getTwitterToken(),
        $current_user->getTwitterSecret()
    );
    $args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
    // fetch() signs and sends the request (the slide used $oauth here, but the object is $o)
    $o->fetch(
        'https://api.twitter.com/v1/statuses/update.json',
        $args,
        OAUTH_HTTP_METHOD_POST
    );
    $json = json_decode($o->getLastResponse());
    printf("Result: %s\n", print_r($json, true));
  61. What OAuth doesn’t do

  62-64. No proof of server identity (use TLS). No confidentiality (use TLS/SSL). No open-source consumer.
  65. Thoughts on being a Provider

  66-69. Very easy to be a Consumer. Many design decisions to make as a Provider. A fair amount of work, and not always easy to change your mind. For example...
  70-75. How large a range of timestamps do you allow? What permission granularity do you provide? What format and length are tokens/secrets? Do you identify actions as coming from particular consumers? (e.g. Twitter) What about attacks? Phishing, DoS, clickjacking, CSRF. Beware proxying/caching (use the right headers!)
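To make slides 35 and 70-75 concrete, here is an added example (not code from the talk, and not the PECL extension's API) of what OAUTH_SIG_METHOD_HMACSHA1 does on the consumer side and of the checks a provider makes on receipt: the timestamp window the slide asks about, a nonce store against replays, and a constant-time signature comparison. The function names, the example URL and every credential value are constructed for this demo.

```php
<?php
// Added example, not from the talk: plain-PHP OAuth 1.0 HMAC-SHA1 signing plus
// the provider-side checks. Function names are assumptions, not the PECL API.

// Signature base string (RFC 5849): METHOD & enc(URL) & enc(sorted params).
function oauth_base_string(string $method, string $url, array $params): string {
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode($k) . '=' . rawurlencode($v);
    }
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

// HMAC-SHA1 keyed with "consumer secret & token secret"; the token secret is
// empty when fetching a request token, since the consumer has no token yet.
function oauth_sign(string $method, string $url, array $params, string $consumerSecret, string $tokenSecret = ''): string {
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', oauth_base_string($method, $url, $params), $key, true));
}

// Provider side: reject stale timestamps, replayed nonces and bad signatures.
// $seen is the provider's store of (consumer key, timestamp, nonce) already used.
function oauth_verify(string $method, string $url, array $params, string $consumerSecret,
                      string $tokenSecret, array &$seen, int $now, int $window = 300): bool {
    $ts = (int) ($params['oauth_timestamp'] ?? 0);
    if (abs($now - $ts) > $window) return false;          // outside the allowed window
    $nonceKey = ($params['oauth_consumer_key'] ?? '') . "|$ts|" . ($params['oauth_nonce'] ?? '');
    if (isset($seen[$nonceKey])) return false;             // replay of an earlier request
    $supplied = $params['oauth_signature'] ?? '';
    unset($params['oauth_signature']);                     // never part of the base string
    $expected = oauth_sign($method, $url, $params, $consumerSecret, $tokenSecret);
    if (!hash_equals($expected, $supplied)) return false;  // constant-time comparison
    $seen[$nonceKey] = true;                               // remember only after success
    return true;
}

// Constructed demo values (not real credentials or endpoints).
$url    = 'https://api.example.test/1/statuses/update.json';
$params = [
    'oauth_consumer_key' => 'demo-consumer-key', 'oauth_token' => 'demo-access-token',
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1288886400',
    'oauth_nonce' => 'a1b2c3d4', 'oauth_version' => '1.0',
    'status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!',
];
$params['oauth_signature'] = oauth_sign('POST', $url, $params, 'demo-consumer-secret', 'demo-token-secret');
$seen   = [];
$first  = oauth_verify('POST', $url, $params, 'demo-consumer-secret', 'demo-token-secret', $seen, 1288886460);
$second = oauth_verify('POST', $url, $params, 'demo-consumer-secret', 'demo-token-secret', $seen, 1288886460);
var_dump($first, $second);
```

Run stand-alone, the first oauth_verify call accepts the signed request and the second rejects the identical request because its nonce is already in $seen; moving $now outside the 300-second window rejects it too. A real provider keeps the nonce store in shared storage and expires entries once they fall outside the window.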
  76. Links

    OAuth Spec: http://oauth.net/
    Intro/tutorial: http://hueniverse.com/
    PECL extension: http://pecl.php.net/oauth/
    Me: http://twitter.com/dmi http://www.dmi.me.uk/talks/ http://www.dmi.me.uk/code/php/
    Slides: http://slideshare.net/ingramd