Using OAuth with PHP

Talk given at PHP London on 4th November 2010.

Dave Ingram

March 23, 2012
Transcript

  1. Using OAuth with PHP
    Dave Ingram
    @dmi
    4th November 2010

  5. Coming up
    • What is OAuth?
    • How do you write a Consumer in PHP?
    • What doesn’t OAuth do?
    • Thoughts on being a Provider

  6. What is OAuth anyway?

  7. A long time ago, in a website not far away. . .

  15. Connect!
    U:KittehLuvr
    P:hunter2
    U:KittehLuvr
    P:hunter2
    U:KittehLuvr
    P:hunter2
    O HAI TWITTER
    LOOK AT MAH
    KITTEH LOL!

  18. Full access
    Fragile
    Revoking is painful

  19. YOU REVEAL YOUR USERNAME AND PASSWORD

  22. Who uses it?

  34. Building a Consumer

  35. To sign requests, you need:
    Consumer key
    Consumer secret
    (Unique per application)
    +
    Access token
    Access secret
    (Unique per application user)

  36. Step 1: Register with the provider

  37. I would like my OAuth application to consume your service please, Mr. Provider.

  38. Certainly. I just need to take a few details from you, and we’ll be all set.

  39. OK. Here you go.

  40. Consumer key
    Consumer secret

  42. Step 2: Write your application
    Step 3: ??????
    Step 4: Profit!

  43. User / Consumer / Provider flow (slides 43 to 52)
    1. User clicks connect
    2. Consumer asks provider for request token
    3. Provider returns request token and request secret
    4. Consumer redirects user to provider
    5. User logs in/authorises app
    6. Provider redirects user back to app with verifier
    7. User’s arrival with verifier notifies app
    8. App then exchanges request token for access token
    9. Provider returns access token and access secret
    10. App makes request on user’s behalf

  55. Get request token
    session_start();
    // Create OAuth client object
    $o = new OAuth(
      MY_CONSUMER_KEY,
      MY_CONSUMER_SECRET,
      OAUTH_SIG_METHOD_HMACSHA1
    );
    // Fetch the request token
    $response = $o->getRequestToken(
      'https://api.twitter.com/oauth/request_token'
    );
    // Save for later exchange
    $_SESSION['req_token'] = $response['oauth_token'];
    $_SESSION['req_secret'] = $response['oauth_token_secret'];
    // Send user to provider's site (and stop: nothing after a redirect)
    header('Location: https://api.twitter.com/oauth/authorize'.
      '?oauth_token='.$response['oauth_token']);
    exit;

  58. Get access token
    session_start();
    // Create OAuth client object
    $o = new OAuth(
      MY_CONSUMER_KEY, MY_CONSUMER_SECRET,
      OAUTH_SIG_METHOD_HMACSHA1
    );
    // The token the provider sent back must be the one stored in step 1
    if (!isset($_GET['oauth_token'])
        || $_GET['oauth_token'] !== $_SESSION['req_token']) {
      die('Request token mismatch');
    }
    // Sign requests with the request token
    $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);
    // Exchange request for access token (verifier is read from $_GET automatically)
    $response = $o->getAccessToken(
      'https://api.twitter.com/oauth/access_token'
    );
    // Save access tokens for later use
    $current_user->saveTwitterTokens(
      $response['oauth_token'],
      $response['oauth_token_secret']
    );
    // The request token is single-use: discard it
    unset($_SESSION['req_token'], $_SESSION['req_secret']);
    header('Location: /twitter-link-ok');
    exit;

  59. Access token
    Access secret

  60. Make API requests
    // Create OAuth client object
    $o = new OAuth(
      MY_CONSUMER_KEY, MY_CONSUMER_SECRET,
      OAUTH_SIG_METHOD_HMACSHA1
    );
    // Sign requests with the access token
    $o->setToken(
      $current_user->getTwitterToken(),
      $current_user->getTwitterSecret()
    );
    $args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
    // fetch() signs the request with consumer + access credentials and sends it
    $o->fetch(
      'https://api.twitter.com/v1/statuses/update.json',
      $args,
      OAUTH_HTTP_METHOD_POST
    );
    $json = json_decode($o->getLastResponse());
    printf("Result: %s\n", print_r($json, true));

  61. What OAuth doesn’t do

  64. No proof of server identity (use TLS)
    No confidentiality (use TLS/SSL)
    No open-source consumer

  65. Thoughts on being a Provider

  69. Very easy to be a Consumer
    Many design decisions to make as a Provider
    A fair amount of work, and not always easy to change your mind
    For example. . .

  75. How large a range of timestamps do you allow?
    What permission granularity do you provide?
    What format and length are tokens/secrets?
    Do you identify actions as coming from particular consumers? (e.g. Twitter)
    What about attacks? Phishing, DoS, clickjacking, CSRF
    Beware proxying/caching (use the right headers!)
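
    The provider-side checks these questions point at (a bounded timestamp window, nonce replay rejection, and verifying the HMAC-SHA1 signature keyed with the consumer secret and access secret from slide 35), written as an added Python illustration of what "signing a request" means, not the talk's own code and not the PECL extension's API; the credential values, URL and signature-check order are assumptions chosen for the example.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):  # RFC 3986 percent-encoding: only unreserved characters stay bare
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # params holds every query/body/oauth_* parameter except oauth_signature
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer secret & token secret": the two pairs from slide 35
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Provider:
    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers  # consumer key -> consumer secret (assumed store)
        self.tokens = tokens        # access token -> (access secret, owning consumer key)
        self.window = window        # accepted clock skew in seconds: a provider design choice
        self.seen = set()           # (consumer key, timestamp, nonce) already accepted

    def check(self, method, url, params, now):
        p = dict(params)
        sig = p.pop("oauth_signature", None)
        ckey, tok = p.get("oauth_consumer_key"), p.get("oauth_token")
        if sig is None or ckey not in self.consumers or tok not in self.tokens:
            return "unknown credentials"
        tsecret, owner = self.tokens[tok]
        if owner != ckey:
            return "token not issued to this consumer"
        ts = p.get("oauth_timestamp", "")
        if not ts.isdigit() or abs(now - int(ts)) > self.window:
            return "timestamp missing or outside window"
        replay = (ckey, ts, p.get("oauth_nonce"))
        if replay in self.seen:
            return "nonce replayed"
        expected = sign(method, url, p, self.consumers[ckey], tsecret)
        if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant time
            return "bad signature"
        self.seen.add(replay)  # record the nonce only after the request verified
        return "ok"
```

    The same sign() is what a consumer runs before sending; the provider recomputes it from the received parameters, so any change to the URL, method or body after signing shows up as a signature mismatch.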

  76. Links
    OAuth Spec: http://oauth.net/
    Intro/tutorial: http://hueniverse.com/
    PECL extension: http://pecl.php.net/oauth/
    Me: http://twitter.com/dmi
    http://www.dmi.me.uk/talks/
    http://www.dmi.me.uk/code/php/
    Slides: http://slideshare.net/ingramd
