Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Intro to OAuth
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Frost
May 23, 2014
Technology
0
600
Intro to OAuth
Introduction to OAuth talk, given at PHP[tek] 2014
Frost
May 23, 2014
Tweet
Share
More Decks by Frost
See All by Frost
Mocking Dependencies in PHPUnit
mfrost503
0
390
Mocking Dependencies in PHPUnit
mfrost503
1
420
Other Decks in Technology
See All in Technology
Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf
riku_423
2
570
All About Sansan – for New Global Engineers
sansan33
PRO
1
1.3k
Azure Durable Functions で作った NL2SQL Agent の精度向上に取り組んだ話/jat08
thara0402
0
190
AI駆動開発を事業のコアに置く
tasukuonizawa
1
200
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
bwkw
3
940
量子クラウドサービスの裏側 〜Deep Dive into OQTOPUS〜
oqtopus
0
120
CDKで始めるTypeScript開発のススメ
tsukuboshi
1
430
日本の85%が使う公共SaaSは、どう育ったのか
taketakekaho
1
210
Data Hubグループ 紹介資料
sansan33
PRO
0
2.7k
仕様書駆動AI開発の実践: Issue→Skill→PRテンプレで 再現性を作る
knishioka
2
660
登壇駆動学習のすすめ — CfPのネタの見つけ方と書くときに意識していること
bicstone
3
110
会社紹介資料 / Sansan Company Profile
sansan33
PRO
15
400k
Featured
See All Featured
The SEO Collaboration Effect
kristinabergwall1
0
350
Visualization
eitanlees
150
17k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
konakalab
0
350
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3.1k
Groundhog Day: Seeking Process in Gaming for Health
codingconduct
0
93
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.3k
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
twada
PRO
117
110k
AI: The stuff that nobody shows you
jnunemaker
PRO
2
260
Practical Orchestrator
shlominoach
191
11k
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
0
2.3k
A Modern Web Designer's Workflow
chriscoyier
698
190k
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
techseoconnect
PRO
0
62
Transcript
Intro to OAuth Matt Frost @shrtwhitebldguy https://joind.in/10630
Who Am I? • Senior Engineer - Synacor • Author
• OSS Contributor • Mentoring Proponent • Podcast co-host
What is OAuth?
None
Tokens
Statelessness
Applications have tokens too
So what you’re saying is…
Yep!
Tokens can be stolen though
This is bad
Good news though!
There are different versions
Technically OAuth 1 is deprecated
Just like the mysql extension You’re probably going to run
into it at some point anyway….
So here’s the plan
None
OAuth 1.0 Client
So we need tokens, right?
Token Definitions
Consumer Tokens
Temporary Credentials
Access Tokens
Token Request Flow
Super simple right? https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
Let’s break this down, eh?
You need an application
Request the temporary tokens
If you signed it right…
You’ll have temporary credentials
You now use these to request Access Tokens
If you sign that request right…
You’ll have your actual Access Tokens!
You can store them in a session or database and
use them now!
Remember all that signing talk?
This is the hardest part…
Base String
<?php! ! $params = [! 'oauth_nonce' => $this->getNonce(),! ! 'oauth_callback'
=> $this->getCallback(),! ! 'oauth_signature_method' => $this->getSignatureMethod(),! ! 'oauth_timestamp' => time(),! ! 'oauth_consumer_key' => $this->getConsumerKey(),! ! 'oauth_token' => '',! ! 'oauth_version' => '1.0',! ];
HTTP Method and URI
Let’s see how this actually works
<?php! $httpMethod = 'POST';! $uri = ‘http://api.example.com/request_tokens';! ! $params =
[! 'oauth_nonce' => $this->getNonce(),! 'oauth_callback' => $this->getCallback(),! 'oauth_signature_method' => $this->getSignatureMethod(),! 'oauth_timestamp' => time(),! ‘oauth_consumer_key' => $this->getConsumerKey(),! 'oauth_token' => ‘',! 'oauth_version' => '1.0',! ];! ! $tempArray = [];! ksort($params);! foreach($params as $key => $value) {! ! $tempArray = $key . '=' . rawurlencode($value);! }! ! $baseString = $httpMethod . '&';! $baseString .= rawurlencode($uri) . '&';! $baseString .= implode('&', $tempArray);
Composite Key This is way easier…
Cram the 2 secrets together…
$consumer_secret = 'VERYSECRETZ';! $access_secret = 'SUCHSECURITY';! ! $composite_key = rawurlencode($consumer_secret)
.'&'. rawurlencode($access_secret);
Signing with HMAC-SHA1
$signature = base64_encode(hash_hmac(! ! 'sha1',! ! $baseString,! ! $compositeKey,! !
true! )); Here’s your signature!
There are other signature types but…
However…
None
Authorization Header
$params = [! 'oauth_nonce' => $this->getNonce(),! ! 'oauth_callback' => $this->getCallback(),!
! 'oauth_signature_method' => $this->getSignatureMethod(),! ! 'oauth_timestamp' => time(),! ! 'oauth_consumer_key' => $this->getConsumerKey(),! ! 'oauth_token' => '',! ! 'oauth_version' => '1.0',! ];! ! $params[‘oauth_signature’] = $signature; You probably remember this array?
$header = “Authorization: OAuth “;! $tempArray = [];! ! foreach($params
as $key => $value) {! $tempArray[] = $key . ‘=“‘. rawurlencode($value);! }! ! $header .= implode(‘,’, $tempArray);! We’ve seen similar code before…
Authorization: OAuth oauth_consumer_key="xxxxxxxxx", oauth_nonce="fklj2324kljfksjf234k", oauth_signature="8xJAdrE00wGH21w87P 6N%2F8c0XZfeo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399488541", oauth_token="xxxxxxxxx", oauth_version="1.0"
This is the final result
Whew! That was some work
OAuth 1.0 Server
Token Generation
Recreate the signature with the info you received
If they match, they win!
If not…
None
Access Control…
OAuth 2 Client
Good news!
No signatures
Must use SSL/TLS
Consumer Credentials
Access Token
Grants
Authorization Code Grant
Authorization example - Foursquare
http://foursquare.com/oauth2/authenticate? client_id=XXXXXXXXX&response_type=code&redirect_uri=htt p://oauth.dev/examples/Foursquare/callback.php
Token Request
http://oauth.dev/examples/ Foursquare/callback.php? code=<CODE>
https://foursquare.com/oauth2/access_token? client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET >&code=<CODE>&callback=http://oauth.dev/examples/ Foursquare/callback.php&grant_type=authorization_code
If you can use this, you should
Implicit Grant
http://foursquare.com/oauth2/authenticate? client_id=XXXXXXXXX&response_type=token&redirect_uri=ht tp://oauth.dev/examples/Foursquare/callback.php
Resource Owner Credentials Grant
Client Credentials Grant
Scopes
“Scopes” in OAuth 1
Scopes in OAuth 2
None
Important Note on Scopes
Provides an ACL Framework
Refresh Tokens
Same Scope
OAuth 2 Server
Issuing Tokens
Should I Support All The Grants?
Maybe…
Authorization/Implicit Grants
Storing Token Info
Scopes
Reading Tokens
Query String, Header, Both?
A Caution Against Rolling Your Own
RFCs OAuth 1 RFC 5849 - http://tools.ietf.org/html/rfc5849 OAuth 2 RFC
6749 - http://tools.ietf.org/html/rfc6749
Questions?
Thank you! Matt Frost @shrtwhitebldguy https://joind.in/10630