Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Intro to OAuth
Search
Frost
May 23, 2014
Technology
0
520
Intro to OAuth
Introduction to OAuth talk, given at PHP[tek] 2014
Frost
May 23, 2014
Tweet
Share
More Decks by Frost
See All by Frost
Mocking Dependencies in PHPUnit
mfrost503
0
340
Mocking Dependencies in PHPUnit
mfrost503
1
390
Other Decks in Technology
See All in Technology
【TiDB GAME DAY 2025】Shadowverse: Worlds Beyond にみる TiDB 活用術
cygames
0
910
新卒3年目の後悔〜機械学習モデルジョブの運用を頑張った話〜
kameitomohiro
0
400
PHP開発者のためのSOLID原則再入門 #phpcon / PHP Conference Japan 2025
shogogg
2
470
Definition of Done
kawaguti
PRO
6
470
生成AIでwebアプリケーションを作ってみた
tajimon
2
140
BigQuery Remote FunctionでLooker Studioをインタラクティブ化
cuebic9bic
2
230
20250625 Snowflake Summit 2025活用事例 レポート / Nowcast Snowflake Summit 2025 Case Study Report
kkuv
1
250
Snowflake Summit 2025全体振り返り / Snowflake Summit 2025 Overall Review
mtpooh
2
320
標準技術と独自システムで作る「つらくない」SaaS アカウント管理 / Effortless SaaS Account Management with Standard Technologies & Custom Systems
yuyatakeyama
2
1.1k
プロダクトエンジニアリング組織への歩み、その現在地 / Our journey to becoming a product engineering organization
hiro_torii
0
110
GeminiとNotebookLMによる金融実務の業務革新
abenben
0
180
解析の定理証明実践@Lean 4
dec9ue
0
130
Featured
See All Featured
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Documentation Writing (for coders)
carmenintech
71
4.9k
KATA
mclloyd
29
14k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
137
34k
Code Reviewing Like a Champion
maltzj
524
40k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
[RailsConf 2023] Rails as a piece of cake
palkan
55
5.6k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.3k
Unsuck your backbone
ammeep
671
58k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
The Cost Of JavaScript in 2023
addyosmani
51
8.4k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
490
Transcript
Intro to OAuth Matt Frost @shrtwhitebldguy https://joind.in/10630
Who Am I? • Senior Engineer - Synacor • Author
• OSS Contributor • Mentoring Proponent • Podcast co-host
What is OAuth?
None
Tokens
Statelessness
Applications have tokens too
So what you’re saying is…
Yep!
Tokens can be stolen though
This is bad
Good news though!
There are different versions
Technically OAuth 1 is deprecated
Just like the mysql extension You’re probably going to run
into it at some point anyway….
So here’s the plan
None
OAuth 1.0 Client
So we need tokens, right?
Token Definitions
Consumer Tokens
Temporary Credentials
Access Tokens
Token Request Flow
Super simple right? https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
Let’s break this down, eh?
You need an application
Request the temporary tokens
If you signed it right…
You’ll have temporary credentials
You now use these to request Access Tokens
If you sign that request right…
You’ll have your actual Access Tokens!
You can store them in a session or database and
use them now!
Remember all that signing talk?
This is the hardest part…
Base String
<?php! ! $params = [! 'oauth_nonce' => $this->getNonce(),! ! 'oauth_callback'
=> $this->getCallback(),! ! 'oauth_signature_method' => $this->getSignatureMethod(),! ! 'oauth_timestamp' => time(),! ! 'oauth_consumer_key' => $this->getConsumerKey(),! ! 'oauth_token' => '',! ! 'oauth_version' => '1.0',! ];
HTTP Method and URI
Let’s see how this actually works
<?php! $httpMethod = 'POST';! $uri = ‘http://api.example.com/request_tokens';! ! $params =
[! 'oauth_nonce' => $this->getNonce(),! 'oauth_callback' => $this->getCallback(),! 'oauth_signature_method' => $this->getSignatureMethod(),! 'oauth_timestamp' => time(),! ‘oauth_consumer_key' => $this->getConsumerKey(),! 'oauth_token' => ‘',! 'oauth_version' => '1.0',! ];! ! $tempArray = [];! ksort($params);! foreach($params as $key => $value) {! ! $tempArray = $key . '=' . rawurlencode($value);! }! ! $baseString = $httpMethod . '&';! $baseString .= rawurlencode($uri) . '&';! $baseString .= implode('&', $tempArray);
Composite Key This is way easier…
Cram the 2 secrets together…
$consumer_secret = 'VERYSECRETZ';! $access_secret = 'SUCHSECURITY';! ! $composite_key = rawurlencode($consumer_secret)
.'&'. rawurlencode($access_secret);
Signing with HMAC-SHA1
$signature = base64_encode(hash_hmac(! ! 'sha1',! ! $baseString,! ! $compositeKey,! !
true! )); Here’s your signature!
There are other signature types but…
However…
None
Authorization Header
$params = [! 'oauth_nonce' => $this->getNonce(),! ! 'oauth_callback' => $this->getCallback(),!
! 'oauth_signature_method' => $this->getSignatureMethod(),! ! 'oauth_timestamp' => time(),! ! 'oauth_consumer_key' => $this->getConsumerKey(),! ! 'oauth_token' => '',! ! 'oauth_version' => '1.0',! ];! ! $params[‘oauth_signature’] = $signature; You probably remember this array?
$header = “Authorization: OAuth “;! $tempArray = [];! ! foreach($params
as $key => $value) {! $tempArray[] = $key . ‘=“‘. rawurlencode($value);! }! ! $header .= implode(‘,’, $tempArray);! We’ve seen similar code before…
Authorization: OAuth oauth_consumer_key="xxxxxxxxx", oauth_nonce="fklj2324kljfksjf234k", oauth_signature="8xJAdrE00wGH21w87P 6N%2F8c0XZfeo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399488541", oauth_token="xxxxxxxxx", oauth_version="1.0"
This is the final result
Whew! That was some work
OAuth 1.0 Server
Token Generation
Recreate the signature with the info you received
If they match, they win!
If not…
None
Access Control…
OAuth 2 Client
Good news!
No signatures
Must use SSL/TLS
Consumer Credentials
Access Token
Grants
Authorization Code Grant
Authorization example - Foursquare
http://foursquare.com/oauth2/authenticate? client_id=XXXXXXXXX&response_type=code&redirect_uri=htt p://oauth.dev/examples/Foursquare/callback.php
Token Request
http://oauth.dev/examples/ Foursquare/callback.php? code=<CODE>
https://foursquare.com/oauth2/access_token? client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET >&code=<CODE>&callback=http://oauth.dev/examples/ Foursquare/callback.php&grant_type=authorization_code
If you can use this, you should
Implicit Grant
http://foursquare.com/oauth2/authenticate? client_id=XXXXXXXXX&response_type=token&redirect_uri=ht tp://oauth.dev/examples/Foursquare/callback.php
Resource Owner Credentials Grant
Client Credentials Grant
Scopes
“Scopes” in OAuth 1
Scopes in OAuth 2
None
Important Note on Scopes
Provides an ACL Framework
Refresh Tokens
Same Scope
OAuth 2 Server
Issuing Tokens
Should I Support All The Grants?
Maybe…
Authorization/Implicit Grants
Storing Token Info
Scopes
Reading Tokens
Query String, Header, Both?
A Caution Against Rolling Your Own
RFCs OAuth 1 RFC 5849 - http://tools.ietf.org/html/rfc5849 OAuth 2 RFC
6749 - http://tools.ietf.org/html/rfc6749
Questions?
Thank you! Matt Frost @shrtwhitebldguy https://joind.in/10630