Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Intro to OAuth
Search
Frost
May 23, 2014
Technology
0
530
Intro to OAuth
Introduction to OAuth talk, given at PHP[tek] 2014
Frost
May 23, 2014
Tweet
Share
More Decks by Frost
See All by Frost
Mocking Dependencies in PHPUnit
mfrost503
0
360
Mocking Dependencies in PHPUnit
mfrost503
1
400
Other Decks in Technology
See All in Technology
DDD集約とサービスコンテキスト境界との関係性
pandayumi
3
280
サンドボックス技術でAI利活用を促進する
koh_naga
0
200
生成AI時代のデータ基盤設計〜ペースレイヤリングで実現する高速開発と持続性〜 / Levtech Meetup_Session_2
sansan_randd
1
150
Automating Web Accessibility Testing with AI Agents
maminami373
0
1.2k
DevIO2025_継続的なサービス開発のための技術的意思決定のポイント / how-to-tech-decision-makaing-devio2025
nologyance
1
390
COVESA VSSによる車両データモデルの標準化とAWS IoT FleetWiseの活用
osawa
1
280
生成AIでセキュリティ運用を効率化する話
sakaitakeshi
0
670
職種の壁を溶かして開発サイクルを高速に回す~情報透明性と職種越境から考えるAIフレンドリーな職種間連携~
daitasu
0
160
新アイテムをどう使っていくか?みんなであーだこーだ言ってみよう / 20250911-rpi-jam-tokyo
akkiesoft
0
250
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
8.7k
大「個人開発サービス」時代に僕たちはどう生きるか
sotarok
20
9.9k
LLMを搭載したプロダクトの品質保証の模索と学び
qa
0
1k
Featured
See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Optimising Largest Contentful Paint
csswizardry
37
3.4k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Designing Experiences People Love
moore
142
24k
Being A Developer After 40
akosma
90
590k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Statistics for Hackers
jakevdp
799
220k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
46
7.6k
GitHub's CSS Performance
jonrohan
1032
460k
The Invisible Side of Design
smashingmag
301
51k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Transcript
Intro to OAuth Matt Frost @shrtwhitebldguy https://joind.in/10630
Who Am I? • Senior Engineer - Synacor • Author
• OSS Contributor • Mentoring Proponent • Podcast co-host
What is OAuth?
None
Tokens
Statelessness
Applications have tokens too
So what you’re saying is…
Yep!
Tokens can be stolen though
This is bad
Good news though!
There are different versions
Technically OAuth 1 is deprecated
Just like the mysql extension You’re probably going to run
into it at some point anyway….
So here’s the plan
None
OAuth 1.0 Client
So we need tokens, right?
Token Definitions
Consumer Tokens
Temporary Credentials
Access Tokens
Token Request Flow
Super simple right? https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
Let’s break this down, eh?
You need an application
Request the temporary tokens
If you signed it right…
You’ll have temporary credentials
You now use these to request Access Tokens
If you sign that request right…
You’ll have your actual Access Tokens!
You can store them in a session or database and
use them now!
Remember all that signing talk?
This is the hardest part…
Base String
<?php! ! $params = [! 'oauth_nonce' => $this->getNonce(),! ! 'oauth_callback'
=> $this->getCallback(),! ! 'oauth_signature_method' => $this->getSignatureMethod(),! ! 'oauth_timestamp' => time(),! ! 'oauth_consumer_key' => $this->getConsumerKey(),! ! 'oauth_token' => '',! ! 'oauth_version' => '1.0',! ];
HTTP Method and URI
Let’s see how this actually works
<?php! $httpMethod = 'POST';! $uri = ‘http://api.example.com/request_tokens';! ! $params =
[! 'oauth_nonce' => $this->getNonce(),! 'oauth_callback' => $this->getCallback(),! 'oauth_signature_method' => $this->getSignatureMethod(),! 'oauth_timestamp' => time(),! ‘oauth_consumer_key' => $this->getConsumerKey(),! 'oauth_token' => ‘',! 'oauth_version' => '1.0',! ];! ! $tempArray = [];! ksort($params);! foreach($params as $key => $value) {! ! $tempArray = $key . '=' . rawurlencode($value);! }! ! $baseString = $httpMethod . '&';! $baseString .= rawurlencode($uri) . '&';! $baseString .= implode('&', $tempArray);
Composite Key This is way easier…
Cram the 2 secrets together…
$consumer_secret = 'VERYSECRETZ';! $access_secret = 'SUCHSECURITY';! ! $composite_key = rawurlencode($consumer_secret)
.'&'. rawurlencode($access_secret);
Signing with HMAC-SHA1
$signature = base64_encode(hash_hmac(! ! 'sha1',! ! $baseString,! ! $compositeKey,! !
true! )); Here’s your signature!
There are other signature types but…
However…
None
Authorization Header
$params = [! 'oauth_nonce' => $this->getNonce(),! ! 'oauth_callback' => $this->getCallback(),!
! 'oauth_signature_method' => $this->getSignatureMethod(),! ! 'oauth_timestamp' => time(),! ! 'oauth_consumer_key' => $this->getConsumerKey(),! ! 'oauth_token' => '',! ! 'oauth_version' => '1.0',! ];! ! $params[‘oauth_signature’] = $signature; You probably remember this array?
$header = “Authorization: OAuth “;! $tempArray = [];! ! foreach($params
as $key => $value) {! $tempArray[] = $key . ‘=“‘. rawurlencode($value);! }! ! $header .= implode(‘,’, $tempArray);! We’ve seen similar code before…
Authorization: OAuth oauth_consumer_key="xxxxxxxxx", oauth_nonce="fklj2324kljfksjf234k", oauth_signature="8xJAdrE00wGH21w87P 6N%2F8c0XZfeo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399488541", oauth_token="xxxxxxxxx", oauth_version="1.0"
This is the final result
Whew! That was some work
OAuth 1.0 Server
Token Generation
Recreate the signature with the info you received
If they match, they win!
If not…
None
Access Control…
OAuth 2 Client
Good news!
No signatures
Must use SSL/TLS
Consumer Credentials
Access Token
Grants
Authorization Code Grant
Authorization example - Foursquare
http://foursquare.com/oauth2/authenticate? client_id=XXXXXXXXX&response_type=code&redirect_uri=htt p://oauth.dev/examples/Foursquare/callback.php
Token Request
http://oauth.dev/examples/ Foursquare/callback.php? code=<CODE>
https://foursquare.com/oauth2/access_token? client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET >&code=<CODE>&callback=http://oauth.dev/examples/ Foursquare/callback.php&grant_type=authorization_code
If you can use this, you should
Implicit Grant
http://foursquare.com/oauth2/authenticate? client_id=XXXXXXXXX&response_type=token&redirect_uri=ht tp://oauth.dev/examples/Foursquare/callback.php
Resource Owner Credentials Grant
Client Credentials Grant
Scopes
“Scopes” in OAuth 1
Scopes in OAuth 2
None
Important Note on Scopes
Provides an ACL Framework
Refresh Tokens
Same Scope
OAuth 2 Server
Issuing Tokens
Should I Support All The Grants?
Maybe…
Authorization/Implicit Grants
Storing Token Info
Scopes
Reading Tokens
Query String, Header, Both?
A Caution Against Rolling Your Own
RFCs OAuth 1 RFC 5849 - http://tools.ietf.org/html/rfc5849 OAuth 2 RFC
6749 - http://tools.ietf.org/html/rfc6749
Questions?
Thank you! Matt Frost @shrtwhitebldguy https://joind.in/10630