Intro to OAuth

Frost
May 23, 2014

Introduction to OAuth talk, given at PHP[tek] 2014

Transcript

  1. Intro to OAuth Matt Frost @shrtwhitebldguy https://joind.in/10630

  2. Who Am I? • Senior Engineer - Synacor • Author • OSS Contributor • Mentoring Proponent • Podcast co-host
  3. What is OAuth?

  4. None
  5. Tokens

  6. Statelessness

  7. Applications have tokens too

  8. So what you’re saying is…

  9. Yep!

  10. Tokens can be stolen though

  11. This is bad

  12. Good news though!

  13. There are different versions

  14. Technically OAuth 1 is deprecated

  15. Just like the mysql extension, you’re probably going to run into it at some point anyway…
  16. So here’s the plan

  17. None
  18. OAuth 1.0 Client

  19. So we need tokens, right?

  20. Token Definitions

  21. Consumer Tokens

  22. Temporary Credentials

  23. Access Tokens

  24. Token Request Flow

  25. Super simple right? https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html

  26. Let’s break this down, eh?

  27. You need an application

  28. Request the temporary tokens

  29. If you signed it right…

  30. You’ll have temporary credentials

  31. You now use these to request Access Tokens

  32. If you sign that request right…

  33. You’ll have your actual Access Tokens!

  34. You can store them in a session or database and use them now!
  35. Remember all that signing talk?

  36. This is the hardest part…

  37. Base String

  38. <?php
    // Protocol parameters that go into the signature base string.
    // oauth_signature is computed from these and is never itself part of the base string.
    $params = [
        'oauth_nonce'            => $this->getNonce(),
        'oauth_callback'         => $this->getCallback(),
        'oauth_signature_method' => $this->getSignatureMethod(),
        'oauth_timestamp'        => time(),
        'oauth_consumer_key'     => $this->getConsumerKey(),
        'oauth_token'            => '',    // no token yet when requesting temporary credentials
        'oauth_version'          => '1.0',
    ];
  39. HTTP Method and URI

  40. Let’s see how this actually works

  41. <?php
    $httpMethod = 'POST';
    $uri = 'http://api.example.com/request_tokens';

    $params = [
        'oauth_nonce'            => $this->getNonce(),
        'oauth_callback'         => $this->getCallback(),
        'oauth_signature_method' => $this->getSignatureMethod(),
        'oauth_timestamp'        => time(),
        'oauth_consumer_key'     => $this->getConsumerKey(),
        'oauth_token'            => '',    // empty for the temporary credential request
        'oauth_version'          => '1.0',
    ];

    // Normalize the parameters: percent-encode every key and value (rawurlencode is
    // RFC 3986 encoding, which is what RFC 5849 asks for), sort by key, and append
    // each key=value pair to the list (note the [] - assigning would keep only the last one).
    $tempArray = [];
    ksort($params, SORT_STRING);
    foreach ($params as $key => $value) {
        $tempArray[] = rawurlencode($key) . '=' . rawurlencode($value);
    }

    // Base string = METHOD & encoded(URI) & encoded(parameter string).
    // The joined parameter string is encoded once more, so the pairs end up
    // double-encoded; that is what RFC 5849 §3.4.1 requires and what the server recomputes.
    $baseString  = $httpMethod . '&';
    $baseString .= rawurlencode($uri) . '&';
    $baseString .= rawurlencode(implode('&', $tempArray));
  42. Composite Key This is way easier…

  43. Cram the 2 secrets together…

  44. $consumer_secret = 'VERYSECRETZ';
    $access_secret   = 'SUCHSECURITY';   // empty string until you actually hold a token secret

    // Composite key: each secret percent-encoded, joined with '&'.
    // Keep the '&' even when the token secret is empty ("VERYSECRETZ&").
    $compositeKey = rawurlencode($consumer_secret) . '&' . rawurlencode($access_secret);
  45. Signing with HMAC-SHA1

  46. // Raw (binary) HMAC-SHA1 output, then base64: that is the oauth_signature value.
    $signature = base64_encode(hash_hmac(
        'sha1',
        $baseString,
        $compositeKey,
        true
    ));
    Here’s your signature!
  47. There are other signature types but…

  48. However…

  49. None
  50. Authorization Header

  51. $params = [
        'oauth_nonce'            => $this->getNonce(),
        'oauth_callback'         => $this->getCallback(),
        'oauth_signature_method' => $this->getSignatureMethod(),
        'oauth_timestamp'        => time(),
        'oauth_consumer_key'     => $this->getConsumerKey(),
        'oauth_token'            => '',
        'oauth_version'          => '1.0',
    ];

    // The header must carry exactly the values that were signed (same nonce, same
    // timestamp), so in practice reuse the array from the base string step.
    $params['oauth_signature'] = $signature;
    You probably remember this array?
  52. $header = 'Authorization: OAuth ';
    $tempArray = [];

    // Each parameter becomes key="percent-encoded value"; the closing quote is required.
    foreach ($params as $key => $value) {
        $tempArray[] = rawurlencode($key) . '="' . rawurlencode($value) . '"';
    }

    $header .= implode(', ', $tempArray);
    We’ve seen similar code before…
  53. Authorization: OAuth oauth_consumer_key="xxxxxxxxx", oauth_nonce="fklj2324kljfksjf234k", oauth_signature="8xJAdrE00wGH21w87P6N%2F8c0XZfeo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399488541", oauth_token="xxxxxxxxx", oauth_version="1.0"

    This is the final result
  54. Whew! That was some work

  55. OAuth 1.0 Server

  56. Token Generation

  57. Recreate the signature with the info you received

  58. If they match, they win!

  59. If not…

  60. None
  61. Access Control…
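  The client-side signing procedure from slides 37 to 53 and the server-side check from slides 57 and 58, as one added example that is not the deck's code. It implements RFC 5849 HMAC-SHA1 signing (base string, composite key, signature, Authorization header) and the server's recompute-and-compare, with the two checks a server also needs: a timestamp window and a nonce replay cache. The client side is checked against the HMAC-SHA1 test vector in Appendix A of the OAuth Core 1.0 specification; the secrets lookup callback and the nonce cache are hypothetical in-memory stand-ins for a database.

```php
<?php
// Added example, not code from the deck: OAuth 1.0 HMAC-SHA1 per RFC 5849 on both sides.
// Client: base string, composite key, signature, Authorization header. Server: recompute
// and compare, plus timestamp window and nonce replay check. The secrets lookup and the
// nonce cache are hypothetical in-memory stand-ins for a database.
declare(strict_types=1);

// RFC 5849 §3.4.1.2: lowercase scheme and host, drop default port, drop query and fragment.
function oauthBaseUri(string $url): string
{
    $p = parse_url($url);
    $scheme = strtolower($p['scheme']);
    $port = $p['port'] ?? null;
    $default = ($scheme === 'http' && $port === 80) || ($scheme === 'https' && $port === 443);
    return $scheme . '://' . strtolower($p['host'])
        . ($port !== null && !$default ? ':' . $port : '') . ($p['path'] ?? '/');
}

// §3.4.1: METHOD & encoded(base URI) & encoded(parameter string). Keys and values are
// percent-encoded (rawurlencode is RFC 3986 encoding), sorted by key then value, joined with
// '&', then the whole string is encoded once more. $params = oauth_* parameters plus query
// and form-body parameters, never oauth_signature itself.
function oauthBaseString(string $method, string $baseUri, array $params): string
{
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = [rawurlencode((string) $k), rawurlencode((string) $v)];
    }
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $joined = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
    return strtoupper($method) . '&' . rawurlencode($baseUri) . '&' . rawurlencode($joined);
}

// §3.4.2: composite key; the token secret is '' for the temporary credential request.
function oauthSign(string $baseString, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

// §3.5.1: only oauth_* parameters go in the header, each as key="encoded value".
function oauthAuthorizationHeader(array $params): string
{
    $parts = [];
    foreach ($params as $k => $v) {
        if (strncmp((string) $k, 'oauth_', 6) !== 0) continue;
        $parts[] = rawurlencode((string) $k) . '="' . rawurlencode((string) $v) . '"';
    }
    return 'OAuth ' . implode(', ', $parts);
}

function oauthParseHeader(string $header): array
{
    if (!preg_match('/^OAuth\s+(.+)$/is', trim($header), $m)) return [];
    $params = [];
    foreach (preg_split('/,\s*/', $m[1]) as $part) {
        if (preg_match('/^([^=]+)="([^"]*)"$/', trim($part), $kv) && $kv[1] !== 'realm') {
            $params[rawurldecode($kv[1])] = rawurldecode($kv[2]);
        }
    }
    return $params;
}

// Server side. $lookupSecrets($consumerKey, $token) returns [consumerSecret, tokenSecret] or
// null. The nonce is recorded only after a successful check; hash_equals is constant-time.
function oauthVerify(string $method, string $url, array $body, string $header,
                     callable $lookupSecrets, array &$seenNonces, int $now, int $window = 300): bool
{
    $hp = oauthParseHeader($header);
    foreach (['oauth_consumer_key', 'oauth_signature', 'oauth_timestamp', 'oauth_nonce'] as $r) {
        if (!isset($hp[$r])) return false;
    }
    if (($hp['oauth_signature_method'] ?? '') !== 'HMAC-SHA1') return false;
    if (abs($now - (int) $hp['oauth_timestamp']) > $window) return false;   // stale request
    $nonceKey = $hp['oauth_consumer_key'] . '|' . $hp['oauth_timestamp'] . '|' . $hp['oauth_nonce'];
    if (isset($seenNonces[$nonceKey])) return false;                         // replayed request
    $secrets = $lookupSecrets($hp['oauth_consumer_key'], $hp['oauth_token'] ?? '');
    if ($secrets === null) return false;
    $provided = $hp['oauth_signature'];
    unset($hp['oauth_signature']);
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    $base = oauthBaseString($method, oauthBaseUri($url), $query + $body + $hp);
    if (!hash_equals(oauthSign($base, $secrets[0], $secrets[1]), $provided)) return false;
    $seenNonces[$nonceKey] = true;
    return true;
}

// Client: the HMAC-SHA1 test vector from Appendix A of the OAuth Core 1.0 spec.
$consumerKey = 'dpf43f3p2l4k3l03'; $consumerSecret = 'kd94hf93k423kf44';
$token = 'nnch734d00sl2jdk';       $tokenSecret = 'pfkkdhi9sl3r4s00';
$url = 'http://photos.example.net/photos?file=vacation.jpg&size=original';
$oauth = [
    'oauth_consumer_key' => $consumerKey, 'oauth_token' => $token,
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1191242096',
    'oauth_nonce' => 'kllo9940pd9333jh', 'oauth_version' => '1.0',
];
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
$oauth['oauth_signature'] = oauthSign(
    oauthBaseString('GET', oauthBaseUri($url), $query + $oauth), $consumerSecret, $tokenSecret);
if ($oauth['oauth_signature'] !== 'tR3+Ty81lMeYAr/Fid0kMTYa/WM=') {
    throw new RuntimeException('signature does not match the spec test vector');
}
$header = oauthAuthorizationHeader($oauth);

// Server: the request verifies once; presenting the identical header again is refused.
$seen = [];
$lookup = fn(string $ck, string $t) =>
    ($ck === $consumerKey && $t === $token) ? [$consumerSecret, $tokenSecret] : null;
$accepted = oauthVerify('GET', $url, [], $header, $lookup, $seen, 1191242096 + 5);
$replayed = oauthVerify('GET', $url, [], $header, $lookup, $seen, 1191242096 + 5);
```

  Two things differ from the slide code and matter for interoperability: the parameter string is percent-encoded a second time after joining, and parameters are sorted by encoded key and then value rather than by the raw key. On the server, the order of checks is deliberate: timestamp and nonce are cheap and reject replays before any secret is fetched, the comparison uses hash_equals so a wrong signature is not distinguishable by timing, and the nonce is stored only after the signature passes so a forged request cannot burn a legitimate nonce.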

  62. OAuth 2 Client

  63. Good news!

  64. No signatures

  65. Must use SSL/TLS

  66. Consumer Credentials

  67. Access Token

  68. Grants

  69. Authorization Code Grant

  70. Authorization example - Foursquare

  71. http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=code&redirect_uri=http://oauth.dev/examples/Foursquare/callback.php

  72. Token Request

  73. http://oauth.dev/examples/Foursquare/callback.php?code=<CODE>

  74. https://foursquare.com/oauth2/access_token?client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&code=<CODE>&callback=http://oauth.dev/examples/Foursquare/callback.php&grant_type=authorization_code

  75. If you can use this, you should
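  The Authorization Code grant of slides 69 to 75, as an added example rather than the deck's code. It adds the two things the slide URLs leave out: a random state value bound to the session and checked on the callback (RFC 6749 §10.12), and a token request sent as a POST with the client secret in an HTTP Basic header (§3.2 and §2.3.1) rather than in a query string where it ends up in access logs and browser history. The provider endpoints, the session array and every value in the walk-through are hypothetical.

```php
<?php
// Added example, not code from the deck: the client side of the Authorization Code grant
// (RFC 6749 §4.1) with a session-bound `state` and a POST token request that sends the
// client secret in an HTTP Basic header. Endpoints, session and values are hypothetical.
declare(strict_types=1);

const AUTHORIZE_ENDPOINT = 'https://provider.example/oauth2/authorize';
const TOKEN_ENDPOINT     = 'https://provider.example/oauth2/token';

// Step 1: the redirect. `state` is fresh per attempt and stored in the session; the
// callback is trusted only if it comes back unchanged (§10.12, CSRF on the redirect URI).
function buildAuthorizationUrl(array &$session, string $clientId, string $redirectUri, string $scope): string
{
    $session['oauth2_state'] = bin2hex(random_bytes(16));
    return AUTHORIZE_ENDPOINT . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => $scope,
        'state'         => $session['oauth2_state'],
    ], '', '&', PHP_QUERY_RFC3986);
}

// Step 2: the callback. Consume the stored state (single use), require an exact,
// constant-time match, then hand back the code. Null means "stop here".
function readCallbackCode(array &$session, array $query): ?string
{
    $expected = $session['oauth2_state'] ?? null;
    unset($session['oauth2_state']);
    if ($expected === null || !isset($query['state'])
        || !hash_equals($expected, (string) $query['state'])) {
        return null;                                   // not a response to our request
    }
    if (isset($query['error']) || !isset($query['code'])) {
        return null;                                   // e.g. error=access_denied
    }
    return (string) $query['code'];
}

// Step 3: the exchange. §3.2 requires POST; §2.3.1 authenticates the client with HTTP
// Basic, so the secret never appears in a URL, an access log or a Referer header.
function buildTokenRequest(string $clientId, string $clientSecret, string $code, string $redirectUri): array
{
    return [
        'method'  => 'POST',
        'url'     => TOKEN_ENDPOINT,
        'headers' => [
            'Authorization: Basic ' . base64_encode(rawurlencode($clientId) . ':' . rawurlencode($clientSecret)),
            'Content-Type: application/x-www-form-urlencoded',
            'Accept: application/json',
        ],
        'body'    => http_build_query([
            'grant_type'   => 'authorization_code',
            'code'         => $code,
            'redirect_uri' => $redirectUri,            // must match step 1 exactly
        ], '', '&', PHP_QUERY_RFC3986),
    ];
}

// Step 4: the §5.1 response. Accept only bearer tokens and convert the relative
// expires_in into an absolute time so whatever stores the token can check it.
function parseTokenResponse(string $json, int $now): ?array
{
    $r = json_decode($json, true);
    if (!is_array($r) || !isset($r['access_token'])
        || strcasecmp((string) ($r['token_type'] ?? ''), 'bearer') !== 0) {
        return null;
    }
    return [
        'access_token'  => (string) $r['access_token'],
        'refresh_token' => isset($r['refresh_token']) ? (string) $r['refresh_token'] : null,
        'scope'         => isset($r['scope']) ? explode(' ', (string) $r['scope']) : [],
        'expires_at'    => isset($r['expires_in']) ? $now + (int) $r['expires_in'] : null,
    ];
}

// Walk-through with constructed values; nothing here touches the network.
$session = [];
$authUrl = buildAuthorizationUrl($session, 'XXXXXXXXX', 'https://app.example/callback', 'read');
$issuedState = $session['oauth2_state'];

// A callback carrying someone else's code and a guessed state: rejected, and the stored
// state is consumed, so the same session cannot simply be retried.
$forged = readCallbackCode($session, ['code' => 'attacker-code', 'state' => 'guess']);

// The genuine callback (state re-armed here only because the forged attempt consumed it).
$session['oauth2_state'] = $issuedState;
$code = readCallbackCode($session, ['code' => 'SplxlOBeZQQYbYS6WxSbIA', 'state' => $issuedState]);
$request = buildTokenRequest('XXXXXXXXX', 'client-secret-from-config', (string) $code,
                             'https://app.example/callback');

// Token endpoint reply, constructed in the shape of the RFC 6749 §5.1 example.
$tokens = parseTokenResponse('{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"Bearer",'
    . '"expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA","scope":"read"}', time());
```

  The request array from buildTokenRequest is what you hand to curl or an HTTP client; it is kept as data here so the example runs offline. The state check is what stops an attacker from completing the flow in a victim's browser with the attacker's own authorization code, which is why the stored value is consumed whether or not the comparison succeeds.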

  76. Implicit Grant

  77. http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=token&redirect_uri=http://oauth.dev/examples/Foursquare/callback.php

  78. Resource Owner Credentials Grant

  79. Client Credentials Grant

  80. Scopes

  81. “Scopes” in OAuth 1

  82. Scopes in OAuth 2

  83. None
  84. Important Note on Scopes

  85. Provides an ACL Framework

  86. Refresh Tokens

  87. Same Scope

  88. OAuth 2 Server

  89. Issuing Tokens

  90. Should I Support All The Grants?

  91. Maybe…

  92. Authorization/Implicit Grants

  93. Storing Token Info

  94. Scopes

  95. Reading Tokens

  96. Query String, Header, Both?
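  The resource-server side of slides 84 to 96 (scopes as an ACL, the same-scope rule for refreshes, storing token info, and reading the token from the query string or the header), as an added example rather than the deck's code. It follows RFC 6750: the token is read from the Authorization header only, a token in the query string is refused rather than silently accepted, and failures produce the WWW-Authenticate challenge. The token store is a constructed in-memory array standing in for a database, and tokens are stored as SHA-256 digests so a copied table does not hand out usable bearer tokens. The refresh helper treats the old token's record as the grant being refreshed, a simplification labelled in the code.

```php
<?php
// Added example, not code from the deck: resource-server checks for OAuth 2 bearer tokens
// (RFC 6750) with scope enforcement and the same-scope refresh rule (RFC 6749 §6).
// The token store is a constructed in-memory array; tokens are kept as SHA-256 digests.
declare(strict_types=1);

// Only the header form (§2.1) is accepted. A token in the query string (§2.3) ends up in
// access logs, proxies and Referer headers, so its presence is an error, not a fallback.
function readBearerToken(array $headers, array $query): ?string
{
    if (isset($query['access_token'])) return null;
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0
            && preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/', trim($value), $m)) {
            return $m[1];
        }
    }
    return null;
}

// Store the digest, not the token itself.
function tokenKey(string $token): string
{
    return hash('sha256', $token);
}

function issueToken(array &$store, string $clientId, string $userId, array $scopes, int $now, int $ttl = 3600): string
{
    $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');   // 256-bit, URL-safe
    $store[tokenKey($token)] = [
        'client_id' => $clientId, 'user_id' => $userId,
        'scopes' => $scopes, 'expires_at' => $now + $ttl,
    ];
    return $token;
}

// The ACL check: every scope the endpoint needs must be in the token's scope list.
// Returns ['ok' => true, 'record' => ...] or the RFC 6750 error code plus HTTP status.
function authorize(array $store, array $headers, array $query, array $requiredScopes, int $now): array
{
    $token = readBearerToken($headers, $query);
    if ($token === null) {
        return ['ok' => false, 'status' => 401, 'error' => 'invalid_request'];
    }
    $record = $store[tokenKey($token)] ?? null;
    if ($record === null || $record['expires_at'] <= $now) {
        return ['ok' => false, 'status' => 401, 'error' => 'invalid_token'];
    }
    if (array_diff($requiredScopes, $record['scopes']) !== []) {
        return ['ok' => false, 'status' => 403, 'error' => 'insufficient_scope'];
    }
    return ['ok' => true, 'record' => $record];
}

// RFC 6750 §3 challenge for a failed check; insufficient_scope also names what was needed.
function challengeHeader(array $result, string $realm, array $requiredScopes): string
{
    $h = sprintf('WWW-Authenticate: Bearer realm="%s", error="%s"', $realm, $result['error']);
    if ($result['error'] === 'insufficient_scope') {
        $h .= sprintf(', scope="%s"', implode(' ', $requiredScopes));
    }
    return $h;
}

// Same-scope rule (RFC 6749 §6): a refresh may keep the original scope or narrow it, never
// widen it. Simplification: the old access token's record stands in for the grant.
function refreshToken(array &$store, string $oldToken, array $requestedScopes, int $now): ?string
{
    $record = $store[tokenKey($oldToken)] ?? null;
    if ($record === null) return null;
    $scopes = $requestedScopes === [] ? $record['scopes'] : $requestedScopes;
    if (array_diff($scopes, $record['scopes']) !== []) return null;          // escalation attempt
    unset($store[tokenKey($oldToken)]);                                     // rotate: old token dies
    return issueToken($store, $record['client_id'], $record['user_id'], $scopes, $now);
}

// Walk-through with constructed requests.
$store = [];
$now = 1400000000;
$token = issueToken($store, 'XXXXXXXXX', 'user42', ['read'], $now);
$headers = ['Authorization' => 'Bearer ' . $token];

$allowed   = authorize($store, $headers, [], ['read'], $now);               // scope matches
$noScope   = authorize($store, $headers, [], ['write'], $now);              // endpoint needs 'write'
$inQuery   = authorize($store, [], ['access_token' => $token], ['read'], $now); // token sent in the URL
$expired   = authorize($store, $headers, [], ['read'], $now + 7200);        // past expires_at
$escalated = refreshToken($store, $token, ['read', 'write'], $now);         // asks for more than granted
$narrowed  = refreshToken($store, $token, ['read'], $now);                  // same scope, old token revoked
echo challengeHeader($noScope, 'api.example', ['write']), "\n";
```

  Only the first call passes; the others return the 401/403 results with the error codes a client can act on, and the escalating refresh returns null. Refusing the query-string form outright, instead of accepting both as slide 96 asks, is the choice to make for a new server: once clients are allowed to put tokens in URLs, every log and analytics pipeline downstream becomes a token store.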

  97. A Caution Against Rolling Your Own

  98. RFCs: OAuth 1 - RFC 5849 - http://tools.ietf.org/html/rfc5849; OAuth 2 - RFC 6749 - http://tools.ietf.org/html/rfc6749
  99. Questions?

  100. Thank you! Matt Frost @shrtwhitebldguy https://joind.in/10630