Intro to OAuth

Frost
May 23, 2014

Introduction to OAuth talk, given at PHP[tek] 2014

Transcript

  1. Intro to OAuth
    Matt Frost
    @shrtwhitebldguy
    https://joind.in/10630

  2. Who Am I?
    • Senior Engineer - Synacor
    • Author
    • OSS Contributor
    • Mentoring Proponent
    • Podcast co-host

  3. What is OAuth?

  4. Statelessness

  5. Applications have tokens too

  6. So what you’re saying is…

  7. Tokens can be stolen though

  8. Good news though!

  9. There are different versions

  10. Technically OAuth 1 is
    deprecated

  11. Just like the mysql extension
    You’re probably going to run into it at some point anyway…

  12. So here’s the plan

  13. OAuth 1.0
    Client

  14. So we need tokens, right?

  15. Token Definitions

  16. Consumer Tokens

  17. Temporary Credentials

  18. Access Tokens

  19. Token Request Flow

  20. Super simple, right?
    https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html

  21. Let’s break this down, eh?

  22. You need an application

  23. Request the temporary tokens

  24. If you signed it right…

  25. You’ll have temporary
    credentials

  26. You now use these to request
    Access Tokens

  27. If you sign that request right…

  28. You’ll have your actual Access
    Tokens!

  29. You can store them in a session
    or database and use them now!

  30. Remember all that signing talk?

  31. This is the hardest part…

  32. $params = [
        'oauth_nonce' => $this->getNonce(),
        'oauth_callback' => $this->getCallback(),
        'oauth_signature_method' => $this->getSignatureMethod(),
        'oauth_timestamp' => time(),
        'oauth_consumer_key' => $this->getConsumerKey(),
        'oauth_token' => '',   // no token yet: this is the temporary-credential request
        'oauth_version' => '1.0',
    ];

  33. HTTP Method and URI

  34. Let’s see how this actually works

  35. $httpMethod = 'POST';
    $uri = 'http://api.example.com/request_tokens';

    $params = [
        'oauth_nonce' => $this->getNonce(),
        'oauth_callback' => $this->getCallback(),
        'oauth_signature_method' => $this->getSignatureMethod(),
        'oauth_timestamp' => time(),
        'oauth_consumer_key' => $this->getConsumerKey(),
        'oauth_token' => '',
        'oauth_version' => '1.0',
    ];

    // Percent-encode each key and value, then sort the pairs (RFC 5849 §3.4.1.3.2).
    $tempArray = [];
    ksort($params);
    foreach ($params as $key => $value) {
        $tempArray[] = rawurlencode($key) . '=' . rawurlencode($value);   // '[]' appends; a plain '=' kept only the last pair
    }

    // Base string = METHOD & encoded(base URI) & encoded(parameter string).
    // The joined parameter string is encoded a second time, as one value.
    $baseString = strtoupper($httpMethod) . '&';
    $baseString .= rawurlencode($uri) . '&';
    $baseString .= rawurlencode(implode('&', $tempArray));

  36. Composite Key
    This is way easier…

  37. Cram the 2 secrets together…

  38. $consumer_secret = 'VERYSECRETZ';
    $access_secret = 'SUCHSECURITY';   // the empty string when requesting temporary credentials

    // Signing key: each secret percent-encoded, joined with '&' (RFC 5849 §3.4.2).
    $compositeKey =
        rawurlencode($consumer_secret) . '&' .
        rawurlencode($access_secret);

  39. Signing with HMAC-SHA1

  40. $signature = base64_encode(hash_hmac(
        'sha1',
        $baseString,
        $compositeKey,
        true   // raw binary digest, then base64
    ));
    Here’s your signature!

  41. There are other signature types
    but…

  42. Authorization Header

  43. $params = [
        'oauth_nonce' => $this->getNonce(),
        'oauth_callback' => $this->getCallback(),
        'oauth_signature_method' => $this->getSignatureMethod(),
        'oauth_timestamp' => time(),
        'oauth_consumer_key' => $this->getConsumerKey(),
        'oauth_token' => '',
        'oauth_version' => '1.0',
    ];

    // This must be the same array (same nonce, same timestamp) that went into
    // $baseString; a fresh nonce or timestamp here would no longer match $signature.
    $params['oauth_signature'] = $signature;
    You probably remember this array?

  44. $header = "Authorization: OAuth ";
    $tempArray = [];

    foreach ($params as $key => $value) {
        $tempArray[] = $key . '="' . rawurlencode($value) . '"';   // each value quoted and percent-encoded
    }

    $header .= implode(', ', $tempArray);
    We’ve seen similar code before…

  45. Authorization: OAuth
    oauth_consumer_key="xxxxxxxxx",
    oauth_nonce="fklj2324kljfksjf234k",
    oauth_signature="8xJAdrE00wGH21w87P6N%2F8c0XZfeo%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1399488541",
    oauth_token="xxxxxxxxx",
    oauth_version="1.0"
    This is the final result

  46. Whew! That was some work

  47. OAuth 1.0
    Server

  48. Token Generation

  49. Recreate the signature with the
    info you received

  50. If they match, they win!

  51. Access Control…

  52. OAuth 2
    Client

  53. No signatures

  54. Must use SSL/TLS

  55. Consumer Credentials

  56. Access Token

  57. Authorization Code Grant

  58. Authorization example -
    Foursquare

  59. http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=code&redirect_uri=http://oauth.dev/examples/Foursquare/callback.php

  60. Token Request

  61. http://oauth.dev/examples/Foursquare/callback.php?code=

  62. https://foursquare.com/oauth2/access_token?client_id=&client_secret=&code=&callback=http://oauth.dev/examples/Foursquare/callback.php&grant_type=authorization_code

  63. If you can use this, you should
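
    The authorization code grant from slides 57 to 63, with both sides in one process. This is an added example written for this page, not code from the talk and not Foursquare’s API: the client builds the authorization URL with a random `state`, refuses a callback whose `state` does not match, and sends the token request as a POST body as RFC 6749 §4.1.3 specifies (the Foursquare endpoint on slide 62 takes the same parameters in a query string). `DemoAuthServer` is a constructed in-memory stand-in for the authorization server so the flow runs offline; the client id, secret, redirect URI and endpoints are made up. Requires PHP 7.4 or later.

```php
<?php
// Added example (not from the slides): authorization code grant, RFC 6749
// section 4.1, client and a constructed authorization server side by side.

const CLIENT_ID     = 'demo-client';
const CLIENT_SECRET = 'demo-secret-0123456789';
const REDIRECT_URI  = 'https://oauth.dev/examples/callback.php';

// ---- client ---------------------------------------------------------------

// Step 1: send the user to the authorization endpoint. `state` is random and
// stored in the session so the callback can be tied to this browser session.
function buildAuthorizeUrl(string $authorizeEndpoint, array &$session): string
{
    $session['oauth2_state'] = bin2hex(random_bytes(16));
    return $authorizeEndpoint . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => 'checkins',
        'state'         => $session['oauth2_state'],
    ]);
}

// Step 3: the callback. Accept the code only if `state` matches what we stored.
function handleCallback(array $query, array &$session): ?string
{
    $expected = $session['oauth2_state'] ?? null;
    unset($session['oauth2_state']);   // single use
    if ($expected === null || !isset($query['state']) || !hash_equals($expected, (string) $query['state'])) {
        return null;   // CSRF: someone is trying to bind their code to our session
    }
    return isset($query['code']) ? (string) $query['code'] : null;
}

// Step 4: the token request. Sent as a POST body over TLS, never as a query string.
function buildTokenRequest(string $code): array
{
    return [
        'grant_type'    => 'authorization_code',
        'code'          => $code,
        'redirect_uri'  => REDIRECT_URI,
        'client_id'     => CLIENT_ID,
        'client_secret' => CLIENT_SECRET,
    ];
}

// ---- authorization server (constructed stand-in) ---------------------------

final class DemoAuthServer
{
    private array $clients = [CLIENT_ID => ['secret' => CLIENT_SECRET, 'redirect_uri' => REDIRECT_URI]];
    private array $codes = [];   // code => client_id, redirect_uri, user, expires, used

    // Step 2: the resource owner has approved; issue a short-lived, single-use code
    // and return the query string the server would append to redirect_uri.
    public function authorize(array $query, string $user, int $now): string
    {
        $client = $this->clients[$query['client_id'] ?? ''] ?? null;
        if ($client === null || ($query['response_type'] ?? '') !== 'code'
            || ($query['redirect_uri'] ?? '') !== $client['redirect_uri']) {
            throw new RuntimeException('unknown client, wrong response_type, or unregistered redirect_uri');
        }
        $code = bin2hex(random_bytes(16));
        $this->codes[$code] = ['client_id' => $query['client_id'], 'redirect_uri' => $query['redirect_uri'],
                               'user' => $user, 'expires' => $now + 60, 'used' => false];
        return http_build_query(['code' => $code, 'state' => $query['state'] ?? '']);
    }

    public function token(array $body, int $now): ?array
    {
        $client = $this->clients[$body['client_id'] ?? ''] ?? null;
        if ($client === null || !hash_equals($client['secret'], (string) ($body['client_secret'] ?? ''))) {
            return null;   // invalid_client
        }
        $grant = $this->codes[$body['code'] ?? ''] ?? null;
        if ($grant === null || $grant['used'] || $grant['expires'] < $now
            || $grant['client_id'] !== $body['client_id'] || $grant['redirect_uri'] !== ($body['redirect_uri'] ?? '')) {
            return null;   // invalid_grant: wrong client, wrong redirect_uri, expired, or already redeemed
        }
        $this->codes[$body['code']]['used'] = true;
        return ['access_token' => bin2hex(random_bytes(32)), 'token_type' => 'bearer', 'expires_in' => 3600];
    }
}

// Walk the flow: authorize URL -> approval -> callback -> token request -> replay attempt.
$session = [];
$as = new DemoAuthServer();
$authUrl = buildAuthorizeUrl('https://as.example.com/oauth2/authorize', $session);
parse_str((string) parse_url($authUrl, PHP_URL_QUERY), $authQuery);
parse_str($as->authorize($authQuery, 'alice', time()), $callbackQuery);
$code = handleCallback($callbackQuery, $session);
if ($code === null) {
    exit('state mismatch' . PHP_EOL);
}
$tokenResponse = $as->token(buildTokenRequest($code), time());
$replay = $as->token(buildTokenRequest($code), time());   // redeeming the same code twice is refused
var_dump($tokenResponse !== null, $replay === null);
```

    The checks that matter on the server side are the ones the code is bound to at issue time: the code only redeems for the client it was issued to, with the same `redirect_uri`, once, and within a short window. On the client side, `state` is the only thing standing between the callback and a login-CSRF where an attacker plants their own code in the victim’s session.
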

  64. Implicit Grant

  65. http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=token&redirect_uri=http://oauth.dev/examples/Foursquare/callback.php

  66. Resource Owner Credentials
    Grant

  67. Client Credentials Grant

  68. “Scopes” in OAuth 1

  69. Scopes in OAuth 2

  70. Important Note on Scopes

  71. Provides an ACL Framework

  72. Refresh Tokens

  73. OAuth 2
    Server

  74. Issuing Tokens

  75. Should I Support All The
    Grants?

  76. Authorization/Implicit Grants

  77. Storing Token Info

  78. Reading Tokens

  79. Query String, Header, Both?
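
    Slides 74 to 79 cover issuing, storing and reading OAuth 2 access tokens on the server. This is an added example written for this page, not code from the talk: a token issuer that returns a high-entropy random token and stores only its SHA-256 hash with scope and expiry, a reader that takes the token from the `Authorization: Bearer` header (RFC 6750 §2.1) and only falls back to the query string when the caller opts in, and the check that ties the two together. `$store` is a constructed in-memory stand-in for the token table; client, user and scope names are made up. Requires PHP 7.1 or later.

```php
<?php
// Added example (not from the slides): issuing a bearer token, storing a hash
// of it, and reading it back from the request. $store stands in for a database.

function issueToken(array &$store, string $clientId, string $user, array $scopes, int $now, int $ttl = 3600): string
{
    // 256 bits from the CSPRNG, URL-safe base64 without padding.
    $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    // Store the hash, not the token: a leaked table then yields nothing usable.
    // Plain SHA-256 is enough because the token is high-entropy; password-style
    // stretching (bcrypt, Argon2) is for low-entropy secrets.
    $store[hash('sha256', $token)] = [
        'client_id' => $clientId,
        'user'      => $user,
        'scopes'    => $scopes,
        'expires'   => $now + $ttl,
    ];
    return $token;
}

// Pull the token out of the request. Header first; the query string only when
// explicitly allowed, because URLs end up in access logs, Referer headers and history.
function readBearerToken(array $headers, array $query, bool $allowQuery = false): ?string
{
    $auth = $headers['Authorization'] ?? '';
    // b64token syntax from RFC 6750 section 2.1; scheme name is case-insensitive.
    if (preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i', $auth, $m)) {
        return $m[1];
    }
    if ($allowQuery && isset($query['access_token'])) {
        return (string) $query['access_token'];
    }
    return null;
}

// Resolve the presented token against the store and enforce scope as the ACL.
function authenticate(array $store, ?string $token, string $requiredScope, int $now): ?array
{
    if ($token === null) {
        return null;
    }
    $record = $store[hash('sha256', $token)] ?? null;
    if ($record === null || $record['expires'] <= $now) {
        return null;   // unknown or expired
    }
    if (!in_array($requiredScope, $record['scopes'], true)) {
        return null;   // valid token, but not for this operation
    }
    return $record;
}

// Constructed demo.
$store = [];
$now = time();
$token = issueToken($store, 'demo-client', 'alice', ['checkins:read'], $now);

$fromHeader = readBearerToken(['Authorization' => 'Bearer ' . $token], []);
$fromQuery  = readBearerToken([], ['access_token' => $token]);   // query string not enabled, so nothing is read
var_dump($fromHeader === $token, $fromQuery === null);

var_dump(authenticate($store, $fromHeader, 'checkins:read', $now) !== null);    // right scope, not expired
var_dump(authenticate($store, $fromHeader, 'checkins:write', $now) === null);   // scope never granted
var_dump(authenticate($store, $fromHeader, 'checkins:read', $now + 7200) === null);   // past expiry
```

    Answering the slide’s question directly: support the header, and treat query-string tokens as an opt-in for clients that cannot set headers, not as the default. Hashing at rest costs one SHA-256 per request and means a database dump is not a credential dump.
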

  80. A Caution Against Rolling Your
    Own

  81. RFCs
    OAuth 1 RFC 5849 - http://tools.ietf.org/html/rfc5849
    OAuth 2 RFC 6749 - http://tools.ietf.org/html/rfc6749

  82. Thank you!
    Matt Frost
    @shrtwhitebldguy
    https://joind.in/10630
